@intentius/chant-lexicon-aws 0.0.8 → 0.0.9

package/src/lint/post-synth/waw025.ts

@@ -0,0 +1,43 @@
+/**
+ * WAW025: SNS Topic Not Encrypted
+ *
+ * Flags SNS topics without KmsMasterKeyId.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkSnsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::SNS::Topic") continue;
+
+      const props = resource.Properties ?? {};
+      if (!("KmsMasterKeyId" in props)) {
+        diagnostics.push({
+          checkId: "WAW025",
+          severity: "warning",
+          message: `SNS topic "${logicalId}" is not encrypted — add KmsMasterKeyId for encryption at rest`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw025: PostSynthCheck = {
+  id: "WAW025",
+  description: "SNS topic is not encrypted — add KmsMasterKeyId for encryption at rest",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkSnsEncryption(ctx);
+  },
+};

package/src/lint/post-synth/waw026.test.ts

@@ -0,0 +1,54 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw026, checkSqsEncryption } from "./waw026";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW026: SQS Queue Not Encrypted", () => {
+  test("check metadata", () => {
+    expect(waw026.id).toBe("WAW026");
+    expect(waw026.description).toContain("encrypted");
+  });
+
+  test("flags queue without encryption", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyQueue: {
+          Type: "AWS::SQS::Queue",
+          Properties: { QueueName: "my-queue" },
+        },
+      },
+    });
+    const diags = checkSqsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW026");
+  });
+
+  test("no diagnostic with SqsManagedSseEnabled", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyQueue: {
+          Type: "AWS::SQS::Queue",
+          Properties: { SqsManagedSseEnabled: true },
+        },
+      },
+    });
+    const diags = checkSqsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic with KmsMasterKeyId", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyQueue: {
+          Type: "AWS::SQS::Queue",
+          Properties: { KmsMasterKeyId: "alias/my-key" },
+        },
+      },
+    });
+    const diags = checkSqsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw026.ts

@@ -0,0 +1,46 @@
+/**
+ * WAW026: SQS Queue Not Encrypted
+ *
+ * Flags SQS queues without SqsManagedSseEnabled or KmsMasterKeyId.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkSqsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::SQS::Queue") continue;
+
+      const props = resource.Properties ?? {};
+      const hasSseSqs = props.SqsManagedSseEnabled === true;
+      const hasKms = "KmsMasterKeyId" in props;
+
+      if (!hasSseSqs && !hasKms) {
+        diagnostics.push({
+          checkId: "WAW026",
+          severity: "warning",
+          message: `SQS queue "${logicalId}" is not encrypted — enable SqsManagedSseEnabled or set KmsMasterKeyId`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw026: PostSynthCheck = {
+  id: "WAW026",
+  description: "SQS queue is not encrypted — enable SqsManagedSseEnabled or set KmsMasterKeyId",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkSqsEncryption(ctx);
+  },
+};

package/src/lint/post-synth/waw027.test.ts

@@ -0,0 +1,63 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw027, checkDynamoDbPitr } from "./waw027";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW027: DynamoDB Missing PITR", () => {
+  test("check metadata", () => {
+    expect(waw027.id).toBe("WAW027");
+    expect(waw027.description).toContain("point-in-time");
+  });
+
+  test("flags table without PITR", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTable: {
+          Type: "AWS::DynamoDB::Table",
+          Properties: {
+            TableName: "my-table",
+            KeySchema: [{ AttributeName: "id", KeyType: "HASH" }],
+            AttributeDefinitions: [{ AttributeName: "id", AttributeType: "S" }],
+          },
+        },
+      },
+    });
+    const diags = checkDynamoDbPitr(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW027");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when PITR is enabled", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTable: {
+          Type: "AWS::DynamoDB::Table",
+          Properties: {
+            PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: true },
+          },
+        },
+      },
+    });
+    const diags = checkDynamoDbPitr(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags when PITR spec present but not enabled", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTable: {
+          Type: "AWS::DynamoDB::Table",
+          Properties: {
+            PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: false },
+          },
+        },
+      },
+    });
+    const diags = checkDynamoDbPitr(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw027.ts

@@ -0,0 +1,50 @@
+/**
+ * WAW027: DynamoDB Missing Point-in-Time Recovery
+ *
+ * Flags DynamoDB tables without PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkDynamoDbPitr(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::DynamoDB::Table") continue;
+
+      const props = resource.Properties ?? {};
+      const pitrSpec = props.PointInTimeRecoverySpecification;
+
+      let pitrEnabled = false;
+      if (typeof pitrSpec === "object" && pitrSpec !== null) {
+        pitrEnabled = (pitrSpec as Record<string, unknown>).PointInTimeRecoveryEnabled === true;
+      }
+
+      if (!pitrEnabled) {
+        diagnostics.push({
+          checkId: "WAW027",
+          severity: "info",
+          message: `DynamoDB table "${logicalId}" does not have point-in-time recovery enabled — consider enabling for data protection`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw027: PostSynthCheck = {
+  id: "WAW027",
+  description: "DynamoDB table does not have point-in-time recovery enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkDynamoDbPitr(ctx);
+  },
+};

package/src/lint/post-synth/waw028.test.ts

@@ -0,0 +1,68 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw028, checkEbsEncryption } from "./waw028";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW028: EBS Volume Not Encrypted", () => {
+  test("check metadata", () => {
+    expect(waw028.id).toBe("WAW028");
+    expect(waw028.description).toContain("encrypted");
+  });
+
+  test("flags volume without Encrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyVol: {
+          Type: "AWS::EC2::Volume",
+          Properties: { AvailabilityZone: "us-east-1a", Size: 100 },
+        },
+      },
+    });
+    const diags = checkEbsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW028");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when Encrypted: true", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyVol: {
+          Type: "AWS::EC2::Volume",
+          Properties: { AvailabilityZone: "us-east-1a", Encrypted: true },
+        },
+      },
+    });
+    const diags = checkEbsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags Encrypted: false", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyVol: {
+          Type: "AWS::EC2::Volume",
+          Properties: { AvailabilityZone: "us-east-1a", Encrypted: false },
+        },
+      },
+    });
+    const diags = checkEbsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("skips intrinsic value for Encrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyVol: {
+          Type: "AWS::EC2::Volume",
+          Properties: { AvailabilityZone: "us-east-1a", Encrypted: { Ref: "EncryptParam" } },
+        },
+      },
+    });
+    const diags = checkEbsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw028.ts

@@ -0,0 +1,47 @@
+/**
+ * WAW028: EBS Volume Not Encrypted
+ *
+ * Flags EBS volumes without Encrypted: true.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, isIntrinsic } from "./cf-refs";
+
+export function checkEbsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::EC2::Volume") continue;
+
+      const props = resource.Properties ?? {};
+      const encrypted = props.Encrypted;
+
+      if (isIntrinsic(encrypted)) continue;
+
+      if (encrypted !== true) {
+        diagnostics.push({
+          checkId: "WAW028",
+          severity: "warning",
+          message: `EBS volume "${logicalId}" does not have Encrypted: true — enable encryption at rest`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw028: PostSynthCheck = {
+  id: "WAW028",
+  description: "EBS volume is not encrypted — enable encryption at rest",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkEbsEncryption(ctx);
+  },
+};

package/src/lint/post-synth/waw029.test.ts

@@ -0,0 +1,179 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw029, checkInvalidDependsOn } from "./waw029";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW029: Invalid DependsOn Target", () => {
+  test("check metadata", () => {
+    expect(waw029.id).toBe("WAW029");
+    expect(waw029.description).toContain("DependsOn");
+  });
+
+  test("dangling DependsOn target → error", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          DependsOn: "MyBukcet",
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW029");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("MyBukcet");
+    expect(diags[0].message).toContain("does not exist");
+    expect(diags[0].entity).toBe("MyBucket");
+    expect(diags[0].lexicon).toBe("aws");
+  });
+
+  test("self-referencing DependsOn → error", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          DependsOn: "MyBucket",
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW029");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("itself");
+    expect(diags[0].entity).toBe("MyBucket");
+  });
+
+  test("valid DependsOn → no diagnostic", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {},
+        },
+        MyFunction: {
+          Type: "AWS::Lambda::Function",
+          DependsOn: "MyBucket",
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("string DependsOn (not array) → works", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          DependsOn: "NonExistent",
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("NonExistent");
+  });
+
+  test("multiple invalid targets → multiple diagnostics", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          DependsOn: ["Typo1", "Typo2"],
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(2);
+    expect(diags[0].message).toContain("Typo1");
+    expect(diags[1].message).toContain("Typo2");
+  });
+
+  test("no DependsOn → no diagnostic", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("empty Resources → no diagnostic", () => {
+    const ctx = makeCtx({ Resources: {} });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("empty DependsOn array → no diagnostic", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          DependsOn: [],
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("mixed valid and invalid in same array", () => {
+    const ctx = makeCtx({
+      Resources: {
+        A: { Type: "AWS::S3::Bucket", Properties: {} },
+        B: {
+          Type: "AWS::Lambda::Function",
+          DependsOn: ["A", "NonExistent", "B"],
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(2);
+    expect(diags[0].message).toContain("NonExistent");
+    expect(diags[0].message).toContain("does not exist");
+    expect(diags[1].message).toContain("itself");
+  });
+
+  test("no Resources key → no diagnostic", () => {
+    const ctx = makeCtx({ AWSTemplateFormatVersion: "2010-09-09" });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("multiple resources each with invalid DependsOn", () => {
+    const ctx = makeCtx({
+      Resources: {
+        A: {
+          Type: "AWS::S3::Bucket",
+          DependsOn: "Ghost1",
+          Properties: {},
+        },
+        B: {
+          Type: "AWS::Lambda::Function",
+          DependsOn: "Ghost2",
+          Properties: {},
+        },
+      },
+    });
+    const diags = checkInvalidDependsOn(ctx);
+    expect(diags).toHaveLength(2);
+    expect(diags[0].entity).toBe("A");
+    expect(diags[1].entity).toBe("B");
+  });
+});

package/src/lint/post-synth/waw029.ts

@@ -0,0 +1,62 @@
+/**
+ * WAW029: Invalid DependsOn Target
+ *
+ * Detects two cases in the serialized template:
+ * - Dangling reference: DependsOn target not in template.Resources
+ * - Self-reference: Resource depends on itself
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkInvalidDependsOn(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    const resourceIds = new Set(Object.keys(template.Resources));
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!resource.DependsOn) continue;
+
+      const deps = Array.isArray(resource.DependsOn)
+        ? resource.DependsOn
+        : [resource.DependsOn];
+
+      for (const dep of deps) {
+        if (typeof dep !== "string") continue;
+
+        if (dep === logicalId) {
+          diagnostics.push({
+            checkId: "WAW029",
+            severity: "error",
+            message: `Resource "${logicalId}" has a DependsOn on itself — self-references are invalid`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+        } else if (!resourceIds.has(dep)) {
+          diagnostics.push({
+            checkId: "WAW029",
+            severity: "error",
+            message: `Resource "${logicalId}" has DependsOn "${dep}" which does not exist in the template`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw029: PostSynthCheck = {
+  id: "WAW029",
+  description: "Invalid DependsOn target — dangling reference or self-reference",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkInvalidDependsOn(ctx);
+  },
+};