@intentius/chant-lexicon-aws 0.0.8 → 0.0.9

package/dist/rules/cf-refs.ts

@@ -50,6 +50,105 @@ export function findResourceRefs(value: unknown): Set<string> {
   return refs;
 }
 
+/**
+ * Check if a value is a CloudFormation intrinsic function (Ref, Fn::*, etc.)
+ * that cannot be statically evaluated.
+ */
+export function isIntrinsic(value: unknown): boolean {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
+  const obj = value as Record<string, unknown>;
+  return "Ref" in obj || Object.keys(obj).some((k) => k.startsWith("Fn::"));
+}
+
+/**
+ * Walk IAM policy statements from a resource's properties.
+ * Handles IAM::Policy, IAM::Role, and IAM::ManagedPolicy layouts.
+ */
+export function walkPolicyStatements(
+  resource: CFResource,
+): Array<Record<string, unknown>> {
+  const statements: Array<Record<string, unknown>> = [];
+  const props = resource.Properties ?? {};
+
+  // PolicyDocument.Statement (IAM::Policy, IAM::ManagedPolicy)
+  collectStatements(props.PolicyDocument, statements);
+
+  // AssumeRolePolicyDocument.Statement (IAM::Role)
+  collectStatements(props.AssumeRolePolicyDocument, statements);
+
+  // Policies[].PolicyDocument.Statement (IAM::Role inline policies)
+  if (Array.isArray(props.Policies)) {
+    for (const policy of props.Policies) {
+      if (typeof policy === "object" && policy !== null) {
+        collectStatements((policy as Record<string, unknown>).PolicyDocument, statements);
+      }
+    }
+  }
+
+  return statements;
+}
+
+function collectStatements(
+  policyDoc: unknown,
+  out: Array<Record<string, unknown>>,
+): void {
+  if (typeof policyDoc !== "object" || policyDoc === null) return;
+  const doc = policyDoc as Record<string, unknown>;
+  if (Array.isArray(doc.Statement)) {
+    for (const stmt of doc.Statement) {
+      if (typeof stmt === "object" && stmt !== null) {
+        out.push(stmt as Record<string, unknown>);
+      }
+    }
+  }
+}
+
+/**
+ * Normalize security group ingress rules from inline SecurityGroupIngress
+ * property and standalone SecurityGroupIngress resources.
+ */
+export function getSecurityGroupIngress(
+  resource: CFResource,
+): Array<Record<string, unknown>> {
+  const rules: Array<Record<string, unknown>> = [];
+  const props = resource.Properties ?? {};
+
+  if (Array.isArray(props.SecurityGroupIngress)) {
+    for (const rule of props.SecurityGroupIngress) {
+      if (typeof rule === "object" && rule !== null) {
+        rules.push(rule as Record<string, unknown>);
+      }
+    }
+  }
+
+  return rules;
+}
+
+/**
+ * Check if a port range [fromPort, toPort] contains any of the sensitive ports.
+ */
+export function portRangeContainsSensitive(
+  fromPort: unknown,
+  toPort: unknown,
+  sensitivePorts: number[],
+): boolean {
+  // Missing ports means all ports
+  if (fromPort === undefined && toPort === undefined) return true;
+
+  const from = typeof fromPort === "number" ? fromPort : -1;
+  const to = typeof toPort === "number" ? toPort : -1;
+
+  // If either is an intrinsic, we can't statically verify
+  if (isIntrinsic(fromPort) || isIntrinsic(toPort)) return false;
+
+  if (from === -1 && to === -1) return true;
+
+  for (const port of sensitivePorts) {
+    if (from <= port && port <= to) return true;
+  }
+  return false;
+}
+
 function walkValue(value: unknown, refs: Set<string>): void {
   if (value === null || value === undefined) return;
   if (typeof value !== "object") return;

package/dist/rules/ext001.ts

@@ -16,7 +16,7 @@ import { join } from "path";
 import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
 import { parseCFTemplate, type CFResource } from "./cf-refs";
 
-interface ExtensionConstraint {
+export interface ExtensionConstraint {
   name: string;
   type: "if_then" | "dependent_excluded" | "required_or" | "required_xor";
   condition?: unknown;
@@ -25,7 +25,7 @@ interface ExtensionConstraint {
 
 interface LexiconEntry {
   kind: string;
-  cfn?: string;
+  resourceType: string;
   constraints?: ExtensionConstraint[];
   [key: string]: unknown;
 }
@@ -43,8 +43,8 @@ function loadLexiconConstraints(): Map<string, ExtensionConstraint[]> {
     const data = JSON.parse(content) as Record<string, LexiconEntry>;
 
     for (const [_name, entry] of Object.entries(data)) {
-      if (entry.kind === "resource" && entry.cfn && entry.constraints && entry.constraints.length > 0) {
-        map.set(entry.cfn, entry.constraints);
+      if (entry.kind === "resource" && entry.resourceType && entry.constraints && entry.constraints.length > 0) {
+        map.set(entry.resourceType, entry.constraints);
       }
     }
   } catch {
@@ -193,28 +193,37 @@ function validateResource(
   return diagnostics;
 }
 
-export const ext001: PostSynthCheck = {
-  id: "EXT001",
-  description: "Extension constraint violation — cross-property validation from cfn-lint extension schemas",
-
-  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
-    const lexiconConstraints = loadLexiconConstraints();
-    if (lexiconConstraints.size === 0) return [];
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkExtensionConstraints(
+  ctx: PostSynthContext,
+  constraintMap: Map<string, ExtensionConstraint[]>,
+): PostSynthDiagnostic[] {
+  if (constraintMap.size === 0) return [];
 
-    const diagnostics: PostSynthDiagnostic[] = [];
+  const diagnostics: PostSynthDiagnostic[] = [];
 
-    for (const [_lexicon, output] of ctx.outputs) {
-      const template = parseCFTemplate(output);
-      if (!template?.Resources) continue;
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
 
-      for (const [logicalId, resource] of Object.entries(template.Resources)) {
-        const constraints = lexiconConstraints.get(resource.Type);
-        if (!constraints) continue;
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      const constraints = constraintMap.get(resource.Type);
+      if (!constraints) continue;
 
-        diagnostics.push(...validateResource(logicalId, resource, constraints));
-      }
+      diagnostics.push(...validateResource(logicalId, resource, constraints));
     }
+  }
 
-    return diagnostics;
+  return diagnostics;
+}
+
+export const ext001: PostSynthCheck = {
+  id: "EXT001",
+  description: "Extension constraint violation — cross-property validation from cfn-lint extension schemas",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkExtensionConstraints(ctx, loadLexiconConstraints());
   },
 };

package/dist/rules/hardcoded-region.ts

@@ -11,6 +11,7 @@ export const hardcodedRegionRule: LintRule = {
   id: "WAW001",
   severity: "warning",
   category: "security",
+  description: "Detects hardcoded AWS region strings — use AWS.Region pseudo-parameter instead",
 
   check(context: LintContext): LintDiagnostic[] {
     const { sourceFile } = context;

package/dist/rules/iam-wildcard.ts

@@ -11,6 +11,7 @@ export const iamWildcardRule: LintRule = {
   id: "WAW009",
   severity: "warning",
   category: "security",
+  description: "Detects IAM policies with wildcard (*) resources — specify explicit resource ARNs for better security",
 
   check(context: LintContext): LintDiagnostic[] {
     const { sourceFile } = context;

package/dist/rules/s3-encryption.ts

@@ -11,6 +11,7 @@ export const s3EncryptionRule: LintRule = {
   id: "WAW006",
   severity: "warning",
   category: "security",
+  description: "Detects S3 Bucket creation without encryption configuration — all buckets should have server-side encryption enabled",
 
   check(context: LintContext): LintDiagnostic[] {
     const { sourceFile } = context;

package/dist/rules/waw016.ts

@@ -0,0 +1,86 @@
+/**
+ * WAW016: Deprecated Property Usage
+ *
+ * Flags properties marked as deprecated in the CloudFormation Registry.
+ * Sources: explicit `deprecatedProperties` array + description text mining.
+ */
+
+import { readFileSync } from "fs";
+import { join } from "path";
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+interface LexiconEntry {
+  kind: string;
+  resourceType: string;
+  deprecatedProperties?: string[];
+  [key: string]: unknown;
+}
+
+/**
+ * Load deprecated properties per resource type from the lexicon JSON.
+ */
+function loadDeprecatedProperties(): Map<string, Set<string>> {
+  const map = new Map<string, Set<string>>();
+  try {
+    const pkgDir = join(__dirname, "..", "..", "..");
+    const lexiconPath = join(pkgDir, "src", "generated", "lexicon-aws.json");
+    const content = readFileSync(lexiconPath, "utf-8");
+    const data = JSON.parse(content) as Record<string, LexiconEntry>;
+
+    for (const [_name, entry] of Object.entries(data)) {
+      if (entry.kind === "resource" && entry.resourceType && entry.deprecatedProperties && entry.deprecatedProperties.length > 0) {
+        map.set(entry.resourceType, new Set(entry.deprecatedProperties));
+      }
+    }
+  } catch {
+    // Lexicon not available — skip
+  }
+  return map;
+}
+
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkDeprecatedProperties(
+  ctx: PostSynthContext,
+  deprecated: Map<string, Set<string>>,
+): PostSynthDiagnostic[] {
+  if (deprecated.size === 0) return [];
+
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      const deprProps = deprecated.get(resource.Type);
+      if (!deprProps) continue;
+
+      const props = resource.Properties ?? {};
+      for (const propName of Object.keys(props)) {
+        if (deprProps.has(propName)) {
+          diagnostics.push({
+            checkId: "WAW016",
+            severity: "warning",
+            message: `Resource "${logicalId}" (${resource.Type}) uses deprecated property "${propName}" — consider alternatives`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw016: PostSynthCheck = {
+  id: "WAW016",
+  description: "Deprecated property usage — flags properties marked as deprecated in the CloudFormation Registry",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkDeprecatedProperties(ctx, loadDeprecatedProperties());
+  },
+};

package/dist/rules/waw017.ts

@@ -0,0 +1,53 @@
+/**
+ * WAW017: Missing Tags on Taggable Resource
+ *
+ * Flags taggable resources that have no Tags property set.
+ * Encourages adding tags for cost allocation and compliance.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+import { loadTaggableResources } from "../../taggable";
+
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkMissingTags(
+  ctx: PostSynthContext,
+  taggable: Set<string>,
+): PostSynthDiagnostic[] {
+  if (taggable.size === 0) return [];
+
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!taggable.has(resource.Type)) continue;
+
+      const props = resource.Properties ?? {};
+      if (!("Tags" in props)) {
+        diagnostics.push({
+          checkId: "WAW017",
+          severity: "warning",
+          message: `Resource "${logicalId}" (${resource.Type}) supports tagging but has no Tags — consider adding tags for cost allocation and compliance`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw017: PostSynthCheck = {
+  id: "WAW017",
+  description: "Missing tags on taggable resource — suggests adding tags for cost allocation and compliance",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkMissingTags(ctx, loadTaggableResources());
+  },
+};

package/dist/rules/waw018.ts

@@ -0,0 +1,71 @@
+/**
+ * WAW018: S3 Public Access Not Blocked
+ *
+ * Flags S3 buckets missing PublicAccessBlockConfiguration or with any flag set to false.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, isIntrinsic } from "./cf-refs";
+
+const REQUIRED_FLAGS = [
+  "BlockPublicAcls",
+  "BlockPublicPolicy",
+  "IgnorePublicAcls",
+  "RestrictPublicBuckets",
+] as const;
+
+export function checkS3PublicAccess(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::S3::Bucket") continue;
+
+      const props = resource.Properties ?? {};
+      const pab = props.PublicAccessBlockConfiguration;
+
+      if (!pab) {
+        diagnostics.push({
+          checkId: "WAW018",
+          severity: "error",
+          message: `S3 bucket "${logicalId}" is missing PublicAccessBlockConfiguration — all public access should be blocked`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+        continue;
+      }
+
+      if (isIntrinsic(pab)) continue;
+
+      if (typeof pab === "object" && pab !== null) {
+        const config = pab as Record<string, unknown>;
+        for (const flag of REQUIRED_FLAGS) {
+          const value = config[flag];
+          if (value === false) {
+            diagnostics.push({
+              checkId: "WAW018",
+              severity: "error",
+              message: `S3 bucket "${logicalId}" has ${flag} set to false — all public access should be blocked`,
+              entity: logicalId,
+              lexicon: "aws",
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw018: PostSynthCheck = {
+  id: "WAW018",
+  description: "S3 bucket missing public access block — all public access should be blocked",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkS3PublicAccess(ctx);
+  },
+};

package/dist/rules/waw019.ts

@@ -0,0 +1,82 @@
+/**
+ * WAW019: Security Group Unrestricted Ingress
+ *
+ * Flags security groups with 0.0.0.0/0 or ::/0 ingress on sensitive ports
+ * (SSH 22, RDP 3389, MySQL 3306, PostgreSQL 5432).
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, getSecurityGroupIngress, portRangeContainsSensitive, isIntrinsic } from "./cf-refs";
+
+const SENSITIVE_PORTS = [22, 3389, 3306, 5432];
+const OPEN_CIDRS = new Set(["0.0.0.0/0", "::/0"]);
+
+function checkIngressRule(
+  rule: Record<string, unknown>,
+  logicalId: string,
+  diagnostics: PostSynthDiagnostic[],
+): void {
+  const cidrIp = rule.CidrIp;
+  const cidrIpv6 = rule.CidrIpv6;
+
+  const hasOpenCidr =
+    (typeof cidrIp === "string" && OPEN_CIDRS.has(cidrIp)) ||
+    (typeof cidrIpv6 === "string" && OPEN_CIDRS.has(cidrIpv6));
+
+  if (!hasOpenCidr) return;
+
+  if (portRangeContainsSensitive(rule.FromPort, rule.ToPort, SENSITIVE_PORTS)) {
+    const cidr = typeof cidrIp === "string" && OPEN_CIDRS.has(cidrIp) ? cidrIp : cidrIpv6;
+    const fromPort = rule.FromPort;
+    const toPort = rule.ToPort;
+    const portDesc = fromPort !== undefined && toPort !== undefined
+      ? ` on ports ${fromPort}-${toPort}`
+      : " on all ports";
+
+    diagnostics.push({
+      checkId: "WAW019",
+      severity: "error",
+      message: `Security group "${logicalId}" allows unrestricted ingress from ${cidr}${portDesc} — restrict to specific CIDR ranges`,
+      entity: logicalId,
+      lexicon: "aws",
+    });
+  }
+}
+
+export function checkUnrestrictedIngress(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      // Check inline SecurityGroupIngress on EC2::SecurityGroup
+      if (resource.Type === "AWS::EC2::SecurityGroup") {
+        const rules = getSecurityGroupIngress(resource);
+        for (const rule of rules) {
+          checkIngressRule(rule, logicalId, diagnostics);
+        }
+      }
+
+      // Check standalone SecurityGroupIngress resources
+      if (resource.Type === "AWS::EC2::SecurityGroupIngress") {
+        const props = resource.Properties ?? {};
+        if (!isIntrinsic(props)) {
+          checkIngressRule(props as Record<string, unknown>, logicalId, diagnostics);
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw019: PostSynthCheck = {
+  id: "WAW019",
+  description: "Security group allows unrestricted ingress on sensitive ports (SSH, RDP, database)",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkUnrestrictedIngress(ctx);
+  },
+};

package/dist/rules/waw020.ts

@@ -0,0 +1,64 @@
+/**
+ * WAW020: IAM Wildcard Action
+ *
+ * Flags IAM policies with Action: "*" in any statement.
+ * Checks IAM::Policy, IAM::Role, and IAM::ManagedPolicy resource types.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, walkPolicyStatements, isIntrinsic } from "./cf-refs";
+
+const IAM_TYPES = new Set([
+  "AWS::IAM::Policy",
+  "AWS::IAM::Role",
+  "AWS::IAM::ManagedPolicy",
+]);
+
+function hasWildcardAction(statement: Record<string, unknown>): boolean {
+  const action = statement.Action;
+  if (action === "*") return true;
+  if (Array.isArray(action)) {
+    return action.some((a) => a === "*");
+  }
+  return false;
+}
+
+export function checkIamWildcardAction(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!IAM_TYPES.has(resource.Type)) continue;
+
+      const statements = walkPolicyStatements(resource);
+      for (const stmt of statements) {
+        if (isIntrinsic(stmt.Action)) continue;
+
+        if (hasWildcardAction(stmt)) {
+          diagnostics.push({
+            checkId: "WAW020",
+            severity: "warning",
+            message: `IAM resource "${logicalId}" has a policy statement with Action: "*" — use specific actions following least privilege`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+          break; // One diagnostic per resource
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw020: PostSynthCheck = {
+  id: "WAW020",
+  description: "IAM policy uses wildcard Action — use specific actions following least privilege",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkIamWildcardAction(ctx);
+  },
+};

package/dist/rules/waw021.ts

@@ -0,0 +1,53 @@
+/**
+ * WAW021: RDS Storage Not Encrypted
+ *
+ * Flags RDS instances and clusters without StorageEncrypted: true.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, isIntrinsic } from "./cf-refs";
+
+const RDS_TYPES = new Set([
+  "AWS::RDS::DBInstance",
+  "AWS::RDS::DBCluster",
+]);
+
+export function checkRdsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!RDS_TYPES.has(resource.Type)) continue;
+
+      const props = resource.Properties ?? {};
+      const encrypted = props.StorageEncrypted;
+
+      // Skip if it's an intrinsic (can't statically verify)
+      if (isIntrinsic(encrypted)) continue;
+
+      if (encrypted !== true) {
+        diagnostics.push({
+          checkId: "WAW021",
+          severity: "error",
+          message: `RDS resource "${logicalId}" (${resource.Type}) does not have StorageEncrypted: true — enable encryption at rest`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw021: PostSynthCheck = {
+  id: "WAW021",
+  description: "RDS instance or cluster storage is not encrypted — enable encryption at rest",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkRdsEncryption(ctx);
+  },
+};

package/dist/rules/waw022.ts

@@ -0,0 +1,43 @@
+/**
+ * WAW022: Lambda Not in VPC
+ *
+ * Flags Lambda functions without VpcConfig.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkLambdaVpc(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::Lambda::Function") continue;
+
+      const props = resource.Properties ?? {};
+      if (!("VpcConfig" in props)) {
+        diagnostics.push({
+          checkId: "WAW022",
+          severity: "warning",
+          message: `Lambda function "${logicalId}" is not configured with a VPC — consider adding VpcConfig for network isolation`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw022: PostSynthCheck = {
+  id: "WAW022",
+  description: "Lambda function is not configured with a VPC — consider adding VpcConfig for network isolation",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkLambdaVpc(ctx);
+  },
+};