@intentius/chant-lexicon-aws 0.1.1 → 0.1.8

package/dist/rules/waw032.ts

@@ -0,0 +1,52 @@
+/**
+ * WAW032: EFS Transit Encryption Disabled
+ *
+ * Flags EFS volume configurations on Fargate task definitions where transit
+ * encryption has been explicitly disabled. FargateService defaults to ENABLED;
+ * this rule catches intentional opt-outs.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkEfsTransitEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::ECS::TaskDefinition") continue;
+
+      const volumes = resource.Properties?.Volumes;
+      if (!Array.isArray(volumes)) continue;
+
+      for (const volume of volumes) {
+        const efsConfig = volume?.EFSVolumeConfiguration;
+        if (!efsConfig) continue;
+
+        if (efsConfig.TransitEncryption === "DISABLED") {
+          diagnostics.push({
+            checkId: "WAW032",
+            severity: "warning",
+            message: `EFS volume "${volume.Name ?? "unnamed"}" in task "${logicalId}" has transit encryption disabled — set TransitEncryption: ENABLED to protect data in transit`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw032: PostSynthCheck = {
+  id: "WAW032",
+  description: "EFS volume on Fargate task has transit encryption disabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkEfsTransitEncryption(ctx);
+  },
+};

package/dist/rules/waw033.ts

@@ -0,0 +1,86 @@
+/**
+ * WAW033: Solr Heap Exceeds 50% of Container Memory
+ *
+ * When SOLR_HEAP is set on a Fargate task running a Solr image, validates that
+ * the heap does not exceed 50% of the task's allocated memory. Exceeding this
+ * leaves insufficient headroom for the OS file cache that Lucene MMap relies on,
+ * causing the OOM killer to terminate the container.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+/** Parse heap strings like "4g", "2048m", "2048" → megabytes */
+function parseHeapMb(value: string): number | null {
+  const lower = value.trim().toLowerCase();
+  const gMatch = lower.match(/^(\d+(?:\.\d+)?)g$/);
+  if (gMatch) return Math.round(parseFloat(gMatch[1]) * 1024);
+  const mMatch = lower.match(/^(\d+(?:\.\d+)?)m?$/);
+  if (mMatch) return Math.round(parseFloat(mMatch[1]));
+  return null;
+}
+
+function isSolrImage(image: unknown): boolean {
+  return typeof image === "string" && image.toLowerCase().includes("solr");
+}
+
+export function checkSolrHeapRatio(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::ECS::TaskDefinition") continue;
+
+      const props = resource.Properties ?? {};
+      if (typeof props.Memory !== "string") continue;
+      const taskMemoryMb = parseInt(props.Memory);
+      if (!taskMemoryMb) continue;
+
+      const containers: unknown[] = Array.isArray(props.ContainerDefinitions)
+        ? props.ContainerDefinitions
+        : [];
+
+      for (const container of containers) {
+        if (typeof container !== "object" || container === null) continue;
+        const c = container as Record<string, unknown>;
+
+        if (!isSolrImage(c.Image)) continue;
+
+        const envVars: unknown[] = Array.isArray(c.Environment) ? c.Environment : [];
+        const heapEntry = envVars.find(
+          (e): e is Record<string, unknown> =>
+            typeof e === "object" && e !== null && (e as Record<string, unknown>).Name === "SOLR_HEAP",
+        );
+
+        if (!heapEntry) continue; // WAW034 covers missing heap
+
+        const heapMb = parseHeapMb(String(heapEntry.Value ?? ""));
+        if (heapMb === null) continue;
+
+        if (heapMb > taskMemoryMb * 0.5) {
+          diagnostics.push({
+            checkId: "WAW033",
+            severity: "error",
+            message: `Solr container "${c.Name ?? "app"}" SOLR_HEAP (${heapMb}MB) exceeds 50% of task memory (${taskMemoryMb}MB) — risk of OOM kill; set SOLR_HEAP <= ${Math.floor(taskMemoryMb * 0.45)}m`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw033: PostSynthCheck = {
+  id: "WAW033",
+  description: "Solr SOLR_HEAP exceeds 50% of Fargate task memory",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkSolrHeapRatio(ctx);
+  },
+};

package/dist/rules/waw034.ts

@@ -0,0 +1,63 @@
+/**
+ * WAW034: Solr Container Undersized
+ *
+ * Fargate tasks running a Solr image with less than 2048MB of memory will
+ * fail under any real load — the JVM alone needs headroom for the heap plus
+ * OS file cache for Lucene MMap. 4096MB is the practical production minimum.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+function isSolrImage(image: unknown): boolean {
+  return typeof image === "string" && image.toLowerCase().includes("solr");
+}
+
+export function checkSolrMemoryMinimum(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::ECS::TaskDefinition") continue;
+
+      const props = resource.Properties ?? {};
+      if (typeof props.Memory !== "string") continue;
+      const taskMemoryMb = parseInt(props.Memory);
+      if (!taskMemoryMb) continue;
+
+      const containers: unknown[] = Array.isArray(props.ContainerDefinitions)
+        ? props.ContainerDefinitions
+        : [];
+
+      const hasSolr = containers.some(
+        (c) => typeof c === "object" && c !== null && isSolrImage((c as Record<string, unknown>).Image),
+      );
+
+      if (!hasSolr) continue;
+
+      if (taskMemoryMb < 2048) {
+        diagnostics.push({
+          checkId: "WAW034",
+          severity: "warning",
+          message: `Solr task "${logicalId}" has only ${taskMemoryMb}MB memory — Solr requires at least 2048MB; 4096MB recommended for production`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw034: PostSynthCheck = {
+  id: "WAW034",
+  description: "Fargate task running Solr has insufficient memory (< 2048MB)",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkSolrMemoryMinimum(ctx);
+  },
+};

package/dist/rules/waw035.ts

@@ -0,0 +1,71 @@
+/**
+ * WAW035: Solr Container Missing nofile Ulimit
+ *
+ * Solr opens a file descriptor for every shard replica, index file, log, and
+ * connection. Without a raised nofile limit the process hits the default kernel
+ * limit (~1024) under moderate load, causing "Too many open files" errors that
+ * bring the node down. The production minimum is 65535.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+const NOFILE_MIN = 65535;
+
+function isSolrImage(image: unknown): boolean {
+  return typeof image === "string" && image.toLowerCase().includes("solr");
+}
+
+export function checkSolrUlimits(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::ECS::TaskDefinition") continue;
+
+      const containers: unknown[] = Array.isArray(resource.Properties?.ContainerDefinitions)
+        ? resource.Properties.ContainerDefinitions
+        : [];
+
+      for (const container of containers) {
+        if (typeof container !== "object" || container === null) continue;
+        const c = container as Record<string, unknown>;
+
+        if (!isSolrImage(c.Image)) continue;
+
+        const ulimits: unknown[] = Array.isArray(c.Ulimits) ? c.Ulimits : [];
+        const nofile = ulimits.find(
+          (u): u is Record<string, unknown> =>
+            typeof u === "object" && u !== null && (u as Record<string, unknown>).Name === "nofile",
+        );
+
+        const hardLimit = nofile ? Number(nofile.HardLimit ?? 0) : 0;
+
+        if (!nofile || hardLimit < NOFILE_MIN) {
+          const current = nofile ? ` (current HardLimit: ${hardLimit})` : " (not set)";
+          diagnostics.push({
+            checkId: "WAW035",
+            severity: "warning",
+            message: `Solr container "${c.Name ?? "app"}" in task "${logicalId}" nofile ulimit${current} — set HardLimit >= ${NOFILE_MIN} to prevent "Too many open files" under load`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw035: PostSynthCheck = {
+  id: "WAW035",
+  description: "Solr container missing nofile ulimit >= 65535",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkSolrUlimits(ctx);
+  },
+};

package/dist/rules/waw036.ts

@@ -0,0 +1,88 @@
+/**
+ * WAW036: Non-ASCII Characters in EC2/IAM String Properties
+ *
+ * EC2, IAM, CloudWatch, and other AWS services only accept ASCII 0x20–0x7E in
+ * description, name, and label fields. Non-ASCII characters (em-dashes, curly
+ * quotes, accented letters, etc.) cause the changeset to fail at EarlyValidation
+ * with an opaque "Invalid parameter" error that doesn't name the offending property.
+ *
+ * Properties checked (all must be plain ASCII strings):
+ *   - AWS::EC2::SecurityGroup           GroupDescription
+ *   - AWS::EC2::LaunchTemplate          LaunchTemplateName
+ *   - AWS::IAM::Role                    RoleName
+ *   - AWS::Lambda::Function             FunctionName
+ *   - AWS::RDS::DBSubnetGroup           DBSubnetGroupDescription
+ *   - AWS::CloudWatch::Alarm            AlarmDescription, AlarmName
+ *   - AWS::AutoScaling::AutoScalingGroup AutoScalingGroupName
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+/** Map of CFN resource type → list of property names that must be ASCII-only. */
+const ASCII_REQUIRED: Record<string, string[]> = {
+  "AWS::EC2::SecurityGroup":             ["GroupDescription"],
+  "AWS::EC2::LaunchTemplate":            ["LaunchTemplateName"],
+  "AWS::IAM::Role":                      ["RoleName"],
+  "AWS::Lambda::Function":               ["FunctionName"],
+  "AWS::RDS::DBSubnetGroup":             ["DBSubnetGroupDescription"],
+  "AWS::CloudWatch::Alarm":              ["AlarmDescription", "AlarmName"],
+  "AWS::AutoScaling::AutoScalingGroup":  ["AutoScalingGroupName"],
+};
+
+/** Return true if the string contains any character outside ASCII printable range (0x20–0x7E). */
+function hasNonAscii(s: string): boolean {
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i);
+    if (code < 0x20 || code > 0x7e) return true;
+  }
+  return false;
+}
+
+export function checkNonAsciiProps(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      const propsToCheck = ASCII_REQUIRED[resource.Type];
+      if (!propsToCheck) continue;
+
+      const props = resource.Properties ?? {};
+
+      for (const propName of propsToCheck) {
+        const value = props[propName];
+        if (typeof value !== "string") continue;
+        if (!hasNonAscii(value)) continue;
+
+        // Find the specific offending characters for the message.
+        const badChars = [...new Set([...value].filter((c) => {
+          const code = c.charCodeAt(0);
+          return code < 0x20 || code > 0x7e;
+        }))];
+        const charList = badChars.map((c) => `U+${c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0")}`).join(", ");
+
+        diagnostics.push({
+          checkId: "WAW036",
+          severity: "error",
+          message: `${resource.Type} "${logicalId}" property "${propName}" contains non-ASCII characters (${charList}) — AWS rejects these at changeset validation time`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw036: PostSynthCheck = {
+  id: "WAW036",
+  description: "Non-ASCII characters in EC2/IAM/CW string properties — rejected at changeset time",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkNonAsciiProps(ctx);
+  },
+};

package/dist/rules/waw037.ts

@@ -0,0 +1,81 @@
+/**
+ * WAW037: Null Values in CloudFormation Resource Properties
+ *
+ * `resource.PropName` where PropName is not a real GetAtt attribute returns null
+ * silently in chant's AttrRef system — the TypeScript types say `string` but the
+ * runtime value is null. This produces a template with literal null values that
+ * CloudFormation rejects at changeset time with an unhelpful "Invalid template"
+ * error.
+ *
+ * Common causes:
+ *   - `resource.SomeId` instead of `Ref(resource)` (use Ref for the primary identifier)
+ *   - `resource.SomeProp` where SomeProp is not listed in AWS CloudFormation GetAtt docs
+ *   - Typo in an attribute name (e.g. `resource.GroupName` vs `resource.GroupId`)
+ *
+ * This check scans every resource's Properties for null values at any depth and
+ * reports the logical resource ID and dotted property path.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+interface NullLocation {
+  logicalId: string;
+  path: string;
+}
+
+/** Recursively collect all paths where the value is null. */
+function collectNullPaths(value: unknown, path: string, results: NullLocation[], logicalId: string): void {
+  if (value === null) {
+    results.push({ logicalId, path });
+    return;
+  }
+  if (Array.isArray(value)) {
+    for (let i = 0; i < value.length; i++) {
+      collectNullPaths(value[i], `${path}[${i}]`, results, logicalId);
+    }
+    return;
+  }
+  if (typeof value === "object") {
+    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
+      collectNullPaths(v, path ? `${path}.${k}` : k, results, logicalId);
+    }
+  }
+}
+
+export function checkNullProperties(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!resource.Properties) continue;
+
+      const nullLocations: NullLocation[] = [];
+      collectNullPaths(resource.Properties, "", nullLocations, logicalId);
+
+      for (const loc of nullLocations) {
+        diagnostics.push({
+          checkId: "WAW037",
+          severity: "error",
+          message: `${resource.Type} "${logicalId}" has a null value at Properties.${loc.path} — likely a .PropName AttrRef on a non-existent GetAtt attribute. Use Ref(resource) for the primary identifier, or check the attribute name.`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw037: PostSynthCheck = {
+  id: "WAW037",
+  description: "Null values in CFN resource properties — caused by invalid AttrRef (.PropName) usage",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkNullProperties(ctx);
+  },
+};