npm - @sureshgururajan/aws-console-private-access-validator - Versions diffs - 1.0.3 → 1.0.4 - Mend

@sureshgururajan/aws-console-private-access-validator 1.0.3 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -1,88 +1,88 @@
-# AWS Console Private Access Validator MCP Server
-An MCP (Model Context Protocol) server that validates CloudFormation templates for AWS Console Private Access requirements.
-## Features
-Validates CloudFormation templates for:
-- Required VPC endpoints (Console, Signin, SSM, EC2Messages, SSMMessages, S3)
-- Endpoint policies restricting access to specific accounts
-- Route53 private hosted zones for console and signin
-- Security group configuration for HTTPS access
-- EC2 instance setup with IAM roles
-- NAT Gateway for private subnet egress
-- Network configuration and routing
-## Installation
-```bash
-npm install
-```
-## Build
-```bash
-npm run build
-```
-## Running the MCP Server
-```bash
-npm start
-```
-The server will listen on stdin/stdout for MCP protocol messages.
-## Testing
-Test the validator against a CloudFormation template:
-```bash
-npm test -- /path/to/template.json
-```
-## Usage
-### Tool: `validate-cloudformation`
-Validates a CloudFormation template for AWS Console Private Access requirements.
-**Input Parameters:**
-- `template` (string, required): CloudFormation template as JSON string
-- `region` (string, optional): AWS region (default: "us-east-1")
-**Output:**
-```json
-{
-  "valid": true/false,
-  "checks": [
-    {
-      "name": "Check name",
-      "status": "pass" | "fail" | "warning",
-      "message": "Description of what was checked",
-      "details": "Additional details if needed"
-    }
-  ],
-  "summary": "Overall validation summary"
-}
-```
-## Validation Checks
-1. **VPC Endpoints** - Verifies all required interface and gateway endpoints exist
-2. **Endpoint Policies** - Checks that policies are attached and properly configured
-3. **Route53 Hosted Zones** - Validates private hosted zones for console and signin
-4. **Security Groups** - Checks for HTTPS (port 443) access rules
-5. **EC2 Instance** - Verifies instance exists with IAM role (optional)
-6. **NAT Gateway** - Checks for NAT Gateway for private subnet egress
-7. **Network Configuration** - Validates private subnets and route tables
-## Example
-```bash
-# Generate CloudFormation template
-npx cdk synth > template.json
-# Validate the template
-echo '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"validate-cloudformation","arguments":{"template":"<template-json>"}}}' | npm start
-```
+# AWS Console Private Access Validator MCP Server
+An MCP (Model Context Protocol) server that validates CloudFormation templates for AWS Console Private Access requirements.
+## Features
+Validates CloudFormation templates for:
+- Required VPC endpoints (Console, Signin, SSM, EC2Messages, SSMMessages, S3)
+- Endpoint policies restricting access to specific accounts
+- Route53 private hosted zones for console and signin
+- Security group configuration for HTTPS access
+- EC2 instance setup with IAM roles
+- NAT Gateway for private subnet egress
+- Network configuration and routing
+## Installation
+```bash
+npm install
+```
+## Build
+```bash
+npm run build
+```
+## Running the MCP Server
+```bash
+npm start
+```
+The server will listen on stdin/stdout for MCP protocol messages.
+## Testing
+Test the validator against a CloudFormation template:
+```bash
+npm test -- /path/to/template.json
+```
+## Usage
+### Tool: `validate-cloudformation`
+Validates a CloudFormation template for AWS Console Private Access requirements.
+**Input Parameters:**
+- `template` (string, required): CloudFormation template as JSON string
+- `region` (string, optional): AWS region (default: "us-east-1")
+**Output:**
+```json
+{
+  "valid": true/false,
+  "checks": [
+    {
+      "name": "Check name",
+      "status": "pass" | "fail" | "warning",
+      "message": "Description of what was checked",
+      "details": "Additional details if needed"
+    }
+  ],
+  "summary": "Overall validation summary"
+}
+```
+## Validation Checks
+1. **VPC Endpoints** - Verifies all required interface and gateway endpoints exist
+2. **Endpoint Policies** - Checks that policies are attached and properly configured
+3. **Route53 Hosted Zones** - Validates private hosted zones for console and signin
+4. **Security Groups** - Checks for HTTPS (port 443) access rules
+5. **EC2 Instance** - Verifies instance exists with IAM role (optional)
+6. **NAT Gateway** - Checks for NAT Gateway for private subnet egress
+7. **Network Configuration** - Validates private subnets and route tables
+## Example
+```bash
+# Generate CloudFormation template
+npx cdk synth > template.json
+# Validate the template
+echo '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"validate-cloudformation","arguments":{"template":"<template-json>"}}}' | npm start
+```

package/dist/index.d.ts CHANGED Viewed

@@ -1,2 +1,3 @@
+#!/usr/bin/env node
 export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/index.js CHANGED Viewed

@@ -1,3 +1,4 @@
+#!/usr/bin/env node
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { CallToolRequestSchema, ListToolsRequestSchema, } from '@modelcontextprotocol/sdk/types.js';

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"~~AAAA~~,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,6BAA6B,EAAE,MAAM,gBAAgB,CAAC;AAG/D,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB;IACE,IAAI,EAAE,sCAAsC;IAC5C,OAAO,EAAE,OAAO;CACjB,EACD;IACE,YAAY,EAAE;QACZ,KAAK,EAAE,EAAE;KACV;CACF,CACF,CAAC;AAEF,MAAM,KAAK,GAAW;IACpB;QACE,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EACT,iFAAiF;QACnF,WAAW,EAAE;YACX,IAAI,EAAE,QAAiB;YACvB,UAAU,EAAE;gBACV,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,wCAAwC;iBACtD;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,iCAAiC;oBAC9C,OAAO,EAAE,WAAW;iBACrB;aACF;YACD,QAAQ,EAAE,CAAC,UAAU,CAAC;SACvB;KACF;CACF,CAAC;AAEF,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;IAC5D,KAAK;CACN,CAAC,CAAC,CAAC;AAEJ,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;IAChE,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;QACtD,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,WAAW,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,SAGzD,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,cAAc,GAA2B,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACpE,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;YAC5E,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;YAEpC,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;qBACtC;iBACF;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5E,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAClB;4BACE,KAAK,EAAE,KAAK;4BACZ,MAAM,EAAE,EAAE;4BACV,OAAO,EAAE,2BAA2B,YAAY,EAAE;yBACnD,EACD,IAAI,EACJ,CAAC,CACF;qBACF;iBACF;gBACD,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,iBAAiB,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE;aAC7C;SACF;QACD,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,6BAA6B,EAAE,MAAM,gBAAgB,CAAC;AAG/D,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB;IACE,IAAI,EAAE,sCAAsC;IAC5C,OAAO,EAAE,OAAO;CACjB,EACD;IACE,YAAY,EAAE;QACZ,KAAK,EAAE,EAAE;KACV;CACF,CACF,CAAC;AAEF,MAAM,KAAK,GAAW;IACpB;QACE,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EACT,iFAAiF;QACnF,WAAW,EAAE;YACX,IAAI,EAAE,QAAiB;YACvB,UAAU,EAAE;gBACV,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,wCAAwC;iBACtD;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,iCAAiC;oBAC9C,OAAO,EAAE,WAAW;iBACrB;aACF;YACD,QAAQ,EAAE,CAAC,UAAU,CAAC;SACvB;KACF;CACF,CAAC;AAEF,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;IAC5D,KAAK;CACN,CAAC,CAAC,CAAC;AAEJ,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;IAChE,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;QACtD,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,WAAW,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,SAGzD,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,cAAc,GAA2B,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACpE,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;YAC5E,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;YAEpC,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;qBACtC;iBACF;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5E,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAClB;4BACE,KAAK,EAAE,KAAK;4BACZ,MAAM,EAAE,EAAE;4BACV,OAAO,EAAE,2BAA2B,YAAY,EAAE;yBACnD,EACD,IAAI,EACJ,CAAC,CACF;qBACF;iBACF;gBACD,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,iBAAiB,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE;aAC7C;SACF;QACD,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/package.json CHANGED Viewed

@@ -1,29 +1,30 @@
-{
-  "name": "@sureshgururajan/aws-console-private-access-validator",
-  "version": "1.0.3",
-  "type": "module",
-  "description": "MCP server for validating AWS Console Private Access CloudFormation templates",
-  "main": "dist/index.js",
-  "bin": {
-    "aws-console-private-access-validator": "dist/index.js"
-  },
-  "scripts": {
-    "build": "tsc",
-    "start": "node dist/index.js",
-    "test": "node dist/test.js",
-    "dev": "ts-node src/index.ts"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^0.5.0"
-  },
-  "devDependencies": {
-    "@types/node": "^20.0.0",
-    "typescript": "^5.0.0",
-    "ts-node": "^10.9.0"
-  },
-  "publishConfig": {
-    "access": "public"
-  }
-}
+{
+  "name": "@sureshgururajan/aws-console-private-access-validator",
+  "version": "1.0.4",
+  "type": "module",
+  "description": "MCP server for validating AWS Console Private Access CloudFormation templates",
+  "main": "dist/index.js",
+  "bin": {
+    "aws-console-private-access-validator": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "prepare": "npm run build",
+    "start": "node dist/index.js",
+    "test": "node dist/test.js",
+    "dev": "ts-node src/index.ts"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^0.5.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.0.0",
+    "ts-node": "^10.9.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/index.ts CHANGED Viewed

@@ -1,110 +1,111 @@
-import { Server } from '@modelcontextprotocol/sdk/server/index.js';
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import {
-  CallToolRequestSchema,
-  ListToolsRequestSchema,
-  Tool,
-} from '@modelcontextprotocol/sdk/types.js';
-import { ConsolePrivateAccessValidator } from './validator.js';
-import { CloudFormationTemplate } from './types.js';
-const server = new Server(
-  {
-    name: 'aws-console-private-access-validator',
-    version: '1.0.0',
-  },
-  {
-    capabilities: {
-      tools: {},
-    },
-  }
-);
-const tools: Tool[] = [
-  {
-    name: 'validate-cloudformation',
-    description:
-      'Validates a CloudFormation template for AWS Console Private Access requirements',
-    inputSchema: {
-      type: 'object' as const,
-      properties: {
-        template: {
-          type: 'string',
-          description: 'CloudFormation template as JSON string',
-        },
-        region: {
-          type: 'string',
-          description: 'AWS region (default: us-east-1)',
-          default: 'us-east-1',
-        },
-      },
-      required: ['template'],
-    },
-  },
-];
-server.setRequestHandler(ListToolsRequestSchema, async () => ({
-  tools,
-}));
-server.setRequestHandler(CallToolRequestSchema, async (request) => {
-  if (request.params.name === 'validate-cloudformation') {
-    const { template, region = 'us-east-1' } = request.params.arguments as {
-      template: string;
-      region?: string;
-    };
-    try {
-      const parsedTemplate: CloudFormationTemplate = JSON.parse(template);
-      const validator = new ConsolePrivateAccessValidator(parsedTemplate, region);
-      const result = validator.validate();
-      return {
-        content: [
-          {
-            type: 'text',
-            text: JSON.stringify(result, null, 2),
-          },
-        ],
-      };
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      return {
-        content: [
-          {
-            type: 'text',
-            text: JSON.stringify(
-              {
-                valid: false,
-                checks: [],
-                summary: `Error parsing template: ${errorMessage}`,
-              },
-              null,
-              2
-            ),
-          },
-        ],
-        isError: true,
-      };
-    }
-  }
-  return {
-    content: [
-      {
-        type: 'text',
-        text: `Unknown tool: ${request.params.name}`,
-      },
-    ],
-    isError: true,
-  };
-});
-async function main() {
-  const transport = new StdioServerTransport();
-  await server.connect(transport);
-}
-main().catch((error) => {
-  process.exit(1);
-});
+#!/usr/bin/env node
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+  Tool,
+} from '@modelcontextprotocol/sdk/types.js';
+import { ConsolePrivateAccessValidator } from './validator.js';
+import { CloudFormationTemplate } from './types.js';
+const server = new Server(
+  {
+    name: 'aws-console-private-access-validator',
+    version: '1.0.0',
+  },
+  {
+    capabilities: {
+      tools: {},
+    },
+  }
+);
+const tools: Tool[] = [
+  {
+    name: 'validate-cloudformation',
+    description:
+      'Validates a CloudFormation template for AWS Console Private Access requirements',
+    inputSchema: {
+      type: 'object' as const,
+      properties: {
+        template: {
+          type: 'string',
+          description: 'CloudFormation template as JSON string',
+        },
+        region: {
+          type: 'string',
+          description: 'AWS region (default: us-east-1)',
+          default: 'us-east-1',
+        },
+      },
+      required: ['template'],
+    },
+  },
+];
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+  tools,
+}));
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+  if (request.params.name === 'validate-cloudformation') {
+    const { template, region = 'us-east-1' } = request.params.arguments as {
+      template: string;
+      region?: string;
+    };
+    try {
+      const parsedTemplate: CloudFormationTemplate = JSON.parse(template);
+      const validator = new ConsolePrivateAccessValidator(parsedTemplate, region);
+      const result = validator.validate();
+      return {
+        content: [
+          {
+            type: 'text',
+            text: JSON.stringify(result, null, 2),
+          },
+        ],
+      };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      return {
+        content: [
+          {
+            type: 'text',
+            text: JSON.stringify(
+              {
+                valid: false,
+                checks: [],
+                summary: `Error parsing template: ${errorMessage}`,
+              },
+              null,
+              2
+            ),
+          },
+        ],
+        isError: true,
+      };
+    }
+  }
+  return {
+    content: [
+      {
+        type: 'text',
+        text: `Unknown tool: ${request.params.name}`,
+      },
+    ],
+    isError: true,
+  };
+});
+async function main() {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+main().catch((error) => {
+  process.exit(1);
+});

package/src/test.ts CHANGED Viewed

@@ -1,31 +1,31 @@
-import fs from 'fs';
-import { ConsolePrivateAccessValidator } from './validator.js';
-// Read the CloudFormation template
-const templatePath = process.argv[2] || '/tmp/template.json';
-const templateContent = fs.readFileSync(templatePath, 'utf-8');
-const template = JSON.parse(templateContent);
-// Run validation
-const validator = new ConsolePrivateAccessValidator(template, 'us-east-1');
-const result = validator.validate();
-// Print results
-console.log('\n=== AWS Console Private Access Validation Results ===\n');
-console.log(`Valid: ${result.valid ? '✓ YES' : '✗ NO'}\n`);
-console.log('Checks:');
-result.checks.forEach((check) => {
-  const icon = check.status === 'pass' ? '✓' : check.status === 'fail' ? '✗' : '⚠';
-  console.log(`  ${icon} ${check.name}`);
-  console.log(`    Status: ${check.status}`);
-  console.log(`    Message: ${check.message}`);
-  if (check.details) {
-    console.log(`    Details: ${check.details}`);
-  }
-});
-console.log(`\nSummary: ${result.summary}\n`);
-// Exit with appropriate code
-process.exit(result.valid ? 0 : 1);
+import fs from 'fs';
+import { ConsolePrivateAccessValidator } from './validator.js';
+// Read the CloudFormation template
+const templatePath = process.argv[2] || '/tmp/template.json';
+const templateContent = fs.readFileSync(templatePath, 'utf-8');
+const template = JSON.parse(templateContent);
+// Run validation
+const validator = new ConsolePrivateAccessValidator(template, 'us-east-1');
+const result = validator.validate();
+// Print results
+console.log('\n=== AWS Console Private Access Validation Results ===\n');
+console.log(`Valid: ${result.valid ? '✓ YES' : '✗ NO'}\n`);
+console.log('Checks:');
+result.checks.forEach((check) => {
+  const icon = check.status === 'pass' ? '✓' : check.status === 'fail' ? '✗' : '⚠';
+  console.log(`  ${icon} ${check.name}`);
+  console.log(`    Status: ${check.status}`);
+  console.log(`    Message: ${check.message}`);
+  if (check.details) {
+    console.log(`    Details: ${check.details}`);
+  }
+});
+console.log(`\nSummary: ${result.summary}\n`);
+// Exit with appropriate code
+process.exit(result.valid ? 0 : 1);

package/src/types.ts CHANGED Viewed

@@ -1,18 +1,18 @@
-export interface ValidationCheck {
-  name: string;
-  status: 'pass' | 'fail' | 'warning';
-  message: string;
-  details?: string;
-}
-export interface ValidationResult {
-  valid: boolean;
-  checks: ValidationCheck[];
-  summary: string;
-}
-export interface CloudFormationTemplate {
-  Resources?: Record<string, any>;
-  Outputs?: Record<string, any>;
-  Parameters?: Record<string, any>;
-}
+export interface ValidationCheck {
+  name: string;
+  status: 'pass' | 'fail' | 'warning';
+  message: string;
+  details?: string;
+}
+export interface ValidationResult {
+  valid: boolean;
+  checks: ValidationCheck[];
+  summary: string;
+}
+export interface CloudFormationTemplate {
+  Resources?: Record<string, any>;
+  Outputs?: Record<string, any>;
+  Parameters?: Record<string, any>;
+}

package/src/validator.ts CHANGED Viewed

@@ -1,310 +1,310 @@
-import { ValidationCheck, ValidationResult, CloudFormationTemplate } from './types';
-export class ConsolePrivateAccessValidator {
-  private template: CloudFormationTemplate;
-  private region: string;
-  private checks: ValidationCheck[] = [];
-  constructor(template: CloudFormationTemplate, region: string = 'us-east-1') {
-    this.template = template;
-    this.region = region;
-  }
-  validate(): ValidationResult {
-    this.checks = [];
-    this.checkVpcEndpoints();
-    this.checkEndpointPolicies();
-    this.checkRoute53HostedZones();
-    this.checkSecurityGroups();
-    this.checkEc2Instance();
-    this.checkNatGateway();
-    this.checkNetworkConfiguration();
-    const failCount = this.checks.filter(c => c.status === 'fail').length;
-    const valid = failCount === 0;
-    return {
-      valid,
-      checks: this.checks,
-      summary: this.generateSummary(valid, failCount),
-    };
-  }
-  private getServiceName(serviceName: any): string | null {
-    if (typeof serviceName === 'string') {
-      return serviceName;
-    }
-    if (serviceName?.['Fn::Join']) {
-      const parts = serviceName['Fn::Join'][1];
-      if (Array.isArray(parts)) {
-        // Handle Ref to AWS::Region by replacing with actual region
-        return parts
-          .map((part: any) => {
-            if (typeof part === 'string') {
-              return part;
-            }
-            if (part?.Ref === 'AWS::Region') {
-              return this.region;
-            }
-            return '';
-          })
-          .join('');
-      }
-    }
-    return null;
-  }
-  private checkVpcEndpoints(): void {
-    const requiredEndpoints = [
-      { name: 'console', service: `com.amazonaws.${this.region}.console` },
-      { name: 'signin', service: `com.amazonaws.${this.region}.signin` },
-      { name: 'ssm', service: `com.amazonaws.${this.region}.ssm` },
-      { name: 'ec2messages', service: `com.amazonaws.${this.region}.ec2messages` },
-      { name: 'ssmmessages', service: `com.amazonaws.${this.region}.ssmmessages` },
-    ];
-    const resources = this.template.Resources || {};
-    const interfaceEndpoints = Object.values(resources).filter(
-      (r: any) => r.Type === 'AWS::EC2::VPCEndpoint' && r.Properties?.VpcEndpointType === 'Interface'
-    );
-    for (const endpoint of requiredEndpoints) {
-      const found = interfaceEndpoints.some((e: any) => {
-        const serviceName = this.getServiceName(e.Properties?.ServiceName);
-        return serviceName && serviceName.includes(endpoint.service);
-      });
-      this.checks.push({
-        name: `VPC Endpoint: ${endpoint.name}`,
-        status: found ? 'pass' : 'fail',
-        message: found
-          ? `Interface VPC endpoint for ${endpoint.name} found`
-          : `Missing interface VPC endpoint for ${endpoint.name}`,
-      });
-    }
-    // Check for S3 Gateway endpoint
-    const s3Gateway = Object.values(resources).some(
-      (r: any) => {
-        const serviceName = this.getServiceName(r.Properties?.ServiceName);
-        return (
-          r.Type === 'AWS::EC2::VPCEndpoint' &&
-          r.Properties?.VpcEndpointType === 'Gateway' &&
-          serviceName &&
-          serviceName.includes('s3')
-        );
-      }
-    );
-    this.checks.push({
-      name: 'VPC Endpoint: S3 Gateway',
-      status: s3Gateway ? 'pass' : 'fail',
-      message: s3Gateway ? 'S3 Gateway VPC endpoint found' : 'Missing S3 Gateway VPC endpoint',
-    });
-  }
-  private checkEndpointPolicies(): void {
-    const resources = this.template.Resources || {};
-    const consoleEndpoint = Object.entries(resources).find(
-      ([_, r]: [string, any]) => {
-        const serviceName = this.getServiceName(r.Properties?.ServiceName);
-        return (
-          r.Type === 'AWS::EC2::VPCEndpoint' &&
-          serviceName &&
-          serviceName.includes('console')
-        );
-      }
-    );
-    const signinEndpoint = Object.entries(resources).find(
-      ([_, r]: [string, any]) => {
-        const serviceName = this.getServiceName(r.Properties?.ServiceName);
-        return (
-          r.Type === 'AWS::EC2::VPCEndpoint' &&
-          serviceName &&
-          serviceName.includes('signin')
-        );
-      }
-    );
-    for (const [name, endpoint] of [
-      ['Console', consoleEndpoint],
-      ['Signin', signinEndpoint],
-    ]) {
-      if (!endpoint) continue;
-      const [_, resource] = endpoint as [string, any];
-      const hasPolicy = resource.Properties?.PolicyDocument;
-      this.checks.push({
-        name: `Endpoint Policy: ${name}`,
-        status: hasPolicy ? 'pass' : 'fail',
-        message: hasPolicy
-          ? `${name} endpoint has a policy attached`
-          : `${name} endpoint is missing a policy`,
-        details: hasPolicy
-          ? this.validatePolicyContent(resource.Properties.PolicyDocument)
-          : undefined,
-      });
-    }
-  }
-  private validatePolicyContent(policy: any): string {
-    if (!policy.Statement || policy.Statement.length === 0) {
-      return 'Policy has no statements';
-    }
-    const statement = policy.Statement[0];
-    const hasAccountCondition = statement.Condition?.StringEquals?.['aws:PrincipalAccount'];
-    if (hasAccountCondition) {
-      return 'Policy restricts access to specific account(s)';
-    }
-    return 'Policy does not restrict access by account';
-  }
-  private checkRoute53HostedZones(): void {
-    const resources = this.template.Resources || {};
-    const hostedZones = Object.values(resources).filter(
-      (r: any) => r.Type === 'AWS::Route53::HostedZone'
-    );
-    const requiredZones = ['console.aws.amazon.com', 'signin.aws.amazon.com'];
-    for (const zone of requiredZones) {
-      const found = hostedZones.some((hz: any) => {
-        const zoneName = hz.Properties?.Name;
-        // Route53 zone names may have a trailing dot
-        return zoneName === zone || zoneName === `${zone}.`;
-      });
-      this.checks.push({
-        name: `Route53 Hosted Zone: ${zone}`,
-        status: found ? 'pass' : 'fail',
-        message: found
-          ? `Private hosted zone for ${zone} found`
-          : `Missing private hosted zone for ${zone}`,
-      });
-    }
-    // Check for Route53 records
-    const recordSets = Object.values(resources).filter(
-      (r: any) => r.Type === 'AWS::Route53::RecordSet'
-    );
-    this.checks.push({
-      name: 'Route53 Records',
-      status: recordSets.length > 0 ? 'pass' : 'warning',
-      message:
-        recordSets.length > 0
-          ? `Found ${recordSets.length} Route53 records`
-          : 'No Route53 records found',
-    });
-  }
-  private checkSecurityGroups(): void {
-    const resources = this.template.Resources || {};
-    const securityGroups = Object.values(resources).filter(
-      (r: any) => r.Type === 'AWS::EC2::SecurityGroup'
-    );
-    const hasHttpsIngress = securityGroups.some((sg: any) => {
-      const ingress = sg.Properties?.SecurityGroupIngress || [];
-      return ingress.some(
-        (rule: any) =>
-          (rule.FromPort === 443 || rule.IpProtocol === 'tcp') &&
-          (rule.ToPort === 443 || rule.IpProtocol === 'tcp')
-      );
-    });
-    this.checks.push({
-      name: 'Security Group: HTTPS Access',
-      status: hasHttpsIngress ? 'pass' : 'warning',
-      message: hasHttpsIngress
-        ? 'Security group allows HTTPS (port 443) traffic'
-        : 'No security group rule found for HTTPS (port 443)',
-    });
-  }
-  private checkEc2Instance(): void {
-    const resources = this.template.Resources || {};
-    const instance = Object.values(resources).find((r: any) => r.Type === 'AWS::EC2::Instance');
-    this.checks.push({
-      name: 'EC2 Instance',
-      status: instance ? 'pass' : 'warning',
-      message: instance ? 'EC2 instance found' : 'No EC2 instance found (optional)',
-    });
-    if (instance) {
-      const hasIamRole = (instance as any).Properties?.IamInstanceProfile;
-      this.checks.push({
-        name: 'EC2 IAM Role',
-        status: hasIamRole ? 'pass' : 'warning',
-        message: hasIamRole
-          ? 'EC2 instance has IAM instance profile'
-          : 'EC2 instance missing IAM instance profile',
-      });
-    }
-  }
-  private checkNatGateway(): void {
-    const resources = this.template.Resources || {};
-    const natGateway = Object.values(resources).find((r: any) => r.Type === 'AWS::EC2::NatGateway');
-    this.checks.push({
-      name: 'NAT Gateway',
-      status: natGateway ? 'pass' : 'warning',
-      message: natGateway
-        ? 'NAT Gateway found for private subnet egress'
-        : 'No NAT Gateway found (required for private subnet internet access)',
-    });
-  }
-  private checkNetworkConfiguration(): void {
-    const resources = this.template.Resources || {};
-    // Check for private subnets
-    const privateSubnets = Object.values(resources).filter(
-      (r: any) =>
-        r.Type === 'AWS::EC2::Subnet' &&
-        !r.Properties?.MapPublicIpOnLaunch
-    );
-    this.checks.push({
-      name: 'Private Subnets',
-      status: privateSubnets.length > 0 ? 'pass' : 'fail',
-      message:
-        privateSubnets.length > 0
-          ? `Found ${privateSubnets.length} private subnet(s)`
-          : 'No private subnets found',
-    });
-    // Check for route tables
-    const routeTables = Object.values(resources).filter(
-      (r: any) => r.Type === 'AWS::EC2::RouteTable'
-    );
-    this.checks.push({
-      name: 'Route Tables',
-      status: routeTables.length > 0 ? 'pass' : 'warning',
-      message:
-        routeTables.length > 0
-          ? `Found ${routeTables.length} route table(s)`
-          : 'No route tables found',
-    });
-  }
-  private generateSummary(valid: boolean, failCount: number): string {
-    const passCount = this.checks.filter(c => c.status === 'pass').length;
-    const warningCount = this.checks.filter(c => c.status === 'warning').length;
-    if (valid) {
-      return `✓ Validation passed. All required checks passed (${passCount} passed, ${warningCount} warnings).`;
-    }
-    return `✗ Validation failed. ${failCount} check(s) failed, ${passCount} passed, ${warningCount} warnings.`;
-  }
-}
+import { ValidationCheck, ValidationResult, CloudFormationTemplate } from './types';
+export class ConsolePrivateAccessValidator {
+  private template: CloudFormationTemplate;
+  private region: string;
+  private checks: ValidationCheck[] = [];
+  constructor(template: CloudFormationTemplate, region: string = 'us-east-1') {
+    this.template = template;
+    this.region = region;
+  }
+  validate(): ValidationResult {
+    this.checks = [];
+    this.checkVpcEndpoints();
+    this.checkEndpointPolicies();
+    this.checkRoute53HostedZones();
+    this.checkSecurityGroups();
+    this.checkEc2Instance();
+    this.checkNatGateway();
+    this.checkNetworkConfiguration();
+    const failCount = this.checks.filter(c => c.status === 'fail').length;
+    const valid = failCount === 0;
+    return {
+      valid,
+      checks: this.checks,
+      summary: this.generateSummary(valid, failCount),
+    };
+  }
+  private getServiceName(serviceName: any): string | null {
+    if (typeof serviceName === 'string') {
+      return serviceName;
+    }
+    if (serviceName?.['Fn::Join']) {
+      const parts = serviceName['Fn::Join'][1];
+      if (Array.isArray(parts)) {
+        // Handle Ref to AWS::Region by replacing with actual region
+        return parts
+          .map((part: any) => {
+            if (typeof part === 'string') {
+              return part;
+            }
+            if (part?.Ref === 'AWS::Region') {
+              return this.region;
+            }
+            return '';
+          })
+          .join('');
+      }
+    }
+    return null;
+  }
+  private checkVpcEndpoints(): void {
+    const requiredEndpoints = [
+      { name: 'console', service: `com.amazonaws.${this.region}.console` },
+      { name: 'signin', service: `com.amazonaws.${this.region}.signin` },
+      { name: 'ssm', service: `com.amazonaws.${this.region}.ssm` },
+      { name: 'ec2messages', service: `com.amazonaws.${this.region}.ec2messages` },
+      { name: 'ssmmessages', service: `com.amazonaws.${this.region}.ssmmessages` },
+    ];
+    const resources = this.template.Resources || {};
+    const interfaceEndpoints = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::EC2::VPCEndpoint' && r.Properties?.VpcEndpointType === 'Interface'
+    );
+    for (const endpoint of requiredEndpoints) {
+      const found = interfaceEndpoints.some((e: any) => {
+        const serviceName = this.getServiceName(e.Properties?.ServiceName);
+        return serviceName && serviceName.includes(endpoint.service);
+      });
+      this.checks.push({
+        name: `VPC Endpoint: ${endpoint.name}`,
+        status: found ? 'pass' : 'fail',
+        message: found
+          ? `Interface VPC endpoint for ${endpoint.name} found`
+          : `Missing interface VPC endpoint for ${endpoint.name}`,
+      });
+    }
+    // Check for S3 Gateway endpoint
+    const s3Gateway = Object.values(resources).some(
+      (r: any) => {
+        const serviceName = this.getServiceName(r.Properties?.ServiceName);
+        return (
+          r.Type === 'AWS::EC2::VPCEndpoint' &&
+          r.Properties?.VpcEndpointType === 'Gateway' &&
+          serviceName &&
+          serviceName.includes('s3')
+        );
+      }
+    );
+    this.checks.push({
+      name: 'VPC Endpoint: S3 Gateway',
+      status: s3Gateway ? 'pass' : 'fail',
+      message: s3Gateway ? 'S3 Gateway VPC endpoint found' : 'Missing S3 Gateway VPC endpoint',
+    });
+  }
+  private checkEndpointPolicies(): void {
+    const resources = this.template.Resources || {};
+    const consoleEndpoint = Object.entries(resources).find(
+      ([_, r]: [string, any]) => {
+        const serviceName = this.getServiceName(r.Properties?.ServiceName);
+        return (
+          r.Type === 'AWS::EC2::VPCEndpoint' &&
+          serviceName &&
+          serviceName.includes('console')
+        );
+      }
+    );
+    const signinEndpoint = Object.entries(resources).find(
+      ([_, r]: [string, any]) => {
+        const serviceName = this.getServiceName(r.Properties?.ServiceName);
+        return (
+          r.Type === 'AWS::EC2::VPCEndpoint' &&
+          serviceName &&
+          serviceName.includes('signin')
+        );
+      }
+    );
+    for (const [name, endpoint] of [
+      ['Console', consoleEndpoint],
+      ['Signin', signinEndpoint],
+    ]) {
+      if (!endpoint) continue;
+      const [_, resource] = endpoint as [string, any];
+      const hasPolicy = resource.Properties?.PolicyDocument;
+      this.checks.push({
+        name: `Endpoint Policy: ${name}`,
+        status: hasPolicy ? 'pass' : 'fail',
+        message: hasPolicy
+          ? `${name} endpoint has a policy attached`
+          : `${name} endpoint is missing a policy`,
+        details: hasPolicy
+          ? this.validatePolicyContent(resource.Properties.PolicyDocument)
+          : undefined,
+      });
+    }
+  }
+  private validatePolicyContent(policy: any): string {
+    if (!policy.Statement || policy.Statement.length === 0) {
+      return 'Policy has no statements';
+    }
+    const statement = policy.Statement[0];
+    const hasAccountCondition = statement.Condition?.StringEquals?.['aws:PrincipalAccount'];
+    if (hasAccountCondition) {
+      return 'Policy restricts access to specific account(s)';
+    }
+    return 'Policy does not restrict access by account';
+  }
+  private checkRoute53HostedZones(): void {
+    const resources = this.template.Resources || {};
+    const hostedZones = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::Route53::HostedZone'
+    );
+    const requiredZones = ['console.aws.amazon.com', 'signin.aws.amazon.com'];
+    for (const zone of requiredZones) {
+      const found = hostedZones.some((hz: any) => {
+        const zoneName = hz.Properties?.Name;
+        // Route53 zone names may have a trailing dot
+        return zoneName === zone || zoneName === `${zone}.`;
+      });
+      this.checks.push({
+        name: `Route53 Hosted Zone: ${zone}`,
+        status: found ? 'pass' : 'fail',
+        message: found
+          ? `Private hosted zone for ${zone} found`
+          : `Missing private hosted zone for ${zone}`,
+      });
+    }
+    // Check for Route53 records
+    const recordSets = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::Route53::RecordSet'
+    );
+    this.checks.push({
+      name: 'Route53 Records',
+      status: recordSets.length > 0 ? 'pass' : 'warning',
+      message:
+        recordSets.length > 0
+          ? `Found ${recordSets.length} Route53 records`
+          : 'No Route53 records found',
+    });
+  }
+  private checkSecurityGroups(): void {
+    const resources = this.template.Resources || {};
+    const securityGroups = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::EC2::SecurityGroup'
+    );
+    const hasHttpsIngress = securityGroups.some((sg: any) => {
+      const ingress = sg.Properties?.SecurityGroupIngress || [];
+      return ingress.some(
+        (rule: any) =>
+          (rule.FromPort === 443 || rule.IpProtocol === 'tcp') &&
+          (rule.ToPort === 443 || rule.IpProtocol === 'tcp')
+      );
+    });
+    this.checks.push({
+      name: 'Security Group: HTTPS Access',
+      status: hasHttpsIngress ? 'pass' : 'warning',
+      message: hasHttpsIngress
+        ? 'Security group allows HTTPS (port 443) traffic'
+        : 'No security group rule found for HTTPS (port 443)',
+    });
+  }
+  private checkEc2Instance(): void {
+    const resources = this.template.Resources || {};
+    const instance = Object.values(resources).find((r: any) => r.Type === 'AWS::EC2::Instance');
+    this.checks.push({
+      name: 'EC2 Instance',
+      status: instance ? 'pass' : 'warning',
+      message: instance ? 'EC2 instance found' : 'No EC2 instance found (optional)',
+    });
+    if (instance) {
+      const hasIamRole = (instance as any).Properties?.IamInstanceProfile;
+      this.checks.push({
+        name: 'EC2 IAM Role',
+        status: hasIamRole ? 'pass' : 'warning',
+        message: hasIamRole
+          ? 'EC2 instance has IAM instance profile'
+          : 'EC2 instance missing IAM instance profile',
+      });
+    }
+  }
+  private checkNatGateway(): void {
+    const resources = this.template.Resources || {};
+    const natGateway = Object.values(resources).find((r: any) => r.Type === 'AWS::EC2::NatGateway');
+    this.checks.push({
+      name: 'NAT Gateway',
+      status: natGateway ? 'pass' : 'warning',
+      message: natGateway
+        ? 'NAT Gateway found for private subnet egress'
+        : 'No NAT Gateway found (required for private subnet internet access)',
+    });
+  }
+  private checkNetworkConfiguration(): void {
+    const resources = this.template.Resources || {};
+    // Check for private subnets
+    const privateSubnets = Object.values(resources).filter(
+      (r: any) =>
+        r.Type === 'AWS::EC2::Subnet' &&
+        !r.Properties?.MapPublicIpOnLaunch
+    );
+    this.checks.push({
+      name: 'Private Subnets',
+      status: privateSubnets.length > 0 ? 'pass' : 'fail',
+      message:
+        privateSubnets.length > 0
+          ? `Found ${privateSubnets.length} private subnet(s)`
+          : 'No private subnets found',
+    });
+    // Check for route tables
+    const routeTables = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::EC2::RouteTable'
+    );
+    this.checks.push({
+      name: 'Route Tables',
+      status: routeTables.length > 0 ? 'pass' : 'warning',
+      message:
+        routeTables.length > 0
+          ? `Found ${routeTables.length} route table(s)`
+          : 'No route tables found',
+    });
+  }
+  private generateSummary(valid: boolean, failCount: number): string {
+    const passCount = this.checks.filter(c => c.status === 'pass').length;
+    const warningCount = this.checks.filter(c => c.status === 'warning').length;
+    if (valid) {
+      return `✓ Validation passed. All required checks passed (${passCount} passed, ${warningCount} warnings).`;
+    }
+    return `✗ Validation failed. ${failCount} check(s) failed, ${passCount} passed, ${warningCount} warnings.`;
+  }
+}

package/tsconfig.json CHANGED Viewed

@@ -1,20 +1,20 @@
-{
-  "compilerOptions": {
-    "target": "ES2020",
-    "module": "esnext",
-    "lib": ["ES2020"],
-    "outDir": "./dist",
-    "rootDir": "./src",
-    "strict": true,
-    "esModuleInterop": true,
-    "skipLibCheck": true,
-    "forceConsistentCasingInFileNames": true,
-    "resolveJsonModule": true,
-    "declaration": true,
-    "declarationMap": true,
-    "sourceMap": true,
-    "moduleResolution": "node"
-  },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules"]
-}
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "esnext",
+    "lib": ["ES2020"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "moduleResolution": "node"
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules"]
+}