cfn-check 0.3.1__tar.gz → 0.3.3__tar.gz

{cfn_check-0.3.1 → cfn_check-0.3.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cfn-check
-Version: 0.3.1
+Version: 0.3.3
 Summary: Validate Cloud Formation
 Author-email: Ada Lundhe <adalundhe@lundhe.audio>
 License: MIT License
@@ -50,7 +50,7 @@ Dynamic: license-file
 
 | Package     | cfn-check                                                           |
 | ----------- | -----------                                                     |
-| Version     | 0.2.0                                                           |
+| Version     | 0.3.3                                                           |
 | Download    | https://pypi.org/project/cfn-check/                             | 
 | Source      | https://github.com/adalundhe/cfn-check                          |
 | Keywords    | cloud-formation, testing, aws, cli                              |
@@ -314,7 +314,7 @@ class ValidateSecurityGroups(Collection):
         "Resources::SecurityGroup::Properties::(SecurityGroup)",
         "It checks Security Groups are correctly definined",
     )
-    def validate_test(self, value: list[dict]):
+    def validate_security_groups(self, value: list[dict]):
       assert len(value) > 0
       
       for item in value:
@@ -352,7 +352,7 @@ To select all `Resource` objects, then further extract the `Type` field from eac
 Ranges allow you to perform sophisticated selection of objects or data within a CloudFormation document.
 
 > [!IMPORTANT]
-> Range Tokens *only* work on list items. This means that any
+> Range Tokens *only* work on arrays. This means that any
 > values or other objects/data in the selected section of the
 > CloudFormation document will be *ignored* and filtered out.
 
@@ -456,7 +456,7 @@ The Rule will fail as below:
 error: ❌ No results matching results for query Resources::[*]::Type
 ```
 
-As we're selecting objects, not an array! A valid use would be in validating the deeply nested zipfile code of a Lambda's `AppendItemToListFunction`:
+as we're selecting objects, not an array! A valid use would be in validating the deeply nested zipfile code of a Lambda's `AppendItemToListFunction`:
 
 ```yaml
   AppendItemToListFunction:
@@ -514,7 +514,7 @@ will select any EC2 ImageIds that start with either `AWSRegion` or `Custom`.
 
 ### Nested Ranges
 
-CloudFormation often involes nested arrays, and navigates these can make for long and difficult-to-read Queries. To help reduce Query length, `cfn-check` supports nesting Range Tokens. For example, when evaluating:
+CloudFormation often involes nested arrays, and navigating these can make for long and difficult-to-read Queries. To help reduce Query length, `cfn-check` supports nesting Range Tokens. For example, when evaluating:
 
 ```yaml
 ZipFile: !Join
@@ -537,5 +537,51 @@ With Nested Ranges, this can be shortened to:
 
 ```
 Resources::AppendItemToListFunction::Properties::Code::ZipFile::[[]]
+```
 
 Which is both more concise *and* more representitave of our intention to select only the array.
+
+<br/>
+
+# Using Pydantic Models
+
+In addition to traditional `pytest`-like assert statements, `cfn-lint` can validate results returned by queries via `Pydantic` models.
+
+For example, consider again the initial example where we validate the `Type` field of `Resource` objects.
+
+```python
+from cfn_check import Collection, Rule
+
+
+class ValidateResourceType(Collection):
+
+    @Rule(
+        "Resources::*::Type",
+        "It checks Resource::Type is correctly definined",
+    )
+    def validate_test(self, value: str): 
+        assert value is not None, '❌ Resource Type not defined'
+        assert isinstance(value, str), '❌ Resource Type not a string'
+```
+
+Rather than explicitly querying for the type field and writing assertions, we can instead define a `Pydantic` schema, then pass all `Resource` objects to that schema by specifying it as a Python type hint in our `Rule` method's signature.
+
+```python
+from cfn_check import Collection, Rule
+from pydantic import BaseModel, StrictStr
+
+class Resource(BaseModel):
+    Type: StrictStr
+
+
+class ValidateResourceType(Collection):
+
+    @Rule(
+        "Resources::*",
+        "It checks Resource::Type is correctly definined",
+    )
+    def validate_test(self, value: Resource):
+        assert value is not None
+```
+
+By deferring type and existence assertions to `Pydantic` models, you can focus your actual assertion logic on business/security policy checks.

{cfn_check-0.3.1 → cfn_check-0.3.3}/README.md

@@ -9,7 +9,7 @@
 
 | Package     | cfn-check                                                           |
 | ----------- | -----------                                                     |
-| Version     | 0.2.0                                                           |
+| Version     | 0.3.3                                                           |
 | Download    | https://pypi.org/project/cfn-check/                             | 
 | Source      | https://github.com/adalundhe/cfn-check                          |
 | Keywords    | cloud-formation, testing, aws, cli                              |
@@ -273,7 +273,7 @@ class ValidateSecurityGroups(Collection):
         "Resources::SecurityGroup::Properties::(SecurityGroup)",
         "It checks Security Groups are correctly definined",
     )
-    def validate_test(self, value: list[dict]):
+    def validate_security_groups(self, value: list[dict]):
       assert len(value) > 0
       
       for item in value:
@@ -311,7 +311,7 @@ To select all `Resource` objects, then further extract the `Type` field from eac
 Ranges allow you to perform sophisticated selection of objects or data within a CloudFormation document.
 
 > [!IMPORTANT]
-> Range Tokens *only* work on list items. This means that any
+> Range Tokens *only* work on arrays. This means that any
 > values or other objects/data in the selected section of the
 > CloudFormation document will be *ignored* and filtered out.
 
@@ -415,7 +415,7 @@ The Rule will fail as below:
 error: ❌ No results matching results for query Resources::[*]::Type
 ```
 
-As we're selecting objects, not an array! A valid use would be in validating the deeply nested zipfile code of a Lambda's `AppendItemToListFunction`:
+as we're selecting objects, not an array! A valid use would be in validating the deeply nested zipfile code of a Lambda's `AppendItemToListFunction`:
 
 ```yaml
   AppendItemToListFunction:
@@ -473,7 +473,7 @@ will select any EC2 ImageIds that start with either `AWSRegion` or `Custom`.
 
 ### Nested Ranges
 
-CloudFormation often involes nested arrays, and navigates these can make for long and difficult-to-read Queries. To help reduce Query length, `cfn-check` supports nesting Range Tokens. For example, when evaluating:
+CloudFormation often involes nested arrays, and navigating these can make for long and difficult-to-read Queries. To help reduce Query length, `cfn-check` supports nesting Range Tokens. For example, when evaluating:
 
 ```yaml
 ZipFile: !Join
@@ -496,5 +496,51 @@ With Nested Ranges, this can be shortened to:
 
 ```
 Resources::AppendItemToListFunction::Properties::Code::ZipFile::[[]]
+```
+
+Which is both more concise *and* more representitave of our intention to select only the array.
+
+<br/>
+
+# Using Pydantic Models
+
+In addition to traditional `pytest`-like assert statements, `cfn-lint` can validate results returned by queries via `Pydantic` models.
+
+For example, consider again the initial example where we validate the `Type` field of `Resource` objects.
+
+```python
+from cfn_check import Collection, Rule
+
+
+class ValidateResourceType(Collection):
+
+    @Rule(
+        "Resources::*::Type",
+        "It checks Resource::Type is correctly definined",
+    )
+    def validate_test(self, value: str): 
+        assert value is not None, '❌ Resource Type not defined'
+        assert isinstance(value, str), '❌ Resource Type not a string'
+```
+
+Rather than explicitly querying for the type field and writing assertions, we can instead define a `Pydantic` schema, then pass all `Resource` objects to that schema by specifying it as a Python type hint in our `Rule` method's signature.
+
+```python
+from cfn_check import Collection, Rule
+from pydantic import BaseModel, StrictStr
+
+class Resource(BaseModel):
+    Type: StrictStr
+
+
+class ValidateResourceType(Collection):
+
+    @Rule(
+        "Resources::*",
+        "It checks Resource::Type is correctly definined",
+    )
+    def validate_test(self, value: Resource):
+        assert value is not None
+```
 
-Which is both more concise *and* more representitave of our intention to select only the array.
+By deferring type and existence assertions to `Pydantic` models, you can focus your actual assertion logic on business/security policy checks.

{cfn_check-0.3.1 → cfn_check-0.3.3}/cfn_check/evaluation/evaluator.py

@@ -47,7 +47,7 @@ class Evaluator:
 
                 composite_keys = updated_keys
 
-        assert len(composite_keys) == len(items), f'❌ {len(items)} returned for {len(composite_keys)} keys. Are you sure you used a range ([*]) selector?'
+        assert len(composite_keys) == len(items), f'❌ {len(items)} matches returned for {len(composite_keys)} keys. Are you sure you used a range ([*]) selector?'
 
         results: list[tuple[str, Data]] = []
         for idx, item in enumerate(list(items)):

{cfn_check-0.3.1 → cfn_check-0.3.3}/cfn_check/evaluation/parsing/token.py

@@ -146,7 +146,7 @@ class Token:
             (idx, item)
             for idx, item in enumerate(node)
             if self.selector.match(item) or (
-                isinstance(item, dict, list)
+                isinstance(item, (dict, list))
                 and any([
                     self.selector.match(val)
                     for val in item
@@ -155,8 +155,8 @@ class Token:
         ]
         
         return (
-            [str(idx) for idx in matches],
-            [item for item in matches]
+            [str(idx) for idx, _ in matches],
+            [item for _, item in matches]
         )
     
     def _match_unbound_range(
@@ -185,14 +185,29 @@ class Token:
             ) for idx, value in enumerate(node) if (
                 str(value) == self.selector
             ) or (
-                isinstance(value, dict, list)
-                and value in self.selector
+                isinstance(value, (dict, list))
+                and self.selector in value
             )
         ]
 
+        for idx, match in enumerate(matches):
+            match_idx, item = match
+
+            if isinstance(item, dict):
+                matches[idx] = (
+                    match_idx,
+                    item.get(self.selector),
+                )
+
+            elif isinstance(item, list):
+                match_idx[idx] = (
+                    match_idx,
+                    matches[match_idx],
+                )
+
         return (
-            [str(idx) for idx in matches],
-            [item for item in matches]
+            [str(idx) for idx, _ in matches],
+            [item for _, item in matches]
         )
     
     def _match_nested_range(
@@ -243,7 +258,10 @@ class Token:
             return None, None
         
         if isinstance(node, dict):
-            return ['*'], node.values()
+            return (
+                ['*' for _ in node],
+                node.values()
+            )
         
         elif isinstance(node, list):
             return (

{cfn_check-0.3.1 → cfn_check-0.3.3}/cfn_check.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cfn-check
-Version: 0.3.1
+Version: 0.3.3
 Summary: Validate Cloud Formation
 Author-email: Ada Lundhe <adalundhe@lundhe.audio>
 License: MIT License
@@ -50,7 +50,7 @@ Dynamic: license-file
 
 | Package     | cfn-check                                                           |
 | ----------- | -----------                                                     |
-| Version     | 0.2.0                                                           |
+| Version     | 0.3.3                                                           |
 | Download    | https://pypi.org/project/cfn-check/                             | 
 | Source      | https://github.com/adalundhe/cfn-check                          |
 | Keywords    | cloud-formation, testing, aws, cli                              |
@@ -314,7 +314,7 @@ class ValidateSecurityGroups(Collection):
         "Resources::SecurityGroup::Properties::(SecurityGroup)",
         "It checks Security Groups are correctly definined",
     )
-    def validate_test(self, value: list[dict]):
+    def validate_security_groups(self, value: list[dict]):
       assert len(value) > 0
       
       for item in value:
@@ -352,7 +352,7 @@ To select all `Resource` objects, then further extract the `Type` field from eac
 Ranges allow you to perform sophisticated selection of objects or data within a CloudFormation document.
 
 > [!IMPORTANT]
-> Range Tokens *only* work on list items. This means that any
+> Range Tokens *only* work on arrays. This means that any
 > values or other objects/data in the selected section of the
 > CloudFormation document will be *ignored* and filtered out.
 
@@ -456,7 +456,7 @@ The Rule will fail as below:
 error: ❌ No results matching results for query Resources::[*]::Type
 ```
 
-As we're selecting objects, not an array! A valid use would be in validating the deeply nested zipfile code of a Lambda's `AppendItemToListFunction`:
+as we're selecting objects, not an array! A valid use would be in validating the deeply nested zipfile code of a Lambda's `AppendItemToListFunction`:
 
 ```yaml
   AppendItemToListFunction:
@@ -514,7 +514,7 @@ will select any EC2 ImageIds that start with either `AWSRegion` or `Custom`.
 
 ### Nested Ranges
 
-CloudFormation often involes nested arrays, and navigates these can make for long and difficult-to-read Queries. To help reduce Query length, `cfn-check` supports nesting Range Tokens. For example, when evaluating:
+CloudFormation often involes nested arrays, and navigating these can make for long and difficult-to-read Queries. To help reduce Query length, `cfn-check` supports nesting Range Tokens. For example, when evaluating:
 
 ```yaml
 ZipFile: !Join
@@ -537,5 +537,51 @@ With Nested Ranges, this can be shortened to:
 
 ```
 Resources::AppendItemToListFunction::Properties::Code::ZipFile::[[]]
+```
 
 Which is both more concise *and* more representitave of our intention to select only the array.
+
+<br/>
+
+# Using Pydantic Models
+
+In addition to traditional `pytest`-like assert statements, `cfn-lint` can validate results returned by queries via `Pydantic` models.
+
+For example, consider again the initial example where we validate the `Type` field of `Resource` objects.
+
+```python
+from cfn_check import Collection, Rule
+
+
+class ValidateResourceType(Collection):
+
+    @Rule(
+        "Resources::*::Type",
+        "It checks Resource::Type is correctly definined",
+    )
+    def validate_test(self, value: str): 
+        assert value is not None, '❌ Resource Type not defined'
+        assert isinstance(value, str), '❌ Resource Type not a string'
+```
+
+Rather than explicitly querying for the type field and writing assertions, we can instead define a `Pydantic` schema, then pass all `Resource` objects to that schema by specifying it as a Python type hint in our `Rule` method's signature.
+
+```python
+from cfn_check import Collection, Rule
+from pydantic import BaseModel, StrictStr
+
+class Resource(BaseModel):
+    Type: StrictStr
+
+
+class ValidateResourceType(Collection):
+
+    @Rule(
+        "Resources::*",
+        "It checks Resource::Type is correctly definined",
+    )
+    def validate_test(self, value: Resource):
+        assert value is not None
+```
+
+By deferring type and existence assertions to `Pydantic` models, you can focus your actual assertion logic on business/security policy checks.

{cfn_check-0.3.1 → cfn_check-0.3.3}/cfn_check.egg-info/SOURCES.txt

@@ -34,4 +34,5 @@ cfn_check/shared/__init__.py
 cfn_check/shared/types.py
 cfn_check/validation/__init__.py
 cfn_check/validation/validator.py
+example/pydantic_rules.py
 example/rules.py

cfn_check-0.3.3/example/pydantic_rules.py

@@ -0,0 +1,15 @@
+from cfn_check import Collection, Rule
+from pydantic import BaseModel, StrictStr
+
+class Resource(BaseModel):
+    Type: StrictStr
+
+
+class ValidateResourceType(Collection):
+
+    @Rule(
+        "Resources::*",
+        "It checks Resource::Type is correctly definined",
+    )
+    def validate_test(self, value: Resource):
+        assert value is not None

{cfn_check-0.3.1 → cfn_check-0.3.3}/example/rules.py

@@ -41,7 +41,7 @@ class ResourcesChecks(Collection):
         "Resources::SecurityGroup::Properties::(SecurityGroup)::[]",
         "It checks Security Groups are correctly definined",
     )
-    def validate_test(self, value: list[dict]):
+    def validate_security_groups(self, value: list[dict]):
       assert len(value) > 0
       
       for item in value:
@@ -68,4 +68,13 @@ class ResourcesChecks(Collection):
     def validate_lambda_code_zipfile(self, value: list[str]):
         assert value is not None, '❌ Lambda zipfile code is not defined'
         assert isinstance(value, list), '❌ Lambda execution zipfile code not a list'
-        assert len(value) > 0,'❌ Lambda execution zipfile code empty'
+        assert len(value) > 0,'❌ Lambda execution zipfile code empty'
+
+    @Rule(
+        "Resources::SecurityGroup::Properties::(SecurityGroup)::[IpProtocol]",
+        "It checks Security Groups IpProtocols are tcp",
+    )
+    def validate_ip_protocols(self, ip_protocol: str):
+        assert ip_protocol is not None
+        assert isinstance(ip_protocol, str)
+        assert ip_protocol == "tcp"

{cfn_check-0.3.1 → cfn_check-0.3.3}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cfn-check"
-version = "0.3.1"
+version = "0.3.3"
 requires-python = ">=3.12"
 description = "Validate Cloud Formation"
 readme = "README.md"