cfn-check 0.6.1__py3-none-any.whl → 0.7.0__py3-none-any.whl

cfn_check/cli/render.py

@@ -3,6 +3,7 @@ from async_logging import LogLevelName, Logger, LoggingConfig
 from cocoa.cli import CLI
 
 from cfn_check.cli.utils.files import load_templates, write_to_file
+from cfn_check.cli.utils.stdout import write_to_stdout
 from cfn_check.rendering import Renderer
 from cfn_check.logging.models import InfoLog
 
@@ -10,36 +11,22 @@ from cfn_check.logging.models import InfoLog
 @CLI.command()
 async def render(
     path: str,
-    output_file: str  = 'rendered.yml',
+    output_file: str | None = None,
+    attributes: list[str] | None = None,
+    mappings: list[str] | None = None,
     parameters: list[str] | None = None,
     references: list[str] | None = None,
-    tags: list[str] = [
-        'Ref',
-        'Sub',
-        'Join',
-        'Select',
-        'Split',
-        'GetAtt',
-        'GetAZs',
-        'ImportValue',
-        'Equals',
-        'If',
-        'Not',
-        'And',
-        'Or',
-        'Condition',
-        'FindInMap',
-    ],
     log_level: LogLevelName = 'info',
 ):
     """
     Render a Cloud Formation template
 
     @param output_file Path to output the rendered CloudFormation template to
+    @param attributes A list of <key>=<value> input !GetAtt attributes to use
+    @param mappings A list of <key>=<value> input Mappings to use
     @param parameters A list of <key>=<value> input Parameters to use
     @param references A list of <key>=<value> input !Ref values to use
-    @param tags List of CloudFormation intrinsic function tags
-    @param log_level The log level to use
+    @param log-level The log level to use
     """
     logging_config = LoggingConfig()
     logging_config.update(
@@ -47,6 +34,18 @@ async def render(
         log_output='stderr',
     )
 
+    parsed_attributes: dict[str, str] | None = None
+    if attributes:
+        parsed_attributes = dict([
+            attribute.split('=', maxsplit=1) for attribute in attributes if len(attribute.split('=', maxsplit=1)) > 0
+        ])
+
+    parsed_mappings: dict[str, str] | None = None
+    if mappings:
+        parsed_mappings = dict([
+            mapping.split('=', maxsplit=1) for mapping in mappings if len(mapping.split('=', maxsplit=1)) > 0
+        ])
+
     parsed_parameters: dict[str, str] | None = None
     if parameters:
         parsed_parameters = dict([
@@ -72,10 +71,15 @@ async def render(
     renderer = Renderer()
     rendered = renderer.render(
         template,
+        attributes=parsed_attributes,
+        mappings=parsed_mappings,
         parameters=parsed_parameters,
         references=parsed_references,
     )
 
-    await write_to_file(output_file, rendered)
+    if output_file is False:
+        await write_to_file(output_file, rendered)
+        await logger.log(InfoLog(message=f'✅ {path} template rendered'))
 
-    await logger.log(InfoLog(message=f'✅ {path} template rendered'))
+    else:
+        await write_to_stdout(rendered)

cfn_check/cli/utils/files.py

@@ -67,7 +67,6 @@ async def localize_path(path: str, loop: asyncio.AbstractEventLoop):
 
 async def load_templates(
     path: str,
-    tags: list[str],
     file_pattern: str | None = None,
 ):
 

cfn_check/cli/utils/stdout.py

@@ -0,0 +1,18 @@
+import asyncio
+import sys
+from ruamel.yaml import YAML
+from ruamel.yaml.comments import CommentedBase
+
+async def write_to_stdout(data: CommentedBase):
+    loop = asyncio.get_event_loop()
+
+    yaml = YAML(typ=['rt'])
+    yaml.preserve_quotes = True
+    yaml.width = 4096
+    yaml.indent(mapping=2, sequence=4, offset=2)
+    await loop.run_in_executor(
+        None,
+        yaml.dump,
+        data,
+        sys.stdout,
+    )

cfn_check/cli/validate.py

@@ -11,36 +11,24 @@ from cfn_check.collection.collection import Collection
 from cfn_check.validation.validator import Validator
 
 
-@CLI.command()
+@CLI.command(
+    shortnames={
+        'flags': 'F'
+    }
+)
 async def validate(
     path: str,
     file_pattern: str | None = None,
     rules: ImportType[Collection] = None,
-    tags: list[str] = [
-        'Ref',
-        'Sub',
-        'Join',
-        'Select',
-        'Split',
-        'GetAtt',
-        'GetAZs',
-        'ImportValue',
-        'Equals',
-        'If',
-        'Not',
-        'And',
-        'Or',
-        'Condition',
-        'FindInMap',
-    ],
+    flags: list[str] | None = None,
     log_level: LogLevelName = 'info',
 ):
     '''
     Validate Cloud Foundation
     
-    @param rules Path to a file containing Collections
+    @param disabled A list of string features to disable during checks
     @param file_pattern A string pattern used to find template files
-    @param tags List of CloudFormation intrinsic function tags
+    @param rules Path to a file containing Collections
     @param log_level The log level to use
     '''
 
@@ -52,9 +40,11 @@ async def validate(
 
     logger = Logger()
 
+    if flags is None:
+        flags = []
+
     templates = await load_templates(
         path,
-        tags,
         file_pattern=file_pattern,
     )
 
@@ -71,7 +61,7 @@ async def validate(
         for rule in rules.data.values()
         for _, validation in inspect.getmembers(rule)
         if isinstance(validation, Validator)
-    ])
+    ], flags=flags)
     
     if validation_error := validation_set.validate([
         template_data for _, template_data in templates

cfn_check/evaluation/evaluator.py

@@ -12,7 +12,14 @@ from .parsing import QueryParser
 
 class Evaluator:
 
-    def __init__(self):
+    def __init__(
+        self,
+        flags: list[str] | None = None
+    ):
+        if flags is None:
+            flags = []
+
+        self.flags = flags
         self._query_parser = QueryParser()
         self._renderer = Renderer()
 
@@ -22,9 +29,11 @@ class Evaluator:
         path: str,
     ):
         items: Items = deque()
+        
+        if 'no-render' not in self.flags:
+            resources = self._renderer.render(resources)
 
-        rendered = self._renderer.render(resources)
-        items.append(rendered)
+        items.append(resources)
 
         segments = path.split("::")[::-1]
         # Queries can be multi-segment,

cfn_check/evaluation/validate.py

@@ -9,8 +9,13 @@ class ValidationSet:
     def __init__(
         self,
         validators: list[Validator],
+        flags: list[str] | None = None
     ):
-        self._evaluator = Evaluator()
+        
+        if flags is None:
+            flags = []
+
+        self._evaluator = Evaluator(flags=flags)
         self._validators = validators
 
     @property

cfn_check/rendering/cidr_solver.py

@@ -0,0 +1,66 @@
+class IPv4CIDRSolver:
+
+    def __init__(
+        self,
+        host: str,
+        desired: int,
+        bits: int,
+    ):
+        self.host = host
+        self.subnets_desired = desired
+        self.subnet_bits = bits
+
+        host_ip, mask = self.host.split('/', maxsplit=1)
+
+        self.host_ip = host_ip
+        self._host_mask_string = f'/{mask}'
+        self.host_mask = int(mask)
+
+        self.subnet_mask = 32 - bits
+
+        self._host_octets = [
+            int(octet) for octet in self.host.strip(self._host_mask_string).split('.')
+        ]
+    
+    def provision_subnets(self):
+        subnet_requested_ips = 2**self.subnet_bits
+        host_available_ips = 2**(32 - self.host_mask)
+
+        total_ips_requested = subnet_requested_ips * self.subnets_desired
+        if host_available_ips < total_ips_requested:
+            return []
+
+        return [
+            self._provision_subnet(
+                subnet_requested_ips,
+                idx
+            ) for idx in range(self.subnets_desired)
+        ]
+
+    
+    def _provision_subnet(
+        self,
+        requested_ips: int,
+        idx: int,
+    ):
+        increment = requested_ips
+        octet_idx = -1
+        if requested_ips > 255:
+            increment /= 256
+            octet_idx -= 1
+
+        increment *= idx
+
+        subnet = list(self._host_octets)
+
+        subnet[octet_idx] += increment
+
+        subnet_base_ip = '.'.join([
+            str(octet) for octet in subnet
+        ])
+
+        return f'{subnet_base_ip}/{self.subnet_mask}'
+
+
+
+    

cfn_check/rendering/renderer.py

@@ -2,10 +2,12 @@ from __future__ import annotations
 import base64
 import json
 import re
+import copy
 from typing import Callable, Any
 from collections import deque
 from ruamel.yaml.tag import Tag
 from ruamel.yaml.comments import TaggedScalar, CommentedMap, CommentedSeq
+from .cidr_solver import IPv4CIDRSolver
 from .utils import assign
 
 from cfn_check.shared.types import (
@@ -14,6 +16,14 @@ from cfn_check.shared.types import (
     YamlObject,
 )
 
+Resolver = Callable[
+    [
+        CommentedMap,
+        CommentedMap | CommentedSeq | TaggedScalar | YamlObject
+    ],
+    CommentedMap | CommentedSeq | TaggedScalar | YamlObject,
+]
+
 class Renderer:
 
     def __init__(self):
@@ -31,6 +41,44 @@ class Renderer:
         self._resources: dict[str, YamlObject] = CommentedMap()
         self._attributes: dict[str, str] = {}
 
+        self._inline_functions = {
+            'Fn::ForEach': re.compile(r'Fn::ForEach::\w+'),
+            'Fn::If': re.compile(r'Fn::If'),
+            'Fn::And': re.compile(r'Fn::And'),
+            'Fn::Equals': re.compile(r'Fn::Equals'),
+            'Fn::Not': re.compile(r'Fn::Not'),
+            'Fn::Or': re.compile(r'Fn::Or'),
+            'Fn:GetAtt': re.compile(r'Fn::GetAtt'),
+            'Fn::Join': re.compile(r'Fn::Join'),
+            'Fn::Sub': re.compile(r'Fn::Sub'),
+            'Fn::Base64': re.compile(r'Fn::Base64'),
+            'Fn::Split': re.compile(r'Fn::Split'),
+            'Fn::Select': re.compile(r'Fn::Select'),
+            'Fn::ToJsonString': re.compile(r'Fn::ToJsonString'),
+            'Fn::Condition': re.compile(r'Fn::Condition'),
+            'Fn::Cidr': re.compile(r'Fn::Cidr'),
+            'Fn::Length': re.compile(r'Fn::Length')
+        }
+
+        self._inline_resolvers = {
+            'Fn::ForEach': self._resolve_foreach,
+            'Fn::If': self._resolve_if,
+            'Fn::And': self._resolve_and,
+            'Fn::Equals': self._resolve_equals,
+            'Fn::Not': self._resolve_not,
+            'Fn::Or': self._resolve_or,
+            'Fn:GetAtt': self._resolve_getatt,
+            'Fn::Join': self._resolve_join,
+            'Fn::Sub': self._resolve_sub,
+            'Fn::Base64': self._resolve_base64,
+            'Fn::Split': self._resolve_split,
+            'Fn::Select': self._resolve_select,
+            'Fn::ToJsonString': self._resolve_tree_to_json,
+            'Fn::Condition': self._resolve_condition,
+            'Fn::Cidr': self._resolve_cidr,
+            'Fn::Length': self._resolve_length
+        }
+
         self._resolvers: dict[str, Callable[[CommentedMap, str], YamlObject]] = {
             '!Ref': self._resolve_ref,
             '!FindInMap': self._resolve_by_subset_query,
@@ -46,7 +94,8 @@ class Renderer:
             '!Condition': self._resolve_condition,
             '!And': self._resolve_and,
             '!Not': self._resolve_not,
-            '!Or': self._resolve_or
+            '!Or': self._resolve_or,
+            '!Cidr': self._resolve_cidr,
         }
 
     def render(
@@ -62,14 +111,6 @@ class Renderer:
 
         self._assemble_parameters(template)
 
-        attributes = {
-            'LambdaExecutionRole.Arn': 'This is a test',
-            'AllSecurityGroups.Value': [
-                '123456',
-                '112211'
-            ]
-
-        }
         if attributes:
             self._attributes = self._process_attributes(attributes)
 
@@ -96,7 +137,14 @@ class Renderer:
 
         while self.items:
             parent, accessor, node = self.items.pop()
-
+            if match := self._match_and_resolve_accessor_fn(
+                root,
+                parent,
+                accessor,
+                node,
+            ):
+                root.update(match)
+            
             if isinstance(node, TaggedScalar):
                 # Replace in parent
                 if parent is not None and (
@@ -142,31 +190,34 @@ class Renderer:
 
         return root
     
-    def _find_matching_key(
+    def _match_and_resolve_accessor_fn(
         self,
-        root: CommentedMap, 
-        search_key: str,
+        root: CommentedMap,
+        parent: CommentedMap | CommentedSeq | TaggedScalar | YamlObject | None,
+        accessor: str | int | None,
+        node: CommentedMap | CommentedSeq | TaggedScalar | YamlObject,
     ):
-        """Returns the first path (list of keys/indices) to a mapping with key == search_key, and the value at that path."""
-        stack = [(root, [])]
-        while stack:
-            node, path = stack.pop()
-            if isinstance(node, CommentedMap):
-                for k in node.keys():
-                    if k == search_key:
-                        return node[k]
-                    stack.append((node[k], path + [k]))
-            elif isinstance(node, CommentedSeq):
-                for idx, item in reversed(list(enumerate(node))):
-                    stack.append((item, path + [idx]))
+        if not isinstance(accessor, str):
+            return None
+        
+        resolver: Resolver | None  = None
+        matcher_pattern: re.Pattern | None = None
+        for key, pattern in self._inline_functions.items():
+            if pattern.match(accessor):
+                matcher_pattern = pattern
+                resolver = self._inline_resolvers[key]
+
+        if resolver is None:
+            return None
+        
+        result = resolver(root, node)
 
-        return None  # No match found
-    
-    def _assemble_parameters(self, resources: YamlObject):
-        params: dict[str, Data] = resources.get("Parameters", {})
-        for param_name, param in params.items():
-            if default := param.get("Default"):
-                self._parameters_with_defaults[param_name] = default
+        return self._replace_target(
+            root,
+            parent,
+            result,
+            matcher_pattern,
+        )
 
     def _resolve_tagged(self, root: CommentedMap, node: TaggedScalar | CommentedMap | CommentedSeq):
         resolver: Callable[[CommentedMap, str], YamlObject] | None = None
@@ -195,75 +246,10 @@ class Renderer:
             return ref
 
         else:
-            return self._find_matching_key(root, scalar.value)
-        
-    def _resolve_by_subset_query(
-        self, 
-        root: CommentedMap, 
-        subset: CommentedMap | CommentedSeq,
-    ) -> YamlObject | None:
-        """
-        Traverse `subset` iteratively. For every leaf (scalar or TaggedScalar) encountered in `subset`,
-        use its value as the next key/index into `root`. Return (path, value) where:
-        - path: list of keys/indices used to reach into `root`
-        - value: the value at the end of traversal, or None if a step was missing (early return)
-        TaggedScalar is treated as a leaf and its .value is used as the key component.
-        """
-        current = self._mappings
-        path = []
-
-        stack = [(subset, [])]
-        while stack:
-            node, _ = stack.pop()
-
-            if isinstance(node, CommentedMap):
-
-                if isinstance(node.tag, Tag) and node.tag.value is not None and (
-                    node != subset
-                ):
-                    resolved_node = self._resolve_tagged(root, node)
-                    stack.append((resolved_node, []))
-                
-                else:
-                    for k in reversed(list(node.keys())):
-                        stack.append((node[k], []))
-
-            elif isinstance(node, CommentedSeq):
-
-                if isinstance(node.tag, Tag) and node.tag.value is not None and (
-                    node != subset
-                ):
-                    resolved_node = self._resolve_tagged(root, node)
-                    stack.append((resolved_node, []))
-
-                else:
-                    for val in reversed(node):
-                        stack.append((val, []))
-            else:
-                # Leaf: scalar or TaggedScalar
-                key = self._resolve_tagged(
-                    self._selected_mappings,
-                    node,
-                ) if isinstance(node, TaggedScalar) else node
-                path.append(key)
-
-                if isinstance(current, CommentedMap):
-                    if key in current:
-                        current = current[key]
-                    else:
-                        return None
-                elif isinstance(current, CommentedSeq) and isinstance(key, int) and 0 <= key < len(current):
-                    current = current[key]
-                else:
-                    return None
-                
-        if isinstance(current, TaggedScalar):
-            return path, self._resolve_tagged(
-                self._selected_mappings,
-                current,
+            return self._resolve_subtree(
+                root,
+                self._find_matching_key(root, scalar.value),
             )
-
-        return current
     
     def _resolve_getatt(
         self,
@@ -271,16 +257,16 @@ class Renderer:
         query: TaggedScalar | CommentedMap | CommentedSeq,
     ) -> YamlObject | None:
         steps: list[str] = []
-
+        
         if isinstance(query, TaggedScalar):
             steps_string: str = query.value
             steps = steps_string.split('.')
 
         elif (
-            resolved := self._longest_path(root, query)
+            resolved := self._resolve_subtree(root, query)
         ) and isinstance(
             resolved,
-            list,
+            CommentedSeq,
         ):
             steps = resolved
 
@@ -289,8 +275,12 @@ class Renderer:
         ):
             return value
 
-        current = self._resources
-        for step in steps:
+        current = self._resources.get(steps[0], CommentedMap()).get(
+            'Properties',
+            CommentedMap(),
+        )
+
+        for step in steps[1:]:
             if step == 'Value':
                 return current
             # Mapping
@@ -404,6 +394,60 @@ class Renderer:
         
         return source
     
+    def _resolve_foreach(
+        self,
+        root: CommentedMap,
+        source: CommentedSeq | CommentedMap | TaggedScalar,
+    ):
+        if not isinstance(source, CommentedSeq) or len(source) < 3:
+            return source
+        
+        identifier = source[0]
+        if not isinstance(identifier, str):
+            identifier = self._resolve_subtree(root, identifier)
+
+        collection = source[1]
+        if not isinstance(collection, list):
+            return source
+        
+        collection: list[str] = self._resolve_subtree(root, collection)
+
+        output = source[2]
+        if not isinstance(output, CommentedMap):
+            return source
+
+        resolved_items = CommentedMap()
+        for item in collection:
+            self._references[identifier] = item
+            resolved_items.update(
+                self._resolve_foreach_item(
+                    root,
+                    self._copy_subtree(output),
+                ) 
+            )
+        
+        return resolved_items
+    
+    def _resolve_foreach_item(
+        self,
+        root: CommentedMap,
+        output_item: CommentedMap,
+    ):
+        output_map: dict[str, CommentedMap] = {}
+        for output_key, output_value in output_item.items():
+            variables = self._resolve_template_string(output_key)
+            resolved_key = self._resolve_sub_ref_queries(
+                variables,
+                output_key,
+            )
+
+            output_map[resolved_key] = self._resolve_subtree(
+                root,
+                output_value,
+            )
+
+        return output_map
+    
     def _resolve_split(
         self,
         root: CommentedMap,
@@ -504,6 +548,8 @@ class Renderer:
         ):
             condition_key = self._resolve_subtree(root, condition_key)
 
+        result = self._resolve_subtree(root, self._conditions.get(condition_key))
+
         true_result = source[1]
         if isinstance(
             true_result,
@@ -512,35 +558,8 @@ class Renderer:
             true_result = self._resolve_subtree(root, true_result)
 
         false_result = source[2]
-        if isinstance(
-            true_result,
-            (CommentedMap, CommentedSeq, TaggedScalar),
-        ):
-            false_result = self._resolve_subtree(root, false_result)
-
-        if (
-            condition := self._conditions.get(condition_key)
-        ) and isinstance(
-            condition,
-            (CommentedMap, CommentedSeq, TaggedScalar)
-        ) and (
-            result := self._resolve_subtree(root, condition)
-        ) and isinstance(
-            result,
-            bool,
-        ):
-            
-            return true_result if result else False
-
-        elif (
-            condition := self._conditions.get(condition_key)
-        ) and isinstance(
-            condition,
-            bool,
-        ):
-            return true_result if condition else False
         
-        return source
+        return true_result if isinstance(result, bool) and result else false_result
     
     def _resolve_condition(
         self,
@@ -646,6 +665,32 @@ class Renderer:
                 return source
         
         return any(resolved)
+    
+    def _resolve_cidr(
+        self,
+        root: CommentedMap,
+        source: CommentedSeq | CommentedMap | TaggedScalar,
+    ):
+        if not isinstance(
+            source,
+            CommentedSeq,
+        ) or len(source) < 3:
+            return source
+        
+        cidr = self._resolve_subtree(root, source[0])
+        if not isinstance(cidr, str):
+            return source
+
+        subnets_requested = source[1]
+        subnet_cidr_bits = source[2]
+
+        ipv4_solver = IPv4CIDRSolver(
+            cidr,
+            subnets_requested,
+            subnet_cidr_bits,
+        )
+
+        return CommentedSeq(ipv4_solver.provision_subnets())
 
     def _resolve_tree_to_json(
         self,
@@ -706,6 +751,201 @@ class Renderer:
                         stack.append((node, idx, val))
         
         return json.dumps(source)
+    
+    def _resolve_length(
+        self,
+        root: CommentedMap,
+        source: CommentedMap | CommentedSeq | TaggedScalar | YamlObject,
+    ):
+        items = CommentedSeq()
+        if isinstance(source, TaggedScalar):
+            items = self._resolve_tagged(root, source)
+
+        elif isinstance(source, (CommentedMap, CommentedSeq)):
+            items = self._resolve_subtree(root, source)
+
+        elif isinstance(source, (str, list, dict)):
+            items = source
+
+        else:
+            return source
+        
+        return len(items)
+
+    def _copy_subtree(
+        self,
+        root: CommentedMap | CommentedSeq | TaggedScalar | YamlObject,
+    ) -> Any:
+        """
+        Depth-first clone of a ruamel.yaml tree.
+        - Rebuilds CommentedMap/CommentedSeq
+        - Copies TaggedScalar (preserves tag and value)
+        - Scalars are copied as-is
+        Note: does not preserve comments/anchors.
+        """
+        if isinstance(root, CommentedMap):
+            root_clone: Any = CommentedMap()
+        elif isinstance(root, CommentedSeq):
+            root_clone = CommentedSeq()
+        elif isinstance(root, TaggedScalar):
+            return TaggedScalar(
+                value=root.value,
+                tag=root.tag,
+            )
+        else:
+            return root
+
+        stack: list[
+            tuple[
+                Any,
+                CommentedMap | CommentedSeq | None,
+                Any | None,
+            ]
+        ] = [(root, None, None)]
+
+        built: dict[
+            int,
+            CommentedMap | CommentedSeq,
+        ] = {id(root): root_clone}
+
+        while stack:
+            in_node, out_parent, out_key = stack.pop()
+
+            if isinstance(in_node, CommentedMap):
+                out_container = built.get(id(in_node))
+                if out_container is None:
+                    out_container = CommentedMap()
+                    built[id(in_node)] = out_container
+                assign(out_parent, out_key, out_container)
+
+                for k in reversed(list(in_node.keys())):
+                    v = in_node[k]
+                    if isinstance(v, CommentedMap):
+                        child = CommentedMap()
+                        built[id(v)] = child
+
+                        stack.append((v, out_container, k))
+                    elif isinstance(v, CommentedSeq):
+                        child = CommentedSeq()
+                        built[id(v)] = child
+
+                        stack.append((v, out_container, k))
+                    elif isinstance(v, TaggedScalar):
+                        ts = TaggedScalar(
+                            value=v.value,
+                            tag=v.tag,
+                        )
+
+                        out_container[k] = ts
+                    else:
+                        out_container[k] = v
+
+            elif isinstance(in_node, CommentedSeq):
+                out_container = built.get(id(in_node))
+                if out_container is None:
+                    out_container = CommentedSeq()
+                    built[id(in_node)] = out_container
+                assign(out_parent, out_key, out_container)
+
+                for idx in reversed(range(len(in_node))):
+                    v = in_node[idx]
+
+                    if isinstance(v, CommentedMap):
+                        child = CommentedMap()
+                        built[id(v)] = child
+
+                        stack.append((v, out_container, idx))
+                    elif isinstance(v, CommentedSeq):
+                        child = CommentedSeq()
+                        built[id(v)] = child
+
+                        stack.append((v, out_container, idx))
+                    elif isinstance(v, TaggedScalar):
+                        ts = TaggedScalar(
+                            value=v.value,
+                            tag=v.tag,
+                        )
+
+                        out_container.append(ts)
+                    else:
+                        out_container.append(v)
+
+            elif isinstance(in_node, TaggedScalar):
+                ts = TaggedScalar(
+                    value=in_node.value,
+                    tag=in_node.tag,
+                )
+
+                assign(out_parent, out_key, ts)
+
+            else:
+                assign(out_parent, out_key, in_node)
+
+        return root_clone
+
+    def _replace_target(
+        self,
+        root: CommentedMap,
+        target: CommentedMap,
+        replacement: Any,
+        matcher_pattern: re.Pattern
+    ) -> CommentedMap: 
+        if not isinstance(target, CommentedMap):
+            return root
+
+        if root is target:
+            return replacement
+        
+        stack: list[tuple[Any, Any | None, Any | None]] = [(root, None, None)]
+        
+        while stack:
+            node, parent, accessor = stack.pop()
+            
+            if isinstance(node, CommentedMap):
+                for k in reversed(list(node.keys())):
+                    child = node[k]
+                    if child is target and isinstance(child, CommentedMap):
+                        for key in list(target.keys()):
+                            if matcher_pattern.match(key):
+                                del child[key]
+
+                        if isinstance(replacement, CommentedMap):
+                            child.update(replacement)
+                            node[k] = child
+                            
+                        else:
+                            node[k] = replacement
+
+                        if parent:
+                            parent[accessor] = node
+
+                        return root
+                    
+                    stack.append((child, node, k))
+            
+            elif isinstance(node, CommentedSeq):
+                for idx in reversed(range(len(node))):
+                    child = node[idx]
+                    if child is target and isinstance(child, CommentedMap):
+                        for key in list(target.keys()):
+                            if matcher_pattern.match(key):
+                                del child[key]
+
+                        if isinstance(replacement, CommentedMap):
+                            child.update(replacement)
+                            node[idx] = child
+                            
+                        else:
+                            node[idx] = replacement
+
+                        if parent:
+                            parent[accessor] = node
+
+                        return root
+                    
+                    stack.append((child, node, idx))
+        
+        return root
 
     def _resolve_subtree(
         self,
@@ -718,8 +958,24 @@ class Renderer:
         """
         stack: list[tuple[CommentedMap | CommentedSeq | None, Any | None, Any]] = [(None, None, source)]
         
+        source_parent, source_index = self._find_parent(root, source)
+        
         while stack:
             parent, accessor, node = stack.pop()
+            if match := self._match_and_resolve_accessor_fn(
+                    root, 
+                    parent, 
+                    accessor,
+                    node,
+            ):
+                root.update(match)
+                # At this point we've likely (and completely)
+                # successfully nuked the source from orbit
+                # so we need to fetch it from the source parent
+                # to get it back (i.e. the ref is no longer 
+                # correct).
+                source = source_parent[source_index]
+
             if isinstance(node, TaggedScalar):
                 # Replace in parent
                 if parent is not None and (
@@ -768,62 +1024,130 @@ class Renderer:
         
         return source
     
-    def _longest_path(
-        self,
-        root: CommentedMap,
-        source: TaggedScalar | CommentedMap | CommentedSeq
-    ):
+    def _resolve_by_subset_query(
+        self, 
+        root: CommentedMap, 
+        subset: CommentedMap | CommentedSeq,
+    ) -> YamlObject | None:
         """
-        Return the longest path from `node` to any leaf as a list of strings.
-        - Map keys are appended as strings.
-        - Sequence indices are appended as strings.
-        - TaggedScalar and other scalars are leafs.
+        Traverse `subset` iteratively. For every leaf (scalar or TaggedScalar) encountered in `subset`,
+        use its value as the next key/index into `root`. Return (path, value) where:
+        - path: list of keys/indices used to reach into `root`
+        - value: the value at the end of traversal, or None if a step was missing (early return)
+        TaggedScalar is treated as a leaf and its .value is used as the key component.
         """
-        stack = [(source, [])]
-        longest: list[str] = []
+        current = self._mappings
+        path = []
 
+        stack = [(subset, [])]
         while stack:
-            current, path = stack.pop()
+            node, _ = stack.pop()
+
+            if isinstance(node, CommentedMap):
 
-            if isinstance(current, CommentedMap):
-                if not current:
-                    if len(path) > len(longest):
-                        longest = path
+                if isinstance(node.tag, Tag) and node.tag.value is not None and (
+                    node != subset
+                ):
+                    resolved_node = self._resolve_tagged(root, node)
+                    stack.append((resolved_node, []))
+                
                 else:
+                    for k in reversed(list(node.keys())):
+                        stack.append((node[k], []))
 
-                    if isinstance(current.tag, Tag) and current.tag.value is not None and (
-                        current != source
-                    ):
-                        resolved_node = self._resolve_tagged(root, current)
-                        stack.append((resolved_node, path))
+            elif isinstance(node, CommentedSeq):
+
+                if isinstance(node.tag, Tag) and node.tag.value is not None and (
+                    node != subset
+                ):
+                    resolved_node = self._resolve_tagged(root, node)
+                    stack.append((resolved_node, []))
 
-                    else:
-                        # Iterate in normal order; push in reverse to keep DFS intuitive
-                        keys = list(current.keys())
-                        for k in reversed(keys):
-                            stack.append((current[k], path + [str(k)]))
-
-            elif isinstance(current, CommentedSeq):
-                if not current:
-                    if len(path) > len(longest):
-                        longest = path
                 else:
-                    if isinstance(current.tag, Tag) and current.tag.value is not None and (
-                        current != source
-                    ):
-                        resolved_node = self._resolve_tagged(root, current)
-                        stack.append((resolved_node, path))
+                    for val in reversed(node):
+                        stack.append((val, []))
+            else:
+                # Leaf: scalar or TaggedScalar
+                key = self._resolve_tagged(
+                    self._selected_mappings,
+                    node,
+                ) if isinstance(node, TaggedScalar) else node
+                path.append(key)
 
+                if isinstance(current, CommentedMap):
+                    if key in current:
+                        current = current[key]
                     else:
-                        for idx in reversed(range(len(current))):
-                            stack.append((current[idx], path + [str(idx)]))
+                        return None
+                elif isinstance(current, CommentedSeq) and isinstance(key, int) and 0 <= key < len(current):
+                    current = current[key]
+                else:
+                    return None
+                
+        if isinstance(current, TaggedScalar):
+            return path, self._resolve_tagged(
+                self._selected_mappings,
+                current,
+            )
 
-            else:
-                # Scalar (incl. TaggedScalar) -> leaf
-                if len(path) > len(longest):
-                    longest = path
+        return current
+    
+    def _find_matching_key(
+        self,
+        root: CommentedMap, 
+        search_key: str,
+    ):
+        """Returns the first path (list of keys/indices) to a mapping with key == search_key, and the value at that path."""
+        stack = [(root, [])]
+        while stack:
+            node, path = stack.pop()
+            if isinstance(node, CommentedMap):
+                for k in reversed(list(node.keys())):
+                    if k == search_key:
+                        return node[k]
+                    stack.append((node[k], path + [k]))
+            elif isinstance(node, CommentedSeq):
+                for idx, item in reversed(list(enumerate(node))):
+                    stack.append((item, path + [idx]))
 
-        return longest
+        return None  # No match found
+    
+    def _find_parent(
+        self,
+        root: CommentedMap,
+        target: CommentedMap,
+    ) -> CommentedMap: 
+        
+        stack: list[tuple[Any, Any | None, Any | None]] = [(root, None, None)]
+        
+        while stack:
+            node, parent, accessor = stack.pop()
+            
+            if isinstance(node, CommentedMap):
+                for k in reversed(list(node.keys())):
+                    child = node[k]
+                    if child is target and isinstance(child, CommentedMap):
+                        return node, k
+                    
+                    stack.append((child, node, k))
+            
+            elif isinstance(node, CommentedSeq):
+                for idx in reversed(range(len(node))):
+                    child = node[idx]
+                    if child is target and isinstance(child, CommentedMap):
+                        return node, node.index(child)
+                    
+                    stack.append((child, node, idx))
+        
+        return None, None
+    
+    def _assemble_parameters(self, resources: YamlObject):
+        params: dict[str, Data] = resources.get("Parameters", {})
+        for param_name, param in params.items():
+            if isinstance(param, CommentedMap) and (
+                default := param.get("Default")
+            ):
+                self._parameters_with_defaults[param_name] = default
 
     def _assemble_mappings(self, mappings: dict[str, str]):
         for mapping, value in mappings.items():
@@ -920,7 +1244,6 @@ class Renderer:
         return root_out
 
     def _resolve_template_string(self, template: str):
-
         variables: list[tuple[str, str]] = []
         for match in self._sub_pattern.finditer(template):
             variables.append((

{cfn_check-0.6.1.dist-info → cfn_check-0.7.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cfn-check
-Version: 0.6.1
+Version: 0.7.0
 Summary: Validate Cloud Formation
 Author-email: Ada Lundhe <adalundhe@lundhe.audio>
 License: MIT License
@@ -34,7 +34,7 @@ Requires-Python: >=3.12
 Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: pydantic
-Requires-Dist: pyyaml
+Requires-Dist: ruamel.yaml
 Requires-Dist: hyperlight-cocoa
 Requires-Dist: async-logging
 Dynamic: license-file
@@ -50,7 +50,7 @@ Dynamic: license-file
 
 | Package     | cfn-check                                                           |
 | ----------- | -----------                                                     |
-| Version     | 0.3.3                                                           |
+| Version     | 0.7.0                                                           |
 | Download    | https://pypi.org/project/cfn-check/                             | 
 | Source      | https://github.com/adalundhe/cfn-check                          |
 | Keywords    | cloud-formation, testing, aws, cli                              |
@@ -70,15 +70,20 @@ problems inherint to `cfn-lint` more than `cfn-guard`, primarily:
 - Inability to parse non-resource wildcards
 - Inability to validate non-resource template data
 - Inabillity to use structured models to validate input
+- Poor ability to parse and render CloudFormation Refs/Functions
 
 In comparison to `cfn-guard`, `cfn-check` is pure Python, thus
 avoiding YADSL (Yet Another DSL) headaches. It also proves
 significantly more configurable/modular/hackable as a result.
+`cfn-check` can resolve _some_ (not all) CloudFormation Intrinsic
+Functions and Refs.
 
 CFN-Check uses a combination of simple depth-first-search tree
 parsing, friendly `cfn-lint` like query syntax, `Pydantic` models,
 and `pytest`-like assert-driven checks to make validating your
 Cloud Formation easy while offering both CLI and Python API interfaces.
+CFN-Check also uses a lightning-fast AST-parser to render your templates,
+allowing you to validate policy, not just a YAML document.
 
 <br/>
 
@@ -447,7 +452,7 @@ Resources::*::Type
 Selects all `Resource` objects. If we convert the Wildcard Token in the query to a Wildcard Range Token:
 
 ```
-Resources::*::Type
+Resources::[*]::Type
 ```
 
 The Rule will fail as below:
@@ -585,3 +590,52 @@ class ValidateResourceType(Collection):
 ```
 
 By deferring type and existence assertions to `Pydantic` models, you can focus your actual assertion logic on business/security policy checks.
+
+<br/>
+
+# The Rendering Engine
+
+### Overview
+
+In Version 0.6.X, CFN-Check introduced a rendering engine, which allows it
+to parse and execute Refs and all CloudFormation intrinsic functions via 
+either the CloudFormation document or user-supplied values. This additional
+also resulted in the:
+
+```bash
+cfn-check render <TEMPLATE_PATH >
+```
+
+command being added, allowing you to effectively "dry run" render your
+CloudFormation templates akin to the `helm template` command for Helm.
+
+By default, `cfn-check render` outputs to stdout, however you can easily
+save rendered output to a file via the `-o/--output-file` flag. For example:
+
+```bash
+cfn-check render template.yml -o rendered.yml
+```
+
+The `cfn-check render` command also offers the following options:
+
+- `-a/--attributes`:  A list of <key>=<value> input `!GetAtt` attributes to use
+- `-m/--mappings`: A list of <key>=<value> input `Mappings` to use
+- `-p/--parameters`: A list of <key>=<value> input `Parameters` to use
+- `-l/--log-level`: The log level to use
+
+### The Rendering Engine during Checks
+
+By default rendering is enabled when running `cfn-check` validation. You can 
+disable it by supplying `no-render` to the `-F/--flags` option as below:
+
+```bash
+cfn-check validate -F no-render -r rules.py template.yaml
+```
+
+Disabling rendering means CFN-Check will validate your template as-is, with
+no additional pre-processing and no application of user input values.
+
+> [!WARNING]
+> CloudFormation documents are <b>not</b> "plain yaml" and disabling
+> rendering means any dynamically determined values will likely fail
+> to pass validation, resulting in false positives for failures!

{cfn_check-0.6.1.dist-info → cfn_check-0.7.0.dist-info}/RECORD

@@ -1,17 +1,18 @@
 cfn_check/__init__.py,sha256=ccUo2YxBmuEmak1M5o-8J0ECLXNkDDUsLJ4mkm31GvU,96
 cfn_check/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cfn_check/cli/render.py,sha256=vexGsuvDol8Bn7evVzU0Kf6rAzDytvn3WCp5kTB20mY,2195
+cfn_check/cli/render.py,sha256=FWOrHAk5ZdGVP_Hch3YtC1gOTBoaOiwaTy_oJ3tQjXk,2735
 cfn_check/cli/root.py,sha256=Fi-G3nP-HQMY4iPenF2xnkQF798x5cNWDqJZs9TH66A,1727
-cfn_check/cli/validate.py,sha256=aQF-hCC7vcOpu5VNSkoM8DmrB2hZCgciQvFBHIrpnPc,2178
+cfn_check/cli/validate.py,sha256=QxGMRf-uoe8MRGd9SwiJOrGPw7Ui6-R8QUHjf8B2EWE,2019
 cfn_check/cli/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cfn_check/cli/utils/attributes.py,sha256=hEMWJfNcTOKqWrleS8idWlZP81wAq2J06yV-JQm_WNw,340
-cfn_check/cli/utils/files.py,sha256=OVG95vfAbpfg-WdqoHT8UBGoa7KQima21KZTVp2mm6g,3378
+cfn_check/cli/utils/files.py,sha256=87F72INUuA61k3pQ1NNbg0vUwBYOY7-wn1rPqRWbrao,3357
+cfn_check/cli/utils/stdout.py,sha256=dztgy5cBF03oGHRr5ITvMVVf5qdopPbAQm6Rp0cHZq4,423
 cfn_check/collection/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cfn_check/collection/collection.py,sha256=Fl5ONtvosLrksJklRoxER9j-YN5RUdPN45yS02Yw5jU,1492
 cfn_check/evaluation/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cfn_check/evaluation/errors.py,sha256=yPJdtRYo67le4yMC9sYqcboCnkqKsJ3KPbSPFY2-Pi8,773
-cfn_check/evaluation/evaluator.py,sha256=VtYXydZFkp66VaADB9nDmJOBlPJ6lKASSM8AP1xHBZE,2377
-cfn_check/evaluation/validate.py,sha256=yy8byYAoHxFqkS2HfewHup22B3bYtrUH2PhPuNAc--A,1547
+cfn_check/evaluation/evaluator.py,sha256=GjwljK1fiFeJ_iRfLAAPaPpbZ6fBcDBIN1LhOHlmzMY,2565
+cfn_check/evaluation/validate.py,sha256=b5TpFKOnn9dutowCXGaoU5Jw3_l9HqpGaBpcTXFFzeY,1656
 cfn_check/evaluation/parsing/__init__.py,sha256=s5TxU4mzsbNIpbMynbwibGR8ac0dTcf_2qUfGkAEDvQ,52
 cfn_check/evaluation/parsing/query_parser.py,sha256=4J3CJQKAyb11gugfx6OZT-mfSdNDB5Al8Jiy9DbJZMw,3459
 cfn_check/evaluation/parsing/token.py,sha256=nrg7Tca182WY0VhRqfsZ1UgpxsUX73vdLToSeK50DZE,7055
@@ -19,7 +20,8 @@ cfn_check/evaluation/parsing/token_type.py,sha256=E5AVBerinBszMLjjc7ejwSSWEc0p0J
 cfn_check/logging/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cfn_check/logging/models.py,sha256=-tBaK6p8mJ0cO8h2keEJ-VmtFX_VW4XzwAw2PtqbkF0,490
 cfn_check/rendering/__init__.py,sha256=atcbddYun4YHyY7bVGA9CgEYzzXpYzvkx9_Kg-gnD5w,42
-cfn_check/rendering/renderer.py,sha256=xbSPfjX6w-xcGULLJ_3m3k3PrnDNWdaB418OaVT-J8A,31389
+cfn_check/rendering/cidr_solver.py,sha256=aCUH3q9PvQ7-hkJd79VmUc175Ks-HifShPIMVnD8Ws8,1528
+cfn_check/rendering/renderer.py,sha256=hcs-DVuaNLUP80NB0h0OW4oNlskj7Lyc9bpbqEkYsPA,42207
 cfn_check/rendering/utils.py,sha256=MNaKePylbJ9Bs4kjuoV0PpCmPJYttPXXvKQILemCrUI,489
 cfn_check/rules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cfn_check/rules/rule.py,sha256=_cKNQ5ciJgPj-exmtBUz31cU2lxWYxw2n2NWIlhYc3s,635
@@ -27,13 +29,13 @@ cfn_check/shared/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,
 cfn_check/shared/types.py,sha256=-om3DyZsjK_tJd-I8SITkoE55W0nB2WA3LOc87Cs7xI,414
 cfn_check/validation/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cfn_check/validation/validator.py,sha256=Z6S6T_4yQW1IUa5Kv3ohR9U8NDrhTvBadW2FEM8TRL8,1478
-cfn_check-0.6.1.dist-info/licenses/LICENSE,sha256=EbCpGNzOkyQ53ig7J2Iwgmy4Og0dgHe8COo3WylhIKk,1069
+cfn_check-0.7.0.dist-info/licenses/LICENSE,sha256=EbCpGNzOkyQ53ig7J2Iwgmy4Og0dgHe8COo3WylhIKk,1069
 example/multitag.py,sha256=QQfcRERGEDgTUCGqWRqRbXHrLwSX4jEOFq8ED4NJnz8,636
 example/pydantic_rules.py,sha256=6NFtDiaqmnYWt6oZIWB7AO_v5LJoZVOGXrmEe2_J_rI,4162
 example/renderer_test.py,sha256=XG5PVTSHztYXHrBw4bpwVuuYt1JNZdtLGJ-DZ9wPjFM,741
 example/rules.py,sha256=mWHB0DK283lb0CeSHgnyO5qiVTJJpybuwWXb4Yoa3zQ,3148
-cfn_check-0.6.1.dist-info/METADATA,sha256=NDxM34k-kIv2wZRAmdhe8Te7HdMAj4ABzy1-4FTgvCc,20459
-cfn_check-0.6.1.dist-info/WHEEL,sha256=zaaOINJESkSfm_4HQVc5ssNzHCPXhJm0kEUakpsEHaU,91
-cfn_check-0.6.1.dist-info/entry_points.txt,sha256=B4lCHoDHmwisABxKgRLShwqqFv7QwwDAFXoAChOnkwg,53
-cfn_check-0.6.1.dist-info/top_level.txt,sha256=hUn9Ya50yY1fpgWxEhG5iMgfMDDVX7qWQnM1xrgZnhM,18
-cfn_check-0.6.1.dist-info/RECORD,,
+cfn_check-0.7.0.dist-info/METADATA,sha256=-H4HezPbY-Z5Ka3bEpRjO8WGcUOKvwsdNdRvL_x_98c,22397
+cfn_check-0.7.0.dist-info/WHEEL,sha256=zaaOINJESkSfm_4HQVc5ssNzHCPXhJm0kEUakpsEHaU,91
+cfn_check-0.7.0.dist-info/entry_points.txt,sha256=B4lCHoDHmwisABxKgRLShwqqFv7QwwDAFXoAChOnkwg,53
+cfn_check-0.7.0.dist-info/top_level.txt,sha256=hUn9Ya50yY1fpgWxEhG5iMgfMDDVX7qWQnM1xrgZnhM,18
+cfn_check-0.7.0.dist-info/RECORD,,