Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
@aws-c2a/rules
Advanced tools
@aws-c2a/rules - npm Package Compare versions
Comparing version 0.4.0 to 0.5.0
| { | ||
| "name": "@aws-c2a/rules", | ||
| "version": "0.4.0", | ||
| "version": "0.5.0", | ||
| "description": "The rules language and processor for CDK Change Analyzer", | ||
@@ -29,3 +29,3 @@ "main": "lib/index.js", | ||
| "dependencies": { | ||
| "@aws-c2a/models": "^0.4.0", | ||
| "@aws-c2a/models": "^0.5.0", | ||
| "fifinet": "0.1.7" | ||
@@ -54,3 +54,3 @@ }, | ||
| }, | ||
| "gitHead": "7a9a43b4f9dd00bcedeaa378b2022014337ee211" | ||
| "gitHead": "ca8a2214e9258a7193110857687cb90320fc20ac" | ||
| } |
193
README.md
@@ -1,138 +0,97 @@ | ||
| # AWS CDK Change Analyzer (C2A) - Engine | ||
| # AWS CDK Change Analyzer (C2A) - Rules | ||
| `@aws-c2a/engine` is a package that the toolkit consumes to analyze two CloudFormation templates, extract | ||
| their differences and produce a report of changes, customizable with a rules language. | ||
| `@aws-c2a/rules` is a package that defines the rules language for CDK Change Analyzer. | ||
| The rules language lets you define changes, components, or behaviors that you deem | ||
| high risk. These behaviors will then be caught and surfaced by `aws-c2a diff`. | ||
| ## Table of Contents | ||
| 1. [Platform Mapping](#Platform-Mapping) | ||
| 2. [Model Diffing](#Model-Diffing) | ||
| 3. [Aggregations](#Aggregations) | ||
| 4. [User Configuration](#User-Configuration) | ||
| This rules language maps finds the objects in the graph generated from the | ||
| [InfraModelDiff](../../README.md#InfraModelDiff) and traverses its edges when | ||
| relating objects, such as when navigating properties or checking whether a change | ||
| applies to an object. | ||
| ## Platform Mapping | ||
| ## Rule Definition | ||
| The `platform-mapping` directory holds parsers that transform an artifact into an [InfraModel](../../README.md#InfraModel) - in this case, CloudFormation templates. | ||
| You can write rules that classify the risk of any change and automatically | ||
| approve/reject them. These rules are based on a custom grammar in JSON syntax. | ||
| Take the following example of a rule: | ||
| ### CloudFormation Parser | ||
| ```json | ||
| { | ||
| "description": "Allow all insert operations", | ||
| "let": { | ||
| "insertChange": { "change": {"type": "INSERT" } } | ||
| }, | ||
| "effect": { | ||
| "target": "insertChange", | ||
| "risk": "low", | ||
| "action": "approve" | ||
| } | ||
| } | ||
| ``` | ||
| The CloudFormation parser takes any CloudFormation template and generates an [InfraModel](../../README.md#InfraModel) | ||
| This is a very simple rule that approves and marks all component operations of | ||
| type `INSERT` as a low risk change. It is broken down below: | ||
| The type of CloudFormation entity ([e.g. Resource, Parameter, Output](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html)) gets mapped to the type of _Component_. In the case of CloudFormation resources, in particular, their type gets mapped to the _Component_'s subtype (i.e. an AWS Lambda Function resource generates a _Component_ with type "Resource" and subtype "AWS::Lambda::Function"). | ||
| **let** | ||
| The `let` field defines the bindings for a given rule. In this case, the identifier, | ||
| `insertChange`, is bound to the query that matches all `change` objects of type `INSERT`. | ||
| The `let` field acts as a scope for the rule, where each binding is executed in order, | ||
| allowing you to chain bindings in a sequential manner. | ||
| The CloudFormation parser builds instances of **CFEntity**'s subclasses, which have the responsibility of properly building the respective _Components_, _Property Values_, and outgoing _Dependency Relationships_. | ||
| **effect** | ||
| The `effect` field defines the outcome of any objects, identified as `target`, returned | ||
| from the queries. In this case, the `target` is `insertChange`, which corresponds to all | ||
| insert operations. The risk and automatic approval behavior for these changes are | ||
| specified in the fields `risk` and `action` respectively. | ||
|  | ||
| ## Nested Rules | ||
| The **CFRef** class extracts references to entities in an entity's declaration, from the used intrinsic functions and resources' _DependsOn_ field. | ||
| Every rule has a scope; defined by the bindings that are declared in the `let` field. | ||
| You can utilize the notion of scope to chain rules together in a nested style. | ||
| The following image is an example of the created relationships: | ||
|  | ||
| - References in intrinsic functions and in _DependsOn_ fields are transformed into Dependency Relationships | ||
| - Structural Relationships connect resources to their stack | ||
| ### AWS CDK Parser | ||
| Parsing CDK-generated CloudFormation templates begins by using the [CloudFormation parser](#CloudFormation-Parser) and adding a _Component_ for each CDK Construct (extracted from the CloudFormation resources metadata). Afterwards, the stack _Component_ and its _Structural Relationships_ are removed and the CDK Construct Components are connected to the corresponding CloudFormation resource Components, as seen here: | ||
|  | ||
| ## Model Diffing | ||
| The process of diffing InfraModels is contained in the `model-diffing` directory. | ||
| In the context of AWS CDK/CloudFormation, this is where we extract the operations (changes) that occurred between the old CloudFormation template and the new one. | ||
| The basic diff is created in `model-diffing/diff-creator.ts`. It groups components of the same type and subtype and matches them based on their name and similarity. This similarity is calculated by comparing the properties of each component, in `model-diffing/property-diff.ts`. | ||
| Since detecting property operations and determining their similarity require the same underlying logic, they are both done simultaneously in `model-diffing/property-diff.ts`. A few notes on how this property diffing currently works: | ||
| - When calculating similarity, there is currently no distinction between arrays and sets, so property array order is not considered. In other words, moving elements in an array as no effect on similarity. However, _Move_ operations are still created if an element at index 0 is matched with an element at index 1, for example. | ||
| - A weight is associated with a given similarity value, which is the number of primitive values of the structure it applies to. Consider the following: | ||
| ``` | ||
| { | ||
| a: {b: "string", c: "string}, | ||
| d: "string" | ||
| } | ||
| ``` | ||
| Let's consider the string value of key "d" has been changed and the similarity between the new and old value is 0.5. However, the value of key "a" will have similarity 1 because it has not been changed. We can calculate the similarity of the full properties by doing a weighted average between both similarities. "a" will have a weight of 4 (because it holds 4 unchanged values with similarity 1, two keys and two values) and "d" will have a weight of 1 (because it has only 1 primitive value). The similarity for this example is 1*(4/5)+0.5*(1/5)=0.9. | ||
| ### Change Propagation | ||
| `change-propagator.ts` is responsible for taking the observed changes and propagating them. This means: | ||
| - Modified properties with _componentUpdateType_ of "REPLACEMENT" or "POSSIBLE_REPLACEMENT" generate an operation (change) of type _Replace_ for their component. | ||
| - Renamed _Components_ have an new _Replace_ operation. | ||
| - _Replace_ operations in _Components_ with incoming _Dependency Relationships_ generate an Update _Operation_ to the source property of such relationships, indicating that a referenced value may have changed. | ||
| ## Aggregations | ||
| Aggregations are structures that group Operations (changes) in a tree-like structure. based on their characteristics, according to a given structure. These are used to collapse changes when presenting them in an interface. Take the following example: | ||
|  | ||
| These are resulting aggregations that narrow down operations by: | ||
| - type and subtype of the affected Component | ||
| - type of the operation | ||
| - whether it affects a full component or just a property and, in case of the latter, the property path. | ||
| The characteristics that should be grouped at each level, and how, are described in `aggregations/component-operation/module-tree.ts`. Aggregation modules define how to split a group of operations and a module tree is a configuration of these modules that is used to generate the aggregations. | ||
| ## User Configuration | ||
| Users can write rules classify the risk of each change and if it should be automatically approved or rejected. These rules are based on a custom grammar in JSON syntax. Take the following example of a rule: | ||
| ``` | ||
| ```json | ||
| { | ||
| "description": "Allow all insert operations", | ||
| "let": { | ||
| "insertChange": { "change": {"type": "INSERT" } } | ||
| "description": "CLOUDFRONT", | ||
| "let": { "cf": { "Resource": "AWS::CloudFront::Distribution" } }, | ||
| "then": [ | ||
| { | ||
| "description": "Cloudfront Distributions origin changes are risky", | ||
| "let": { | ||
| "change": { "change": {}, "where": "change appliesTo cf.Properties.DistributionConfig.Origins" } | ||
| }, | ||
| "effect": { | ||
| "risk": "high" | ||
| } | ||
| }, | ||
| "effect": { | ||
| "target": "insertChange", | ||
| { | ||
| "description": "Cloudfront Distributions origin protocol security can increase", | ||
| "let": { | ||
| "change": { "change": {}, "where": [ | ||
| "change appliesTo cf.Properties.DistributionConfig.Origins.*.OriginProtocolPolicy", | ||
| "change.old == 'http-only'", | ||
| "change.new == 'https-only'" | ||
| ] | ||
| } | ||
| }, | ||
| "effect": { | ||
| "risk": "low", | ||
| "action": "approve" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
| This is a very simple rule that sets automatic approval and low risk for all operations of type "INSERT". It is broken down below: | ||
| - the "let" field associates objects with identifiers. In this case, there is only one identifier ("insertChange"). An identifier takes the value of all objects that match the query on the right. In this example, the query is matching all "change" objects of type "INSERT". So "insertChange" represents all insertions that occured. | ||
| - the "effect" field applies consequences to a given change, identified as the "target". In this case, the "target" is "insertChange", which corresponds to all insert operations. The risk and automatic approval behavior for these changes are specified in the fields "risk" and "action" respectively. | ||
| Below is a more complex rule: | ||
| **then** | ||
| In this rule, the `then` field is used to apply sub-rules that have access to the bindings | ||
| declared in their parent scope. | ||
| ``` | ||
| { | ||
| "description": "CLOUDFRONT", | ||
| "let": {"cf": { "Resource": "AWS::CloudFront::Distribution" } }, | ||
| "then": [{ | ||
| "description": "Cloudfront Distributions origin changes are risky", | ||
| "let": { | ||
| "change": { "change": {}, "where": "change appliesTo cf.Properties.DistributionConfig.Origins" } | ||
| }, | ||
| "effect": { | ||
| "risk": "high" | ||
| } | ||
| }, { | ||
| "description": "Cloudfront Distributions origin protocol security can increase", | ||
| "let": { | ||
| "change": { "change": {}, "where": [ | ||
| "change appliesTo cf.Properties.DistributionConfig.Origins.*.OriginProtocolPolicy", | ||
| "change.old == 'http-only'", | ||
| "change.new == 'https-only'" | ||
| ] | ||
| } | ||
| }, | ||
| "effect": { | ||
| "risk": "low", | ||
| "action": "approve" | ||
| } | ||
| }] | ||
| } | ||
| ``` | ||
| In this rule, the "then" field is also used, which allows applying sub-rules that have access to the identifiers declared in their parent. | ||
| **where** | ||
| The `where` field defines conditions that the query must satisfy. These conditions include, | ||
| but are not limited to, checking if a change applies to a given object (Component or Property) | ||
| with the operator `appliesTo`; comparing old and new values of changes to properties with | ||
| the `.old` accessor and `==` operator. | ||
| Component and Property objects allow accessing their inner properties by using the dot (".") notation. For example `component.someArray.*.property` will correspond to all values of key "property" in elements of array "someArray" inside "component". | ||
| You can also notice that queries can have a "when" field, specifying further conditions, such as: checking if a change applies to a given object (Component or Property) with the operator "applies to"; comparing old and new values of changes to properties with the ".old" accessor and "==" operator. | ||
| This rules language maps finds the objects in the graph generated from the [InfraModelDiff](../../README.md#InfraModelDiff) and traverses its edges when relating objects, such as when navigating properties or checking whether a change applies to an object. | ||
| > Component and Property objects allow accessing their inner properties by using the dot (".") | ||
| notation. For example `component.someArray.*.property` will correspond to all values of key | ||
| "property" in elements of array "someArray" inside "component". |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Worsened metrics
- Total package byte prevSize
- decreased by-5.81%
91840
- Number of lines in readme file
- decreased by-29.5%
98
Dependency changes
+ Added@aws-c2a/models@0.5.0(transitive)
- Removed@aws-c2a/models@0.4.0(transitive)
Updated@aws-c2a/models@^0.5.0