fix CFTs to support evaluation mode except org rules

integration/config-opscenter-integration-example/s3EncryptedConfigRule.yaml

@@ -36,7 +36,7 @@ Resources:
            - 'Config Rules Compliance Change'
          detail:
            configRuleName:
-             - !Ref S3BucketServerSideEncryptionEnabled
+             - Ref: S3BucketServerSideEncryptionEnabled
            newEvaluationResult:
              complianceType:
                - NON_COMPLIANT

pyproject.toml

@@ -7,7 +7,7 @@
 #    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
 [tool.poetry]
 name = "rdk"
-version = "0.17.11"
+version = "0.17.12"
 description = "Rule Development Kit CLI for AWS Config"
 authors = [
     "AWS RDK Maintainers <[email protected]>",
@@ -123,6 +123,7 @@ isort = {extras = ["toml"], version = "^5.11.4"}
 mypy = "^1.3.0"
 debugpy = "^1.6.7"
 ruff = "^0.0.269"
+checkov = "^3.2.0"
 
 [tool.poetry.group.security.dependencies]
 bandit = "^1.7.7"

rdk/__init__.py

@@ -6,4 +6,4 @@
 #
 #    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
 
-MY_VERSION = "0.17.11"
+MY_VERSION = "2"

rdk/rdk.py

@@ -237,14 +237,14 @@ def get_modify_parser():
 
 
 def get_rule_parser(is_required, command):
-    usage_string = "[--runtime <runtime>] [--resource-types <resource types>] [--maximum-frequency <max execution frequency>] [--input-parameters <parameter JSON>] [--tags <tags JSON>] [--rulesets <RuleSet tags>]"
+    # usage_string = "[--runtime <runtime>] [--resource-types <resource types>] [--maximum-frequency <max execution frequency>] [--input-parameters <parameter JSON>] [--tags <tags JSON>] [--rulesets <RuleSet tags>]"
 
-    if is_required:
-        usage_string = "[ --resource-types <resource types> | --maximum-frequency <max execution frequency> ] [optional configuration flags] [--runtime <runtime>] [--rulesets <RuleSet tags>]"
+    # if is_required:
+    #     usage_string = "[ --resource-types <resource types> | --maximum-frequency <max execution frequency> ] [optional configuration flags] [--runtime <runtime>] [--rulesets <RuleSet tags>]"
 
     parser = argparse.ArgumentParser(
         prog="rdk " + command,
-        usage="rdk " + command + " <rulename> " + usage_string,
+        # usage="rdk " + command + " <rulename> " + usage_string, # Commented out to avoid double-documentation; will use auto-generated output
         description="Rules are stored in their own directory along with their metadata.  This command is used to "
         + command
         + " the Rule and metadata.",
@@ -382,6 +382,12 @@ def get_rule_parser(is_required, command):
         required=False,
         help="[optional] Comma-separated list of AWS accounts to exclude from the rule. Will only be used for organizational rules.",
     )
+    parser.add_argument(
+        "--evaluation-mode",
+        required=False,
+        default="DETECTIVE",
+        help="[optional] The evaluation mode to deploy the rule into, either DETECTIVE (default), PROACTIVE, or BOTH. DETECTIVE rules are typical Config rules, whereas PROACTIVE rules are used to evaluate resources in CFTs prior to deployment.",
+    )
 
     return parser
 
@@ -1387,8 +1393,8 @@ def modify(self):
             self.args.source_identifier = old_params["SourceIdentifier"]
 
         # TODO - is this appropriate?
-        if not self.args.source_identifier and "EvaluationMode" in old_params:
-            self.args.source_identifier = old_params["EvaluationMode"]
+        if not self.args.evaluation_mode and "EvaluationMode" in old_params:
+            self.args.evaluation_mode = old_params["EvaluationMode"]
 
         if not self.args.tags and tags:
             self.args.tags = tags
@@ -1758,6 +1764,10 @@ def deploy(self):
                         "ParameterKey": "SourceIdentifier",
                         "ParameterValue": rule_params["SourceIdentifier"],
                     },
+                    {
+                        "ParameterKey": "EvaluationMode",
+                        "ParameterValue": rule_params["EvaluationMode"],
+                    },
                 ]
                 my_cfn = my_session.client("cloudformation")
                 if "Remediation" in rule_params:
@@ -1768,7 +1778,7 @@ def deploy(self):
                         "configManagedRuleWithRemediation.yaml",
                     )
                     template_body = open(cfn_body, "r").read()
-                    yaml_body = yaml.loads(template_body)
+                    yaml_body = yaml.safe_load(template_body)
                     remediation = self.__create_remediation_cloudformation_block(rule_params["Remediation"])
                     yaml_body["Resources"]["Remediation"] = remediation
 
@@ -1988,10 +1998,10 @@ def deploy(self):
                     "ParameterKey": "SourceBucket",
                     "ParameterValue": code_bucket_name,
                 },
-                {
-                    "ParameterKey": "SourcePath",
-                    "ParameterValue": s3_dst,
-                },
+                # {
+                #     "ParameterKey": "SourcePath",
+                #     "ParameterValue": s3_dst,
+                # },
                 {
                     "ParameterKey": "SourceRuntime",
                     "ParameterValue": self.__get_runtime_string(rule_params),
@@ -2016,6 +2026,10 @@ def deploy(self):
                     "ParameterKey": "Timeout",
                     "ParameterValue": str(self.args.lambda_timeout),
                 },
+                {
+                    "ParameterKey": "EvaluationMode",
+                    "ParameterValue": rule_params["EvaluationMode"],
+                },
             ]
             layers = self.__get_lambda_layers(my_session, self.args, rule_params)
 
@@ -2043,7 +2057,7 @@ def deploy(self):
             # create json of CFN template
             cfn_body = os.path.join(path.dirname(__file__), "template", "configRule.yaml")
             template_body = open(cfn_body, "r").read()
-            yaml_body = yaml.loads(template_body)
+            yaml_body = yaml.safe_load(template_body)
 
             remediation = ""
             if "Remediation" in rule_params:
@@ -2385,10 +2399,10 @@ def deploy_organization(self):
                     "ParameterKey": "SourceBucket",
                     "ParameterValue": code_bucket_name,
                 },
-                {
-                    "ParameterKey": "SourcePath",
-                    "ParameterValue": s3_dst,
-                },
+                # {
+                #     "ParameterKey": "SourcePath",
+                #     "ParameterValue": s3_dst,
+                # },
                 {
                     "ParameterKey": "SourceRuntime",
                     "ParameterValue": self.__get_runtime_string(rule_params),
@@ -2444,7 +2458,7 @@ def deploy_organization(self):
             # create json of CFN template
             cfn_body = os.path.join(path.dirname(__file__), "template", "configRuleOrganization.yaml")
             template_body = open(cfn_body, "r").read()
-            yaml_body = yaml.loads(template_body)
+            yaml_body = yaml.safe_load(template_body)
 
             # debugging
             # print(json.dumps(json_body, indent=2))
@@ -2697,7 +2711,7 @@ def test_remote(self):
                 print("\t\tTesting CI " + my_ci["resourceType"])
 
                 # Generate test event from templates
-                test_event = yaml.load(
+                test_event = yaml.safe_load(
                     open(
                         os.path.join(path.dirname(__file__), "template", event_template_filename),
                         "r",
@@ -3739,6 +3753,7 @@ def __populate_params(self):
             "RuleName": self.args.rulename,
             "Description": description,
             "SourceRuntime": self.args.runtime,
+            "EvaluationMode": self.args.evaluation_mode,
             # 'CodeBucket': code_bucket_prefix + account_id,
             "CodeKey": self.args.rulename + my_session.region_name + ".zip",
             "InputParameters": json.dumps(my_input_params),

rdk/template/configManagedRule.yaml

@@ -32,6 +32,14 @@ Parameters:
     Description: Input Parameters
     Type: String
     Default: "{}"
+  EvaluationMode:
+    Description: The evaluation mode to use, either DETECTIVE, PROACTIVE, or BOTH.
+    Type: String
+    Default: DETECTIVE
+    AllowedValues:
+      - DETECTIVE
+      - PROACTIVE
+      - BOTH
 Conditions:
   RemoveEventScope:
     Fn::Or:
@@ -54,6 +62,10 @@ Conditions:
       - Fn::Equals:
           - Ref: SourcePeriodic
           - NONE
+  UseBothEvaluationModes:
+    Fn::Equals:
+      - Ref: EvaluationMode
+      - "BOTH"
 Resources:
   rdkConfigRule:
     Type: AWS::Config::ConfigRule
@@ -79,3 +91,12 @@ Resources:
           Ref: SourceIdentifier
       InputParameters:
         Ref: SourceInputParameters
+      EvaluationModes:
+        Fn::If:
+          - UseBothEvaluationModes
+          - 
+            - Mode: DETECTIVE
+            - Mode: PROACTIVE
+          - 
+            - Mode:
+                Ref: EvaluationMode

rdk/template/configManagedRuleWithRemediation.yaml

@@ -32,6 +32,14 @@ Parameters:
     Description: Input Parameters
     Type: String
     Default: "{}"
+  EvaluationMode:
+    Description: The evaluation mode to use, either DETECTIVE, PROACTIVE, or BOTH.
+    Type: String
+    Default: DETECTIVE
+    AllowedValues:
+      - DETECTIVE
+      - PROACTIVE
+      - BOTH
 Conditions:
   RemoveEventScope:
     Fn::Or:
@@ -54,6 +62,10 @@ Conditions:
       - Fn::Equals:
           - Ref: SourcePeriodic
           - NONE
+  UseBothEvaluationModes:
+    Fn::Equals:
+      - Ref: EvaluationMode
+      - "BOTH"
 Resources:
   rdkConfigRule:
     Type: AWS::Config::ConfigRule
@@ -79,3 +91,12 @@ Resources:
           Ref: SourceIdentifier
       InputParameters:
         Ref: SourceInputParameters
+      EvaluationModes:
+        Fn::If:
+          - UseBothEvaluationModes
+          - 
+            - Mode: DETECTIVE
+            - Mode: PROACTIVE
+          - 
+            - Mode:
+                Ref: EvaluationMode

rdk/template/configRule.yaml

@@ -80,6 +80,10 @@ Parameters:
     Description: The evaluation mode to use, either DETECTIVE, PROACTIVE, or BOTH.
     Type: String
     Default: DETECTIVE
+    AllowedValues:
+      - DETECTIVE
+      - PROACTIVE
+      - BOTH
 Conditions:
   RemoveEventScope:
     Fn::Or:
@@ -128,7 +132,7 @@ Conditions:
               - ""
   UseBothEvaluationModes:
     Fn::Equals:
-      - !Ref EvaluationMode
+      - Ref: EvaluationMode
       - "BOTH"
 Resources:
   rdkRuleCodeLambda:
@@ -190,11 +194,6 @@ Resources:
       Action: lambda:InvokeFunction
       Principal: config.amazonaws.com
   rdkConfigRule:
-    Metadata:
-      cfn-lint:
-        config:
-          ignore_checks:
-            - E3002 # cfn-lint is not familiar with newer property names like EvaluationModeConfiguration
     Type: AWS::Config::ConfigRule
     DependsOn:
       - ConfigPermissionToCallrdkRuleCodeLambda
@@ -209,15 +208,15 @@ Resources:
           - Ref: AWS::NoValue
           - ComplianceResourceTypes:
               Ref: SourceEvents
-      EvaluationModeConfiguration:
-        - Fn::If:
-            - UseBothEvaluationModes
-            - 
-              - Mode: DETECTIVE
-              - Mode: PROACTIVE
-            - 
-              - Mode:
-                  Ref: EvaluationMode
+      EvaluationModes:
+        Fn::If:
+          - UseBothEvaluationModes
+          - 
+            - Mode: DETECTIVE
+            - Mode: PROACTIVE
+          - 
+            - Mode:
+                Ref: EvaluationMode
       Source:
         Owner: CUSTOM_LAMBDA
         SourceIdentifier: