From 22bcdc7e01fae3372e1193fe5e46ea7f6d2f8e1d Mon Sep 17 00:00:00 2001
From: steven-l
Date: Sat, 20 Aug 2022 23:41:44 +0800
Subject: [PATCH 1/6] add policy rule support
---
 rdk/rdk.py | 276 ++++++++++++------
 .../cloudformation-guard2.0/rule_code.guard | 3 +
 2 files changed, 186 insertions(+), 93 deletions(-)
 create mode 100644 rdk/template/runtime/cloudformation-guard2.0/rule_code.guard
diff --git a/rdk/rdk.py b/rdk/rdk.py
index 3e9c3fb1..3c654bdb 100644
--- a/rdk/rdk.py
+++ b/rdk/rdk.py
@@ -393,6 +393,7 @@ def get_rule_parser(is_required, command):
 "python3.9-lib",
 "dotnetcore1.0",
 "dotnetcore2.0",
+ "cloudformation-guard2.0"
 ],
 metavar="",
 )
@@ -1233,6 +1234,7 @@ def create(self):
 "nodejs6.10": ".js",
 "dotnetcore1.0": "cs",
 "dotnetcore2.0": "cs",
+ "cloudformation-guard2.0": "guard",
 }
 if self.args.runtime not in extension_mapping:
 print("rdk does not support that runtime yet.")
@@ -1256,6 +1258,8 @@ def create(self):
 self.__create_java_rule()
 elif self.args.runtime in ["dotnetcore1.0", "dotnetcore2.0"]:
 self.__create_dotnet_rule()
+ elif self.args.runtime == "cloudformation-guard2.0":
+ self.__create_cloudformation_guard_rule()
 else:
 src = os.path.join(
 path.dirname(__file__),
@@ -1895,99 +1899,140 @@ def deploy(self): continue - print(f"[{my_session.region_name}]: Found Custom Rule.") - - s3_src = "" - s3_dst = self.__upload_function_code(rule_name, rule_params, account_id, my_session, code_bucket_name) - - # create CFN Parameters for Custom Rules - lambdaRoleArn = "" - if self.args.lambda_role_arn: - print(f"[{my_session.region_name}]: Existing IAM Role provided: " + self.args.lambda_role_arn) - lambdaRoleArn = self.args.lambda_role_arn - elif self.args.lambda_role_name: - print(f"[{my_session.region_name}]: Building IAM Role ARN from Name: " + self.args.lambda_role_name) - arn = f"arn:{partition}:iam::{account_id}:role/{self.args.lambda_role_name}" - lambdaRoleArn = arn - - if self.args.boundary_policy_arn: - print(f"[{my_session.region_name}]: Boundary Policy provided: " + self.args.boundary_policy_arn) - boundaryPolicyArn = self.args.boundary_policy_arn - else: - boundaryPolicyArn = "" - try: rule_description = rule_params["Description"] except KeyError: rule_description = rule_name - my_params = [ - { - "ParameterKey": "RuleName", - "ParameterValue": rule_name, - }, - { - "ParameterKey": "RuleLambdaName", - "ParameterValue": self.__get_lambda_name(rule_name, rule_params), - }, - { - "ParameterKey": "Description", - "ParameterValue": rule_description, - }, - { - "ParameterKey": "LambdaRoleArn", - "ParameterValue": lambdaRoleArn, - }, - { - "ParameterKey": "BoundaryPolicyArn", - "ParameterValue": boundaryPolicyArn, - }, - { - "ParameterKey": "SourceBucket", - "ParameterValue": code_bucket_name, - }, - { - "ParameterKey": "SourcePath", - "ParameterValue": s3_dst, - }, - { - "ParameterKey": "SourceRuntime", - "ParameterValue": self.__get_runtime_string(rule_params), - }, - { - "ParameterKey": "SourceEvents", - "ParameterValue": source_events, - }, - { - "ParameterKey": "SourcePeriodic", - "ParameterValue": source_periodic, - }, - { - "ParameterKey": "SourceInputParameters", - "ParameterValue": json.dumps(combined_input_parameters), - 
}, - {"ParameterKey": "SourceHandler", "ParameterValue": self.__get_handler(rule_name, rule_params)}, - {"ParameterKey": "Timeout", "ParameterValue": str(self.args.lambda_timeout)}, - ] - layers = self.__get_lambda_layers(my_session, self.args, rule_params) + source_runtime = rule_params["SourceRuntime"] - if self.args.lambda_layers: - additional_layers = self.args.lambda_layers.split(",") - layers.extend(additional_layers) + print(f"[{my_session.region_name}]: Found Custom Rule.") - if layers: - my_params.append({"ParameterKey": "Layers", "ParameterValue": ",".join(layers)}) + if source_runtime != "cloudformation-guard2.0": + s3_src = "" + s3_dst = self.__upload_function_code(rule_name, rule_params, account_id, my_session, code_bucket_name) + + # create CFN Parameters for Custom Rules + lambdaRoleArn = "" + if self.args.lambda_role_arn: + print(f"[{my_session.region_name}]: Existing IAM Role provided: " + self.args.lambda_role_arn) + lambdaRoleArn = self.args.lambda_role_arn + elif self.args.lambda_role_name: + print(f"[{my_session.region_name}]: Building IAM Role ARN from Name: " + self.args.lambda_role_name) + arn = f"arn:{partition}:iam::{account_id}:role/{self.args.lambda_role_name}" + lambdaRoleArn = arn + + if self.args.boundary_policy_arn: + print(f"[{my_session.region_name}]: Boundary Policy provided: " + self.args.boundary_policy_arn) + boundaryPolicyArn = self.args.boundary_policy_arn + else: + boundaryPolicyArn = "" - if self.args.lambda_security_groups and self.args.lambda_subnets: - my_params.append( - {"ParameterKey": "SecurityGroupIds", "ParameterValue": self.args.lambda_security_groups} - ) - my_params.append({"ParameterKey": "SubnetIds", "ParameterValue": self.args.lambda_subnets}) + my_params = [ + { + "ParameterKey": "RuleName", + "ParameterValue": rule_name, + }, + { + "ParameterKey": "RuleLambdaName", + "ParameterValue": self.__get_lambda_name(rule_name, rule_params), + }, + { + "ParameterKey": "Description", + "ParameterValue": 
rule_description, + }, + { + "ParameterKey": "LambdaRoleArn", + "ParameterValue": lambdaRoleArn, + }, + { + "ParameterKey": "BoundaryPolicyArn", + "ParameterValue": boundaryPolicyArn, + }, + { + "ParameterKey": "SourceBucket", + "ParameterValue": code_bucket_name, + }, + { + "ParameterKey": "SourcePath", + "ParameterValue": s3_dst, + }, + { + "ParameterKey": "SourceRuntime", + "ParameterValue": self.__get_runtime_string(rule_params), + }, + { + "ParameterKey": "SourceEvents", + "ParameterValue": source_events, + }, + { + "ParameterKey": "SourcePeriodic", + "ParameterValue": source_periodic, + }, + { + "ParameterKey": "SourceInputParameters", + "ParameterValue": json.dumps(combined_input_parameters), + }, + {"ParameterKey": "SourceHandler", "ParameterValue": self.__get_handler(rule_name, rule_params)}, + {"ParameterKey": "Timeout", "ParameterValue": str(self.args.lambda_timeout)}, + ] + layers = self.__get_lambda_layers(my_session, self.args, rule_params) - # create json of CFN template - cfn_body = os.path.join(path.dirname(__file__), "template", "configRule.json") - template_body = open(cfn_body, "r").read() - json_body = json.loads(template_body) + if self.args.lambda_layers: + additional_layers = self.args.lambda_layers.split(",") + layers.extend(additional_layers) + + if layers: + my_params.append({"ParameterKey": "Layers", "ParameterValue": ",".join(layers)}) + + if self.args.lambda_security_groups and self.args.lambda_subnets: + my_params.append( + {"ParameterKey": "SecurityGroupIds", "ParameterValue": self.args.lambda_security_groups} + ) + my_params.append({"ParameterKey": "SubnetIds", "ParameterValue": self.args.lambda_subnets}) + + # create json of CFN template + cfn_body = os.path.join(path.dirname(__file__), "template", "configRule.json") + template_body = open(cfn_body, "r").read() + json_body = json.loads(template_body) + + else: # update policy rule + print(f"[{my_session.region_name}]: Updating policy rule for " + rule_name) + policy = 
os.path.join(os.getcwd(), rules_dir, rule_name, "rule_code.guard") + my_cfg = my_session.client("config") + response = my_cfg.put_config_rule( + ConfigRule={ + 'ConfigRuleName': rule_name, + 'Description': rule_description, + 'Scope': { + 'ComplianceResourceTypes': source_events.split(',') + }, + 'Source': { + 'Owner': 'CUSTOM_POLICY', + 'SourceDetails': [ + { + 'EventSource': 'aws.config', + 'MessageType': 'ConfigurationItemChangeNotification' + }, + { + 'EventSource': 'aws.config', + 'MessageType': 'OversizedConfigurationItemChangeNotification' + }, + ], + 'CustomPolicyDetails': { + 'PolicyRuntime': 'guard-2.x.x', + 'PolicyText': open(policy).read(), + 'EnableDebugLogDelivery': False + } + }, + 'InputParameters': json.dumps(combined_input_parameters), + }, + Tags=cfn_tags + ) + if response['ResponseMetadata']['HTTPStatusCode'] != 200: + print(f"[{my_session.region_name}]: API status error: " + response.__repr__()) + print(f"[{my_session.region_name}]: Update done.") + return remediation = "" if "Remediation" in rule_params: 
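Review bot: The `return` after `print(f"[{my_session.region_name}]: Update done.")` leaves `deploy` altogether, so if this block sits inside the per-rule loop (the `continue` at the top of the hunk suggests it does) every rule listed after the first custom-policy rule is silently never deployed; `continue` is the intended transfer, and the same `return` survives the move of this block in patch 2. A non-200 `HTTPStatusCode` only prints the response and still falls through to "Update done." and the early exit, so a failed put_config_rule is reported as success; raise or exit non-zero on that path. `open(policy).read()` never closes the handle — read the policy up front with `with open(policy) as fh: policy_text = fh.read()` and pass `policy_text`. `Tags=cfn_tags` is passed unconditionally, whereas the stack path later guards on `cfn_tags is not None`; if None is possible here boto3's parameter validation will reject the call, so add the argument only when tags are set. The enclosing deploy loop begins and ends outside the hunk.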
@@ -2064,14 +2109,15 @@ def deploy(self):
 else:
 raise
- my_lambda_arn = self.__get_lambda_arn_for_stack(my_stack_name)
+ if source_runtime != "cloudformation-guard2.0":
+ my_lambda_arn = self.__get_lambda_arn_for_stack(my_stack_name)
- print(f"[{my_session.region_name}]: Publishing Lambda code...")
- my_lambda_client = my_session.client("lambda")
- my_lambda_client.update_function_code(
- FunctionName=my_lambda_arn, S3Bucket=code_bucket_name, S3Key=s3_dst, Publish=True
- )
- print(f"[{my_session.region_name}]: Lambda code updated.")
+ print(f"[{my_session.region_name}]: Publishing Lambda code...")
+ my_lambda_client = my_session.client("lambda")
+ my_lambda_client.update_function_code(
+ FunctionName=my_lambda_arn, S3Bucket=code_bucket_name, S3Key=s3_dst, Publish=True
+ )
+ print(f"[{my_session.region_name}]: Lambda code updated.")
 except ClientError as e:
 # If we're in the exception, the stack does not exist and we should create it.
 print(f"[{my_session.region_name}]: Creating CloudFormation Stack for " + rule_name)
@@ -2094,9 +2140,25 @@ def deploy(self):
 if cfn_tags is not None and len(cfn_tags) > 0:
 self.__tag_config_rule(rule_name, cfn_tags, my_session)
- print(f"[{my_session.region_name}]: Config deploy complete.")
+ def __get_cloudformation_guard_stack(self, rule_name):
+ # create json of CFN template
+ rule = os.path.join(os.getcwd(), rules_dir, rule_name, "rule_code.guard")
+ policy_text_list = []
+ for l in open(rule, "r").readlines():
+ l = l.replace('\n', '')
+ policy_text_list.append('"' + l + '"')
+ cfn_template = os.path.join(path.dirname(__file__), "template", "configRuleCloudformationGuard.json")
+ cfn_body = []
+ with open(cfn_template) as f:
+ for line in f.readlines():
+ replaced = line.replace("<%PolicyText%>", ",\n".join(policy_text_list))
+ cfn_body.append(replaced)
+ template_body = "\n".join(cfn_body)
+ # for debugging
+ # print(template_body)
+ json_body = json.loads(template_body)
+ return json_body
- return 0
 def deploy_organization(self):
 self.__parse_deploy_organization_args()
@@ -3101,6 +3163,26 @@ def __create_dotnet_rule(self):
 else:
 shutil.copytree(src, dst)
+ def __create_cloudformation_guard_rule(self):
+ src = os.path.join(path.dirname(__file__), "template", "runtime", "cloudformation-guard2.0", "rule_code.guard")
+ dst = os.path.join(os.getcwd(), rules_dir, self.args.rulename, "rule_code.guard")
+ shutil.copyfile(src, dst)
+ f = fileinput.input(files=dst, inplace=True)
+ for line in f:
+ if self.args.resource_types:
+ applicable_resource_list = ",".join(["'" + typ + "'" for typ in self.args.resource_types.split(",")])
+ print(
+ line.replace("<%RuleName%>", self.args.rulename)
+ .replace(
+ "<%ApplicableResources%>",
+ " when resourceType IN [" + applicable_resource_list + "]",
+ ),
+ end="",
+ )
+ else:
+ print(line.replace("<%RuleName%>", self.args.rulename), end="")
+ f.close()
+
 def __print_log_event(self, event):
 time_string = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(event["timestamp"] / 1000))
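Review bot: The end-of-deploy `print(f"[{my_session.region_name}]: Config deploy complete.")` and `return 0` are lost here: the new method is inserted where they stood and neither this nor any later patch in the series puts them back (patch 3 only deletes the helper again), so the completion message disappears and deploy now returns None; if a caller uses that value as an exit status, that is a behaviour change. Restore the two lines directly after the `self.__tag_config_rule(rule_name, cfn_tags, my_session)` call and place the new method after them. `__get_cloudformation_guard_stack` is not called anywhere in the series, and `for l in open(rule, "r").readlines():` never closes the file; if the helper is kept it should read the rule under `with open(rule) as fh:`. The body of deploy starts outside the hunk.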
@@ -3308,6 +3390,14 @@ def __parse_rule_args(self, is_required):
 print("You must specify either a resource type trigger or a maximum frequency.")
 sys.exit(1)
+ if is_required and self.args.runtime == "cloudformation-guard2.0":
+ if self.args.maximum_frequency:
+ print("maximum frequency can not be used on a cloudformation-guard policy rule.")
+ sys.exit(1)
+ if not self.args.resource_types:
+ print("You must specify either a resource type for cloudformation-guard policy.")
+ sys.exit(1)
+
 if self.args.input_parameters:
 try:
 print(self.args.input_parameters)
diff --git a/rdk/template/runtime/cloudformation-guard2.0/rule_code.guard b/rdk/template/runtime/cloudformation-guard2.0/rule_code.guard
new file mode 100644
index 00000000..811f13ec
--- /dev/null
+++ b/rdk/template/runtime/cloudformation-guard2.0/rule_code.guard
@@ -0,0 +1,3 @@
+rule <%RuleName%><%ApplicableResources%> {
+ # Add your custom logic here
+}
\ No newline at end of file
From b6f82cffb20d9ddbfeb8b745482d4100b6da49a1 Mon Sep 17 00:00:00 2001
From: steven-l
Date: Sat, 20 Aug 2022 23:47:43 +0800
Subject: [PATCH 2/6] format code
---
 rdk/rdk.py | 177 ++++++++++++++++++++++++++---------------------------
 1 file changed, 88 insertions(+), 89 deletions(-)
diff --git a/rdk/rdk.py b/rdk/rdk.py
index 3c654bdb..87060b22 100644
--- a/rdk/rdk.py
+++ b/rdk/rdk.py
@@ -1908,95 +1908,7 @@ def deploy(self): print(f"[{my_session.region_name}]: Found Custom Rule.") - if source_runtime != "cloudformation-guard2.0": - s3_src = "" - s3_dst = self.__upload_function_code(rule_name, rule_params, account_id, my_session, code_bucket_name) - - # create CFN Parameters for Custom Rules - lambdaRoleArn = "" - if self.args.lambda_role_arn: - print(f"[{my_session.region_name}]: Existing IAM Role provided: " + self.args.lambda_role_arn) - lambdaRoleArn = self.args.lambda_role_arn - elif self.args.lambda_role_name: - print(f"[{my_session.region_name}]: Building IAM Role ARN from Name: " + self.args.lambda_role_name) - arn = f"arn:{partition}:iam::{account_id}:role/{self.args.lambda_role_name}" - lambdaRoleArn = arn - - if self.args.boundary_policy_arn: - print(f"[{my_session.region_name}]: Boundary Policy provided: " + self.args.boundary_policy_arn) - boundaryPolicyArn = self.args.boundary_policy_arn - else: - boundaryPolicyArn = "" - - my_params = [ - { - "ParameterKey": "RuleName", - "ParameterValue": rule_name, - }, - { - "ParameterKey": "RuleLambdaName", - "ParameterValue": self.__get_lambda_name(rule_name, rule_params), - }, - { - "ParameterKey": "Description", - "ParameterValue": rule_description, - }, - { - "ParameterKey": "LambdaRoleArn", - "ParameterValue": lambdaRoleArn, - }, - { - "ParameterKey": "BoundaryPolicyArn", - "ParameterValue": boundaryPolicyArn, - }, - { - "ParameterKey": "SourceBucket", - "ParameterValue": code_bucket_name, - }, - { - "ParameterKey": "SourcePath", - "ParameterValue": s3_dst, - }, - { - "ParameterKey": "SourceRuntime", - "ParameterValue": self.__get_runtime_string(rule_params), - }, - { - "ParameterKey": "SourceEvents", - "ParameterValue": source_events, - }, - { - "ParameterKey": "SourcePeriodic", - "ParameterValue": source_periodic, - }, - { - "ParameterKey": "SourceInputParameters", - "ParameterValue": json.dumps(combined_input_parameters), - }, - {"ParameterKey": "SourceHandler", "ParameterValue": 
self.__get_handler(rule_name, rule_params)}, - {"ParameterKey": "Timeout", "ParameterValue": str(self.args.lambda_timeout)}, - ] - layers = self.__get_lambda_layers(my_session, self.args, rule_params) - - if self.args.lambda_layers: - additional_layers = self.args.lambda_layers.split(",") - layers.extend(additional_layers) - - if layers: - my_params.append({"ParameterKey": "Layers", "ParameterValue": ",".join(layers)}) - - if self.args.lambda_security_groups and self.args.lambda_subnets: - my_params.append( - {"ParameterKey": "SecurityGroupIds", "ParameterValue": self.args.lambda_security_groups} - ) - my_params.append({"ParameterKey": "SubnetIds", "ParameterValue": self.args.lambda_subnets}) - - # create json of CFN template - cfn_body = os.path.join(path.dirname(__file__), "template", "configRule.json") - template_body = open(cfn_body, "r").read() - json_body = json.loads(template_body) - - else: # update policy rule + if source_runtime == "cloudformation-guard2.0": print(f"[{my_session.region_name}]: Updating policy rule for " + rule_name) policy = os.path.join(os.getcwd(), rules_dir, rule_name, "rule_code.guard") my_cfg = my_session.client("config") 
@@ -2034,6 +1946,93 @@ def deploy(self): print(f"[{my_session.region_name}]: Update done.") return + s3_src = "" + s3_dst = self.__upload_function_code(rule_name, rule_params, account_id, my_session, code_bucket_name) + + # create CFN Parameters for Custom Rules + lambdaRoleArn = "" + if self.args.lambda_role_arn: + print(f"[{my_session.region_name}]: Existing IAM Role provided: " + self.args.lambda_role_arn) + lambdaRoleArn = self.args.lambda_role_arn + elif self.args.lambda_role_name: + print(f"[{my_session.region_name}]: Building IAM Role ARN from Name: " + self.args.lambda_role_name) + arn = f"arn:{partition}:iam::{account_id}:role/{self.args.lambda_role_name}" + lambdaRoleArn = arn + + if self.args.boundary_policy_arn: + print(f"[{my_session.region_name}]: Boundary Policy provided: " + self.args.boundary_policy_arn) + boundaryPolicyArn = self.args.boundary_policy_arn + else: + boundaryPolicyArn = "" + + my_params = [ + { + "ParameterKey": "RuleName", + "ParameterValue": rule_name, + }, + { + "ParameterKey": "RuleLambdaName", + "ParameterValue": self.__get_lambda_name(rule_name, rule_params), + }, + { + "ParameterKey": "Description", + "ParameterValue": rule_description, + }, + { + "ParameterKey": "LambdaRoleArn", + "ParameterValue": lambdaRoleArn, + }, + { + "ParameterKey": "BoundaryPolicyArn", + "ParameterValue": boundaryPolicyArn, + }, + { + "ParameterKey": "SourceBucket", + "ParameterValue": code_bucket_name, + }, + { + "ParameterKey": "SourcePath", + "ParameterValue": s3_dst, + }, + { + "ParameterKey": "SourceRuntime", + "ParameterValue": self.__get_runtime_string(rule_params), + }, + { + "ParameterKey": "SourceEvents", + "ParameterValue": source_events, + }, + { + "ParameterKey": "SourcePeriodic", + "ParameterValue": source_periodic, + }, + { + "ParameterKey": "SourceInputParameters", + "ParameterValue": json.dumps(combined_input_parameters), + }, + {"ParameterKey": "SourceHandler", "ParameterValue": self.__get_handler(rule_name, rule_params)}, + 
{"ParameterKey": "Timeout", "ParameterValue": str(self.args.lambda_timeout)}, + ] + layers = self.__get_lambda_layers(my_session, self.args, rule_params) + + if self.args.lambda_layers: + additional_layers = self.args.lambda_layers.split(",") + layers.extend(additional_layers) + + if layers: + my_params.append({"ParameterKey": "Layers", "ParameterValue": ",".join(layers)}) + + if self.args.lambda_security_groups and self.args.lambda_subnets: + my_params.append( + {"ParameterKey": "SecurityGroupIds", "ParameterValue": self.args.lambda_security_groups} + ) + my_params.append({"ParameterKey": "SubnetIds", "ParameterValue": self.args.lambda_subnets}) + + # create json of CFN template + cfn_body = os.path.join(path.dirname(__file__), "template", "configRule.json") + template_body = open(cfn_body, "r").read() + json_body = json.loads(template_body) + remediation = "" if "Remediation" in rule_params: remediation = self.__create_remediation_cloudformation_block(rule_params["Remediation"]) From b32012ed703159e5544e77c9b672d639036f94a0 Mon Sep 17 00:00:00 2001 From: steven-l Date: Sat, 20 Aug 2022 23:49:16 +0800 Subject: [PATCH 3/6] format code --- rdk/rdk.py | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/rdk/rdk.py b/rdk/rdk.py index 87060b22..9303284d 100644 --- a/rdk/rdk.py +++ b/rdk/rdk.py 
@@ -2139,25 +2139,6 @@ def deploy(self):
 if cfn_tags is not None and len(cfn_tags) > 0:
 self.__tag_config_rule(rule_name, cfn_tags, my_session)
- def __get_cloudformation_guard_stack(self, rule_name):
- # create json of CFN template
- rule = os.path.join(os.getcwd(), rules_dir, rule_name, "rule_code.guard")
- policy_text_list = []
- for l in open(rule, "r").readlines():
- l = l.replace('\n', '')
- policy_text_list.append('"' + l + '"')
- cfn_template = os.path.join(path.dirname(__file__), "template", "configRuleCloudformationGuard.json")
- cfn_body = []
- with open(cfn_template) as f:
- for line in f.readlines():
- replaced = line.replace("<%PolicyText%>", ",\n".join(policy_text_list))
- cfn_body.append(replaced)
- template_body = "\n".join(cfn_body)
- # for debugging
- # print(template_body)
- json_body = json.loads(template_body)
- return json_body
-
 def deploy_organization(self):
 self.__parse_deploy_organization_args()
From 9009cd990e7c29181f8871dca12d97c49e3e0eb9 Mon Sep 17 00:00:00 2001
From: steven-l
Date: Sat, 20 Aug 2022 23:50:39 +0800
Subject: [PATCH 4/6] format code
---
 rdk/rdk.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/rdk/rdk.py b/rdk/rdk.py
index 9303284d..7fe595a7 100644
--- a/rdk/rdk.py
+++ b/rdk/rdk.py
@@ -2108,15 +2108,14 @@ def deploy(self):
 else:
 raise
- if source_runtime != "cloudformation-guard2.0":
- my_lambda_arn = self.__get_lambda_arn_for_stack(my_stack_name)
+ my_lambda_arn = self.__get_lambda_arn_for_stack(my_stack_name)
- print(f"[{my_session.region_name}]: Publishing Lambda code...")
- my_lambda_client = my_session.client("lambda")
- my_lambda_client.update_function_code(
- FunctionName=my_lambda_arn, S3Bucket=code_bucket_name, S3Key=s3_dst, Publish=True
- )
- print(f"[{my_session.region_name}]: Lambda code updated.")
+ print(f"[{my_session.region_name}]: Publishing Lambda code...")
+ my_lambda_client = my_session.client("lambda")
+ my_lambda_client.update_function_code(
+ FunctionName=my_lambda_arn, S3Bucket=code_bucket_name, S3Key=s3_dst, Publish=True
+ )
+ print(f"[{my_session.region_name}]: Lambda code updated.")
 except ClientError as e:
 # If we're in the exception, the stack does not exist and we should create it.
 print(f"[{my_session.region_name}]: Creating CloudFormation Stack for " + rule_name)
From 11ab514382c0914d343837e1e52761b383607177 Mon Sep 17 00:00:00 2001
From: steven-l
Date: Sat, 20 Aug 2022 23:53:28 +0800
Subject: [PATCH 5/6] update error msg
---
 rdk/rdk.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rdk/rdk.py b/rdk/rdk.py
index 7fe595a7..1ff9d4bc 100644
--- a/rdk/rdk.py
+++ b/rdk/rdk.py
@@ -3371,10 +3371,10 @@ def __parse_rule_args(self, is_required):
 if is_required and self.args.runtime == "cloudformation-guard2.0":
 if self.args.maximum_frequency:
- print("maximum frequency can not be used on a cloudformation-guard policy rule.")
+ print("maximum frequency can not be used on a custom policy rule.")
 sys.exit(1)
 if not self.args.resource_types:
- print("You must specify either a resource type for cloudformation-guard policy.")
+ print("You must specify a resource type for a custom policy rule.")
 sys.exit(1)
 if self.args.input_parameters:
From 79c91b9a93b6e91c94f4f1e4682ce019657f9ed4 Mon Sep 17 00:00:00 2001
From: steven-l
Date: Sun, 21 Aug 2022 00:08:43 +0800
Subject: [PATCH 6/6] fix create template
---
 rdk/rdk.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rdk/rdk.py b/rdk/rdk.py
index 1ff9d4bc..146b38f7 100644
--- a/rdk/rdk.py
+++ b/rdk/rdk.py
@@ -3149,17 +3149,18 @@ def __create_cloudformation_guard_rule(self):
 f = fileinput.input(files=dst, inplace=True)
 for line in f:
 if self.args.resource_types:
- applicable_resource_list = ",".join(["'" + typ + "'" for typ in self.args.resource_types.split(",")])
+ rule_name = self.args.rulename.replace("-", "_")
+ resource_types = ",".join(["'" + typ + "'" for typ in self.args.resource_types.split(",")])
 print(
- line.replace("<%RuleName%>", self.args.rulename)
+ line.replace("<%RuleName%>", rule_name)
 .replace(
 "<%ApplicableResources%>",
- " when resourceType IN [" + applicable_resource_list + "]",
+ " when resourceType IN [" + resource_types + "]",
 ),
 end="",
 )
 else:
- print(line.replace("<%RuleName%>", self.args.rulename), end="")
+ print(line.replace("<%RuleName%>", rule_name), end="")
 f.close()
 def __print_log_event(self, event):
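Review bot: `rule_name` is assigned only inside the `if self.args.resource_types:` branch, so the `else` branch's `print(line.replace("<%RuleName%>", rule_name), end="")` raises UnboundLocalError; `__parse_rule_args` rejects a guard rule without resource types when `is_required` is set, which is presumably why this has not surfaced, but the branch should still be sound. Move `rule_name = self.args.rulename.replace("-", "_")` above `for line in f:` (it does not depend on the line and is recomputed per iteration as written), and make the else branch also clear the placeholder, `print(line.replace("<%RuleName%>", rule_name).replace("<%ApplicableResources%>", ""), end="")`, since otherwise the literal `<%ApplicableResources%>` is written into the generated rule_code.guard. The function's header and the `src`/`dst` setup are outside the hunk.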