From ab42796af5dcb9d1fc99b29b20134533ce9481ba Mon Sep 17 00:00:00 2001
From: Corey Cole <3700879+corey-cole@users.noreply.github.com>
Date: Sun, 1 May 2022 12:11:12 -0700
Subject: [PATCH 1/2] #241 First pass at CloudFormation parameter validation
---
 .../check-wellformed-parameters-tests.yaml | 30 +++++++++++++++++++
 .../check-wellformed-parameters.guard | 20 +++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 guard-examples/external-cfn-parameters/check-wellformed-parameters-tests.yaml
 create mode 100644 guard-examples/external-cfn-parameters/check-wellformed-parameters.guard
diff --git a/guard-examples/external-cfn-parameters/check-wellformed-parameters-tests.yaml b/guard-examples/external-cfn-parameters/check-wellformed-parameters-tests.yaml
new file mode 100644
index 000000000..26fc55d54
--- /dev/null
+++ b/guard-examples/external-cfn-parameters/check-wellformed-parameters-tests.yaml
@@ -0,0 +1,30 @@
+---
+- name: DoesNotApplyToEmptyFiles
+ input: []
+ expectations:
+ rules:
+ has_correct_keys: SKIP
+- name: FindsRequiredKeys
+ input: [
+ {"ParameterKey": "pIgnore", "ParameterValue": "arn:aws:s3:::bucket_name/key_name"}
+ ]
+ expectations:
+ rules:
+ has_correct_keys: PASS
+ has_likely_valid_arn: PASS
+- name: FindsMalformedArn
+ input: [
+ {"ParameterKey": "pIgnore", "ParameterValue": "arn:aws:foo:bar:baz"}
+ ]
+ expectations:
+ rules:
+ has_correct_keys: PASS
+ has_likely_valid_arn: FAIL
+- name: ChecksForMissingKeys
+ input: [
+ {"ParameterKey": "pIgnore", "ParmeterValue": "arn:aws:s3:::bucket_name/key_name"}
+ ]
+ expectations:
+ rules:
+ has_correct_keys: FAIL
+ has_likely_valid_arn: SKIP
diff --git a/guard-examples/external-cfn-parameters/check-wellformed-parameters.guard b/guard-examples/external-cfn-parameters/check-wellformed-parameters.guard
new file mode 100644
index 000000000..5beda9872
--- /dev/null
+++ b/guard-examples/external-cfn-parameters/check-wellformed-parameters.guard
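Review bot: Every ARN the new cases expect to PASS has empty region and account segments (`arn:aws:s3:::bucket_name/key_name`), and the single FAIL case `arn:aws:foo:bar:baz` fails only because it has too few colon-separated segments, so the sibling `.guard` rule's handling of populated segments and of non-default partitions is never exercised. An additional case along the lines of `{"ParameterKey": "pRole", "ParameterValue": "arn:aws-us-gov:iam::123456789012:role/example"}` (constructed values) expecting `has_likely_valid_arn: PASS` would document the intended scope of the validation and show whether hyphenated partition or service names are accepted. The `ParmeterValue` misspelling in `ChecksForMissingKeys` is evidently deliberate; a one-line comment such as `# key deliberately misspelled to simulate a missing ParameterValue` would stop a later cleanup from "fixing" it.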
@@ -0,0 +1,20 @@
+let all_parameters = this[*]
+let arn_parameters = this[ParameterValue == /^arn:aws/]
+
+rule has_correct_keys when %all_parameters !empty {
+ %all_parameters[*] {
+ ParameterKey exists
+ ParameterValue exists
+ << Required keys exist >>
+ }
+}
+
+# Check that parameters that contain an ARN value conform to
+# defined ARN format:
+# arn:partition:service:region:namespace:relative-id
+rule has_likely_valid_arn when %arn_parameters !empty {
+ %arn_parameters.ParameterValue {
+ this == /^arn:\w+:\w+:[^:]*:[^:]*:\S+$/
+ << ARN parameter appears valid >>
+ }
+}
\ No newline at end of file
From 675bb874ea7f759fa87bd8ae5f68622959eea9dc Mon Sep 17 00:00:00 2001
From: Corey Cole <3700879+corey-cole@users.noreply.github.com>
Date: Sun, 1 May 2022 13:05:25 -0700
Subject: [PATCH 2/2] #241 Updated to include unsupported keys
---
 .../check-wellformed-parameters-tests.yaml | 9 +++++++++
 .../check-wellformed-parameters.guard | 2 ++
 2 files changed, 11 insertions(+)
diff --git a/guard-examples/external-cfn-parameters/check-wellformed-parameters-tests.yaml b/guard-examples/external-cfn-parameters/check-wellformed-parameters-tests.yaml
index 26fc55d54..517ef152c 100644
--- a/guard-examples/external-cfn-parameters/check-wellformed-parameters-tests.yaml
+++ b/guard-examples/external-cfn-parameters/check-wellformed-parameters-tests.yaml
@@ -4,6 +4,7 @@
 expectations:
 rules:
 has_correct_keys: SKIP
+ has_likely_valid_arn: SKIP
 - name: FindsRequiredKeys
 input: [
 {"ParameterKey": "pIgnore", "ParameterValue": "arn:aws:s3:::bucket_name/key_name"}
@@ -12,6 +13,14 @@
 rules:
 has_correct_keys: PASS
 has_likely_valid_arn: PASS
+- name: FindsUnsupportedKeys
+ input: [
+ {"ParameterKey": "pIgnore", "ParameterValue": "whatever", "UsePreviousValue": "true"}
+ ]
+ expectations:
+ rules:
+ has_correct_keys: FAIL
+ has_likely_valid_arn: SKIP
 - name: FindsMalformedArn
 input: [
 {"ParameterKey": "pIgnore", "ParameterValue": "arn:aws:foo:bar:baz"}
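Review bot: The regex on the `this ==` line, `/^arn:\w+:\w+:[^:]*:[^:]*:\S+$/`, admits only word characters in the partition and service segments, while the `arn_parameters` filter `/^arn:aws/` also selects values from the `aws-cn` and `aws-us-gov` partitions, so a well-formed GovCloud ARN, or one for a hyphenated service such as `execute-api` (constructed examples), is reported by `has_likely_valid_arn` as malformed. Widening the first two segments to `this == /^arn:[\w-]+:[\w-]+:[^:]*:[^:]*:\S+$/` keeps the structural check without those false failures. Separately, the `<< ... >>` text is what Guard prints for a clause that fails, so `<< ARN parameter appears valid >>` and `<< Required keys exist >>` describe the opposite of the condition being reported; `<< ParameterValue is not a well-formed ARN >>` and `<< ParameterKey and ParameterValue are required >>` would read correctly in the output. The format comment above the rule names the fifth segment `namespace`, whereas AWS documents it as the account id, so `#     arn:partition:service:region:account-id:resource-id` would match what readers expect.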
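Review bot: The `FindsUnsupportedKeys` case in the second hunk carries only `UsePreviousValue`, so the companion `ResolvedValue not exists` clause added to the `.guard` file in this series has no case that fails because of it, and a regression in that clause would go unnoticed. A second case that supplies `ResolvedValue` on its own would pin both clauses independently; a suggested shape follows. Also, `"UsePreviousValue": "true"` is a string here while the field is usually written as a boolean in a parameter file; it makes no difference to an `exists` check, but a boolean `true` would keep the fixture representative of real input.
```yaml
# … unchanged: FindsUnsupportedKeys case …
- name: FindsResolvedValueKey
  input: [
    {"ParameterKey": "pIgnore", "ParameterValue": "whatever", "ResolvedValue": "whatever"}
  ]
  expectations:
    rules:
      has_correct_keys: FAIL
      has_likely_valid_arn: SKIP
```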
diff --git a/guard-examples/external-cfn-parameters/check-wellformed-parameters.guard b/guard-examples/external-cfn-parameters/check-wellformed-parameters.guard
index 5beda9872..ac35fab25 100644
--- a/guard-examples/external-cfn-parameters/check-wellformed-parameters.guard
+++ b/guard-examples/external-cfn-parameters/check-wellformed-parameters.guard
@@ -6,6 +6,8 @@ rule has_correct_keys when %all_parameters !empty {
 ParameterKey exists
 ParameterValue exists
 << Required keys exist >>
+ UsePreviousValue not exists
+ ResolvedValue not exists
 }
 }
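Review bot: The two `not exists` clauses are appended after `<< Required keys exist >>`, and a Guard custom message attaches to the clause immediately before it, so as far as the hunk shows an entry rejected for carrying `UsePreviousValue` or `ResolvedValue` is reported with no message, while the message that is present describes the success condition rather than the failure. Giving the new clauses their own message, `<< UsePreviousValue and ResolvedValue are not accepted in a parameter file >>` placed after `ResolvedValue not exists`, or moving them into a separate rule such as `has_no_unsupported_keys`, would make the failure output say what went wrong and let the test file assert on the two conditions independently. A comment stating why these keys are rejected is also missing; the commit subject calls them unsupported, presumably because they only carry meaning in a live stack create/update call rather than in a static parameter file — confirm before documenting. The opening lines of the `has_correct_keys` rule lie outside the hunk.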