@@ -114,35 +114,54 @@ jobs:
114114 node_modules
115115 .git
116116
117- - name : Check for CloudFormation templates
118- id : check_cfn_templates
117+ - name : Check for SAM templates
118+ id : check_sam_templates
119119 run : |
120- if [ -d "cloudformation" ] || [ -d " SAMtemplates" ]; then
121- echo "exists =true" >> $GITHUB_OUTPUT
120+ if [ -d "SAMtemplates" ]; then
121+ echo "sam_exists =true" >> $GITHUB_OUTPUT
122122 else
123- echo "exists =false" >> $GITHUB_OUTPUT
123+ echo "sam_exists =false" >> $GITHUB_OUTPUT
124124 fi
125125
126- - name : Install cfn-lint
127- if : steps.check_cfn_templates.outputs.exists == 'true'
128- run : pip install cfn-lint
126+ - name : Check for cloudformation templates
127+ id : check_cf_templates
128+ run : |
129+ if [ -d "cloudformation" ]; then
130+ echo "cf_exists=true" >> $GITHUB_OUTPUT
131+ else
132+ echo "cf_exists=false" >> $GITHUB_OUTPUT
133+ fi
134+
135+ - name : Check for cdk
136+ id : check_cdk
137+ run : |
138+ if [ -d "packages/cdk" ]; then
139+ echo "cdk_exists=true" >> $GITHUB_OUTPUT
140+ else
141+ echo "cdk_exists=false" >> $GITHUB_OUTPUT
142+ fi
129143
130144 - name : Run cfn-lint
131- if : steps.check_cfn_templates .outputs.exists == 'true'
145+ if : steps.check_sam_templates.outputs.exists == 'true' || steps.check_cf_templates .outputs.exists == 'true'
132146 run : |
147+ pip install cfn-lint
133148 cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
134149 cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
135150
136151 - name : Run unit tests
137152 run : make test
138-
153+
154+ - name : Run cdk-synth
155+ if : steps.check_cdk.outputs.exists == 'true'
156+ run : |
157+ make cdk-synth
158+
139159 - name : Install AWS SAM CLI
140- if : steps.check_cfn_templates .outputs.exists == 'true'
160+ if : steps.check_sam_templates .outputs.exists == 'true'
141161 run : |
142162 pip install aws-sam-cli
143163
144- - name : Run cfn-guard script
145- if : steps.check_cfn_templates.outputs.exists == 'true'
164+ - name : Init cfn-guard
146165 run : |
147166 #!/usr/bin/env bash
148167 set -eou pipefail
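Review bot: The three new check steps publish `sam_exists`, `cf_exists` and `cdk_exists`, but the `if:` conditions on Run cfn-lint, Run cdk-synth and Install AWS SAM CLI read `steps.<id>.outputs.exists`, an output no step writes, so each expression compares an empty string with `'true'` and those steps are silently skipped on every run — the template linting gate is disabled without any visible failure. Since step outputs are already namespaced by step id, the smallest fix is to write the unprefixed name in each check step, `echo "exists=true" >> $GITHUB_OUTPUT` and `echo "exists=false" >> $GITHUB_OUTPUT`, which also matches the conditions used by the later cfn-guard steps; renaming the conditions instead works equally well. The unchanged `cfn-lint … | awk` lines have a related weakness: unless a `defaults.run.shell: bash` is set earlier in the file, the step runs under `bash -e` without `pipefail`, so the pipeline's status is awk's and lint errors only print rather than fail the job; `set -o pipefail` at the top of that `run` block would make the gate enforce.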
@@ -157,6 +176,12 @@ jobs:
157176
158177 mkdir -p cfn_guard_output
159178
179+ - name : Run cfn-guard script for sam templates
180+ if : steps.check_sam_templates.outputs.exists == 'true'
181+ run : |
182+ #!/usr/bin/env bash
183+ set -eou pipefail
184+
160185 declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
161186 for ruleset in "${rulesets[@]}"
162187 do
@@ -176,7 +201,39 @@ jobs:
176201 done < <(find ./SAMtemplates -name '*.y*ml' -print0)
177202 done
178203
179- rm -rf /tmp/ruleset
204+ - name : Run cfn-guard script for cloudformation templates
205+ if : steps.check_cf_templates.outputs.exists == 'true'
206+ run : |
207+ #!/usr/bin/env bash
208+
209+ declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
210+ for ruleset in "${rulesets[@]}"
211+ do
212+ echo "Checking all templates in cloudformation folder with ruleest $ruleset"
213+
214+ ~/.guard/bin/cfn-guard validate \
215+ --data cloudformation \
216+ --rules "/tmp/ruleset/output/$ruleset.guard" \
217+ --show-summary fail \
218+ > "cfn_guard_output/cloudformation_$ruleset.txt"
219+ done
220+
221+ - name : Run cfn-guard script for cdk templates
222+ if : steps.check_cdk.outputs.exists == 'true'
223+ run : |
224+ #!/usr/bin/env bash
225+
226+ declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
227+ for ruleset in "${rulesets[@]}"
228+ do
229+ echo "Checking all templates in cdk.out folder with ruleest $ruleset"
230+
231+ ~/.guard/bin/cfn-guard validate \
232+ --data cdk.out \
233+ --rules "/tmp/ruleset/output/$ruleset.guard" \
234+ --show-summary fail \
235+ > "cfn_guard_output/cdk.out_$ruleset.txt"
236+ done
180237
181238 - name : Show cfn-guard output
182239 if : failure()
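Review bot: The new cfn-guard steps for the cloudformation and cdk templates omit the `set -eou pipefail` that the SAM step and the init script begin with, so they run under the job's default `bash -e` alone and differ from their siblings for no stated reason; add `set -eou pipefail` after the shebang in both so all three guard scripts fail the same way. The cdk step validates `--data cdk.out` at the repository root although the cdk check only tests for `packages/cdk`; presumably `make cdk-synth` (outside this hunk) emits `cdk.out` at the root — worth confirming, since a missing directory is likely to make cfn-guard error rather than validate anything. A synthesized `cdk.out` also contains `manifest.json`, `tree.json` and asset files that are not templates, so check that cfn-guard skips or tolerates them, or pass the `*.template.json` files individually the way the SAM step iterates `find` results. Both progress messages spell `ruleest`; `ruleset` is meant. Their `if:` conditions also read `outputs.exists` while the check steps set `cf_exists` and `cdk_exists`, so as written neither step runs until that mismatch is fixed.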