From 93a4e9e1205987c6313fc1b00a50adb39e33d2dd Mon Sep 17 00:00:00 2001
From: p_magyar
Date: Sat, 27 Jul 2024 09:04:26 +0200
Subject: [PATCH 1/2] added examples for "Parameter" rules
---
 .../check-default-parameters-tests.yaml | 78 +++++++++++++++++++
 .../check-default-parameters.guard | 44 +++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 guard-examples/parameter-schemas/check-default-parameters-tests.yaml
 create mode 100644 guard-examples/parameter-schemas/check-default-parameters.guard
diff --git a/guard-examples/parameter-schemas/check-default-parameters-tests.yaml b/guard-examples/parameter-schemas/check-default-parameters-tests.yaml
new file mode 100644
index 000000000..4e28e4077
--- /dev/null
+++ b/guard-examples/parameter-schemas/check-default-parameters-tests.yaml
@@ -0,0 +1,78 @@
+---
+- input:
+ Parameters: {}
+ expectations:
+ rules:
+ assert_default_parameters_exists: SKIP
+ assert_default_parameter_configuration: SKIP
+ assert_ConstraintDescription: SKIP
+- input:
+ Description: "Test if default parameters exists PASS"
+ Parameters:
+ Parameter1: {}
+ Parameter2: {}
+ Stage: {}
+ expectations:
+ rules:
+ assert_default_parameters_exists: PASS
+ assert_default_parameter_configuration: FAIL
+ assert_ConstraintDescription: SKIP
+- input:
+ Description: "Test if default parameters exists FAILED "
+ Parameters:
+ Parameter1: {}
+ Parameter3: {}
+ Stage: {}
+ expectations:
+ rules:
+ assert_default_parameters_exists: FAIL
+ assert_default_parameter_configuration: SKIP
+ assert_ConstraintDescription: SKIP
+- input:
+ Description: "correct Parameter configuration"
+ Parameters:
+ Parameter1:
+ Description: 'Parameter1'
+ Type: String
+ AllowedPattern: '[a-z0-9]+'
+ ConstraintDescription: "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
+ Parameter2:
+ Description: 'Parameter2'
+ Type: String
+ AllowedPattern: '[a-z0-9]+'
+ ConstraintDescription: "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
+ Stage:
+ Type: String
+ Description: 'Stage setting'
+ AllowedValues:
+ - stage1
+ - stage2
+ - stage3
+ expectations:
+ rules:
+ assert_default_parameters_exists: PASS
+ assert_default_parameter_configuration: PASS
+ assert_ConstraintDescription: PASS
+- input:
+ Description: "wrong configuration Parameter1 (Missing Type and ConstraintDescription)"
+ Parameters:
+ Parameter1:
+ Description: 'Parameter1'
+ AllowedPattern: '[a-z0-9]+'
+ Parameter2:
+ Description: 'Parameter2'
+ Type: String
+ AllowedPattern: '[a-z0-9]+'
+ ConstraintDescription: "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
+ Stage:
+ Type: String
+ Description: 'Stage setting'
+ AllowedValues:
+ - stage1
+ - stage2
+ - stage3
+ expectations:
+ rules:
+ assert_default_parameters_exists: PASS
+ assert_default_parameter_configuration: FAIL
+ assert_ConstraintDescription: FAIL
diff --git a/guard-examples/parameter-schemas/check-default-parameters.guard b/guard-examples/parameter-schemas/check-default-parameters.guard
new file mode 100644
index 000000000..d272d7ac2
--- /dev/null
+++ b/guard-examples/parameter-schemas/check-default-parameters.guard
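Review bot: None of the five cases exercises the `exclude` list of the guard file this fixture tests, so the `when Description not in %exclude` branch of `assert_default_parameters_exists` has no coverage and an exclusion pattern that never matches would go unnoticed. Add a case whose Description carries one of the excluded prefixes and expects SKIP for all three rules, mirroring the first case where the rule's `when` clause is not satisfied. If that case reports FAIL instead of SKIP, the exclusion pattern is not matching the description the way the guard file's comment says it should. The description value below is a constructed sample.
```yaml
# … unchanged: existing five cases …
- input:
    # constructed sample; should match the third entry of `exclude`
    Description: "(SO0006) - Security Automations for AWS WAF: sample"
    Parameters: {}
  expectations:
    rules:
      assert_default_parameters_exists: SKIP
      assert_default_parameter_configuration: SKIP
      assert_ConstraintDescription: SKIP
```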
@@ -0,0 +1,44 @@
+# This ruleset checks if Parameters are configured correctly.
+# It is usefull if you must have the same parameters in multiple templates (e.g. for tagging or name schema)
+
+# Exception that proves the rule. ;D Maybe you have templates which does not need those parameters. In this scenario we have the cloudformation templates from https://github.com/aws-solutions/aws-waf-security-automations in our template dir. The exlude list is based of the template description. You can use Metadata or other ways as well.
+let exclude = [
+ /(SO0006-FA) - Security Automations for AWS WAF - FA:/,
+ /(SO0006-WebACL) - Security Automations for AWS WAF:/,
+ /(SO0006) - Security Automations for AWS WAF:/
+ ]
+
+
+# Now we check if our default parameters exists in templates which we have not excluded
+rule assert_default_parameters_exists when Description not in %exclude {
+ Parameters.Parameter1 exists
+ Parameters.Parameter2 exists
+ Parameters.Stage exists
+}
+
+# our default parameters must have always the same configuration
+rule assert_default_parameter_configuration when assert_default_parameters_exists {
+ Parameters.Parameter1 {
+ Description == 'Parameter1'
+ Type == 'String'
+ AllowedPattern == '[a-z0-9]+'
+ ConstraintDescription == "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
+ }
+ Parameters.Parameter2 {
+ Description == 'Parameter2'
+ Type == 'String'
+ AllowedPattern == '[a-z0-9]+'
+ ConstraintDescription == "Invalid input. Allowed Pattern = '[a-z0-9]+'. Parameter must not be empty."
+ }
+ Parameters.Stage {
+ Type == 'String'
+ Description == 'Stage setting'
+ AllowedValues == ['stage1', 'stage2', 'stage3']
+ }
+}
+
+# All parameters with an AllowedPattern must have a ConstraintDescription
+let parameters = some Parameters.*[AllowedPattern exists]
+rule assert_ConstraintDescription when %parameters exists {
+ %parameters.ConstraintDescription exists
+}
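Review bot: The three patterns in `exclude` use unescaped parentheses, so in regex syntax `(SO0006)` is a capture group matching the bare text `SO0006 - Security Automations for AWS WAF:`, not the literal `(SO0006)` that the solution-id notation in these entries suggests. A description that literally reads `(SO0006) - Security Automations for AWS WAF: ...` contains `SO0006) - ...`, which that pattern does not match, so the exclusion would never fire and the templates the comment says are excluded would still be checked by `assert_default_parameters_exists`. If the literal parentheses are intended, escape them in all three entries, e.g. `/\(SO0006-FA\) - Security Automations for AWS WAF - FA:/,`, `/\(SO0006-WebACL\) - Security Automations for AWS WAF:/,` and `/\(SO0006\) - Security Automations for AWS WAF:/`. A one-line comment above the list, `# regex literals: escape ( ) and other metacharacters to match them literally`, would keep the next maintainer from reintroducing this.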
From f5ba47423b1215acf390de769234fd5e69fb103f Mon Sep 17 00:00:00 2001
From: p_magyar
Date: Mon, 19 Aug 2024 11:17:27 +0200
Subject: [PATCH 2/2] fix typos
---
 .../parameter-schemas/check-default-parameters.guard | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/guard-examples/parameter-schemas/check-default-parameters.guard b/guard-examples/parameter-schemas/check-default-parameters.guard
index d272d7ac2..6558c23f5 100644
--- a/guard-examples/parameter-schemas/check-default-parameters.guard
+++ b/guard-examples/parameter-schemas/check-default-parameters.guard
@@ -1,7 +1,7 @@
 # This ruleset checks if Parameters are configured correctly.
-# It is usefull if you must have the same parameters in multiple templates (e.g. for tagging or name schema)
+# It is useful if you must have the same parameters in multiple templates (e.g. for tagging or name schema)
 
-# Exception that proves the rule. ;D Maybe you have templates which does not need those parameters. In this scenario we have the cloudformation templates from https://github.com/aws-solutions/aws-waf-security-automations in our template dir. The exlude list is based of the template description. You can use Metadata or other ways as well.
+# Exception that proves the rule. ;D Maybe you have templates which does not need those parameters. In this scenario we have the cloudformation templates from https://github.com/aws-solutions/aws-waf-security-automations in our template dir. The exclude list is based of the template description. You can use Metadata or other ways as well.
 let exclude = [
 /(SO0006-FA) - Security Automations for AWS WAF - FA:/,
 /(SO0006-WebACL) - Security Automations for AWS WAF:/,