Add guard rule to enforce tag property is not create only (#76)

pultormi · web-flow · commit c2f98e82996e · 2024-12-18T14:44:53.000-08:00
* Add guard rule to enforce tag property is not create only

* Fixed issue in tag018 condition
diff --git a/src/rpdk/guard_rail/rule_library/tags/schema-linter-core-tagging-rules.guard b/src/rpdk/guard_rail/rule_library/tags/schema-linter-core-tagging-rules.guard
@@ -144,6 +144,26 @@ rule ensure_property_tags_exists_v2 when tagging exists {
                 }
                 >>
             }
+            when createOnlyProperties exists {
+                tagging.tagProperty !IN createOnlyProperties
+                <<
+                {
+                    "result": "WARNING",
+                    "check_id": "TAG017",
+                    "message": "`tagProperty` MUST NOT be a part of `createOnlyProperties`"
+                }
+                >>
+                when tagging.tagProperty IN createOnlyProperties {
+                    tagging.tagUpdatable == false
+                    <<
+                    {
+                        "result": "WARNING",
+                        "check_id": "TAG018",
+                        "message": "`tagProperty` MUST NOT be a part of `createOnlyProperties` when `tagUpdatable` is true"
+                    }
+                    >>
+                }
+            }
         }
         tagging.permissions exists
         <<
@@ -161,7 +181,7 @@ rule ensure_property_tags_exists_v2 when tagging exists {
         {
             "result": "NON_COMPLIANT",
             "check_id": "TAG016",
-            "message": "`tagging.taggable` MUST be true when Taging Property is defined in the schema"
+            "message": "`tagging.taggable` MUST be true when Tagging Property is defined in the schema"
         }
         >>
     }
diff --git a/tests/integ/data/schema-tag-property-createonly-updatable.json b/tests/integ/data/schema-tag-property-createonly-updatable.json
@@ -0,0 +1,16 @@
+{
+    "properties": {
+        "Tags": {},
+        "Arn": {}
+    },
+    "createOnlyProperties": [
+        "/properties/Tags"
+    ],
+    "tagging": {
+        "taggable": true,
+        "tagOnCreate": true,
+        "tagUpdatable": true,
+        "cloudFormationSystemTags": false,
+        "tagProperty": "/properties/Tags"
+    }
+}
diff --git a/tests/integ/data/schema-tag-property-createonly.json b/tests/integ/data/schema-tag-property-createonly.json
@@ -0,0 +1,16 @@
+{
+    "properties": {
+        "Tags": {},
+        "Arn": {}
+    },
+    "createOnlyProperties": [
+        "/properties/Tags"
+    ],
+    "tagging": {
+        "taggable": true,
+        "tagOnCreate": true,
+        "tagUpdatable": false,
+        "cloudFormationSystemTags": false,
+        "tagProperty": "/properties/Tags"
+    }
+}
diff --git a/tests/integ/runner/test_integ_runner.py b/tests/integ/runner/test_integ_runner.py
@@ -285,6 +285,73 @@
             },
             {},
         ),
+        (
+            collect_schemas(
+                schemas=[
+                    "file:/"
+                    + str(
+                        Path(os.path.dirname(os.path.realpath(__file__))).joinpath(
+                            "../data/schema-tag-property-createonly-updatable.json"
+                        )
+                    )
+                ]
+            ),
+            [],
+            {
+                "ensure_property_tags_exists_v2": {
+                    GuardRuleResult(
+                        check_id="TAG012",
+                        message="Resource MUST provide `permissions` if `tagging.taggable` is true",
+                        path="",
+                    ),
+                },
+            },
+            {
+                "ensure_property_tags_exists_v2": {
+                    GuardRuleResult(
+                        check_id="TAG017",
+                        message="`tagProperty` MUST NOT be a part of `createOnlyProperties`",
+                        path="/tagging/tagProperty",
+                    ),
+                    GuardRuleResult(
+                        check_id="TAG018",
+                        message="`tagProperty` MUST NOT be a part of `createOnlyProperties` when `tagUpdatable` is true",
+                        path="/tagging/tagUpdatable",
+                    ),
+                },
+            },
+        ),
+        (
+            collect_schemas(
+                schemas=[
+                    "file:/"
+                    + str(
+                        Path(os.path.dirname(os.path.realpath(__file__))).joinpath(
+                            "../data/schema-tag-property-createonly.json"
+                        )
+                    )
+                ]
+            ),
+            [],
+            {
+                "ensure_property_tags_exists_v2": {
+                    GuardRuleResult(
+                        check_id="TAG012",
+                        message="Resource MUST provide `permissions` if `tagging.taggable` is true",
+                        path="",
+                    ),
+                },
+            },
+            {
+                "ensure_property_tags_exists_v2": {
+                    GuardRuleResult(
+                        check_id="TAG017",
+                        message="`tagProperty` MUST NOT be a part of `createOnlyProperties`",
+                        path="/tagging/tagProperty",
+                    ),
+                },
+            },
+        ),
         (
             collect_schemas(
                 schemas=[
@@ -499,7 +566,7 @@ def test_exec_compliance_stateless_tagging_permission_specified(
                 "ensure_property_tags_exists_v2": {
                     GuardRuleResult(
                         check_id="TAG016",
-                        message="`tagging.taggable` MUST be true when Taging Property is defined in the schema",
+                        message="`tagging.taggable` MUST be true when Tagging Property is defined in the schema",
                         path="/properties/StageDescription/Tags",
                     ),
                 }
