Fix YAML syntax error in deployment validation script

Taniya Mathur · Taniya Mathur · commit aad1dded1fc4 · 2025-09-22T18:14:20.000Z
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -114,85 +114,86 @@ deployment_validation:
     # Validate CloudFormation service role template syntax
     - aws cloudformation validate-template --template-body file://iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml --no-cli-pager
     # Check if service role has sufficient permissions for main stack deployment
-    - python3 -c "
-import yaml
-import sys
-import os
-import glob
-
-def extract_aws_services_from_template(template_path):
-    '''Extract AWS services used in a CloudFormation template'''
-    try:
-        with open(template_path, 'r') as f:
-            template = yaml.safe_load(f)
-        
-        services = set()
-        if 'Resources' in template:
-            for resource in template['Resources'].values():
-                if 'Type' in resource:
-                    resource_type = resource['Type']
-                    if resource_type.startswith('AWS::'):
-                        service = resource_type.split('::')[1].lower()
-                        services.add(service)
-        return services
-    except Exception as e:
-        print(f'Error processing {template_path}: {e}')
-        return set()
-
-def extract_permissions_from_role(role_template_path):
-    '''Extract permissions from IAM role template'''
-    with open(role_template_path, 'r') as f:
-        role_template = yaml.safe_load(f)
-    
-    permissions = set()
-    for resource in role_template['Resources'].values():
-        if resource['Type'] == 'AWS::IAM::Role':
-            for policy in resource['Properties']['Policies']:
-                for statement in policy['PolicyDocument']['Statement']:
-                    if statement['Effect'] == 'Allow':
-                        actions = statement['Action']
-                        if isinstance(actions, str):
-                            permissions.add(actions)
-                        else:
-                            permissions.update(actions)
-    return permissions
-
-# Extract permissions from service role
-role_permissions = extract_permissions_from_role('iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml')
-
-# Find all CloudFormation templates
-template_files = []
-template_files.append('template.yaml')  # Main template
-template_files.extend(glob.glob('patterns/*/template.yaml'))
-template_files.extend(glob.glob('options/*/template.yaml'))
-
-# Extract required services from all templates
-required_services = set()
-for template_file in template_files:
-    if os.path.exists(template_file):
-        services = extract_aws_services_from_template(template_file)
-        required_services.update(services)
-        print(f'Services in {template_file}: {sorted(services)}')
-
-print(f'\\nAll required services: {sorted(required_services)}')
-
-# Check if role has permissions for each service
-missing_services = []
-for service in required_services:
-    # Check if role has wildcard or specific permissions for this service
-    has_permission = any(
-        perm == f'{service}:*' or 
-        perm.startswith(f'{service}:') or
-        perm == '*'
-        for perm in role_permissions
-    )
-    if not has_permission:
-        missing_services.append(service)
-
-if missing_services:
-    print(f'\\nWARNING: Service role may be missing permissions for: {sorted(missing_services)}')
-    sys.exit(1)
-else:
-    print(f'\\nSUCCESS: Service role appears to have sufficient permissions for all required services')
-"
+    - |
+      python3 -c "
+      import yaml
+      import sys
+      import os
+      import glob
+
+      def extract_aws_services_from_template(template_path):
+          '''Extract AWS services used in a CloudFormation template'''
+          try:
+              with open(template_path, 'r') as f:
+                  template = yaml.safe_load(f)
+              
+              services = set()
+              if 'Resources' in template:
+                  for resource in template['Resources'].values():
+                      if 'Type' in resource:
+                          resource_type = resource['Type']
+                          if resource_type.startswith('AWS::'):
+                              service = resource_type.split('::')[1].lower()
+                              services.add(service)
+              return services
+          except Exception as e:
+              print(f'Error processing {template_path}: {e}')
+              return set()
+
+      def extract_permissions_from_role(role_template_path):
+          '''Extract permissions from IAM role template'''
+          with open(role_template_path, 'r') as f:
+              role_template = yaml.safe_load(f)
+          
+          permissions = set()
+          for resource in role_template['Resources'].values():
+              if resource['Type'] == 'AWS::IAM::Role':
+                  for policy in resource['Properties']['Policies']:
+                      for statement in policy['PolicyDocument']['Statement']:
+                          if statement['Effect'] == 'Allow':
+                              actions = statement['Action']
+                              if isinstance(actions, str):
+                                  permissions.add(actions)
+                              else:
+                                  permissions.update(actions)
+          return permissions
+
+      # Extract permissions from service role
+      role_permissions = extract_permissions_from_role('iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml')
+
+      # Find all CloudFormation templates
+      template_files = []
+      template_files.append('template.yaml')  # Main template
+      template_files.extend(glob.glob('patterns/*/template.yaml'))
+      template_files.extend(glob.glob('options/*/template.yaml'))
+
+      # Extract required services from all templates
+      required_services = set()
+      for template_file in template_files:
+          if os.path.exists(template_file):
+              services = extract_aws_services_from_template(template_file)
+              required_services.update(services)
+              print(f'Services in {template_file}: {sorted(services)}')
+
+      print(f'\\nAll required services: {sorted(required_services)}')
+
+      # Check if role has permissions for each service
+      missing_services = []
+      for service in required_services:
+          # Check if role has wildcard or specific permissions for this service
+          has_permission = any(
+              perm == f'{service}:*' or 
+              perm.startswith(f'{service}:') or
+              perm == '*'
+              for perm in role_permissions
+          )
+          if not has_permission:
+              missing_services.append(service)
+
+      if missing_services:
+          print(f'\\nWARNING: Service role may be missing permissions for: {sorted(missing_services)}')
+          sys.exit(1)
+      else:
+          print(f'\\nSUCCESS: Service role appears to have sufficient permissions for all required services')
+      "
   
