npm package discovery and stats viewer.


© 2024 – Pkg Stats / Ryan Hefner

cloudpatrol

v0.0.3

Published

Policy as Code for the CDK

Downloads

5

Readme


Policy as Code for the Cloud Development Kit

Cloud Patrol lets you define common policies with remediation strategies for your AWS CDK stacks and enforce them across your CDK stacks / applications.

NB: This is an alpha release - Everything might change.

Use Cases

Make sure your Cloud resources are:

  • Tagged properly
  • Secure by default
  • Following naming conventions
  • Within your budget
  • Not provisioned with hardcoded secrets
  • Pretty much whatever you can think of :)

Getting Started

yarn add cloudpatrol

Example

Given this example:

import * as cdk from '@aws-cdk/core';
import { ExampleStack } from '../lib/example-stack';
import { AwsCdkPatrol } from 'cloudpatrol/lib';
import { awsDefaults } from 'cloudpatrol/policies/aws/packs/good-defaults';

const app = new cdk.App();
const stack = new ExampleStack(app, 'ExampleStack');

// Run the bundled "good defaults" policy pack against the stack.
// Issues are reported on the construct nodes; errors stop `cdk synth`.
const cloudPatrol = new AwsCdkPatrol(awsDefaults);
cloudPatrol.check(stack);

We can do the following:

[example output image]

Check the full example.

Reports

Currently, there are two reporting mechanisms:

AWS CDK inline report

As part of your normal CDK commands (e.g. cdk synth --app bin/example.js), Cloud Patrol reports on the Construct nodes themselves and stops the synth process on errors.

Terminal Report

For CI / CD workflows and local testing, just execute your CDK app directly with node (e.g. node ./bin/example.js). This is great for dedicated validation of policies without the synthesized output.

Custom Reporting

Custom reporting hasn't been implemented yet. It's on the agenda, and is probably possible right now with a bit of effort.

Policies

Full Example

import * as cdk from '@aws-cdk/core';
import * as s3 from '@aws-cdk/aws-s3';
// Import path assumed from the Getting Started example above; adjust it to
// wherever your cloudpatrol version exports Policy, PolicyInterface and Reportable.
import { Policy, PolicyInterface, Reportable } from 'cloudpatrol/lib';

/**
 * This Policy ensures that a bucket is properly versioned
 *
 * @cloudformationResource AWS::S3::Bucket
 * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-versioningconfig.html
 */
export class BucketVersioningPolicy extends Policy implements PolicyInterface {
  public policyName = 'Bucket Versioning'
  public description = 'This ensures that a bucket is properly versioned'
  public link = 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-versioningconfig.html'
  // Only AWS::S3::Bucket L1 constructs are handed to this validator
  public scope = s3.CfnBucket

  public validator(node: s3.CfnBucket, reporter: Reportable): void {
    // A versioningConfiguration that is still an unresolved Token cannot be
    // inspected at check time and is left alone; only a missing configuration,
    // or a resolved one whose status is not 'Enabled', produces a warning.
    if (!node.versioningConfiguration ||
      (!cdk.Tokenization.isResolvable(node.versioningConfiguration) && node.versioningConfiguration.status !== 'Enabled')) {
      reporter.addWarning(node, this, 'Bucket versioning is not enabled');
    }
  }
}

Implemented Policies

Custom Policies

Policies have to follow this schema

class YourCustomPolicy extends Policy implements PolicyInterface {
  //...
}

Scope

There are two options to define the scope of a Policy:

Define an explicit scope:

class YourCustomPolicy extends Policy implements PolicyInterface {
  //...
  public scope = s3.CfnBucket
  //...
}

Overwrite isApplicable:

class YourCustomPolicy extends Policy implements PolicyInterface {
  //...
  public isApplicable(node: cdk.Resource): boolean {
    // your custom logic here: return true when this policy applies to `node`
  }
  //...
}

Policy Validation Logic

class YourCustomPolicy extends Policy implements PolicyInterface {
  //...
  public validator(node: s3.CfnBucket, reporter: Reportable, context: PolicyContext): void {
    // your custom logic here: report findings through `reporter`
  }
  //...
}

Issues found are reported through the reporter object, and a Policy can report multiple issues. There are three different issue severities:

  • Info
  • Warning
  • Error

context is persistent across the entire Stack validation and can be passed in for dynamic information.

How does it work?

Cloud Patrol makes use of Aspects to visit all nodes in a given Construct (e.g. your stack). Aspects are applied in the prepare stage, which is called before synthesizing the stack. That's great if you're going to synthesize anyway. However, if you just want to run the Cloud Patrol checks, we have to invoke the preparation ourselves. Something along the lines of this:

stack.node.applyAspect(this);
cdk.ConstructNode.prepare(stack.node);
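As an added example (not cloudpatrol's own code), here is a complete custom policy of each kind described in the Custom Policies section, one with an explicit scope and one overriding isApplicable, run through a stand-in for the Aspect walk this section describes. The cloudpatrol and CDK types (Policy, PolicyInterface, Reportable, PolicyContext, the construct tree, Token detection) are replaced by minimal stand-ins so the block runs with nothing installed; the reporter's addInfo/addError methods, the scope-as-type-string simplification and the context shape (an environment name) are assumptions, not cloudpatrol's verified API.

```typescript
// Added example, not cloudpatrol's code: minimal stand-ins for the cloudpatrol / CDK pieces
// named on this page so it runs with nothing installed (addInfo/addError and the context shape are assumptions).
type Severity = 'info' | 'warning' | 'error';
interface Issue { severity: Severity; path: string; policy: string; message: string }
// Stand-in CDK construct node: `properties` are an L1 resource's resolved CloudFormation properties.
interface CfnNode { path: string; cfnResourceType?: string; properties?: Record<string, unknown>; children: CfnNode[] }
// Stand-in for an unresolved CDK Token (what cdk.Tokenization.isResolvable() detects on the page).
class Unresolved { readonly ref: string; constructor(ref: string) { this.ref = ref; } }
const isResolvable = (v: unknown): v is Unresolved => v instanceof Unresolved;
// Assumed context shape: dynamic information shared across one stack validation.
interface PolicyContext { environment?: 'dev' | 'prod' }
interface PolicyInterface {
  readonly policyName: string; readonly description: string;
  isApplicable(node: CfnNode): boolean;
  validator(node: CfnNode, reporter: CollectingReporter, context: PolicyContext): void;
}

// Stand-in for Reportable: collects the three severities instead of printing them.
class CollectingReporter {
  readonly issues: Issue[] = [];
  addInfo(n: CfnNode, p: PolicyInterface, m: string): void { this.push('info', n, p, m); }
  addWarning(n: CfnNode, p: PolicyInterface, m: string): void { this.push('warning', n, p, m); }
  addError(n: CfnNode, p: PolicyInterface, m: string): void { this.push('error', n, p, m); }
  count(s: Severity): number { return this.issues.filter(i => i.severity === s).length; }
  private push(s: Severity, n: CfnNode, p: PolicyInterface, m: string): void {
    this.issues.push({ severity: s, path: n.path, policy: p.policyName, message: m });
  }
}

// Base class with the explicit-scope option; the page scopes by L1 class (s3.CfnBucket),
// this stand-in uses the CloudFormation type string to stay dependency free.
class Policy {
  readonly scope?: string;
  isApplicable(node: CfnNode): boolean { return this.scope !== undefined && node.cfnResourceType === this.scope; }
}
// Option 1, explicit scope: the page's versioning check against the stand-in node.
class BucketVersioningPolicy extends Policy implements PolicyInterface {
  readonly policyName = 'Bucket Versioning';
  readonly description = 'This ensures that a bucket is properly versioned';
  readonly scope = 'AWS::S3::Bucket';
  validator(node: CfnNode, reporter: CollectingReporter): void {
    const cfg = node.properties?.versioningConfiguration as { status?: string } | Unresolved | undefined;
    if (!cfg || (!isResolvable(cfg) && cfg.status !== 'Enabled')) {
      reporter.addWarning(node, this, 'Bucket versioning is not enabled');
    }
  }
}

// Option 2, isApplicable override: runs on every resource and flags a literal string under a
// secret-looking key (the "hardcoded secrets" use case). An unresolved Token there is fine,
// the value only arrives at deploy time. Severity comes from context: error in prod, else warning.
class NoHardcodedSecretsPolicy extends Policy implements PolicyInterface {
  readonly policyName = 'No Hardcoded Secrets';
  readonly description = 'Secret-looking properties must be references, not literals';
  private static readonly SECRET_KEY = /(password|secret|token|apikey|api_key)/i;
  isApplicable(node: CfnNode): boolean { return node.cfnResourceType !== undefined; }
  validator(node: CfnNode, reporter: CollectingReporter, context: PolicyContext): void {
    const walk = (value: unknown, path: string[]): void => {
      const key = path[path.length - 1] ?? '';
      if (isResolvable(value)) {
        if (NoHardcodedSecretsPolicy.SECRET_KEY.test(key)) {
          reporter.addInfo(node, this, `${path.join('.')} is resolved at deploy time from ${value.ref}`);
        }
      } else if (Array.isArray(value)) {
        value.forEach((v, i) => walk(v, [...path, String(i)]));
      } else if (value !== null && typeof value === 'object') {
        for (const [k, v] of Object.entries(value)) walk(v, [...path, k]);
      } else if (typeof value === 'string' && NoHardcodedSecretsPolicy.SECRET_KEY.test(key)) {
        const msg = `${path.join('.')} is a hardcoded literal`;
        if (context.environment === 'prod') reporter.addError(node, this, msg);
        else reporter.addWarning(node, this, msg);
      }
    };
    walk(node.properties ?? {}, []);
  }
}

// What Cloud Patrol does through Aspects: visit every node under the stack and run each
// applicable policy with one shared context; the caller decides what to fail on.
function checkTree(root: CfnNode, policies: PolicyInterface[], context: PolicyContext = {}): CollectingReporter {
  const reporter = new CollectingReporter();
  const visit = (node: CfnNode): void => {
    for (const p of policies) if (p.isApplicable(node)) p.validator(node, reporter, context);
    node.children.forEach(visit);
  };
  visit(root);
  return reporter;
}
// Constructed sample stack for this example (not real synthesized output).
const sampleStack: CfnNode = { path: 'ExampleStack', children: [
  { path: 'ExampleStack/Db/Resource', cfnResourceType: 'AWS::RDS::DBInstance', children: [],
    properties: { engine: 'postgres', masterUsername: 'admin', masterUserPassword: 'hunter2' } },
  { path: 'ExampleStack/Api/Resource', cfnResourceType: 'AWS::Lambda::Function', children: [],
    properties: { environment: { variables: { API_TOKEN: new Unresolved('{{resolve:secretsmanager:prod/api:SecretString:token}}') } } } },
  { path: 'ExampleStack/Logs/Resource', cfnResourceType: 'AWS::S3::Bucket', children: [], properties: { bucketName: 'logs' } },
] };
function runSample(environment: 'dev' | 'prod'): CollectingReporter {
  return checkTree(sampleStack, [new BucketVersioningPolicy(), new NoHardcodedSecretsPolicy()], { environment });
}
for (const i of runSample('prod').issues) console.log(`${i.severity.toUpperCase()} [${i.policy}] ${i.path}: ${i.message}`);
```

Against the sample stack in prod this yields one error (the literal RDS master password), one warning (the unversioned bucket) and one info (the Lambda token that is a Secrets Manager reference); in dev the error is downgraded to a warning. In a real policy the imports come from cloudpatrol and @aws-cdk/aws-s3 and the scope is the L1 class, but the validator logic carries over unchanged. Treating an unresolved Token as acceptable is the important check: a Secrets Manager dynamic reference or SSM parameter arrives as a Token at synth time, and flagging it would only teach people to exempt the policy.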

Roadmap

  • [ ] Simplify Policy definition
  • [ ] Drop dependency to aws-cdk/core where possible, extract the rest to dedicated package
  • [ ] Implement remediation strategies
  • [ ] Documentation
  • [ ] Policy generator
  • [ ] Modularize and detangle Reporter to allow multiple ways of reporting
  • [ ] Github Actions for easy integration
  • [ ] .cloudpatrol file?
  • [ ] Provide more policies out of the box
  • [ ] CLI which autodetects Stacks for inspection
  • [ ] Integration tests against the last X releases of the AWS CDK
  • [ ] Integrate supported languages of jsii
  • [ ] Integrate in CDK based frameworks like cdk8s and terrastack