When running a continuous delivery pipeline to reliably deploy AWS CloudFormation infrastructure, you want to run tests on your code to validate that it is well formed before it gets deployed. aws cloudformation validate-template, the AWS command line interface command, is the most common way to verify your stacks, but since the command has no way to request CAPABILITY_IAM, it cannot effectively validate IAM resources.
PROBLEM – VALIDATING CLOUDFORMATION
For instance, the template below passes a validation check with aws cloudformation validate-template, even though the property BadField does not exist on AWS::IAM::Role.
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role example
Resources:
  CFNLintExample:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-lint-example
      BadField: ThisWillNotWork   # deliberately invalid: no such property on AWS::IAM::Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Running aws cloudformation validate-template --template-body file://iam.yaml returns:
{
    "Parameters": [],
    "Description": "IAM Roles for example cfn-lint",
    "Capabilities": [
        "CAPABILITY_NAMED_IAM"
    ],
    "CapabilitiesReason": "The following resource(s) require capabilities: [AWS::IAM::Role]"
}
The output above does not tell you whether the IAM resource is valid, and the pipeline will continue along unaware that the IAM role in the CloudFormation stack will fail during deployment.
SOLUTION: CFN-LINT!
cfn-lint, a tool available from the awslabs open source GitHub repository, analyses CloudFormation templates for errors, stylistic problems and bugs, and can be used as an alternative to aws cloudformation validate-template to validate all CloudFormation resources, including IAM resources.
VALUE OF SOLUTION
By using cfn-lint you can effectively validate IAM resources inside CloudFormation stacks before deployment, instead of waiting until the deployment stage of the continuous delivery pipeline and then having to guess why your stacks are failing.
Validating the example above by running cfn-lint iam.yaml produces the following output:
E3002 Invalid Property Resources/CFNLintExample/Properties/BadField
iam.yaml:8:7
This will give an error and fail the build, since the property doesn’t exist.
SUMMARY
Validating CloudFormation code with aws cloudformation validate-template does not validate IAM resources, because the command has no CAPABILITY_IAM switch. One way to get around this limitation is to use cfn-lint, which not only checks CloudFormation templates for bad formatting, but also checks for resource creation errors, including IAM. This makes it handy to integrate CloudFormation into a continuous delivery pipeline so code can be tested before it gets deployed.
cfn-lint is available from the awslabs repository at https://github.com/awslabs/cfn-python-lint and can be installed by running pip install cfn-lint.
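A lint stage for such a pipeline, as an added example that is not part of the original post or of cfn-lint itself: it runs cfn-lint over every template and decodes cfn-lint's exit code, which is a bitmask (2 = errors, 4 = warnings, 8 = informational), so that errors always fail the build while warnings fail it only when the FAIL_ON_WARNINGS variable (an assumed pipeline knob) is set. It assumes cfn-lint is installed and that templates live under templates/*.yaml.

```shell
#!/usr/bin/env sh
# Pipeline lint stage for CloudFormation templates (added example, not from the post).
# Assumes: cfn-lint is installed (pip install cfn-lint) and templates are in
# templates/*.yaml. cfn-lint's exit code is a bitmask: 2 = errors, 4 = warnings,
# 8 = informational findings, 0 = clean. Decoding it lets the stage fail on
# errors while only reporting warnings, instead of treating any non-zero as fatal.

# Decode a cfn-lint exit code into a space-separated list of severities.
# Prints "clean" for 0 and "unknown" for codes outside the documented bitmask.
cfnlint_status() {
  code=$1
  [ "$code" -eq 0 ] && { echo "clean"; return 0; }
  if [ "$code" -lt 0 ] || [ "$code" -gt 14 ] || [ $((code & 1)) -ne 0 ]; then
    echo "unknown"; return 1
  fi
  out=""
  [ $((code & 2)) -ne 0 ] && out="$out errors"
  [ $((code & 4)) -ne 0 ] && out="$out warnings"
  [ $((code & 8)) -ne 0 ] && out="$out informational"
  echo "${out# }"
}

# Decide whether a decoded status should fail the build: errors always do,
# warnings only when FAIL_ON_WARNINGS=1 (assumed pipeline policy variable).
should_fail() {
  status=$1
  case " $status " in
    *" errors "*) return 0 ;;
    *" warnings "*) [ "${FAIL_ON_WARNINGS:-0}" = "1" ] && return 0 ;;
  esac
  return 1
}

# Lint every template; returns 1 if any template should fail the stage.
lint_templates() {
  rc=0
  for tpl in templates/*.yaml; do
    code=0
    cfn-lint "$tpl" || code=$?        # prints E3002-style findings as file:line:col
    status=$(cfnlint_status "$code")
    echo "$tpl: $status"
    should_fail "$status" && rc=1
  done
  return $rc
}
```

Run lint_templates as the pipeline's test step before any deploy step; a template with the BadField property from the example above yields status "errors" and a non-zero return.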