in cdk/app/awsconfig/S3_block_public_access.py [0:0]
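def evaluate_compliance(client, event, configuration_item, valid_rule_parameters):
    """Evaluate one configuration item against a cfn-guard rules file.

    Args:
        client: Cloud Control API client passed through to get_resource.
        event: The AWS Config invocation event. Not read here; kept for the
            shared evaluate_compliance signature.
        configuration_item: The Config configuration item under evaluation.
        valid_rule_parameters: Validated rule parameters; ``'GUARD_FILE'``
            names the cfn-guard rules file to run.

    Returns:
        A list of evaluations built by build_evaluation_from_config_item, one
        per cfn-guard result: ``'NON_COMPLIANT'`` annotated with the failing
        rule names when ``not_compliant`` is non-empty, else ``'COMPLIANT'``
        annotated with the compliant rule names.
    """
    import shlex  # function-scope import: the file's import block is not in view

    # Fetch the live resource via Cloud Control and render it as a
    # CloudFormation-shaped template, the input format cfn-guard consumes.
    resource = get_resource(client, configuration_item)
    cf_template = resource_to_cftemplate([resource])
    tf = get_tempfile(json.dumps(cf_template, indent=4))

    # The command string contains a pipe into jq, so it appears to be run by a
    # shell. GUARD_FILE comes from the rule parameters, so it is shell-quoted
    # before interpolation; so is the temp-file name. Ordinary paths
    # (./rules/.../x.guard, /tmp/tmpXXXX) are left unchanged by shlex.quote.
    guard_file = shlex.quote(str(valid_rule_parameters['GUARD_FILE']))
    command = "cfn-guard validate -r {} -d {} --show-summary none -o json | jq -s '.'".format(
        guard_file, shlex.quote(tf.name)
    )
    output = run_process(command)
    print(output)
    # NOTE(review): tf is neither closed nor removed here; whether get_tempfile
    # returns a self-deleting NamedTemporaryFile is not visible — confirm.

    evaluations = []
    for rule_eval in output:
        print(rule_eval)
        not_compliant = rule_eval['not_compliant']
        if not_compliant:
            # One NON_COMPLIANT evaluation listing every failed rule by name.
            failed_rules = ','.join(nc['Rule']['name'] for nc in not_compliant)
            evaluations.append(
                build_evaluation_from_config_item(
                    configuration_item, 'NON_COMPLIANT', annotation=failed_rules
                )
            )
        else:
            evaluations.append(
                build_evaluation_from_config_item(
                    configuration_item, 'COMPLIANT', annotation=",".join(rule_eval['compliant'])
                )
            )
    return evaluations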