@lhitchon
Created October 18, 2018 21:27
Example of using config-lint for validating a CloudFormation ChangeSet
```yaml
#
# Rules that can scan a CloudFormation ChangeSet and report a failure if a DynamoDB Table will be replaced
#
# Find config-lint here: https://github.com/stelligent/config-lint
#
# Example usage:
#
# aws cloudformation describe-change-set --stack-name <STACK_NAME> --change-set-name <CHANGESET_NAME> |
# config-lint -rules rules.yml -
#
#
# It's also possible to customize the output from config-lint to be a little more concise:
#
# aws cloudformation describe-change-set --stack-name <STACK_NAME> --change-set-name <CHANGESET_NAME> |
# config-lint -rules rules.yml -query 'Violations[].{ResourceID:ResourceID,RuleMessage:RuleMessage}' -
#
#
version: 1
description: Validate changes in a CloudFormation ChangeSet
type: JSON
files:
  - "*.json"
# describe the resources found in the JSON file being scanned, in this case the JSON output of describe-change-set
resources:
  - type: Change                          # matches the resource attribute in a rule
    key: Changes                          # JMESPath to search in file being scanned, should return an array
    id: ResourceChange.PhysicalResourceId # unique identifier in each element of array
rules:
  - id: DDB_RECREATE
    message: ChangeSet should not delete a DynamoDB Table
    resource: Change
    # only check changes where ResourceType is a DynamoDB table
    conditions:
      - key: ResourceChange.ResourceType
        op: eq
        value: "AWS::DynamoDB::Table"
    # none of the Details should have RequiresRecreation set to "Always"
    assertions:
      - none:
          key: ResourceChange.Details
          expressions:
            - key: Target.RequiresRecreation
              op: eq
              value: Always
```
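To show exactly what the rule above evaluates, here is the same check reimplemented in plain Python over a constructed `describe-change-set` document (an added example, not config-lint's code or the gist author's). It generalises the rule to any resource type, and treats a change with no `Details` or no `Target` as "no recreation", which is how the JMESPath `none` assertion behaves on missing keys.

```python
import json

# Constructed sample of `aws cloudformation describe-change-set` output, trimmed to
# the fields the rule reads: one table changed in place, one table replaced, and
# one non-table resource replaced (outside the rule's ResourceType condition).
SAMPLE_CHANGE_SET = json.dumps({
    "ChangeSetName": "example-changeset",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "OrdersTable",
            "PhysicalResourceId": "orders-table", "ResourceType": "AWS::DynamoDB::Table",
            "Replacement": "False",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "BillingMode",
                                    "RequiresRecreation": "Never"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "UsersTable",
            "PhysicalResourceId": "users-table", "ResourceType": "AWS::DynamoDB::Table",
            "Replacement": "True",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "KeySchema",
                                    "RequiresRecreation": "Always"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppRole",
            "PhysicalResourceId": "app-role", "ResourceType": "AWS::IAM::Role",
            "Replacement": "True",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "RoleName",
                                    "RequiresRecreation": "Always"}}]}},
    ],
})


def recreated_resources(change_set_json, resource_type="AWS::DynamoDB::Table"):
    """Return the ids of `resource_type` changes that violate the DDB_RECREATE rule.

    Mirrors the rule: condition on ResourceChange.ResourceType, then assert that
    none of ResourceChange.Details has Target.RequiresRecreation == "Always".
    Falls back to LogicalResourceId when PhysicalResourceId is absent (new resources).
    """
    violations = []
    for change in json.loads(change_set_json).get("Changes", []):
        rc = change.get("ResourceChange") or {}
        if rc.get("ResourceType") != resource_type:
            continue  # condition not met: rule does not apply to this change
        details = rc.get("Details") or []
        if any((d.get("Target") or {}).get("RequiresRecreation") == "Always" for d in details):
            violations.append(rc.get("PhysicalResourceId") or rc.get("LogicalResourceId"))
    return violations


if __name__ == "__main__":
    # Same shape as the concise `-query` output shown in the header comments.
    for rid in recreated_resources(SAMPLE_CHANGE_SET):
        print({"ResourceID": rid, "RuleMessage": "ChangeSet should not delete a DynamoDB Table"})
```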