UNPKG

@aws-cdk/cloud-assembly-schema

Version:

Schema for the protocol between CDK framework and CDK CLI

github.com/aws/aws-cdk

aws/aws-cdk-cli

251 lines (250 loc) 7.08 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
/** * JSON schema for validation-report.json * * This file is written to the cloud assembly directory by aws-cdk-lib * during synthesis and consumed by the CDK CLI's validate command. */ /** * The top-level structure of the policy validation report file. * * @example * import { PolicyValidationReportJson } from '@aws-cdk/cloud-assembly-schema'; * * const report: PolicyValidationReportJson = { * version: '1.0', * pluginReports: [{ * pluginName: 'my-plugin', * conclusion: 'success', * violations: [], * }], * }; */ export interface PolicyValidationReportJson { /** * Protocol version */ readonly version: string; /** * Report title, if present. */ readonly title?: string; /** * Reports from all validation plugins that ran during synthesis. */ readonly pluginReports: PluginReportJson[]; } /** * A report from a single validation plugin. * * @example * import { PluginReportJson } from '@aws-cdk/cloud-assembly-schema'; * * const report: PluginReportJson = { * pluginName: 'my-plugin', * conclusion: 'success', * violations: [], * }; */ export interface PluginReportJson { /** * The name of the plugin that produced this report. */ readonly pluginName: string; /** * Version of the plugin that produced this report. * * @default - no version */ readonly pluginVersion?: string; /** * Whether the plugin's validation passed or failed. */ readonly conclusion: PolicyValidationReportConclusion; /** * Additional plugin-specific metadata. * * @default - no metadata */ readonly metadata?: { readonly [key: string]: string; }; /** * Violations found by this plugin. */ readonly violations: PolicyViolationJson[]; /** * Violations that were suppressed via acknowledgement. * * These violations matched an acknowledged rule ID and were excluded * from the active violations list. They are retained for audit * trail and reporting purposes. * * @default - no suppressed violations */ readonly suppressedViolations?: SuppressedViolationJson[]; } /** * The final conclusion of a validation report. */ export type PolicyValidationReportConclusion = 'success' | 'failure'; /** * A single policy violation found by a validation plugin. * * @example * import { PolicyViolationJson } from '@aws-cdk/cloud-assembly-schema'; * * const violation: PolicyViolationJson = { * ruleName: 'no-public-access', * description: 'S3 bucket should not allow public access', * severity: 'error', * violatingConstructs: [{ constructPath: 'MyStack/MyBucket' }], * }; */ export interface PolicyViolationJson { /** * The name of the rule that was violated. */ readonly ruleName: string; /** * A description of the violation. */ readonly description: string; /** * How to fix the violation. * * @default - no fix provided */ readonly suggestedFix?: string; /** * The severity of the violation. */ readonly severity: PolicyViolationSeverity; /** * If the plugin wants to report using a non-standard severity, put it here */ readonly customSeverity?: string; /** * Additional rule-specific metadata. * * @default - no metadata */ readonly ruleMetadata?: { readonly [key: string]: string; }; /** * Constructs that violated the rule. */ readonly violatingConstructs: ViolatingConstructJson[]; } /** * The severity of a policy violation. * * If you need to use a severity level that doesn't exist as a static member, * use `custom`. */ export type PolicyViolationSeverity = 'fatal' | 'error' | 'warning' | 'info' | 'custom'; /** * A construct that violated a policy rule. */ export interface ViolatingConstructJson { /** * The construct path as defined in the application. * * @default - no construct path */ readonly constructPath: string; /** * The fully qualified name of the construct class (includes the library name) * * @default - no construct info */ readonly constructFqn?: string; /** * The version of the library that contains this construct. * * The library name is the first component of the construct FQN. * * @default - no version info */ readonly libraryVersion?: string; /** * If this construct violation regards a CloudFormation resource, a reference to the resource details */ readonly cloudFormationResource?: CloudFormationResourceJson; /** * Stack traces associated with this violation * * This can be all the stack traces where a violating property got its value, * or just the construct creation stack trace. * * Every element of the array is a stack trace, where each stack trace is a `\n`-delimited string. * * @default - No stack traces */ readonly stackTraces?: string[]; } /** * A violation that was acknowledged/suppressed and excluded from the * active violation set. * * @example * import { SuppressedViolationJson } from '@aws-cdk/cloud-assembly-schema'; * * const suppressed: SuppressedViolationJson = { * ruleName: 'no-public-access', * description: 'S3 bucket should not allow public access', * severity: 'warning', * violatingConstructs: [{ constructPath: 'MyStack/MyBucket' }], * acknowledgedId: 'my-plugin::no-public-access', * }; */ export interface SuppressedViolationJson extends PolicyViolationJson { /** * The acknowledgement ID that caused this violation to be suppressed. * * Format: `<plugin-name>::<rule-name>` (spaces replaced with hyphens). */ readonly acknowledgedId: string; /** * The reason given for the acknowledgement, if provided. * * @default - no reason given */ readonly reason?: string; /** * The construct path where the acknowledgement was declared. * * @default - unknown */ readonly acknowledgedAt?: string; /** * Stack trace showing where the acknowledgement was declared. * * A `\n`-delimited string of stack frames. * * @default - no stack trace */ readonly acknowledgedStackTrace?: string; } /** * A node in the construct creation stack trace. */ export interface CloudFormationResourceJson { /** * The path to the CloudFormation template containing this resource. */ readonly templatePath: string; /** * The logical ID of the resource in the CloudFormation template. */ readonly logicalId: string; /** * Properties within the construct where the violation was detected. * * Either a single component, in which case it regards a top-level property * name, or a JSON path (starting with `$.`) to indicate a deeper property. * * @default - no locations */ readonly propertyPaths?: string[]; }