"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
import six
from cfnlint.helpers import valid_snapshot_types
from cfnlint.rules import CloudFormationLintRule
from cfnlint.rules import RuleMatch
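class DeletionPolicy(CloudFormationLintRule):
    """Check that every resource's DeletionPolicy is a valid literal.

    DeletionPolicy controls what happens to a resource when its stack is
    deleted (see ``source_url``), so a wrong or missing check here lets a
    template through that will not behave as the author expects.
    """
    id = 'E3035'
    shortdesc = 'Check DeletionPolicy values for Resources'
    description = 'Check that the DeletionPolicy values are valid'
    source_url = 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html'
    tags = ['resources', 'deletionpolicy']

    def check_value(self, key, path, res_type):
        """Validate one DeletionPolicy value.

        Args:
            key: the DeletionPolicy value as parsed from the template.
            path: list of path components to the attribute; joined with
                '/' in messages.
            res_type: the resource's ``Type`` value (None when absent).

        Returns:
            A list of RuleMatch objects, empty when the value is valid.
        """
        matches = []
        valid_values = ['Delete', 'Retain', 'Snapshot']
        path_str = '/'.join(map(str, path))
        # Anything that is not a string (list, dict, number, null) cannot be
        # a valid policy; return early so the comparisons below only ever
        # run against a string.
        if not isinstance(key, (six.text_type, six.string_types)):
            message = 'DeletionPolicy values should be of string at {0}'
            matches.append(RuleMatch(path, message.format(path_str)))
            return matches
        if key not in valid_values:
            message = 'DeletionPolicy should be only one of {0} at {1}'
            matches.append(RuleMatch(
                path,
                message.format(', '.join(map(str, valid_values)), path_str)))
        # Snapshot is only accepted for the resource types listed in
        # valid_snapshot_types; a missing Type (None) is reported too.
        if key == 'Snapshot' and res_type not in valid_snapshot_types:
            message = 'DeletionPolicy cannot be Snapshot for resources of type {0} at {1}'
            matches.append(RuleMatch(
                path,
                message.format(res_type, path_str)))
        return matches

    def match(self, cfn):
        """Check the DeletionPolicy attribute of every resource in ``cfn``.

        Returns:
            A list of RuleMatch objects for every invalid DeletionPolicy.
        """
        matches = []
        resources = cfn.get_resources()
        for resource_name, resource_values in resources.items():
            # Test for presence, not truthiness: a falsy value such as ''
            # or false is still an invalid DeletionPolicy and must be
            # reported rather than silently skipped.
            if 'DeletionPolicy' not in resource_values:
                continue
            deletion_policy = resource_values['DeletionPolicy']
            path = ['Resources', resource_name, 'DeletionPolicy']
            res_type = resource_values.get('Type')
            self.logger.debug('Validating DeletionPolicy for %s base configuration', resource_name)
            if isinstance(deletion_policy, list):
                # A list means several policies were given; only one is allowed.
                message = 'Only one DeletionPolicy allowed per resource at {0}'
                matches.append(RuleMatch(path, message.format('/'.join(map(str, path)))))
            else:
                matches.extend(self.check_value(deletion_policy, path, res_type))
        return matches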