Add workaround for inconsistent resource type schema #96

Merged
merged 2 commits into from
Dec 5, 2024
137 changes: 106 additions & 31 deletions artifacts/bicep/aws/aws.accessanalyzer/default/types.json
@@ -1,17 +1,37 @@
[
{
"$type": "ObjectType",
"name": "AnalysisRuleCriteria",
"properties": {
"AccountIds": {
"type": {
"$ref": "#/7"
},
"flags": 0,
"description": "A list of AWS account IDs to apply to the analysis rule criteria. The accounts cannot include the organization analyzer owner account. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers."
},
"ResourceTags": {
"type": {
"$ref": "#/9"
},
"flags": 0,
"description": "An array of key-value pairs to match for your resources. You can use the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.\n\nFor the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with aws:.\n\nFor the tag value, you can specify a value that is 0 to 256 characters in length. If the specified tag value is 0 characters, the rule is applied to all principals with the specified tag key."
}
}
},
{
"$type": "ObjectType",
"name": "ArchiveRule",
"properties": {
"Filter": {
"type": {
"$ref": "#/4"
"$ref": "#/10"
},
"flags": 1
},
"RuleName": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 1,
"description": "The archive rule name"
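Review bot: the `ResourceTags` description added to `AnalysisRuleCriteria` states tag limits (key 1 to 128 characters, value 0 to 256) that disagree with the `Tag` type it resolves to, whose `Key` and `Value` descriptions later in this file say 1 to 127 and 0 to 255. If both strings are carried over verbatim from the upstream schema, note that in the PR description; otherwise align them so anyone validating exclusion tags against these docs has a single limit to follow.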
Expand All @@ -24,31 +44,31 @@
"properties": {
"Contains": {
"type": {
"$ref": "#/6"
"$ref": "#/11"
},
"flags": 0
},
"Eq": {
"type": {
"$ref": "#/7"
"$ref": "#/12"
},
"flags": 0
},
"Exists": {
"type": {
"$ref": "#/8"
"$ref": "#/13"
},
"flags": 0
},
"Neq": {
"type": {
"$ref": "#/9"
"$ref": "#/14"
},
"flags": 0
},
"Property": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 1
}
Expand All @@ -60,52 +80,82 @@
"properties": {
"Key": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 1,
"description": "The key name of the tag. You can specify a value that is 1 to 127 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. "
},
"Value": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 1,
"description": "The value for the tag. You can specify a value that is 1 to 255 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. "
"flags": 0,
"description": "The value for the tag. You can specify a value that is 0 to 255 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. "
}
}
},
{
"$type": "ObjectType",
"name": "Tags",
"properties": {}
},
{
"$type": "ObjectType",
"name": "UnusedAccessConfiguration",
"properties": {
"AnalysisRule": {
"type": {
"$ref": "#/17"
},
"flags": 0,
"description": "Contains information about rules for the analyzer."
},
"UnusedAccessAge": {
"type": {
"$ref": "#/10"
"$ref": "#/18"
},
"flags": 0,
"description": "The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days."
"description": "The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 365 days."
}
}
},
{
"$type": "StringType"
},
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/1"
"$ref": "#/6"
}
},
{
"$type": "StringType"
"$type": "ArrayType",
"itemType": {
"$ref": "#/3"
}
},
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/5"
"$ref": "#/8"
}
},
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/5"
"$ref": "#/2"
}
},
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/6"
}
},
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/6"
}
},
{
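Review bot: the new `Tags` ObjectType is added with `"properties": {}`, and no added `$ref` in the visible hunks points at it (`#/4` appears only on a removed line), so it looks like an unused leftover of the workaround. Either drop it from the generated output or say in the PR description why an empty object type is needed. In the same hunk `Tag.Value` changes from `"flags": 1` to `"flags": 0`; please confirm that relaxing the property from required is what the upstream schema declares and not a side effect of the workaround.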
Expand All @@ -114,7 +164,32 @@
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/5"
"$ref": "#/6"
}
},
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/3"
}
},
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/0"
}
},
{
"$type": "ObjectType",
"name": "Analyzer_AnalysisRule",
"properties": {
"Exclusions": {
"type": {
"$ref": "#/16"
},
"flags": 0,
"description": "A list of rules for the analyzer containing criteria to exclude from analysis. Entities that meet the rule criteria will not generate findings."
}
}
},
{
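Review bot: the `ArrayType` with `itemType` `#/3` added at the top of this hunk repeats the identical array type added in the previous hunk, and the new `Analyzer_AnalysisRule` name carries a resource prefix that the sibling `AnalysisRuleCriteria` does not. If the duplicate entry and the prefixed name are products of the workaround, a short comment in the generator or the PR description would explain them; otherwise consider reusing the existing array type and naming the two types consistently.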
Expand All @@ -130,7 +205,7 @@
"properties": {
"UnusedAccessConfiguration": {
"type": {
"$ref": "#/3"
"$ref": "#/5"
},
"flags": 0
}
Expand All @@ -139,13 +214,13 @@
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/0"
"$ref": "#/1"
}
},
{
"$type": "ArrayType",
"itemType": {
"$ref": "#/2"
"$ref": "#/3"
}
},
{
Expand All @@ -154,41 +229,41 @@
"properties": {
"AnalyzerConfiguration": {
"type": {
"$ref": "#/12"
"$ref": "#/20"
},
"flags": 0,
"description": "The configuration for the analyzer"
},
"AnalyzerName": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 0,
"description": "Analyzer name"
},
"ArchiveRules": {
"type": {
"$ref": "#/13"
"$ref": "#/21"
},
"flags": 0
},
"Arn": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 18,
"description": "Amazon Resource Name (ARN) of the analyzer"
},
"Tags": {
"type": {
"$ref": "#/14"
"$ref": "#/22"
},
"flags": 0,
"description": "An array of key-value pairs to apply to this resource."
},
"Type": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 1,
"description": "The type of the analyzer, must be one of ACCOUNT, ORGANIZATION, ACCOUNT_UNUSED_ACCESS or ORGANIZATION_UNUSED_ACCESS"
Expand All @@ -201,21 +276,21 @@
"properties": {
"name": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 0,
"description": "the resource name"
},
"alias": {
"type": {
"$ref": "#/5"
"$ref": "#/6"
},
"flags": 17,
"description": "the resource alias"
},
"properties": {
"type": {
"$ref": "#/15"
"$ref": "#/23"
},
"flags": 17,
"description": "properties of the resource"
Expand All @@ -227,7 +302,7 @@
"name": "AWS.AccessAnalyzer/Analyzer@default",
"scopeType": 0,
"body": {
"$ref": "#/16"
"$ref": "#/24"
},
"flags": 0
}
18 changes: 16 additions & 2 deletions artifacts/bicep/aws/aws.accessanalyzer/default/types.md
Expand Up @@ -7,6 +7,19 @@
* **name**: string: the resource name
* **properties**: [AWS.AccessAnalyzer/AnalyzerProperties](#awsaccessanalyzeranalyzerproperties) (Required, Identifier): properties of the resource

## AnalysisRuleCriteria
### Properties
* **AccountIds**: string[]: A list of AWS account IDs to apply to the analysis rule criteria. The accounts cannot include the organization analyzer owner account. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.
* **ResourceTags**: [Tag](#tag)[][]: An array of key-value pairs to match for your resources. You can use the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with aws:.

For the tag value, you can specify a value that is 0 to 256 characters in length. If the specified tag value is 0 characters, the rule is applied to all principals with the specified tag key.

## Analyzer_AnalysisRule
### Properties
* **Exclusions**: [AnalysisRuleCriteria](#analysisrulecriteria)[]: A list of rules for the analyzer containing criteria to exclude from analysis. Entities that meet the rule criteria will not generate findings.

## Analyzer_AnalyzerConfiguration
### Properties
* **UnusedAccessConfiguration**: [UnusedAccessConfiguration](#unusedaccessconfiguration)
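Review bot: `ResourceTags` is rendered as `[Tag](#tag)[][]`, an array of arrays, while its description reads "An array of key-value pairs"; please confirm the nested array is what the upstream schema declares, since a template author following the description would write a flat list. The second and third paragraphs of that description are also emitted unindented, so they fall outside the `ResourceTags` bullet when rendered; indenting the continuation paragraphs or collapsing the description onto one line would keep them attached to the property.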
Expand Down Expand Up @@ -36,9 +49,10 @@
## Tag
### Properties
* **Key**: string (Required): The key name of the tag. You can specify a value that is 1 to 127 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
* **Value**: string (Required): The value for the tag. You can specify a value that is 1 to 255 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
* **Value**: string: The value for the tag. You can specify a value that is 0 to 255 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.

## UnusedAccessConfiguration
### Properties
* **UnusedAccessAge**: int: The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days.
* **AnalysisRule**: [Analyzer_AnalysisRule](#analyzeranalysisrule): Contains information about rules for the analyzer.
* **UnusedAccessAge**: int: The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 365 days.
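Review bot: `Value` on `Tag` loses its `(Required)` marker and its minimum length drops to 0, which changes what every `Tags` and `ResourceTags` consumer may submit; please confirm this follows the upstream schema, because the `AnalysisRuleCriteria` text added above says a 0-character value applies the exclusion rule to all principals with that tag key. The `UnusedAccessAge` upper bound moves from 180 to 365 only in the description while the type stays a plain `int`, so nothing in the generated type enforces either bound; it would help to state in the PR description that range checking is left to the service.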
