
Library for converting AWS Config to CFN Schema #45

Open
fabiodouek opened this issue Apr 14, 2023 · 8 comments

Comments

@fabiodouek

I'm looking for libraries to convert AWS Config Schema to CFN Schema. Is there any public Python library available for that?

@iainelder

Can you give an example of a conversion? I don't get what you mean by "CFN schema".

@fabiodouek
Author

Hi @iainelder , sure. By CFN I mean, CloudFormation.

@iainelder

It's the "schema" word that confuses me in a CloudFormation context.

Can you show an example of what you mean to convert from AWS Config Schema?

Are you looking for how each property in the AWS Config schema maps to a property of a CloudFormation resource?

@fabiodouek
Author

Hi @iainelder , apologies. Let me give you more context here.

The AWS Config resources are represented as a JSON object.
The CloudFormation resources are also represented as a JSON object.
However, as you know, the AWS Config and CloudFormation JSON object structures are completely different.

I've successfully written Python code to map for example AWS Config resource (S3Bucket) to CloudFormation (S3Bucket and S3Bucket Policy).

However, it's a tedious process and requires additional testing. Therefore I was wondering if AWS has a library to allow this conversion oob.

@iainelder

iainelder commented Apr 20, 2023

I don't know of an existing solution that would do that mapping for you.

Sounds like you are the first to write that library :-)

Just wondering: why do you need that mapping? Do you see inconsistencies between CloudFormation state and AWS Config state?

@fabiodouek
Author

Hi @iainelder ,

The use case is to have validation rules to be used both preventative (with CloudFormation hooks), and scanning CloudFormation templates in pipelines. Also detective integrated with AWS Config.

To achieve that I could either have two sets of rules across CFN and Config, which is a very bad idea as I would have to test the rules, maintain them, etc... Or the second option is to convert the Config to CFN as a pre-processor and then evaluate against the rules which handle CloudFormation resources.
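As an added example, not code from the issue's author or from AWS, here is the approach described in this thread (the S3 bucket mapping mentioned earlier and the single rule set evaluated on both the preventative and the detective path) in Python: a converter from an AWS Config configuration item for an S3 bucket to CloudFormation `AWS::S3::Bucket` and `AWS::S3::BucketPolicy` resources, and two validation rules that run once over the converted output (the detective path, via Config) and once over a hand-written template (the preventative path, a pipeline scan or hook). The sample Config item, the bucket names, the simplified key layout of the item and the rule functions are all constructed assumptions, not the thread's or AWS's data.

```python
from __future__ import annotations

import json

# Constructed sample AWS Config configuration item for an S3 bucket. The
# configuration / supplementaryConfiguration layout is the general shape Config
# uses for AWS::S3::Bucket, simplified; verify the exact keys against real items.
CONFIG_ITEM = {
    "resourceType": "AWS::S3::Bucket",
    "configuration": {"name": "example-logs-bucket"},
    "supplementaryConfiguration": {
        "BucketVersioningConfiguration": {"status": "Enabled"},
        "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "blockPublicPolicy": False},
        # Config stores the bucket policy as a JSON string, not as an object.
        "BucketPolicy": {"policyText": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AllowPublicRead",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-logs-bucket/*",
            }],
        })},
    },
}

# Constructed sample CloudFormation template: the input the same rules see in a
# pipeline scan or a CloudFormation hook.
CFN_TEMPLATE = {"Resources": {"RawBucket": {
    "Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-raw-bucket"}}}}


def logical_id_for(name: str) -> str:
    """CloudFormation logical IDs must be alphanumeric; derive one from the bucket name."""
    return "".join(ch for ch in name.title() if ch.isalnum())


def config_item_to_cfn(item: dict) -> dict:
    """Map one Config S3 bucket item to a CloudFormation Resources fragment: an
    AWS::S3::Bucket plus an AWS::S3::BucketPolicy when a policy is attached."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        raise ValueError(f"unsupported resource type: {item.get('resourceType')}")
    supp = item.get("supplementaryConfiguration") or {}
    name = item["configuration"]["name"]
    lid = logical_id_for(name)
    props: dict = {"BucketName": name}
    status = (supp.get("BucketVersioningConfiguration") or {}).get("status")
    if status in ("Enabled", "Suspended"):  # skip when no versioning state is recorded
        props["VersioningConfiguration"] = {"Status": status}
    pab = supp.get("PublicAccessBlockConfiguration")
    if pab:  # Config keys are lowerCamelCase; CloudFormation wants UpperCamelCase
        props["PublicAccessBlockConfiguration"] = {k[0].upper() + k[1:]: v for k, v in pab.items()}
    resources = {lid: {"Type": "AWS::S3::Bucket", "Properties": props}}
    policy_text = (supp.get("BucketPolicy") or {}).get("policyText")
    if policy_text:
        resources[lid + "Policy"] = {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": {"Ref": lid}, "PolicyDocument": json.loads(policy_text)}}
    return resources


def rule_no_public_bucket_policy(resources: dict) -> list[str]:
    """Flag Allow statements that grant Principal '*' without any Condition."""
    findings = []
    for lid, res in resources.items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        for stmt in res["Properties"]["PolicyDocument"].get("Statement", []):
            principal = stmt.get("Principal")
            wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
                findings.append(f"{lid}: statement {stmt.get('Sid', '?')} allows Principal '*'")
    return findings


def rule_versioning_enabled(resources: dict) -> list[str]:
    """Flag AWS::S3::Bucket resources whose versioning is not Enabled."""
    findings = []
    for lid, res in resources.items():
        if res.get("Type") == "AWS::S3::Bucket":
            status = res.get("Properties", {}).get("VersioningConfiguration", {}).get("Status")
            if status != "Enabled":
                findings.append(f"{lid}: versioning is not Enabled (got {status})")
    return findings


RULES = [rule_no_public_bucket_policy, rule_versioning_enabled]


def evaluate(resources: dict) -> list[str]:
    """Run every rule over a CloudFormation Resources map; one rule set for both paths."""
    return [finding for rule in RULES for finding in rule(resources)]


if __name__ == "__main__":
    print(evaluate(config_item_to_cfn(CONFIG_ITEM)))  # detective path, via Config
    print(evaluate(CFN_TEMPLATE["Resources"]))        # preventative path, via template
```

The rules only ever see CloudFormation-shaped resources, so they are written and tested once; the converter is the only piece that has to know Config's layout, and it is the part to extend resource type by resource type (and to fail loudly on types it does not yet handle, as the `ValueError` does here).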

@iainelder

Have you tried AWS Config proactive compliance?

See the feature announcement from November 2022.

See turning on proactive evaluation in the developer guide.

I haven't used it yet, but it sounds like it might fit your use case.

@fabiodouek
Author

fabiodouek commented Apr 21, 2023

Yes I've evaluated Config Proactive, which was a big disappointment. It's not production ready yet.

It supports a handful of resources and the "Proactive" in the name is misleading, since you have to programmatically invoke the rule to be evaluated, either from the pipeline or by creating cfn-hooks to invoke the evaluation.
