An opinionated Cloud Custodian build script with examples
- Some guidance for creating policy files.
- Folder structure
- Naming conventions
Testing
- Localstack and moto testing
- End-to-end testing
- Plugin development
Scripts
- Build scripts (check that the artifacts are good: interpolate variables, set defaults, merge)
- Deployment scripts (Send to a custodian runner)
- The policy file
- The CC teardown file
- A pytest unit test and fixture to provision the resources, run the policy, assert, and then tear down.
- A folder for each policy
- Some sort of templating strategy for creating slightly different versions, e.g. development/production
- TBD: yq? other?
- Development here can have two meanings: a place to prove your policies, but also the environment where the enterprise's developers build their other applications, which might have different levels of strictness.
- One policy per file. Policies can be compiled into a single file.
- The policy name should match the file name.
- Description should be present.
- Validate yaml
- Lint yaml with yamllint.
- Lint with AI
- Validate policy against schema.
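The build step described above (one policy per folder, name matches the file, description required, interpolate variables, set per-environment defaults, merge into one file) as an added example. This is not code from the original page or from the Cloud Custodian project. It assumes each policy file has already been parsed into a dict (the page uses YAML; the example stays stdlib-only and shows output as JSON), that `${VAR}` placeholders are the templating strategy (the page leaves this TBD), and that the sample policies, variables and defaults below are constructed for illustration.

```python
"""Added example (not from the page or the Cloud Custodian project): a stdlib-only
build step that lints, interpolates, applies environment defaults to, and merges
one-policy-per-folder documents into a single Cloud Custodian policy document.

Assumptions (hypothetical): policy files are already parsed into dicts, `${VAR}`
placeholders are resolved with string.Template, and per-environment variables and
defaults are plain dicts keyed by environment name.
"""
import copy
import json
from string import Template

# Constructed sample input: (folder name, parsed policy document).
POLICY_DOCS = [
    ("s3-bucket-public-access", {
        "policies": [{
            "name": "s3-bucket-public-access",
            "description": "Flag S3 buckets that allow public access.",
            "resource": "aws.s3",
            "filters": [{"type": "global-grants"}],
            "actions": [{"type": "notify", "to": ["${ALERT_EMAIL}"],
                         "transport": {"type": "sqs", "queue": "${NOTIFY_QUEUE}"}}],
        }],
    }),
    ("ec2-untagged", {
        "policies": [{
            # Constructed to fail the conventions: name differs from the folder,
            # and the description is missing.
            "name": "ec2-missing-owner-tag",
            "resource": "aws.ec2",
            "filters": [{"tag:Owner": "absent"}],
        }],
    }),
]

# Constructed per-environment variables and defaults (development looser than production).
ENV_VARS = {
    "development": {"ALERT_EMAIL": "dev-alerts@example.invalid", "NOTIFY_QUEUE": "c7n-dev"},
    "production": {"ALERT_EMAIL": "secops@example.invalid", "NOTIFY_QUEUE": "c7n-prod"},
}
ENV_DEFAULTS = {
    "development": {"mode": {"type": "pull"}, "tags": ["env:dev"]},
    "production": {"mode": {"type": "periodic", "schedule": "rate(1 hour)"}, "tags": ["env:prod"]},
}


def lint_policy_doc(folder, doc):
    """Return convention violations for one policy folder (empty list means clean)."""
    errors = []
    policies = doc.get("policies")
    if not isinstance(policies, list) or len(policies) != 1:
        errors.append(f"{folder}: expected exactly one policy per file")
        return errors
    policy = policies[0]
    if policy.get("name") != folder:
        errors.append(f"{folder}: policy name {policy.get('name')!r} must match folder name")
    if not str(policy.get("description", "")).strip():
        errors.append(f"{folder}: description is required")
    return errors


def interpolate(value, variables):
    """Recursively substitute ${VAR} placeholders; an undefined name raises KeyError."""
    if isinstance(value, str):
        return Template(value).substitute(variables)
    if isinstance(value, list):
        return [interpolate(v, variables) for v in value]
    if isinstance(value, dict):
        return {k: interpolate(v, variables) for k, v in value.items()}
    return value


def build_policies(policy_docs, env, env_vars=ENV_VARS, env_defaults=ENV_DEFAULTS):
    """Lint, apply defaults, interpolate and merge; returns (merged_doc, errors).

    Policies that fail linting or reference undefined variables are left out of
    the merged document and reported, so a bad artifact never ships silently.
    """
    errors, merged = [], []
    for folder, doc in policy_docs:
        doc_errors = lint_policy_doc(folder, doc)
        if doc_errors:
            errors.extend(doc_errors)
            continue
        policy = copy.deepcopy(doc["policies"][0])
        for key, default in env_defaults[env].items():
            policy.setdefault(key, copy.deepcopy(default))  # explicit keys win over defaults
        try:
            merged.append(interpolate(policy, env_vars[env]))
        except KeyError as exc:
            errors.append(f"{folder}: undefined variable {exc}")
    return {"policies": merged}, errors


if __name__ == "__main__":
    compiled, problems = build_policies(POLICY_DOCS, "production")
    print(json.dumps(compiled, indent=2))
    for problem in problems:
        print("LINT:", problem)
```

Run it as a script to see the merged production document and the two lint findings for the `ec2-untagged` folder; the real build would then hand the merged document to `custodian validate` and yamllint, which this example does not replace.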
- Tests need to be able to create infrastructure and tear it down.
- There isn't a one-size-fits-all way to create infrastructure.
- Cloud Custodian can't create resources, but it can tear down a lot of resources.
- Each policy needs at least two tests, a pass and a fail.
- Running on real AWS costs money, so tests should be equally happy to run on
Some code is copy-pasted from the Cloud Custodian project; see the source file header.
The rest of the code is Apache licensed for compatibility.