Creating Quality Gates in your CI/CD pipeline to test CloudFormation Templates

Khemlall Mangal
2 min read · Jan 11, 2023

All, so while working on a CI/CD pipeline project, we had to establish some quality gates for developers to test and deliver quality code. While CloudFormation simplifies the process of creating and managing AWS resources, it doesn't protect a developer from specifying resources in a way that is potentially insecure. It is also easy to make mistakes and forget to define values, references, etc.

CloudFormation templates are a great way to provision AWS resources. They allow an infrastructure developer to declare what resources are to be created instead of worrying about the potentially complex AWS API calls necessary to make it so.

It is recommended as a best practice to lint and test your CloudFormation templates in the early phases of the Software Development Life Cycle (SDLC). First, you run linting and testing actions for your templates on your workstation; next, you add template linting and testing practices to the Continuous Integration (CI) phase of your pipelines: you use the CI phase as an initial gating step for code promotion.

So as part of our quality gates, we would like developers and QA to be able to run some static analysis testing on the CloudFormation templates before they are allowed to commit that code.

Static code analysis is testing the code without actually running it. There are multiple types of static code analysis, but we will be using linters and Static Application Security Testing (SAST).

SAST analyzes code to find security vulnerabilities.

A linter flags programming errors, bugs, stylistic errors, and suspicious constructs.

So here are some tools you can use to address these concerns.

You can include this in your pipeline as well.
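As an added illustration (not from the original post and not one of the tools it refers to), here is a small Python script that applies both kinds of gate to a CloudFormation template in JSON form: a lint check that every `Ref` names a defined parameter, resource or pseudo parameter, and a SAST-style check for security group ingress rules that expose administrative ports to any address. The sample template, the `WebSg` resource name, the admin port list and the subset of pseudo parameters are constructed assumptions.

```python
import json

# Constructed sample template (JSON) with two planted defects: an undefined Ref and SSH open to the world.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {"Env": {"Type": "String"}},
    "Resources": {"WebSg": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": {"Fn::Sub": "${Env} web security group"},
            "VpcId": {"Ref": "VpcId"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            ]}}},
})

PSEUDO_PARAMS = {"AWS::Region", "AWS::AccountId", "AWS::StackName", "AWS::NoValue"}  # subset

def iter_refs(node):
    """Yield every logical name used by a {"Ref": ...} node anywhere in the tree."""
    if isinstance(node, dict) and set(node) == {"Ref"} and isinstance(node["Ref"], str):
        yield node["Ref"]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from iter_refs(child)

def lint_refs(template):
    """Lint gate: each Ref must name a Parameter, a Resource or a pseudo parameter."""
    defined = set(template.get("Parameters", {})) | set(template.get("Resources", {})) | PSEUDO_PARAMS
    return sorted({ref for ref in iter_refs(template) if ref not in defined})

def sast_open_admin_ports(template, ports=(22, 3389)):
    """SAST gate: flag security group ingress that exposes admin ports to any address."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            if world and any(lo <= p <= hi for p in ports):
                findings.append(f"{name}: ports {lo}-{hi} open to the world")
    return findings

def quality_gate(template_text):
    """Return (passed, findings); the CI step should fail the build when passed is False."""
    template = json.loads(template_text)
    findings = [f"undefined Ref: {ref}" for ref in lint_refs(template)]
    findings += sast_open_admin_ports(template)
    return not findings, findings
```

In a pipeline, a wrapper that exits non-zero when `quality_gate` returns `False` is what turns these checks into a gate that blocks promotion.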
