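/**
 * Template-Level Analysis Types and Constants
 *
 * Template-level checks analyze the full CloudFormation template to detect
 * cross-resource patterns, AWS service limit violations, and policy issues
 * that cannot be found by analyzing resources individually.
 *
 * This is a declaration file: it carries types and `declare const` shapes
 * only, so nothing here exists at runtime.
 */
import type { AnalysisResults, CloudFormationStack, CreateFindingFunction, Severity, WAFPillars } from '../../types/analysis.types';

/**
 * Category for template-level check rule IDs.
 * TL-LIMIT-xxx = Service limit checks
 * TL-XRES-xxx  = Cross-resource anti-pattern checks
 * TL-POL-xxx   = Policy analysis checks
 * TL-DRIFT-xxx = CDK L1 schema-drift checks
 */
export type TemplateLevelCategory = 'serviceLimits' | 'crossResourceAntiPatterns' | 'policyAnalysis' | 'schemaDrift';

/**
 * App-wide context available to template-level checks that need to reason
 * about resources outside the current stack — e.g. validating
 * Fn::GetStackOutput targets against the outputs declared by sibling stacks
 * in the same CDK app. Optional; checks that only look at one template
 * should ignore it.
 */
export interface AppContext {
  /**
   * outputLogicalIds declared in each stack, keyed by stackName.
   *
   * NOTE(review): the generic arguments were lost in the published source
   * (`Map>`); `Map<string, Set<string>>` is reconstructed from the surviving
   * closing bracket and this comment — confirm against the code that builds
   * the map before relying on the value type.
   */
  outputsByStack: Map<string, Set<string>>;
}

/**
 * A template-level check function.
 * Receives the FULL CloudFormation stack (all resources).
 * Returns AnalysisResults keyed by affected resource logical ID.
 *
 * Intentionally matches the AWSServiceCheckFunction signature so it
 * integrates seamlessly with the existing pipeline.
 *
 * @param template      The whole stack under analysis.
 * @param createFinding Factory used to emit findings in the pipeline's shape.
 * @param appContext    Cross-stack context; undefined when a check runs on a
 *                      single template, so checks must tolerate its absence.
 */
export type TemplateLevelCheckFunction = (
  template: CloudFormationStack,
  createFinding: CreateFindingFunction,
  appContext?: AppContext,
) => AnalysisResults;

/**
 * Metadata about a registered template-level check.
 */
export interface TemplateLevelCheckDefinition {
  /** Unique rule ID: TL-LIMIT-001, TL-XRES-001, TL-POL-001, etc. */
  ruleId: string;
  /** Human-readable title */
  title: string;
  /** Category for grouping; its prefix convention is documented on TemplateLevelCategory. */
  category: TemplateLevelCategory;
  /** Default severity, applied when the finding does not override it. */
  defaultSeverity: Severity;
  /** WAF pillar */
  wafPillar: WAFPillars;
  /** The check function */
  check: TemplateLevelCheckFunction;
  /** Description for documentation */
  description: string;
}

/**
 * AWS service limits used by checks.
 * Names ending in `_BYTES` are byte sizes; the remaining entries are counts.
 *
 * These are AWS defaults, not the target account's effective quota: the
 * `_DEFAULT` suffix marks a value that is an adjustable Service Quota, and
 * other count-based entries may be adjustable as well, whereas the policy
 * size limits are fixed. A check that exceeds one of these values should
 * therefore report a finding rather than assume the deployment will fail.
 */
export declare const AWS_SERVICE_LIMITS: {
  readonly SQS_POLICY_MAX_BYTES: 8192;
  readonly SQS_POLICY_MAX_STATEMENTS: 20;
  readonly IAM_INLINE_POLICY_MAX_BYTES: 2048;
  readonly IAM_MANAGED_POLICY_MAX_BYTES: 6144;
  readonly IAM_ROLE_AGGREGATE_INLINE_MAX_BYTES: 10240;
  readonly LAMBDA_ENV_MAX_BYTES: 4096;
  readonly LAMBDA_MAX_LAYERS: 5;
  readonly S3_BUCKET_POLICY_MAX_BYTES: 20480;
  readonly SNS_TOPIC_POLICY_MAX_BYTES: 30720;
  readonly EVENTBRIDGE_RULES_PER_BUS_DEFAULT: 300;
  readonly CFN_MAX_RESOURCES: 500;
  readonly CFN_TEMPLATE_MAX_BYTES_DIRECT: 51200;
  readonly CFN_TEMPLATE_MAX_BYTES_S3: 460800;
  readonly SECURITY_GROUP_MAX_INBOUND_RULES: 60;
  readonly SECURITY_GROUP_MAX_OUTBOUND_RULES: 60;
};

/**
 * Warning threshold ratio: flag when usage exceeds this fraction of the limit.
 * e.g., 0.8 means warn at 80% of the limit.
 */
export declare const WARNING_THRESHOLD = 0.8;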