Merge pull request #54 from awslabs/feat/region-from-env-var

now reads AWS_REGION env var if present

Author: liwadman

README.md

@@ -75,7 +75,7 @@ Exits with a non-zero error code if any findings categorized as blocking are fou
 | Arguments | Required |  Options | Description |
 | --------- | -------- | ---------| ----------- |
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
-| --region | Yes | REGION | The destination region the resources will be deployed to. |
+| --region | | REGION | The destination region the resources will be deployed to. If not specified, defaults to the AWS_REGION or AWS_DEFAULT_REGION environment variable. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
 | --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
@@ -98,7 +98,7 @@ Parses IAM identity-based and resource-based policies from AWS CloudFormation te
 | Arguments | Required |  Options | Description |
 | --------- | -------- | ---------| ----------- |
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
-| --region | Yes | REGION | The destination region the resources will be deployed to. |
+| --region | | REGION | The destination region the resources will be deployed to. If not specified, defaults to the AWS_REGION or AWS_DEFAULT_REGION environment variable. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
 | --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
@@ -120,7 +120,7 @@ Parses IAM identity-based and resource-based policies from AWS CloudFormation te
 | Arguments | Required |  Options | Description |
 | --------- | -------- | ---------| ----------- |
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
-| --region | Yes | REGION | The destination region the resources will be deployed to. |
+| --region | | REGION | The destination region the resources will be deployed to. If not specified, defaults to the AWS_REGION or AWS_DEFAULT_REGION environment variable. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
 | --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
@@ -142,7 +142,7 @@ Parses resource-based policies from AWS CloudFormation templates. Then runs the
 | Arguments | Required |  Options | Description |
 | --------- | -------- | ---------| ----------- |
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
-| --region | Yes | REGION | The destination region the resources will be deployed to. |
+| --region | | REGION | The destination region the resources will be deployed to. If not specified, defaults to the AWS_REGION or AWS_DEFAULT_REGION environment variable. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
 | --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
@@ -163,7 +163,7 @@ Parses IAM identity-based and resource-based policies from AWS CloudFormation te
 | Arguments | Required |  Options | Description |
 | --------- | -------- | ---------| ----------- |
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
-| --region | Yes | REGION | The destination region the resources will be deployed to. |
+| --region | | REGION | The destination region the resources will be deployed to. If not specified, defaults to the AWS_REGION or AWS_DEFAULT_REGION environment variable. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
 | --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |

cfn_policy_validator/main.py

@@ -4,6 +4,7 @@
 """
 import argparse
 import logging
+import os
 import sys
 import traceback
 from cfn_policy_validator.validation import policy_analysis
@@ -95,6 +96,22 @@ def parse_from_cli(arguments):
     exit(0)
 
 
+def _resolve_region(region_from_cli):
+    """
+    Resolve the region from the CLI argument, or fall back to AWS_DEFAULT_REGION / AWS_REGION environment variables.
+    """
+    if region_from_cli is not None:
+        return region_from_cli
+
+    region = os.environ.get('AWS_REGION') or os.environ.get('AWS_DEFAULT_REGION')
+    if region is None:
+        raise ApplicationError(
+            'No region provided. Specify --region or set the AWS_REGION or AWS_DEFAULT_REGION environment variable.'
+        )
+
+    return validate_region(region)
+
+
 def main(args=None):
     if args is None:
         args = sys.argv[1:]
@@ -103,8 +120,10 @@ def main(args=None):
     parent_parser.add_argument('--template-path', metavar="TEMPLATE_PATH", dest="template_path", required=True,
                         help='The path to the CloudFormation template.')
 
-    parent_parser.add_argument('--region', dest="region", required=True, type=validate_region,
-                        help="The region the resources will be deployed to.")
+    parent_parser.add_argument('--region', dest="region", required=False, type=validate_region,
+                        help="The region the resources will be deployed to. "
+                             "Defaults to the AWS_REGION or AWS_DEFAULT_REGION environment variable if not specified.",
+                        default=None)
 
     parent_parser.add_argument('--parameters', action=DictionaryArgument, nargs="+", metavar="KEY=VALUE", dest="parameters",
                         help='Parameter key and value in the format -p Key1=Value1 Key2=Value2.  Only parameters'
@@ -250,6 +269,7 @@ def add_policy_analysis_subparsers():
     args = parser.parse_args(args)
 
     try:
+        args.region = _resolve_region(args.region)
         client.set_profile(args.profile)
         validate_credentials(args.region)
 

cfn_policy_validator/tests/test_cli.py

@@ -277,11 +277,61 @@ def test_path_is_required(self):
         self.validate_with_expected_error("the following arguments are required: --template-path")
 
     @mock_validation_setup()
-    def test_region_is_required(self):
+    def test_region_is_required_when_env_var_not_set(self):
         self.args = [
             'validate', '--template-path', 'abcdef'
         ]
-        self.validate_with_expected_error("the following arguments are required: --region")
+        with patch.dict(os.environ, {}, clear=True):
+            with self.assertRaises(SystemExit) as context_manager, captured_output() as (out, err):
+                main.main(self.args)
+            self.assertEqual(1, context_manager.exception.code)
+            self.assertIn("No region provided", err.getvalue())
+
+    @mock_validation_setup()
+    def test_region_falls_back_to_aws_default_region_env_var(self):
+        json_file_path = os.path.join(this_files_directory, '..', '..', 'test_files/test_file_2.json')
+        args = [
+            'validate',
+            '--template-path', json_file_path,
+            '--parameters', 'CodestarConnectionArn=fakeArn', 'EnvironmentName=prod',
+            '--treat-finding-type-as-blocking', 'NONE'
+        ]
+        with patch.dict(os.environ, {'AWS_DEFAULT_REGION': 'us-west-2'}, clear=False):
+            with patch.object(main, 'validate_from_cli') as mock:
+                main.main(args)
+            mock.assert_called_once()
+            self.assertEqual(mock.call_args[0][0].region, 'us-west-2')
+
+    @mock_validation_setup()
+    def test_region_falls_back_to_aws_region_env_var(self):
+        json_file_path = os.path.join(this_files_directory, '..', '..', 'test_files/test_file_2.json')
+        args = [
+            'validate',
+            '--template-path', json_file_path,
+            '--parameters', 'CodestarConnectionArn=fakeArn', 'EnvironmentName=prod',
+            '--treat-finding-type-as-blocking', 'NONE'
+        ]
+        with patch.dict(os.environ, {'AWS_REGION': 'eu-west-1'}, clear=False):
+            with patch.object(main, 'validate_from_cli') as mock:
+                main.main(args)
+            mock.assert_called_once()
+            self.assertEqual(mock.call_args[0][0].region, 'eu-west-1')
+
+    @mock_validation_setup()
+    def test_region_cli_flag_takes_precedence_over_env_var(self):
+        json_file_path = os.path.join(this_files_directory, '..', '..', 'test_files/test_file_2.json')
+        args = [
+            'validate',
+            '--template-path', json_file_path,
+            '--region', 'ap-southeast-1',
+            '--parameters', 'CodestarConnectionArn=fakeArn', 'EnvironmentName=prod',
+            '--treat-finding-type-as-blocking', 'NONE'
+        ]
+        with patch.dict(os.environ, {'AWS_DEFAULT_REGION': 'us-west-2'}, clear=False):
+            with patch.object(main, 'validate_from_cli') as mock:
+                main.main(args)
+            mock.assert_called_once()
+            self.assertEqual(mock.call_args[0][0].region, 'ap-southeast-1')
 
     @mock_validation_setup()
     def test_with_no_parameters(self):
@@ -484,11 +534,15 @@ def test_path_is_required(self):
         self.parse_with_expected_error("the following arguments are required: --template-path")
 
     @mock_validation_setup()
-    def test_region_is_required(self):
+    def test_region_is_required_when_env_var_not_set(self):
         self.args = [
             'parse', '--template-path', 'abcdef'
         ]
-        self.parse_with_expected_error("the following arguments are required: --region")
+        with patch.dict(os.environ, {}, clear=True):
+            with self.assertRaises(SystemExit) as context_manager, captured_output() as (out, err):
+                main.main(self.args)
+            self.assertEqual(1, context_manager.exception.code)
+            self.assertIn("No region provided", err.getvalue())
 
     @mock_validation_setup()
     def test_allow_dynamic_ref_without_version_default(self):