awslabs
diff --git a/‎README.md‎
Lines changed: 5 additions & 5 deletions b/‎README.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎cfn_policy_validator/main.py‎
Lines changed: 7 additions & 5 deletions b/‎cfn_policy_validator/main.py‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎cfn_policy_validator/parameters.py‎
Lines changed: 91 additions & 12 deletions b/‎cfn_policy_validator/parameters.py‎
Lines changed: 91 additions & 12 deletions
@@ -77,7 +77,7 @@ Exits with a non-zero error code if any findings categorized as blocking are fou
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
 | --region | Yes | REGION | The destination region the resources will be deployed to. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
-| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values, a stack policy, and tags. Only parameters are used from this file.  Everything else is ignored. Identical values passed in the --parameters flag override parameters in this file. See CloudFormation documentation for file format: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15
+| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
 | --enable-logging | | | Enables log output to stdout |
 | --ignore-finding | | FINDING_CODE,RESOURCE_NAME,RESOURCE_NAME.FINDING_CODE | Allow validation failures to be ignored. Specify as a comma separated list of findings to be ignored. Can be individual finding codes (e.g. "PASS_ROLE_WITH_STAR_IN_RESOURCE"), a specific resource name (e.g. "MyResource"), or a combination of both separated by a period.(e.g. "MyResource.PASS_ROLE_WITH_STAR_IN_RESOURCE").  Names of finding codes may change in IAM Access Analyzer over time.
@@ -100,7 +100,7 @@ Parses IAM identity-based and resource-based policies from AWS CloudFormation te
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
 | --region | Yes | REGION | The destination region the resources will be deployed to. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
-| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values, a stack policy, and tags. Only parameters are used from this file.  Everything else is ignored. Identical values passed in the --parameters flag override parameters in this file. See CloudFormation documentation for file format: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15
+| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
 | --enable-logging | | | Enables log output to stdout |
 | --ignore-finding | | FINDING_CODE,RESOURCE_NAME,RESOURCE_NAME.FINDING_CODE | Allow validation failures to be ignored. Specify as a comma separated list of findings to be ignored. Can be individual finding codes (e.g. "PASS_ROLE_WITH_STAR_IN_RESOURCE"), a specific resource name (e.g. "MyResource"), or a combination of both separated by a period.(e.g. "MyResource.PASS_ROLE_WITH_STAR_IN_RESOURCE").  Names of finding codes may change in IAM Access Analyzer over time.
@@ -122,7 +122,7 @@ Parses IAM identity-based and resource-based policies from AWS CloudFormation te
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
 | --region | Yes | REGION | The destination region the resources will be deployed to. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
-| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values, a stack policy, and tags. Only parameters are used from this file.  Everything else is ignored. Identical values passed in the --parameters flag override parameters in this file. See CloudFormation documentation for file format: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15
+| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
 | --enable-logging | | | Enables log output to stdout |
 | --ignore-finding | | FINDING_CODE,RESOURCE_NAME,RESOURCE_NAME.FINDING_CODE | Allow validation failures to be ignored. Specify as a comma separated list of findings to be ignored. Can be individual finding codes (e.g. "PASS_ROLE_WITH_STAR_IN_RESOURCE"), a specific resource name (e.g. "MyResource"), or a combination of both separated by a period.(e.g. "MyResource.PASS_ROLE_WITH_STAR_IN_RESOURCE").  Names of finding codes may change in IAM Access Analyzer over time.
@@ -144,7 +144,7 @@ Parses resource-based policies from AWS CloudFormation templates. Then runs the
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
 | --region | Yes | REGION | The destination region the resources will be deployed to. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
-| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values, a stack policy, and tags. Only parameters are used from this file.  Everything else is ignored. Identical values passed in the --parameters flag override parameters in this file. See CloudFormation documentation for file format: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15
+| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
 | --enable-logging | | | Enables log output to stdout |
 | --ignore-finding | | FINDING_CODE,RESOURCE_NAME,RESOURCE_NAME.FINDING_CODE | Allow validation failures to be ignored. Specify as a comma separated list of findings to be ignored. Can be individual finding codes (e.g. "PASS_ROLE_WITH_STAR_IN_RESOURCE"), a specific resource name (e.g. "MyResource"), or a combination of both separated by a period.(e.g. "MyResource.PASS_ROLE_WITH_STAR_IN_RESOURCE").  Names of finding codes may change in IAM Access Analyzer over time.
@@ -165,7 +165,7 @@ Parses IAM identity-based and resource-based policies from AWS CloudFormation te
 | --template-path | Yes | FILE_NAME | The path to the CloudFormation template. |
 | --region | Yes | REGION | The destination region the resources will be deployed to. |
 | --parameters | | KEY=VALUE [KEY=VALUE ...] | Keys and values for CloudFormation template parameters.  Only parameters that are referenced by IAM policies in the template are required. |
-| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values, a stack policy, and tags. Everything except for parameters are ignored from this file. Identical values passed in the --parameters flag override parameters in this file. See CloudFormation documentation for file format: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15
+| --template-configuration-file | | FILE_PATH.json | A JSON formatted file that specifies template parameter values. Identical values passed in the --parameters flag override parameters in this file. Supports three formats: the [CodePipeline template configuration file](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15) format (`{"Parameters": {"Key": "Value"}}`), the [CloudFormation parameter file](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/deploy.html) format (`[{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]`), and a simple Key=Value string array (`["Key1=Value1", "Key2=Value2"]`).
 | --profile | | PROFILE | The named profile to use for AWS API calls. |
 | --enable-logging | | | Enables log output to stdout |
 | --allow-dynamic-ref-without-version | | | Override the default behavior and allow dynamic SSM references without version numbers.  The version number ensures that the SSM parameter value that was validated is the one that is deployed. |
 
@@ -111,11 +111,13 @@ def main(args=None):
                              ' that are referenced by IAM policies are required.', default={})
 
     parent_parser.add_argument('--template-configuration-file', metavar='FILE_PATH.json', dest="template_configuration_file",
-                               help="A JSON formatted file that specifies template parameter values, a stack policy, and tags."
-                                    "Everything but parameters are ignored from this file. Identical values passed in "
-                                    "the --parameters flag override parameters in this file\n"
-                                    "See CloudFormation documentation on format for this file: "
-                                    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15")
+                               help="A JSON formatted file that specifies template parameter values. "
+                                    "Identical values passed in the --parameters flag override parameters in this file.\n"
+                                    "Supports multiple formats:\n"
+                                    "  - CodePipeline configuration: {\"Parameters\": {\"Key\": \"Value\"}}\n"
+                                    "  - CloudFormation-style list: [{\"ParameterKey\": \"Key\", \"ParameterValue\": \"Value\"}, ...]\n"
+                                    "  - Key=Value string list: [\"Key1=Value1\", \"Key2=Value2\"]\n"
+                                    "See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15")
 
     parent_parser.add_argument('--profile', help='The named profile to use for AWS API calls.')
 
 
@@ -20,15 +20,9 @@ def merge(parameters, template_configuration_file_path):
 	Merge parameters passed in via the parameters argument with parameters from the template configuration file.
 	"""
 
-	template_configuration_file = {}
+	parameters_from_config_file = {}
 	if template_configuration_file_path is not None:
-		template_configuration_file = _read_template_configuration_file(template_configuration_file_path)
-
-	parameters_from_config_file = template_configuration_file.get('Parameters', {})
-	if not isinstance(parameters_from_config_file, dict):
-		raise ApplicationError(f'The value for "Parameters" in the template configuration value must be a JSON object.\n'
-								'See CloudFormation documentation on format for this file: '
-								'"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15"')
+		parameters_from_config_file = _read_parameters_from_file(template_configuration_file_path)
 
 	if parameters is None:
 		parameters = {}
@@ -40,15 +34,100 @@ def merge(parameters, template_configuration_file_path):
 	return parameters_from_config_file
 
 
-def _read_template_configuration_file(template_configuration_file_path):
+def _read_parameters_from_file(file_path):
+	"""
+	Read parameters from a configuration file. Supports multiple formats:
+
+	1. CodePipeline template configuration file (existing format):
+	   {"Parameters": {"Key1": "Value1", "Key2": "Value2"}}
+
+	2. CloudFormation-style parameter list:
+	   [{"ParameterKey": "Key1", "ParameterValue": "Value1"}, ...]
+
+	3. Key=Value string list (as used by AWS CLI deploy --parameter-overrides):
+	   ["Key1=Value1", "Key2=Value2"]
+	"""
+	parsed = _read_json_file(file_path)
+	return _normalize_parameters(parsed)
+
+
+def _read_json_file(file_path):
 	try:
-		with open(template_configuration_file_path, 'r') as stream:
+		with open(file_path, 'r') as stream:
 			raw_file = stream.read()
 			return json.loads(raw_file)
 	except FileNotFoundError:
-		raise ApplicationError(f'Template configuration file not found: {template_configuration_file_path}')
+		raise ApplicationError(f'Template configuration file not found: {file_path}')
 	except JSONDecodeError:
-		raise ApplicationError(f'Template configuration file contains invalid json: {template_configuration_file_path}')
+		raise ApplicationError(f'Template configuration file contains invalid json: {file_path}')
+
+
+def _normalize_parameters(parsed):
+	"""
+	Detect the format of the parsed JSON and normalize to a flat {key: value} dict.
+	"""
+
+	# Format 1: CodePipeline template configuration file - {"Parameters": {"Key": "Value"}}
+	if isinstance(parsed, dict):
+		parameters = parsed.get('Parameters', {})
+		if not isinstance(parameters, dict):
+			raise ApplicationError(
+				'The value for "Parameters" in the template configuration file must be a JSON object.\n'
+				'See CloudFormation documentation on format for this file: '
+				'"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c21c15c15"'
+			)
+		return parameters
+
+	# Format 2 & 3: JSON array
+	if isinstance(parsed, list):
+		if len(parsed) == 0:
+			return {}
+
+		first = parsed[0]
+
+		# Format 2: CloudFormation-style [{"ParameterKey": "Key1", "ParameterValue": "Value1"}, ...]
+		if isinstance(first, dict):
+			return _parse_cfn_style_parameters(parsed)
+
+		# Format 3: Key=Value string list ["Key1=Value1", "Key2=Value2"]
+		if isinstance(first, str):
+			return _parse_key_value_string_parameters(parsed)
+
+	raise ApplicationError(
+		'Unsupported parameter file format. Supported formats:\n'
+		'  - CodePipeline configuration: {"Parameters": {"Key": "Value"}}\n'
+		'  - CloudFormation-style list:  [{"ParameterKey": "Key", "ParameterValue": "Value"}, ...]\n'
+		'  - Key=Value string list:      ["Key1=Value1", "Key2=Value2"]'
+	)
+
+
+def _parse_cfn_style_parameters(parameter_list):
+	"""Parse [{"ParameterKey": "K", "ParameterValue": "V"}, ...] into {K: V}."""
+	result = {}
+	for item in parameter_list:
+		if not isinstance(item, dict):
+			raise ApplicationError(
+				f'Expected a JSON object with "ParameterKey" and "ParameterValue" but got: {item}'
+			)
+		if 'ParameterKey' not in item or 'ParameterValue' not in item:
+			raise ApplicationError(
+				f'Each parameter object must contain "ParameterKey" and "ParameterValue". Got: {json.dumps(item)}'
+			)
+		result[item['ParameterKey']] = item['ParameterValue']
+	return result
+
+
+def _parse_key_value_string_parameters(parameter_list):
+	"""Parse ["Key1=Value1", "Key2=Value2"] into {Key1: Value1}."""
+	result = {}
+	for item in parameter_list:
+		if not isinstance(item, str) or '=' not in item:
+			raise ApplicationError(
+				f'Expected a parameter string in the format "Key=Value" but got: {item}'
+			)
+		key, value = item.split('=', 1)
+		result[key] = value
+	return result
 
 
 def validate_region(region):