✨ cloudformation: add dependsOn, rules, and improve README

Add `dependsOn` field to `cloudformation.resource` exposing DependsOn
dependencies (both single-string and list forms). Add `rules()` to
`cloudformation.template` for parameter validation constraints. Expand
provider README with usage instructions and practical query examples.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

providers/cloudformation/README.md

@@ -1,4 +1,70 @@
+# CloudFormation Provider
 
+Static analysis provider for AWS CloudFormation and SAM templates. Parses YAML/JSON templates locally without requiring AWS credentials or API access.
 
+## Usage
 
-https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-reference.html
+```shell
+mql shell cloudformation <path-to-template>
+```
+
+Supports both YAML and JSON template formats.
+
+```shell
+# Single template file
+mql shell cloudformation template.yaml
+
+# JSON format
+mql shell cloudformation stack.json
+```
+
+## Examples
+
+**List all resources in a template**
+
+```shell
+mql> cloudformation.template.resources { name type }
+cloudformation.template.resources: [
+  0: {
+    name: "MyVPC"
+    type: "AWS::EC2::VPC"
+  }
+  1: {
+    name: "MySubnet"
+    type: "AWS::EC2::Subnet"
+  }
+]
+```
+
+**Check that no resources use a specific type**
+
+```shell
+mql> cloudformation.template.resources.none(type == "AWS::IAM::User")
+```
+
+**Ensure all S3 buckets have versioning enabled**
+
+```shell
+mql> cloudformation.template.resources.where(type == "AWS::S3::Bucket") {
+       properties["VersioningConfiguration"]["Status"] == "Enabled"
+     }
+```
+
+**Check that all Lambda functions use a supported runtime**
+
+```shell
+mql> cloudformation.template.resources.where(type == "AWS::Lambda::Function") {
+       properties["Runtime"] == /^python3\.(11|12|13)$/
+     }
+```
+
+**One-shot query from the command line**
+
+```shell
+mql run cloudformation template.yaml -c "cloudformation.template.resources.where(type == /SecurityGroup/) { name properties }"
+```
+
+## References
+
+- [AWS CloudFormation Template Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/introduction.html)
+- [AWS SAM Template Specification](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification.html)

providers/cloudformation/go.mod

@@ -1,11 +1,11 @@
 module go.mondoo.com/mql/v13/providers/cloudformation
 
-go 1.25.6
+go 1.26.0
 
 replace go.mondoo.com/mql/v13 => ../..
 
 require (
-	github.com/aws-cloudformation/rain v1.24.2
+	github.com/aws-cloudformation/rain v1.24.3
 	github.com/rs/zerolog v1.34.0
 	github.com/stretchr/testify v1.11.1
 	go.mondoo.com/mql/v13 v13.0.0-rc7

providers/cloudformation/go.sum

@@ -77,8 +77,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/aws-cloudformation/rain v1.24.2 h1:mBlBwkZTavTdP3fr81gGR1NrQEAhcncs9hcKc1qn+jo=
-github.com/aws-cloudformation/rain v1.24.2/go.mod h1:mg8IIq7r1ss1wDClMqgtovZO2CDNokE+w9i9XRvvBEE=
+github.com/aws-cloudformation/rain v1.24.3 h1:n/ZylHMgGHTDcZLo49TjE9z0kWrsdPWLrmVoLuLh4ig=
+github.com/aws-cloudformation/rain v1.24.3/go.mod h1:/MdRW1x1OFuoTJJU52g6m6hMNNh4HLvVttrdlCtL8Bk=
 github.com/aws/aws-sdk-go-v2 v1.41.3 h1:4kQ/fa22KjDt13QCy1+bYADvdgcxpfH18f0zP542kZA=
 github.com/aws/aws-sdk-go-v2 v1.41.3/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
 github.com/aws/aws-sdk-go-v2/config v1.32.11 h1:ftxI5sgz8jZkckuUHXfC/wMUc8u3fG1vQS0plr2F2Zs=

providers/cloudformation/resources/cloudformation.lr

@@ -22,6 +22,8 @@ cloudformation.template @defaults("description") {
   metadata() map[string]dict
   // Template conditions
   conditions() map[string]dict
+  // Template rules for parameter validation
+  rules() map[string]dict
   // Template resources
   resources() []cloudformation.resource
   // Template outputs
@@ -44,6 +46,8 @@ cloudformation.resource @defaults("name") {
   attributes map[string]dict
   // Resource properties
   properties map[string]dict
+  // Resource dependencies (DependsOn)
+  dependsOn []string
 }
 
 // AWS CloudFormation Output

providers/cloudformation/resources/cloudformation.lr.go

@@ -7,6 +7,7 @@ cloudformation.output.properties 11.0.0
 cloudformation.resource 11.0.0
 cloudformation.resource.attributes 11.0.0
 cloudformation.resource.condition 11.0.0
+cloudformation.resource.dependsOn 13.0.1
 cloudformation.resource.documentation 11.0.0
 cloudformation.resource.name 11.0.0
 cloudformation.resource.properties 11.0.0
@@ -20,6 +21,7 @@ cloudformation.template.metadata 11.0.0
 cloudformation.template.outputs 11.0.0
 cloudformation.template.parameters 11.0.0
 cloudformation.template.resources 11.0.0
+cloudformation.template.rules 13.0.1
 cloudformation.template.transform 11.0.0
 cloudformation.template.types 11.0.0
 cloudformation.template.version 11.0.0

providers/cloudformation/resources/cloudformation.lr.versions

@@ -198,6 +198,43 @@ func TestCloudformationResources(t *testing.T) {
 		assert.Equal(t, 1, len(res.Data))
 	})
 
+	t.Run("cloudformation dependsOn", func(t *testing.T) {
+		path := "../testdata/dependson.yaml"
+		tpl, err := loadTemplate(path)
+		require.NoError(t, err)
+
+		res := tpl.GetResources()
+		require.NoError(t, res.Error)
+		assert.Equal(t, 4, len(res.Data))
+
+		for i := range res.Data {
+			resource := res.Data[i].(*mqlCloudformationResource)
+			switch resource.Name.Data {
+			case "MySubnet":
+				// single string DependsOn
+				assert.Equal(t, []any{"MyVPC"}, resource.DependsOn.Data)
+			case "MyInstance":
+				// list DependsOn
+				assert.Equal(t, []any{"MyVPC", "MySubnet"}, resource.DependsOn.Data)
+			case "MyVPC", "MyQueue":
+				// no DependsOn
+				assert.Empty(t, resource.DependsOn.Data)
+			}
+		}
+	})
+
+	t.Run("cloudformation rules", func(t *testing.T) {
+		path := "../testdata/rules.yaml"
+		tpl, err := loadTemplate(path)
+		require.NoError(t, err)
+
+		res := tpl.GetRules()
+		require.NoError(t, res.Error)
+		assert.Equal(t, 1, len(res.Data))
+		val := res.Data["ProdInstanceType"]
+		assert.NotNil(t, val)
+	})
+
 	t.Run("cloudformation transform", func(t *testing.T) {
 		path := "../testdata/transform.yaml"
 		tpl, err := loadTemplate(path)

providers/cloudformation/resources/cloudformation_test.go

@@ -12,6 +12,7 @@ import (
 	"go.mondoo.com/mql/v13/types"
 	"go.mondoo.com/ranger-rpc/codes"
 	"go.mondoo.com/ranger-rpc/status"
+	"gopkg.in/yaml.v3"
 )
 
 func initCloudformationTemplate(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
@@ -108,6 +109,10 @@ func (r *mqlCloudformationTemplate) conditions() (map[string]any, error) {
 	return r.extractDict(cft.Conditions)
 }
 
+func (r *mqlCloudformationTemplate) rules() (map[string]any, error) {
+	return r.extractDict(cft.Rules)
+}
+
 func (x *mqlCloudformationResource) id() (string, error) {
 	return x.Name.Data, nil
 }
@@ -162,13 +167,27 @@ func (r *mqlCloudformationTemplate) resources() ([]any, error) {
 			}
 		}
 
+		var dependsOn []any
+		_, val, err = gatherMapValue(valueNode, "DependsOn")
+		if err == nil {
+			switch val.Kind {
+			case yaml.ScalarNode:
+				dependsOn = []any{val.Value}
+			case yaml.SequenceNode:
+				for _, item := range val.Content {
+					dependsOn = append(dependsOn, item.Value)
+				}
+			}
+		}
+
 		pkg, err := CreateResource(r.MqlRuntime, "cloudformation.resource", map[string]*llx.RawData{
 			"name":          llx.StringData(keyNode.Value),
 			"type":          llx.StringData(resourceType),
 			"condition":     llx.StringData(resourceCondition),
 			"documentation": llx.StringData(resourceDocumentation),
 			"attributes":    llx.MapData(attrs, types.Dict),
 			"properties":    llx.MapData(props, types.Dict),
+			"dependsOn":     llx.ArrayData(dependsOn, types.String),
 		})
 		if err != nil {
 			return nil, err

providers/cloudformation/resources/template.go

@@ -0,0 +1,21 @@
+Resources:
+  MyVPC:
+    Type: "AWS::EC2::VPC"
+    Properties:
+      CidrBlock: "10.0.0.0/16"
+  MySubnet:
+    Type: "AWS::EC2::Subnet"
+    DependsOn: MyVPC
+    Properties:
+      VpcId: !Ref MyVPC
+      CidrBlock: "10.0.1.0/24"
+  MyInstance:
+    Type: "AWS::EC2::Instance"
+    DependsOn:
+      - MyVPC
+      - MySubnet
+    Properties:
+      ImageId: "ami-0ff8a91507f77f867"
+  MyQueue:
+    Type: "AWS::SQS::Queue"
+    Properties: {}

providers/cloudformation/testdata/dependson.yaml

@@ -0,0 +1,27 @@
+Parameters:
+  Environment:
+    Type: String
+    AllowedValues:
+      - dev
+      - staging
+      - prod
+  InstanceType:
+    Type: String
+Rules:
+  ProdInstanceType:
+    RuleCondition:
+      Fn::Equals:
+        - !Ref Environment
+        - prod
+    Assertions:
+      - Assert:
+          Fn::Contains:
+            - - m5.large
+              - m5.xlarge
+            - !Ref InstanceType
+        AssertDescription: "Production instances must be m5.large or m5.xlarge"
+Resources:
+  MyInstance:
+    Type: "AWS::EC2::Instance"
+    Properties:
+      InstanceType: !Ref InstanceType