Validates CloudFormation templates for syntax, security, and best practices. Use when validating CloudFormation templates, checking for security issues, or ensuring compliance with best practices.
armanzeroeight/fastagent-plugins
cloudformation-toolkit
plugins/cloudformation-toolkit/skills/template-validator/SKILL.md
January 21, 2026
```bash
npx add-skill https://github.com/armanzeroeight/fastagent-plugins/blob/main/plugins/cloudformation-toolkit/skills/template-validator/SKILL.md -a claude-code --skill template-validator
```
Installation paths:
.claude/skills/template-validator/

# Template Validator
## Quick Start
Validate CloudFormation templates for syntax errors, security issues, and adherence to best practices before deployment.
## Instructions
### Step 1: Validate template syntax
```bash
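# Basic validation
aws cloudformation validate-template \
  --template-body file://template.yaml

# validate-template does not accept parameter values. To check them, create a
# change set without executing it (my-stack is a placeholder stack name):
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name my-stack \
  --parameter-overrides Param1=Value1 \
  --no-execute-changeset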
```
**Check for:**
- Valid YAML/JSON syntax
- Required template sections
- Valid resource types
- Correct intrinsic function usage
- Parameter references
### Step 2: Use cfn-lint for comprehensive checks
```bash
# Install cfn-lint
pip install cfn-lint
# Validate template
cfn-lint template.yaml
# Validate while ignoring warning-level checks (rule IDs starting with W)
cfn-lint template.yaml --ignore-checks W
# Output as JSON
cfn-lint template.yaml --format json
```
**cfn-lint checks:**
- Template structure
- Resource properties
- Best practices
- Security issues
- Regional availability
### Step 3: Security validation
**Check IAM policies:**
```yaml
# Review for overly permissive policies
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AppPolicy
          PolicyDocument:
            Statement:
              # Avoid wildcards
              - Effect: Allow
                Action: s3:*  # Too permissive!
                Resource: '*'  # Too broad!
```
**Better approach:**
```yaml
Policies:
  - PolicyName: AppPolicy
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
          Resource: !Sub '${MyBucket.Arn}/*'
```
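
The wildcard review above can be automated before deployment. The following is an added example, not part of the original skill: it scans a JSON-format template for `Allow` statements with wildcard actions or `Resource: '*'`. The function names and the embedded sample are constructed for illustration; YAML templates that use short-form tags such as `!Sub` would first need a CloudFormation-aware loader.

```python
import json

IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group",
             "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}

def as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_documents(props):
    """Yield (name, document) for inline Policies and a top-level PolicyDocument."""
    for inline in as_list(props.get("Policies")):
        if isinstance(inline, dict):
            yield inline.get("PolicyName", "<inline>"), inline.get("PolicyDocument", {})
    if "PolicyDocument" in props:
        yield props.get("PolicyName", "<document>"), props["PolicyDocument"]

def find_wildcards(template):
    """Return (logical_id, policy, field, value) for wildcards in Allow statements."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        for name, doc in policy_documents(res.get("Properties", {})):
            for stmt in as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue
                for action in as_list(stmt.get("Action")):
                    # Intrinsic functions (dicts) cannot be resolved statically; skip them.
                    if isinstance(action, str) and (action == "*" or action.endswith(":*")):
                        findings.append((logical_id, name, "Action", action))
                for resource in as_list(stmt.get("Resource")):
                    if resource == "*":
                        findings.append((logical_id, name, "Resource", resource))
    return findings

# Constructed sample: the permissive role and the scoped statement from above, as JSON.
SAMPLE = json.loads("""{"Resources": {
  "Role": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
    {"PolicyName": "AppPolicy", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}},
  "ScopedRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
    {"PolicyName": "AppPolicy", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
       "Resource": {"Fn::Sub": "${MyBucket.Arn}/*"}}]}}]}}}}""")

if __name__ == "__main__":
    for finding in find_wildcards(SAMPLE):
        print("%s/%s: wildcard %s %r" % finding)
```

A non-empty result can be used to fail a CI step, alongside `cfn-lint`.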
**Check security groups:**
```yaml
# Avoid open access
Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityG