fix: ci (#202)

* removing bin details
* fix mapping rule set failure
* setup ci for publish branch

.github/workflows/build.yml

@@ -1,35 +1,27 @@
-name: Build Rules
+name: Build Artifacts
 
 on:
   push:
     branches:
       - main
 
-env:
-  AWS_DEFAULT_REGION: ${{ secrets.ECR_REGION }}
-  AWS_DEFAULT_OUTPUT: json
-  AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
-  ECR_REGISTRY: ${{ secrets.ECR_REGISTRY }}
-  ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
-  VERSION: '1.0'
-
 jobs:
   testRules:
-    # cfn-guard binary for macos
-    runs-on: macos-latest
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
     - name: Run guard rules tests
       shell: bash
       run: |
-        bin/cfn-guard test -d ./rules/
+        curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+        export PATH=${PATH}:~/.guard/bin
+        cfn-guard test -d ./rules/
     ## If test fails run step to pull out only failed tests
     - name: Display Failed Rules Only
       if: ${{ failure() }}
       shell: bash
       run: |
-        bin/cfn-guard test -d ./rules/ | grep "FAIL Rules:" -B 2 -A 1
+        cfn-guard test -d ./rules/ | grep "FAIL Rules:" -B 2 -A 1
 
   buildRuleSet:
     runs-on: ubuntu-latest
@@ -44,31 +36,4 @@ jobs:
         with:
           name: ruleset-build
           path: docker/output/
-          if-no-files-found: error
-
-  buildDocker:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@v2
-      - run: |
-          chmod +x ./mappings/build.py
-          python3 ./mappings/build.py
-        shell: bash
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.ECR_REGION }}
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v1
-      - name: Build, tag, and push image to Amazon ECR
-        run: |
-          aws ecr-public get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY
-          cd ./docker
-          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
-          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION
+          if-no-files-found: error

.github/workflows/ci.yml

@@ -8,17 +8,18 @@ on:
 
 jobs:
   testRules:
-    # cfn-guard binary for macos
-    runs-on: macos-latest
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
     - name: Run guard rules tests
       shell: bash
       run: |
-        bin/cfn-guard test -d ./rules/
+        curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+        export PATH=${PATH}:~/.guard/bin
+        cfn-guard test -d ./rules/
     ## If test fails run step to pull out only failed tests
     - name: Display Failed Rules Only
       if: ${{ failure() }}
       shell: bash
       run: |
-        bin/cfn-guard test -d ./rules/ | grep "FAIL Rules:" -B 2 -A 1
+        cfn-guard test -d ./rules/ | grep "FAIL Rules:" -B 2 -A 1

.github/workflows/publish.yml

@@ -0,0 +1,81 @@
+name: Publish
+
+on:
+  push:
+    branches:
+      - publish
+    tags: '[0-9]+.[0-9]+.[0-9]+'
+
+env:
+  AWS_DEFAULT_REGION: ${{ secrets.ECR_REGION }}
+  AWS_DEFAULT_OUTPUT: json
+  AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+  ECR_REGISTRY: ${{ secrets.ECR_REGISTRY }}
+  ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
+
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  testRules:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Run guard rules tests
+      shell: bash
+      run: |
+        curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+        export PATH=${PATH}:~/.guard/bin
+        cfn-guard test -d ./rules/
+    ## If test fails run step to pull out only failed tests
+    - name: Display Failed Rules Only
+      if: ${{ failure() }}
+      shell: bash
+      run: |
+        cfn-guard test -d ./rules/ | grep "FAIL Rules:" -B 2 -A 1
+
+  buildRuleSet:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@v2
+      - run: |
+          chmod +x ./mappings/build.py
+          python3 ./mappings/build.py
+        shell: bash
+      - uses: actions/upload-artifact@v3
+        with:
+          name: ruleset-build
+          path: docker/output/
+          if-no-files-found: error
+
+  buildDockerRelease:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@v2
+      - run: |
+          chmod +x ./mappings/build.py
+          python3 ./mappings/build.py
+        shell: bash
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.ECR_REGION }}
+      - name: Retrieve git tag for version
+        id: get_version
+        run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+      - name: Build, tag, and push image to Amazon ECR
+        run: |
+          aws ecr-public get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY
+          cd ./docker
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ steps.get_version.outputs.VERSION }} .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:${{ steps.get_version.outputs.VERSION }}

CONTRIBUTING.md

@@ -5,6 +5,10 @@ Thank you for your interest in contributing to our project. Whether it's a bug r
 Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
 information to effectively respond to your bug report or contribution.
 
+## Good First Contribution
+
+Guard Rules Registry has several staged Guard rule files to do best of effort representation of AWS Config Managed rules and have yet to be implemented. These Guard rules are listed as open issues labeled `good first issue`. If you are looking to start adding to the project, start by completing one of the `good first issue` guard rules.
+
 
 ## Reporting Bugs/Feature Requests
 

README.md

@@ -5,13 +5,13 @@ AWS Guard Rules Registry is an open-source repository of [AWS CloudFormation Gua
 ## TL;DR
 
 **Leverage the existing AWS Guard Registry Rule Sets currently available:**
-* Read the [Using Guard Rules Registry Guide](./docs/USING_GUARD_RULES_REGISTRY.md) for information on how to integrate into your existing continuous integration and development processes. Then pick from the list of [Guard Rules Registry Managed Rule Sets](#managed-rule-sets).
+* Read the [Using Guard Rules Registry Guide](./docs/Using-Guard-Rules-Registry.md) for information on how to integrate into your existing continuous integration and development processes. Then pick from the list of [Guard Rules Registry Managed Rule Sets](#managed-rule-sets).
 
 **Contribute to the individual AWS Guard Registry Rules:**
-* Read the [Guard Rules Development Guide](./docs/GUARD_RULES_DEV_GUIDE.md) for details in how to contribute and develop Guard Registry Rules.
+* Read the [Guard Rules Development Guide](./docs/Guard-Rules-Dev-Guide.md) for details in how to contribute and develop Guard Rules Registry rules. Additionally, Guard Rules Registry has several staged Guard rule files that have yet to be implemented. These Guard rules are to be a *best of effort* representation of AWS Config Managed rules. To get started look for an open issues labeled `good first issue`.
 
 **Create and contribute your own open source AWS Guard Rules Registry custom rule set:**
-* Read the [Guard Rule Sets Development Guide](./docs/GUARD_RULE_SETS_DEV_GUIDE.md) for details on creating or updating the Guard Map rule set files.
+* Read the [Guard Rule Sets Development Guide](./docs/Guard-Rule-Sets-Dev-Guide.md) for details on creating or updating the Guard Map rule set files.
 
 ## About
 
@@ -25,8 +25,7 @@ The Guard Rules Registry offers the following value:
 * Individual Guard Rule files giving *best effort* to correspond to an AWS Config Managed Rule
 * Rule Set mapping process to compile single rule set files for public consumption
 * A centralized location for users, teams, and organizations to manage and open source their custom Guard rule sets
-* Resource level rule suppress! See [Using Guard Rules Registry Rule Suppression](./docs/USING_GUARD_RULES_REGISTRY.md#guard-rules-registry-rule-suppression) for more details.
-
+* Resource level rule suppress! See [Using Guard Rules Registry Rule Suppression](./docs/Using-Guard-Rules-Registry.md#guard-rules-registry-rule-suppression) for more details.
 
 ### Registry Rules Files
 
@@ -51,7 +50,7 @@ Many of the Guard rules are supported by AWS and correspond or complement associ
 
 > **Note:** Guard rule names that are in all uppercase are intentionally set this way. The names reflects the AWS Config Managed rule identifier the guard rule is satisfying.
 
-Within each directory that contains Guard rules, there is a `tests` sub-directory contains unit tests for some of the corner cases we expect Guard rule to `PASS`/`FAIL`/`SKIP`. The `test` sub-directory contains the corresponding test file for the Guard rule with the suffix `_tests` and can have the extension of `.yml` or `.json`. To learn more, see [Guard Rules Dev Guide](./docs/GUARD_RULES_DEV_GUIDE.md#writing-unit-tests) for more detail on how to create unit tests for your guard rule.
+Within each directory that contains Guard rules, there is a `tests` sub-directory contains unit tests for some of the corner cases we expect Guard rule to `PASS`/`FAIL`/`SKIP`. The `test` sub-directory contains the corresponding test file for the Guard rule with the suffix `_tests` and can have the extension of `.yml` or `.json`. To learn more, see [Guard Rules Dev Guide](./docs/Guard-Rules-Dev-Guide.md#writing-unit-tests) for more detail on how to create unit tests for your guard rule.
 
 ### Managed Rule Sets
 

docs/GUARD_RULES_DEV_GUIDE.md → docs/Guard-Rules-Dev-Guide.md

@@ -282,21 +282,31 @@ Within the current directory where you developed the guard rule, there should be
 
 ## Running unit tests and validations
 
-All commands assume you are running from the the root of the project for current working directory.
+Running unit tests and validations prior to putting in a Pull-Request helps mitigate risks of rework or bugs working into the managed rule sets. Please run the full checks listed below at minimum. **All commands assume you are running from the the root of the project for current working directory.**
 
-1. To run an individual unit test, execute the following command:
+> **Dev Note:** Leverage cfn-guard 2.0 or greater when developing Guard Rules Registry rules. Installation instructions can be found at [cfn-guard github repository installation documentation](https://github.com/aws-cloudformation/cloudformation-guard#installation)
+
+1. Validate you are running **cfn-guard 2.0 or later**:
+  ```
+  cfn-guard -V
+  ```
+2. To run an individual unit test, execute the following command:
     ```
-    bin/cfn-guard test --rules-file rules/aws/dynamodb/dynamodb_pitr_enabled.guard --test-data rules/aws/dynamodb/tests/dynamodb_pitr_enabled_tests.yml
+    cfn-guard test --rules-file rules/aws/dynamodb/dynamodb_pitr_enabled.guard --test-data rules/aws/dynamodb/tests/dynamodb_pitr_enabled_tests.yml
     ```
-2. To run all tests in a directory, execute the following command:
+3. To run all tests in a directory, execute the following command:
     ```
-    bin/cfn-guard test -d rules
+    cfn-guard test -d rules
     ```
-3. To quickly discover and display the failed rules execute the following command:
+4. To quickly discover and display the failed rules execute the following command:
     ```
-    bin/cfn-guard test -d ./rules/ | grep "FAIL Rules:" -B 2 -A 1
+    cfn-guard test -d ./rules/ | grep "FAIL Rules:" -B 2 -A 1
     ```
-4. To identify rules that have an error processing run the following command:
+5. To identify rules that have an error processing run the following command:
     ```
-    bin/cfn-guard test -d ./rules/ | grep "Error processing" -B 2 -A 2
-    ```
+    cfn-guard test -d ./rules/ | grep "Error processing" -B 2 -A 2
+    ```
+
+The `cfn-guard test` command supports the additional parameter of `-v` to show verbose output. Leverage the verbose output when diving into an issue or opening a Issue or Pull-Request of *bug* or *fix*.
+
+Once all of your testing is complete, you can submit a Pull-Request to the `main` branch to start a formal publication of a new release. Please visit the [Release](./Release.md) documentation as well as the [CONTRIBUTING](../CONTRIBUTING.md) for guidance on the release process and creating a pull-request.

docs/Release.md

@@ -0,0 +1,3 @@
+# Guard Registry Rule Set Releases
+
+Guard Rule Sets are versioned and tracked in the Guard Rule Registry managed rules release process.The process entails our open-source community creating Pull-Request from forking and submitting the Pull-Request targeting the main branch.  Upon Pull-Request approval, all Guard Registry Rule Sets located in the [./mapping](../mappings/) directory are tested,  built and bundled into a single artifact zip file suffixed with timestamp. The artifacts are available for download and beta testing. A formal publishing process will happen when the Guard Rules Registry admin team create a version tag, release notes, and merge the main branch into the publish branch. The publishing branch entails a pipeline that builds the Guard Registry Rule Set based on the git tag version and updates the AWS ECR docker image with the latest tag.

mappings/rule_set_ABS_CCIGv2_Material.json

@@ -1,7 +1,7 @@
 {
   "owner": "AWS",
   "ruleSetName": "ABS-CCIGv2-Material",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "AWS Guard rule set for ABS Cloud Computing Implementation Guide 2.0 - Material Workloads",
   "contact": "[email protected]",
   "mappings": [

mappings/rule_set_ABS_CCIGv2_Standard.json

@@ -1,7 +1,7 @@
 {
   "owner": "AWS",
   "ruleSetName": "ABS-CCIGv2-Standard",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "AWS Guard rule set for ABS Cloud Computing Implementation Guide 2.0 - Standard Workloads",
   "contact": "[email protected]",
   "mappings": [

mappings/rule_set_FDA_21CFR_Part_11.json

@@ -1,7 +1,7 @@
 {
   "owner": "AWS",
   "ruleSetName": "FDA-21CFR-Part-11",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "AWS Guard rule set for Title 21 of the Code of Federal Regulations (CFR) Part 11",
   "contact": "[email protected]",
   "mappings": [

mappings/rule_set_acsc_essential_8.json

@@ -1,7 +1,7 @@
 {
   "owner": "AWS",
   "ruleSetName": "acsc-essential-8",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "AWS Guard rule set for Australian Cyber Security Centre (ACSC) Essential Eight Maturity Model",
   "contact": "[email protected]",
   "mappings": [

mappings/rule_set_acsc_ism.json

@@ -1,7 +1,7 @@
 {
   "owner": "AWS",
   "ruleSetName": "acsc-ism",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "AWS Guard rule set for Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) 2020-06",
   "contact": "[email protected]",
   "mappings": [

mappings/rule_set_apra_cpg_234.json

@@ -1,7 +1,7 @@
 {
   "owner": "AWS",
   "ruleSetName": "apra-cpg-234",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "AWS Guard rule set for Australian Prudential Regulation Authority (APRA) CPG 234",
   "contact": "[email protected]",
   "mappings": [

mappings/rule_set_bnm_rmit.json

@@ -1,7 +1,7 @@
 {
   "owner": "AWS",
   "ruleSetName": "bnm-rmit",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "AWS Guard rule set for Bank Negara Malaysia (BNM) Risk Management in Technology (RMiT)",
   "contact": "[email protected]",
   "mappings": [

mappings/rule_set_cis_aws_benchmark_level_1.json

@@ -1,7 +1,7 @@
 {
   "owner": "AWS",
   "ruleSetName": "cis-aws-benchmark-level-1",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "AWS Guard rule set for Center for Internet Security (CIS) Amazon Web Services Foundation v1.4 Level 1",
   "contact": "[email protected]",
   "mappings": [