

# validate


Validates data against AWS CloudFormation Guard rules to determine success or failure.

## Syntax


```
cfn-guard validate
--data <value>
--output-format <value>
--rules <value>
--show-summary <value>
--type <value>
```

## Parameters


`-a`, `--alphabetical`

Validates files in a directory that is ordered alphabetically.

`-h`, `--help`

Prints help information.

`-m`, `--last-modified`

Validates files in a directory that is ordered by last-modified times.

`-P`, `--payload`

Provide rules and data in the following JSON format via `stdin`:

```
{"rules":["<rules 1>", "<rules 2>", ...], "data":["<data 1>", "<data 2>", ...]}
```

For example:

```
{"data": ["{\"Resources\":{\"NewVolume\":{\"Type\":\"AWS::EC2::Volume\",\"Properties\":{\"Size\":500,\"Encrypted\":false,\"AvailabilityZone\":\"us-west-2b\"}},\"NewVolume2\":{\"Type\":\"AWS::EC2::Volume\",\"Properties\":{\"Size\":50,\"Encrypted\":false,\"AvailabilityZone\":\"us-west-2c\"}}},\"Parameters\":{\"InstanceName\":\"TestInstance\"}}","{\"Resources\":{\"NewVolume\":{\"Type\":\"AWS::EC2::Volume\",\"Properties\":{\"Size\":500,\"Encrypted\":false,\"AvailabilityZone\":\"us-west-2b\"}},\"NewVolume2\":{\"Type\":\"AWS::EC2::Volume\",\"Properties\":{\"Size\":50,\"Encrypted\":false,\"AvailabilityZone\":\"us-west-2c\"}}},\"Parameters\":{\"InstanceName\":\"TestInstance\"}}"], "rules" : [ "Parameters.InstanceName == \"TestInstance\"","Parameters.InstanceName == \"TestInstance\"" ]}
```

For `rules`, specify a list of rules files, each passed as a single string. For `data`, specify a list of data files, each passed as a single string.

When `--payload` is specified, `--rules` and `--data` cannot be specified.
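As an added example (not part of the Guard documentation), the following Python helper builds the `--payload` document from rule and data file contents and pipes it into `cfn-guard validate --payload` when the binary is on `PATH`. The template and the rule it contains are constructed for illustration; `json.dumps` takes care of the string escaping shown in the payload above.

```python
import json
import shutil
import subprocess
from typing import Optional

# Constructed sample input (not from the Guard docs): a template with two EBS
# volumes, only one of them encrypted, so the rule below should FAIL.
SAMPLE_TEMPLATE = {
    "Resources": {
        "EncryptedVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 50, "Encrypted": True, "AvailabilityZone": "us-west-2b"},
        },
        "PlainVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 500, "Encrypted": False, "AvailabilityZone": "us-west-2c"},
        },
    }
}
# Constructed Guard rule: every EBS volume must have Encrypted set to true.
SAMPLE_RULE = (
    "rule ebs_volumes_encrypted {\n"
    '    Resources.*[ Type == "AWS::EC2::Volume" ].Properties.Encrypted == true\n'
    "}\n"
)

def template_as_data_string(template: dict) -> str:
    """Render a template dict as the compact JSON text Guard expects in "data"."""
    return json.dumps(template, separators=(",", ":"))

def build_payload(rules: list, data: list) -> str:
    """Build the --payload document; json.dumps escapes the embedded quotes and newlines."""
    if not rules or not data:
        raise ValueError("at least one rules file and one data file are required")
    return json.dumps({"rules": list(rules), "data": list(data)})

def run_validate(payload: str) -> Optional[int]:
    """Pipe the payload into cfn-guard; return its exit status, or None if it is not installed."""
    if shutil.which("cfn-guard") is None:
        return None
    proc = subprocess.run(["cfn-guard", "validate", "--payload"],
                          input=payload, text=True, capture_output=True)
    print(proc.stdout)
    return proc.returncode

if __name__ == "__main__":
    payload = build_payload([SAMPLE_RULE], [template_as_data_string(SAMPLE_TEMPLATE)])
    status = run_validate(payload)
    print(payload if status is None else f"cfn-guard exit status: {status}")
```

Without cfn-guard installed the script only prints the payload, which can be saved and piped into the CLI later with `cfn-guard validate --payload < payload.json`.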

`-p`, `--print-json`

Prints the output in JSON format.

`-s`, `--show-clause-failures`

Shows clause failure including a summary.

`-V`, `--version`

Prints version information.

`-v`, `--verbose`

Increases the output verbosity. Can be specified multiple times.

`-z`, `--structured`

Prints the results as a list of structured, valid JSON or YAML documents. This argument conflicts with the following arguments: `--verbose`, `--print-json`, `--show-summary` with any of `all`, `fail`, `pass`, `skip`, and `--output-format single-line-summary`.

## Options


`-d`, `--data` (string)

Provides a data file or directory of data files in JSON or YAML. Supports passing multiple values by using this option repeatedly.

Example: `--data template1.yaml --data ./data-dir1 --data template2.yaml`

For directory arguments such as `data-dir1` above, scanning is only supported for files with the following extensions: `.yaml`, `.yml`, `.json`, `.jsn`, `.template`.

If you specify the `--payload` flag, don't specify the `--data` option.

`-i`, `--input-parameters` (string)

Provides a parameter file or directory of parameter files in JSON or YAML that specifies any additional parameters to use along with data files to be used as a combined context. All the parameter files passed as input get merged and this combined context is again merged with each file passed as an argument for `data`. Due to this, every file is expected to contain mutually exclusive properties, without any overlap. Supports passing multiple values by using this option repeatedly.

For directory arguments, scanning is only supported for files with the following extensions: `.yaml`, `.yml`, `.json`, `.jsn`, `.template`.

`-o`, `--output-format` (string)

Specifies the format for the output.

*Default*: `single-line-summary`

*Allowed values*: `json` | `yaml` | `single-line-summary` | `junit` | `sarif`

`-r`, `--rules` (string)

Provides a rules file or a directory of rules files. Supports passing multiple values by using this option repeatedly.

Example: `--rules rule1.guard --rules ./rules-dir1 --rules rule2.guard`

For directory arguments such as `rules-dir1` above, scanning is only supported for files with the following extensions: `.guard`, `.ruleset`.

If you specify the `--payload` flag, do not specify the `--rules` option.

`--show-summary` (string)

Controls whether the summary table is displayed: `--show-summary fail` (default) shows only the rules that failed, `--show-summary pass,fail` shows only the rules that passed or failed, `--show-summary none` turns the table off, and `--show-summary all` shows every rule that passed, failed or was skipped.

*Default*: `fail`

*Allowed values*: `none` | `all` | `pass` | `fail` | `skip`

`-t`, `--type` (string)

Provides the format of your input data. When you specify the input data type, Guard displays the logical names of CloudFormation template resources in the output. By default, Guard displays property paths and values, such as `Property [/Resources/vol2/Properties/Encrypted]`.

*Allowed values*: `CFNTemplate`

## Example


```
cfn-guard validate --data example.json --rules rules.guard
```

## Output


If Guard successfully validates the templates, the `validate` command returns an exit status of `0` (`$?` in bash). If Guard identifies a rule violation, the `validate` command returns a status report of the rules that failed.

```
example.json Status = FAIL
FAILED rules
rules.guard/policy_effect_is_deny    FAIL
---
Evaluation of rules rules.guard against data example.json 
--
Property [/path/to/Effect] in data [example.json] is not compliant with [policy_effect_is_deny] because provided value ["Allow"] did not match expected value ["Deny"]. Error Message [ Policy statement "Effect" must be "Deny".]
```

## See also

+ [Validating input data against Guard rules](validating-rules.md)
+ [Using input parameters with Guard rules](using-input-parameters.md)