# Sample usage for AwsCommunity::Lambda::Invoker hook

This sample shows how to write and deploy resources to enable compliance checks on CloudFormation templates using the `AwsCommunity::Lambda::Invoker` hook. This hook is a central point for invoking a series of Lambda functions that you write to check templates before they are deployed. These Lambda functions can also be easily invoked by template developers before deployment, to catch errors early.

## WARNING

The type configuration for the sample is set to WARN on failures. If you change that to FAIL, this sample will cause any subsequent CloudFormation deployments in your account to fail if they are not compliant with the checks in `compliance.yaml`. Don't deploy this in a production account, and be sure to clean up resources using the `destroy.sh` script when you are done evaluating the solution.

## Pre-requisites

Make sure you have activated the public resource type `AwsCommunity::DynamoDB::Item` in your account/region before deploying this sample.

Rain v1.4.1 is required for module support. You can `brew install rain` or install it from GitHub with `GO111MODULE=on go install github.com/aws-cloudformation/rain/cmd/rain@latest`.

## Files

### compliance.yaml

This template creates the registration table in DynamoDB to store the ARNs of your Lambda functions. It also uses a [rain](https://github.com/aws-cloudformation/rain) module to simplify the template by encapsulating the CloudFormation code needed to register the functions.

### compliance-pkg.yaml

Auto-generated by rain based on `compliance.yaml` and `module.yaml`.

### deploy.sh

This script assumes you are privately registering the hook. It packages and deploys `compliance.yaml`, and then registers the hook with CloudFormation.

### module.yaml

This is a rain module, which is a snippet of CloudFormation that inherits from `AWS::Lambda::Function` to simplify the code in `compliance.yaml`.

### type-config.json

CloudFormation registry extensions must be configured when they are registered. This file is used to tell the hook the ARN of the DynamoDB table that contains a list of your compliance Lambda functions.

### destroy.sh

Cleans up the resources created by `deploy.sh`.

### lambda/*

This directory has a Python Lambda function with dependencies, to demonstrate how a more complex function can be deployed with CloudFormation and rain.

### invalid.yaml

After deploying the solution, this template should fail if you try to deploy it.

### valid.yaml

After deploying the solution, this template should succeed if you try to deploy it.

### validate.py

Validates the templates by directly invoking the Lambda functions. This could be used by a template developer to make sure code is compliant before actually deploying the stack.
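
The following pre-flight check is an added example, not one of the sample's own files. It reviews a hook type configuration like the one described under `type-config.json` and flags the FAIL setting the warning above describes before the hook is registered. It assumes the standard CloudFormation hook configuration layout; the property key `TableArnPlaceholder`, the ARN values and the function name `review_type_config` are constructed for illustration.

```python
import json
import re

# Constructed sample configurations (not the sample's real type-config.json).
# "TableArnPlaceholder" is a placeholder key; use the name from the hook's schema.
SAMPLE_WARN = json.dumps({"CloudFormationConfiguration": {"HookConfiguration": {
    "TargetStacks": "ALL", "FailureMode": "WARN",
    "Properties": {"TableArnPlaceholder":
                   "arn:aws:dynamodb:us-east-1:111122223333:table/example-registration"}}}})
SAMPLE_FAIL = SAMPLE_WARN.replace('"WARN"', '"FAIL"')

TABLE_ARN = re.compile(r"^arn:aws[\w-]*:dynamodb:[a-z0-9-]+:\d{12}:table/[\w.-]+$")


def review_type_config(text, allow_fail=False):
    """Return a list of findings for a hook type configuration; empty means OK."""
    try:
        hook = json.loads(text)["CloudFormationConfiguration"]["HookConfiguration"]
        mode, targets = hook.get("FailureMode"), hook.get("TargetStacks")
        props = hook.get("Properties")
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["missing CloudFormationConfiguration.HookConfiguration"]
    findings = []
    if mode not in ("WARN", "FAIL"):
        findings.append(f"FailureMode is {mode!r}; expected WARN or FAIL")
    elif mode == "FAIL" and targets == "ALL" and not allow_fail:
        # This is the case the WARNING section describes.
        findings.append("FailureMode FAIL with TargetStacks ALL blocks every "
                        "non-compliant deployment in this account")
    values = props.values() if isinstance(props, dict) else []
    if not any(isinstance(v, str) and TABLE_ARN.match(v) for v in values):
        findings.append("no DynamoDB table ARN found in Properties")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WARN", SAMPLE_WARN), ("FAIL", SAMPLE_FAIL)):
        print(name, review_type_config(cfg) or "ok")
```

Pass `allow_fail=True` only for an account where blocking non-compliant stacks is the intended behaviour.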