Overview
A CLI tool to perform syntactic and semantic validation of YAML files.
$ nac-validate --help
Usage: nac-validate [OPTIONS] PATHS...
A CLI tool to perform syntactic and semantic validation of YAML files.
Arguments:
  * paths PATHS...  List of paths pointing to YAML files or directories. [default: None] [required]

Options:
  --verbosity -v [DEBUG|INFO|WARNING|ERROR|CRITICAL]  Verbosity level. [env var: NAC_VALIDATE_VERBOSITY] [default: WARNING]
  --schema -s FILE  Path to schema file. [env var: NAC_VALIDATE_SCHEMA] [default: .schema.yaml]
  --rules -r DIRECTORY  Path to directory with semantic validation rules. [env var: NAC_VALIDATE_RULES] [default: .rules]
  --output -o FILE  Write merged content from YAML files to a new YAML file. [env var: NAC_VALIDATE_OUTPUT] [default: None]
  --non-strict  Accept unexpected elements in YAML files. [env var: NAC_VALIDATE_NON_STRICT]
  --version  Display version number.
  --help  Show this message and exit.

Syntactic validation is done by basic YAML syntax validation (e.g., indentation) and by providing a Yamale schema and validating all YAML files against that schema. Semantic validation is done by providing a set of rules (implemented in Python) which are then validated against the YAML data. Every rule is implemented as a Python class and should be placed in a .py file located in the --rules path.
Each .py file must have a single class named Rule. This class must have the following attributes: id, description and severity. It must implement a classmethod named match that takes a single argument data, which is the data read from all YAML files. It can optionally take a second argument schema, which is then passed the Yamale schema. It should return a list of strings, one for each rule violation, each with a descriptive message. A sample rule can be found below.
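As an added example (not from the nac-validate docs), this rule goes a step beyond the page's own sample that follows: it follows the same Rule contract (id, description, severity, a classmethod match with an optional schema argument) but checks both a naming pattern and uniqueness, and reports a child with a missing name instead of stopping at the first KeyError. SAMPLE_DATA, NAME_PATTERN and run_rule are constructed for this example; run_rule is a hypothetical stand-in for how the tool invokes a rule.

```python
import re
from collections import Counter

# Constructed sample data standing in for the data read from all YAML files.
SAMPLE_DATA = {
    "root": {
        "children": [
            {"name": "web-01"},
            {"name": "web-01"},  # duplicate name
            {"name": "Db Server"},  # violates the naming pattern
            {"description": "no name"},  # missing key: reported, not fatal
        ]
    }
}

NAME_PATTERN = re.compile(r"^[a-z0-9-]{1,32}$")


class Rule:
    id = "102"
    description = "Verify child names are unique and match the naming pattern"
    severity = "HIGH"

    @classmethod
    def match(cls, data, schema=None):
        # Walk defensively so one malformed child does not hide the others.
        results = []
        children = data.get("root", {}).get("children") or []
        names = Counter()
        for index, child in enumerate(children):
            path = f"root.children[{index}].name"
            name = child.get("name") if isinstance(child, dict) else None
            if name is None:
                results.append(f"{path} - missing name")
                continue
            if not NAME_PATTERN.match(str(name)):
                results.append(f"{path} - '{name}' does not match {NAME_PATTERN.pattern}")
            names[str(name)] += 1
        for name, count in names.items():
            if count > 1:
                results.append(f"root.children.name - '{name}' appears {count} times")
        return results


def run_rule(rule, data, schema=None):
    """Hypothetical harness: apply one rule and tag each violation with its id and severity."""
    return [f"[{rule.severity}] {rule.id}: {msg}" for msg in rule.match(data, schema)]
```

Calling run_rule(Rule, SAMPLE_DATA) yields three violations: the non-conforming name, the missing name, and the duplicate.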
class Rule:
    id = "101"
    description = "Verify child naming restrictions"
    severity = "HIGH"

    @classmethod
    def match(cls, data):
        # One message per violation; an empty list means the rule passed.
        results = []
        try:
            for child in data["root"]["children"]:
                if child["name"] == "FORBIDDEN":
                    results.append("root.children.name" + " - " + str(child["name"]))
        except KeyError:
            # Missing keys are treated as "nothing to check" rather than an error.
            pass
        return results

Installation
Python 3.10+ is required to install nac-validate. Don’t have Python 3.10 or later? See Python 3 Installation & Setup Guide.
nac-validate can be installed in a virtual environment using pip:
pip install nac-validate

Pre-Commit Hook
The tool can be integrated via a pre-commit hook with the following config (.pre-commit-config.yaml), assuming the default values (.schema.yaml, .rules/) are appropriate:
repos:
  - repo: https://github.com/netascode/nac-validate
    rev: v0.3.0
    hooks:
      - id: nac-validate

In case the schema or validation rules are located somewhere else, the required CLI arguments can be added like this:
repos:
  - repo: https://github.com/netascode/nac-validate
    rev: v0.3.0
    hooks:
      - id: nac-validate
        args:
          - '-s'
          - 'my_schema.yaml'
          - '-r'
          - 'rules/'

Ansible Vault Support
Values can be encrypted using Ansible Vault. This requires Ansible (the ansible-vault command) to be installed and the following two environment variables to be defined:
export ANSIBLE_VAULT_ID=dev
export ANSIBLE_VAULT_PASSWORD=Password123

ANSIBLE_VAULT_ID is optional, and if not defined will be omitted.
Additional Tags
Reading Environment Variables

The !env YAML tag can be used to read values from environment variables.

root:
  name: !env VAR_NAME