Allow for configuration for rule I3042
kddejong committed Feb 17, 2021
1 parent fd28b41 commit 27ef569
Showing 7 changed files with 83 additions and 24 deletions.
37 changes: 35 additions & 2 deletions src/cfnlint/rules/resources/HardCodedArnProperties.py
Expand Up @@ -17,6 +17,25 @@ class HardCodedArnProperties(CloudFormationLintRule):
tags = ['resources']
regex = re.compile(r'arn:(\$\{[^:]*::[^:]*}|[^:]*):[^:]+:(\$\{[^:]*::[^:]*}|[^:]*):(\$\{[^:]*::[^:]*}|[^:]*)')

def __init__(self):
"""Init"""
super(HardCodedArnProperties, self).__init__()
self.config_definition = {
'partition': {
'default': True,
'type': 'boolean',
},
'region': {
'default': False,
'type': 'boolean',
},
'accountId': {
'default': False,
'type': 'boolean',
},
}
self.configure()

def _match_values(self, cfnelem, path):
"""Recursively search for values matching the searchRegex"""
values = []
Expand Down Expand Up @@ -61,8 +80,22 @@ def match(self, cfn):

# !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
# is valid even with aws as the account #. This handles empty string
if not re.match(r'^\$\{\w+}|\$\{AWS::Partition}|$', candidate[0]) or not re.match(r'^(\$\{\w+}|\$\{AWS::Region}|)$', candidate[1]) or not re.match(r'^\$\{\w+}|\$\{AWS::AccountId}|aws|$', candidate[2]):
message = 'ARN in Resource {0} contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters'
if self.config['partition'] and not re.match(r'^\$\{\w+}|\$\{AWS::Partition}|$', candidate[0]):
# or not re.match(r'^(\$\{\w+}|\$\{AWS::Region}|)$', candidate[1]) or not re.match(r'^\$\{\w+}|\$\{AWS::AccountId}|aws|$', candidate[2]):
message = 'ARN in Resource {0} contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters'
matches.append(RuleMatch(
path,
message.format(path[1])
))
if self.config['region'] and not re.match(r'^(\$\{\w+}|\$\{AWS::Region}|)$', candidate[1]):
# or or not re.match(r'^\$\{\w+}|\$\{AWS::AccountId}|aws|$', candidate[2]):
message = 'ARN in Resource {0} contains hardcoded Region in ARN or incorrectly placed Pseudo Parameters'
matches.append(RuleMatch(
path,
message.format(path[1])
))
if self.config['accountId'] and not re.match(r'^\$\{\w+}|\$\{AWS::AccountId}|aws|$', candidate[2]):
message = 'ARN in Resource {0} contains hardcoded AccountId in ARN or incorrectly placed Pseudo Parameters'
matches.append(RuleMatch(
path,
message.format(path[1])
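Review bot: The partition and accountId conditions in the second hunk are prefix checks only: in `re.match(r'^\$\{\w+}|\$\{AWS::Partition}|$', candidate[0])` the ungrouped alternation is three separate alternatives, so any value that merely starts with `${AWS::Partition}` or `${Name}` passes (and for accountId anything starting with `aws`), whereas the region check on the line between them is grouped and end-anchored with `^(...|)$`. The patterns are inherited from the removed line, but now that each is its own check this is the moment to align them: `if self.config['partition'] and not re.match(r'^(\$\{\w+}|\$\{AWS::Partition}|)$', candidate[0]):` and `if self.config['accountId'] and not re.match(r'^(\$\{\w+}|\$\{AWS::AccountId}|aws|)$', candidate[2]):`. The commented-out remainders of the old condition (`# or not re.match(...)` under the partition check and `# or or not re.match(...)` under the region check) are dead code and should be deleted. The three near-identical blocks could also be driven from a small table of (config key, candidate index, pattern, label), which is optional style. `match` starts and ends outside the hunk; `__init__` in the first hunk is complete.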
2 changes: 1 addition & 1 deletion test/fixtures/results/public/lambda-poller.json
Expand Up @@ -43,7 +43,7 @@
"LineNumber":39
}
},
"Message":"ARN in Resource LambdaExecutionRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message":"ARN in Resource LambdaExecutionRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule":{
"Description":"Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id":"I3042",
14 changes: 7 additions & 7 deletions test/fixtures/results/quickstart/cis_benchmark.json
Expand Up @@ -19,7 +19,7 @@
"LineNumber": 89
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -47,7 +47,7 @@
"LineNumber": 90
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -75,7 +75,7 @@
"LineNumber": 91
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -103,7 +103,7 @@
"LineNumber": 92
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -131,7 +131,7 @@
"LineNumber": 93
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -1529,7 +1529,7 @@
"LineNumber": 1842
}
},
"Message": "ARN in Resource RoleForCloudWatchEvents contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource RoleForCloudWatchEvents contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -1667,7 +1667,7 @@
"LineNumber": 2232
}
},
"Message": "ARN in Resource RoleForDisableUnusedCredentialsFunction contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource RoleForDisableUnusedCredentialsFunction contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
14 changes: 7 additions & 7 deletions test/fixtures/results/quickstart/non_strict/cis_benchmark.json
Expand Up @@ -19,7 +19,7 @@
"LineNumber": 89
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -47,7 +47,7 @@
"LineNumber": 90
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -75,7 +75,7 @@
"LineNumber": 91
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -103,7 +103,7 @@
"LineNumber": 92
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -131,7 +131,7 @@
"LineNumber": 93
}
},
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -1384,7 +1384,7 @@
"LineNumber": 1842
}
},
"Message": "ARN in Resource RoleForCloudWatchEvents contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource RoleForCloudWatchEvents contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -1493,7 +1493,7 @@
"LineNumber": 2232
}
},
"Message": "ARN in Resource RoleForDisableUnusedCredentialsFunction contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource RoleForDisableUnusedCredentialsFunction contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
4 changes: 2 additions & 2 deletions test/fixtures/results/quickstart/non_strict/openshift.json
Expand Up @@ -360,7 +360,7 @@
"LineNumber": 833
}
},
"Message": "ARN in Resource LambdaExecutionRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource LambdaExecutionRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -602,7 +602,7 @@
"LineNumber": 1674
}
},
"Message": "ARN in Resource SetupRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource SetupRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
4 changes: 2 additions & 2 deletions test/fixtures/results/quickstart/openshift.json
Expand Up @@ -445,7 +445,7 @@
"LineNumber": 833
}
},
"Message": "ARN in Resource LambdaExecutionRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource LambdaExecutionRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
Expand Down Expand Up @@ -1207,7 +1207,7 @@
"LineNumber": 1674
}
},
"Message": "ARN in Resource SetupRole contains hardcoded Partition, Region, and/or Account Number in ARN or incorrectly placed Pseudo Parameters",
"Message": "ARN in Resource SetupRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
"Rule": {
"Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number",
"Id": "I3042",
32 changes: 29 additions & 3 deletions test/unit/rules/resources/test_hardcodedarnproperties.py
Expand Up @@ -18,6 +18,32 @@ def test_file_positive(self):
"""Test Positive"""
self.helper_file_positive() # By default, a set of "correct" templates are checked

def test_file_negative(self):
"""Test failure"""
self.helper_file_negative('test/fixtures/templates/bad/hard_coded_arn_properties.yaml', 5) # Amount of expected matches
def test_file_negative_partition(self):
self.helper_file_rule_config(
'test/fixtures/templates/bad/hard_coded_arn_properties.yaml',
{
'partition': True,
'region': False,
'accountId': False,
}, 2
)

def test_file_negative_region(self):
self.helper_file_rule_config(
'test/fixtures/templates/bad/hard_coded_arn_properties.yaml',
{
'partition': False,
'region': True,
'accountId': False,
}, 4
)

def test_file_negative_accountid(self):
self.helper_file_rule_config(
'test/fixtures/templates/bad/hard_coded_arn_properties.yaml',
{
'partition': False,
'region': False,
'accountId': True,
}, 1
)
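Review bot: The removed `test_file_negative` was the only test that ran the rule with its default configuration, and none of the three new tests (each enabling exactly one flag) covers the defaults or the all-enabled combination, so a regression in the `default` values set in `__init__` would not be caught here. Restoring it as `self.helper_file_negative('test/fixtures/templates/bad/hard_coded_arn_properties.yaml', 2)` would pin that, assuming `helper_file_negative` applies the rule's defaults (partition only), in which case the expected count should equal the new partition test's 2. The new methods also lack the one-line docstrings the existing `test_file_positive` carries, e.g. `"""Test failure with only the partition check enabled"""`. The enclosing test class starts outside the hunk.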
