diff --git a/src/cfnlint/rules/resources/HardCodedArnProperties.py b/src/cfnlint/rules/resources/HardCodedArnProperties.py index 009af511e0..f4027ab2db 100644 --- a/src/cfnlint/rules/resources/HardCodedArnProperties.py +++ b/src/cfnlint/rules/resources/HardCodedArnProperties.py @@ -53,7 +53,8 @@ def _match_values(self, cfnelem, path): # Leaf node if isinstance(cfnelem, six.string_types): # and re.match(searchRegex, cfnelem): for variable in re.findall(self.regex, cfnelem): - values.append(path + [variable]) + if 'Fn::Sub' in path: + values.append(path + [variable]) return values diff --git a/test/fixtures/results/public/lambda-poller.json b/test/fixtures/results/public/lambda-poller.json index 110e475288..a2ad909770 100644 --- a/test/fixtures/results/public/lambda-poller.json +++ b/test/fixtures/results/public/lambda-poller.json @@ -25,30 +25,5 @@ "ShortDescription": "Check if EOL Lambda Function Runtimes are used", "Source": "https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html" } - }, - { - "Filename":"test/fixtures/templates/public/lambda-poller.yaml", - "Level":"Informational", - "Location":{ - "End":{ - "ColumnNumber":76, - "LineNumber":39 - }, - "Path":[ - "Resources", - "PollerFunctionIamRole" - ], - "Start":{ - "ColumnNumber":12, - "LineNumber":39 - } - }, - "Message":"ARN in Resource LambdaExecutionRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule":{ - "Description":"Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id":"I3042", - "ShortDescription":"ARNs should use correctly placed Pseudo Parameters", - "Source":"" - } } ] diff --git a/test/fixtures/results/quickstart/cis_benchmark.json b/test/fixtures/results/quickstart/cis_benchmark.json index b13afb6460..ed73f487ea 100644 --- a/test/fixtures/results/quickstart/cis_benchmark.json +++ b/test/fixtures/results/quickstart/cis_benchmark.json 
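Review bot: The added `if 'Fn::Sub' in path:` guard in `_match_values` does not depend on `variable`, yet it sits inside the `for variable in re.findall(...)` loop, and it matches the key anywhere in the path rather than at the string's immediate parent. Moving it onto the leaf check, `if isinstance(cfnelem, six.string_types) and 'Fn::Sub' in path:`, keeps the result the same and skips the regex scan for strings that can never be reported. Because membership is tested over the whole path, strings in the variable-map element of a list-form `Fn::Sub` presumably still match; a one-line comment such as `# only ARNs under an Fn::Sub are checked, including its variable map` would make the intended scope explicit. The rule also no longer reports hardcoded ARNs written as plain strings (see the deleted `ManagedPolicyArns` and policy `Resource` fixture entries), while the I3042 description quoted in those fixtures still reads as covering every ARN, so it should state that only `Fn::Sub` strings are checked. The body of `_match_values` begins outside this hunk.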
@@ -1,144 +1,4 @@ [ - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 60, - "LineNumber": 89 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 0 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 89 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 64, - "LineNumber": 90 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 1 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 90 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 54, - "LineNumber": 91 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 2 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 91 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if 
ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 77, - "LineNumber": 92 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 3 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 92 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 77, - "LineNumber": 93 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 4 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 93 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, { "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", "Level": "Warning", 
@@ -1509,34 +1369,6 @@ "Source": "https://aws.amazon.com/blogs/devops/optimize-aws-cloudformation-templates/" } }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 77, - "LineNumber": 1842 - }, - "Path": [ - "Resources", - "RoleForCloudWatchEvents", - "Properties", - "ManagedPolicyArns", - 0 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 1842 - } - }, - "Message": "ARN in Resource RoleForCloudWatchEvents contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, { "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", "Level": "Warning", @@ -1647,34 +1479,6 @@ "Source": "https://github.com/aws-cloudformation/cfn-python-lint/blob/master/docs/cfn-resource-specification.md#valueprimitivetype" } }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 77, - "LineNumber": 2232 - }, - "Path": [ - "Resources", - "RoleForDisableUnusedCredentialsFunction", - "Properties", - "ManagedPolicyArns", - 0 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 2232 - } - }, - "Message": "ARN in Resource RoleForDisableUnusedCredentialsFunction contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, { "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", "Level": "Warning", 
diff --git a/test/fixtures/results/quickstart/non_strict/cis_benchmark.json b/test/fixtures/results/quickstart/non_strict/cis_benchmark.json index 741d62d05d..28793181c8 100644 --- a/test/fixtures/results/quickstart/non_strict/cis_benchmark.json +++ b/test/fixtures/results/quickstart/non_strict/cis_benchmark.json 
@@ -1,144 +1,4 @@ [ - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 60, - "LineNumber": 89 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 0 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 89 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 64, - "LineNumber": 90 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 1 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 90 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 54, - "LineNumber": 91 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 2 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 91 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if 
ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 77, - "LineNumber": 92 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 3 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 92 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 77, - "LineNumber": 93 - }, - "Path": [ - "Resources", - "MasterConfigRole", - "Properties", - "ManagedPolicyArns", - 4 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 93 - } - }, - "Message": "ARN in Resource MasterConfigRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, { "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", "Level": "Warning", 
@@ -1364,34 +1224,6 @@ "Source": "https://aws.amazon.com/blogs/devops/optimize-aws-cloudformation-templates/" } }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 77, - "LineNumber": 1842 - }, - "Path": [ - "Resources", - "RoleForCloudWatchEvents", - "Properties", - "ManagedPolicyArns", - 0 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 1842 - } - }, - "Message": "ARN in Resource RoleForCloudWatchEvents contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, { "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", "Level": "Warning", @@ -1473,34 +1305,6 @@ "Source": "https://aws.amazon.com/blogs/devops/optimize-aws-cloudformation-templates/" } }, - { - "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 77, - "LineNumber": 2232 - }, - "Path": [ - "Resources", - "RoleForDisableUnusedCredentialsFunction", - "Properties", - "ManagedPolicyArns", - 0 - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 2232 - } - }, - "Message": "ARN in Resource RoleForDisableUnusedCredentialsFunction contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, { "Filename": "test/fixtures/templates/quickstart/cis_benchmark.yaml", "Level": "Warning", 
diff --git a/test/fixtures/results/quickstart/non_strict/openshift.json b/test/fixtures/results/quickstart/non_strict/openshift.json index 7f305273c5..2a942cefc2 100644 --- a/test/fixtures/results/quickstart/non_strict/openshift.json +++ b/test/fixtures/results/quickstart/non_strict/openshift.json @@ -336,38 +336,6 @@ "Source": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html" } }, - { - "Filename": "test/fixtures/templates/quickstart/openshift.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 21, - "LineNumber": 833 - }, - "Path": [ - "Resources", - "LambdaExecutionRole", - "Properties", - "Policies", - 0, - "PolicyDocument", - "Statement", - 0, - "Resource" - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 833 - } - }, - "Message": "ARN in Resource LambdaExecutionRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, { "Filename": "test/fixtures/templates/quickstart/openshift.yaml", "Level": "Informational", diff --git a/test/fixtures/results/quickstart/openshift.json b/test/fixtures/results/quickstart/openshift.json index 0dda7038a2..4de06f2855 100644 --- a/test/fixtures/results/quickstart/openshift.json +++ b/test/fixtures/results/quickstart/openshift.json 
@@ -421,38 +421,6 @@ "Source": "https://github.com/aws-cloudformation/cfn-python-lint/blob/master/docs/cfn-resource-specification.md#valueprimitivetype" } }, - { - "Filename": "test/fixtures/templates/quickstart/openshift.yaml", - "Level": "Informational", - "Location": { - "End": { - "ColumnNumber": 21, - "LineNumber": 833 - }, - "Path": [ - "Resources", - "LambdaExecutionRole", - "Properties", - "Policies", - 0, - "PolicyDocument", - "Statement", - 0, - "Resource" - ], - "Start": { - "ColumnNumber": 13, - "LineNumber": 833 - } - }, - "Message": "ARN in Resource LambdaExecutionRole contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters", - "Rule": { - "Description": "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number", - "Id": "I3042", - "ShortDescription": "ARNs should use correctly placed Pseudo Parameters", - "Source": "" - } - }, { "Filename": "test/fixtures/templates/quickstart/openshift.yaml", "Level": "Error", diff --git a/test/fixtures/templates/bad/hard_coded_arn_properties.yaml b/test/fixtures/templates/bad/hard_coded_arn_properties.yaml index cfd48c7655..091e9bf32c 100644 --- a/test/fixtures/templates/bad/hard_coded_arn_properties.yaml +++ b/test/fixtures/templates/bad/hard_coded_arn_properties.yaml @@ -6,7 +6,7 @@ Resources: AccessControl: Private NotificationConfiguration: TopicConfigurations: - - Topic: arn:aws:sns:us-east-1:123456789012:TestTopic + - Topic: !Sub arn:aws:sns:us-east-1:123456789012:TestTopic Event: s3:ReducedRedundancyLostObject SampleBadBucketPolicy: diff --git a/test/integration/test_quickstart_templates_non_strict.py b/test/integration/test_quickstart_templates_non_strict.py index 9e98ed13ea..7372fb0b14 100644 --- a/test/integration/test_quickstart_templates_non_strict.py +++ b/test/integration/test_quickstart_templates_non_strict.py 
@@ -28,7 +28,7 @@ class TestQuickStartTemplates(BaseCliTestCase): { 'filename': 'test/fixtures/templates/quickstart/cis_benchmark.yaml', 'results_filename': 'test/fixtures/results/quickstart/non_strict/cis_benchmark.json', - 'exit_code': 12, + 'exit_code': 4, } ]