re-enable resource lookup policies #37
Conversation
Thanks for doing this! Can we add context about unit tests?
# Verify that the bucket exists in the same account | ||
resource['Bucket']['Location'] is None) | ||
bucket_arn = 'arn:aws:s3:::' + resource['S3BucketName'] | ||
bucket = resource_lookup(bucket_arn) |
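Review bot: the ARN built on the third line is pinned to the `aws` partition (`bucket_arn = 'arn:aws:s3:::' + resource['S3BucketName']`), so a trail whose bucket lives in a GovCloud or China partition would never resolve; consider deriving the partition from the CloudTrail resource's own ARN rather than hard-coding it. The comment on the first line promises a same-account check, but the visible lines only fetch `bucket`, and per the thread `resource_lookup` raises rather than returning `None` when nothing matches, so the policy's docstring should state that a trail pointing at a deleted bucket surfaces as a policy error instead of a pass/fail result.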
How does resource_lookup behave if there's nothing found?
It raises an exception. I thought about catching the exception, but then users wouldn't know if their bucket was messed up. For example, we have a cloudtrail raising an exception here because it's logging to a bucket that no longer exists! Not sure if that info should just be tossed away. Although I suppose that could be a different policy...
I updated the README and the policy specification files with warnings. Unfortunately, we currently do not support mocking function calls so unit testing is not possible with functions that need that type of thing.
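The trade-off discussed above (let a missing bucket raise so the analyst notices the orphaned trail, or swallow the lookup failure and report a policy failure) as an added example. This is not code from panther_analysis_tool or from this PR: the `ResourceNotFound` exception, the in-memory `INVENTORY`, the two policy functions and the sample CloudTrail resources are all constructed for illustration, and `resource_lookup` here is a stand-in that only mirrors the behaviour the thread describes (returns the resource or raises).

```python
"""Added example, not code from the panther_analysis_tool repository or this PR.

Models the design choice in the thread: a resource-lookup helper that raises
when the ARN does not exist, and two policy variants that either let that
exception surface or convert it into an explicit policy failure.
"""


class ResourceNotFound(Exception):
    """Raised by resource_lookup when no resource matches the ARN (hypothetical)."""


# Constructed stand-in for the backend resource inventory, keyed by ARN.
INVENTORY = {
    "arn:aws:s3:::logs-bucket": {
        "ResourceType": "AWS.S3.Bucket",
        "AccountId": "123456789012",  # constructed sample account id
        "Location": "us-east-1",
    },
}


def resource_lookup(arn):
    """Hypothetical lookup mirroring the behaviour described in the thread:
    returns the resource dict, or raises ResourceNotFound when nothing matches."""
    try:
        return INVENTORY[arn]
    except KeyError:
        raise ResourceNotFound(arn) from None


def bucket_in_same_account_strict(resource):
    """Policy variant that lets a missing bucket raise, so the analyst sees
    that the trail is logging to a bucket that no longer exists."""
    bucket_arn = "arn:aws:s3:::" + resource["S3BucketName"]
    bucket = resource_lookup(bucket_arn)  # ResourceNotFound propagates
    return bucket["AccountId"] == resource["AccountId"]


def bucket_in_same_account_lenient(resource):
    """Policy variant that turns 'bucket not found' into a policy failure
    (False) instead of an exception; any other error still propagates."""
    bucket_arn = "arn:aws:s3:::" + resource["S3BucketName"]
    try:
        bucket = resource_lookup(bucket_arn)
    except ResourceNotFound:
        return False
    return bucket["AccountId"] == resource["AccountId"]


# Constructed CloudTrail resources: one with a live bucket, one whose bucket is gone.
TRAIL_OK = {"AccountId": "123456789012", "S3BucketName": "logs-bucket"}
TRAIL_ORPHANED = {"AccountId": "123456789012", "S3BucketName": "deleted-bucket"}


def evaluate(policy, resource):
    """Run a policy and report either its verdict or the lookup error it raised,
    which is what a harness without mocking support would observe."""
    try:
        return ("pass" if policy(resource) else "fail", None)
    except ResourceNotFound as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for name, pol in (("strict", bucket_in_same_account_strict),
                      ("lenient", bucket_in_same_account_lenient)):
        for label, trail in (("ok", TRAIL_OK), ("orphaned", TRAIL_ORPHANED)):
            print(name, label, evaluate(pol, trail))
```

The strict variant surfaces the orphaned trail as an error carrying the missing ARN, which is the information the thread is reluctant to discard; the lenient variant keeps the policy result binary but loses that distinction, which is why the thread suggests a separate policy for "trail logs to a nonexistent bucket" if that signal is wanted without exceptions.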
* Added imports for And, Regex from schemas -- Added Regex match for DisplayName, GlobalID, PolicyID, and RuleID
* Added '(' and ')' to the allowable characters
* Hotfix: Rule Schema DisplayName improper definition
* Update panther_analysis_tool/schemas.py
  Removed character escaping for readability
  Co-authored-by: Austin Byers <austin.byers@runpanther.io>
* Added unit tests
* Removed unnecessary &
Co-authored-by: Austin Byers <austin.byers@runpanther.io>
Background
For a period of time we had resource lookup based policies disabled because the Panther backend and packing tools did not fully support them. Now that they are fully supported again, they have been re-enabled.
Changes
Testing
make ci