aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

ERROR: E3030 You must specify a valid value for ComplianceResourceTypes (AWS::KMS::Key) #1152

Closed MBali-GitHub closed 4 years ago

MBali-GitHub commented 5 years ago

cfn-lint version: latest

AWS::KMS::Key is a valid value for ComplianceResourceTypes in a ConfigRule, and the stack updates successfully with this value set. However, cfn-lint fails for this with the error given below.

    Type: AWS::Config::ConfigRule
    Properties:
      Scope:
        ComplianceResourceTypes:
        - AWS::KMS::Key

ERROR: E3030 **You must specify a valid value for ComplianceResourceTypes (AWS::KMS::Key)**. Valid values are [u'AWS::ACM::Certificate', u'AWS::AutoScaling::AutoScalingGroup', u'AWS::AutoScaling::LaunchConfiguration', u'AWS::AutoScaling::ScalingPolicy', u'AWS::AutoScaling::ScheduledAction', u'AWS::CloudFormation::Stack', u'AWS::CloudFront::Distribution', u'AWS::CloudFront::StreamingDistribution', u'AWS::CloudTrail::Trail', u'AWS::CloudWatch::Alarm', u'AWS::CodeBuild::Project', u'AWS::CodePipeline::Pipeline', u'AWS::DynamoDB::Table', u'AWS::EC2::CustomerGateway', u'AWS::EC2::EIP', u'AWS::EC2::Host', u'AWS::EC2::Instance', u'AWS::EC2::InternetGateway', u'AWS::EC2::NetworkAcl', u'AWS::EC2::NetworkInterface', u'AWS::EC2::RouteTable', u'AWS::EC2::SecurityGroup', u'AWS::EC2::Subnet', u'AWS::EC2::Volume', u'AWS::EC2::VPC', u'AWS::EC2::VPNConnection', u'AWS::EC2::VPNGateway', u'AWS::ElasticBeanstalk::Application', u'AWS::ElasticBeanstalk::ApplicationVersion', u'AWS::ElasticBeanstalk::Environment', u'AWS::ElasticLoadBalancing::LoadBalancer', u'AWS::ElasticLoadBalancingV2::LoadBalancer', u'AWS::IAM::Group', u'AWS::IAM::Policy', u'AWS::IAM::Role', u'AWS::IAM::User', u'AWS::Lambda::Function', u'AWS::RDS::DBInstance', u'AWS::RDS::DBSecurityGroup', u'AWS::RDS::DBSnapshot', u'AWS::RDS::DBSubnetGroup', u'AWS::RDS::EventSubscription', u'AWS::Redshift::Cluster', u'AWS::Redshift::ClusterParameterGroup', u'AWS::Redshift::ClusterSecurityGroup', u'AWS::Redshift::ClusterSnapshot', u'AWS::Redshift::ClusterSubnetGroup', u'AWS::Redshift::EventSubscription', u'AWS::S3::Bucket', u'AWS::ServiceCatalog::CloudFormationProduct', u'AWS::ServiceCatalog::CloudFormationProvisionedProduct', u'AWS::ServiceCatalog::Portfolio', u'AWS::Shield::Protection', u'AWS::ShieldRegional::Protection', u'AWS::SSM::AssociationCompliance', u'AWS::SSM::ManagedInstanceInventory', u'AWS::SSM::PatchCompliance', u'AWS::WAF::RateBasedRule', u'AWS::WAF::Rule', u'AWS::WAF::RuleGroup', u'AWS::WAF::WebACL', 
u'AWS::WAFRegional::RateBasedRule', u'AWS::WAFRegional::Rule', u'AWS::WAFRegional::RuleGroup', u'AWS::WAFRegional::WebACL', u'AWS::XRay::EncryptionConfig']

Checking this project, the validation seems to be defined at https://raw.githubusercontent.com/aws-cloudformation/cfn-python-lint/master/src/cfnlint/data/CloudSpecs/eu-west-1.json. It is using the ConfigurationRecorder Resource Types list to validate here, but the valid values for that may vary.

    "ComplianceResourceTypes": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configrule-scope.html#cfn-config-configrule-scope-complianceresourcetypes",
      "DuplicatesAllowed": false,
      "PrimitiveItemType": "String",
      "Required": false,
      "Type": "List",
      "UpdateType": "Mutable",
      "Value": {
        "ValueType": "**AWS::Config::ConfigurationRecorder.ResourceTypes**"
      }
    }

kddejong commented 5 years ago

I was trying to verify that AWS::KMS::Key is part of AWS Config but I can't find any documentation on it. Do you have a link to the documentation for this?

MBali-GitHub commented 5 years ago

Here it is - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configrule-scope.html#cfn-config-configrule-scope-complianceresourcetypes

I understand that it lets you use any of the AWS resource types.

kddejong commented 5 years ago

I think it has to be a supported resource type. https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html

However I could have this wrong. I'll have to test it and see. Even if your rule gets created does it trigger?

MBali-GitHub commented 5 years ago

Yes, it is being created and getting triggered too.

kddejong commented 5 years ago

I'm trying to replicate the KMS key rule here but still haven't gotten it to work. It deploys fine but there are no resources found.

Worth noting this will also work. Technically the template will succeed with whatever string for a scope. The question will be whether it is what the author intended.

    Type: AWS::Config::ConfigRule
    Properties:
      Scope:
        ComplianceResourceTypes:
          - "AWS::This::WillAlsoWork"
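
A check of the kind this thread is discussing, as an added example that is not cfn-lint's own code: it walks a template's AWS::Config::ConfigRule resources and reports any ComplianceResourceTypes entry outside a known-supported list, because a rule scoped to a type AWS Config does not record deploys cleanly but never evaluates anything, which is a silent monitoring gap. The SUPPORTED set is a constructed subset of the types from the error message above plus AWS::KMS::Key, and the template is built inline from the two snippets in the thread.

```python
"""Scope check for AWS::Config::ConfigRule resources in a CloudFormation template.

Added example, not cfn-lint's own code. Flags ComplianceResourceTypes values that
are not in a known-supported list: such rules deploy without error but evaluate
nothing. SUPPORTED is a constructed subset (assumption) of the types listed in
the E3030 message in this issue, plus AWS::KMS::Key.
"""
from typing import Dict, List

# Constructed subset of supported AWS Config resource types (assumption).
SUPPORTED = {
    "AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::IAM::Role",
    "AWS::IAM::Policy", "AWS::S3::Bucket", "AWS::KMS::Key",
}


def check_config_rule_scopes(template: Dict, supported=SUPPORTED) -> List[str]:
    """Return one finding per unsupported ComplianceResourceTypes entry.

    Findings are worded like cfn-lint's E3030 message for readability; an empty
    or missing ComplianceResourceTypes means "all recorded resources" and is fine.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Config::ConfigRule":
            continue
        scope = res.get("Properties", {}).get("Scope", {}) or {}
        types = scope.get("ComplianceResourceTypes", []) or []
        if isinstance(types, str):
            types = [types]
        for t in types:
            # Intrinsic functions (!Ref, !Sub) are dicts here; skip them, they
            # cannot be resolved statically.
            if not isinstance(t, str):
                continue
            if t not in supported:
                findings.append(
                    f"E3030 {name}: ComplianceResourceTypes value {t!r} is not a "
                    "supported AWS Config resource type; the rule will evaluate nothing"
                )
    return findings


# Constructed template combining the two snippets from the issue.
TEMPLATE = {
    "Resources": {
        "KmsRule": {"Type": "AWS::Config::ConfigRule",
                    "Properties": {"Scope": {"ComplianceResourceTypes": ["AWS::KMS::Key"]}}},
        "TypoRule": {"Type": "AWS::Config::ConfigRule",
                     "Properties": {"Scope": {"ComplianceResourceTypes": ["AWS::This::WillAlsoWork"]}}},
    }
}

if __name__ == "__main__":
    for finding in check_config_rule_scopes(TEMPLATE):
        print(finding)
```

Running it prints one finding for TypoRule and none for KmsRule; widening SUPPORTED is how the thread's eventual fix (adding the KMS key type to the spec) would be reflected here.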

MBali-GitHub commented 5 years ago

Thanks for this. I believe this leaves a scope for getting incorrect values in too. But given that there doesn't seem to be any documentation around a list which gives valid values for this, I find your solution better than the current restrictions. We would at least be able to create the resources that are needed.

kddejong commented 4 years ago

Sorry for the delay on response to this. I was waiting for this announcement.
https://aws.amazon.com/about-aws/whats-new/2019/11/aws-config-adds-support-for-aws-key-management-service-and-amazon-elasticsearch/

1197

kddejong commented 4 years ago

@MBali-GitHub the newest version of cfn-lint should include the KMS Key.