aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

Incorrect E3006 Resource type 'AWS::SecretsManager::ResourcePolicy' does not exist in 'us-east-1' #3395

Closed sheridansmall closed 3 months ago

sheridansmall commented 3 months ago

CloudFormation Lint Version

cfn-lint 1.3.4

What operating system are you using?

Windows, Ubuntu

Describe the bug

When using AWS::SecretsManager::ResourcePolicy, cfn-lint incorrectly reports "E3006 Resource type 'AWS::SecretsManager::ResourcePolicy' does not exist in 'us-east-1'".

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html makes no mention of any AWS region.

AWS::SecretsManager::ResourcePolicy can exist in other regions.

Expected behavior

I would not expect an error message when using AWS::SecretsManager::ResourcePolicy outside us-east-1 as AWS::SecretsManager::ResourcePolicy can exist in other regions.

Reproduction template

```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: CodePipeline sample

Resources:
  MySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: This is a secret that I want to attach a resource-based policy to
  MySecretResourcePolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      BlockPublicPolicy: True
      SecretId:
        Ref: MySecret
      ResourcePolicy:
        Version: '2012-10-17'
        Statement:
          - Resource: "*"
            Action: secretsmanager:DeleteSecret
            Effect: Deny
            Principal:
              AWS:
                Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
```

Zippy1999 commented 3 months ago

I have noticed this too - it looks like the specs AWS supply were updated over the last weekend and now include AWS::SecretsManager::ResourcePolicy - they were missing this when I downloaded the specs on Friday 21st June.

I think one or both of these automated PRs will fix the issue:

https://github.com/aws-cloudformation/cfn-lint/pull/3313 https://github.com/aws-cloudformation/cfn-lint/pull/3391

kddejong commented 3 months ago

Correct. The short-term fix is to run cfn-lint --update-specs, but we should have a release today with the newest version of the schemas.

Zippy1999 commented 3 months ago

That is great to know @kddejong - thanks for your hard work on this 👍

kddejong commented 3 months ago

File is back in main https://github.com/aws-cloudformation/cfn-lint/blob/main/src/cfnlint/data/schemas/providers/us_east_1/aws-secretsmanager-resourcepolicy.json

Release PR is coming.
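To make the mechanism behind this false positive concrete: cfn-lint decides whether a resource type "exists" in a region by looking for a per-region schema file (the thread points at providers/us_east_1/aws-secretsmanager-resourcepolicy.json), so a type whose schema file is absent from the shipped data trips E3006 everywhere until the schemas are refreshed. The following is an added toy model of that lookup, written for this page and not cfn-lint's own code. It assumes a directory layout and a type-name-to-filename mapping inferred from the single path quoted above (lower-cased parts joined with "-", region with "-" replaced by "_"); the real implementation may differ. The template is a constructed JSON equivalent of the YAML reproduction template so the example needs only the standard library.

```python
"""Toy model of the E3006 lookup behind the false positive in this issue.

Added example, not cfn-lint's own code. Layout and filename conventions are
inferred from the one schema path quoted in the thread and are assumptions.
"""
import json
import os
import tempfile

# Constructed JSON equivalent of the YAML reproduction template in the issue.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MySecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {"Description": "secret with a resource-based policy"},
        },
        "MySecretResourcePolicy": {
            "Type": "AWS::SecretsManager::ResourcePolicy",
            "Properties": {
                "BlockPublicPolicy": True,
                "SecretId": {"Ref": "MySecret"},
                "ResourcePolicy": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Deny",
                        "Action": "secretsmanager:DeleteSecret",
                        "Resource": "*",
                        "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                    }],
                },
            },
        },
    },
}


def schema_filename(resource_type: str) -> str:
    """AWS::SecretsManager::ResourcePolicy -> aws-secretsmanager-resourcepolicy.json
    (assumed mapping, inferred from the path quoted in the thread)."""
    return "-".join(part.lower() for part in resource_type.split("::")) + ".json"


def region_dir(schema_root: str, region: str) -> str:
    """us-east-1 -> <root>/providers/us_east_1 (assumed layout)."""
    return os.path.join(schema_root, "providers", region.replace("-", "_"))


def install_schema(schema_root: str, region: str, resource_type: str, schema: dict) -> str:
    """Stand-in for what --update-specs or a new release does: put the schema file in place."""
    path = os.path.join(region_dir(schema_root, region), schema_filename(resource_type))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(schema, fh)
    return path


def check_e3006(template: dict, schema_root: str, regions) -> list:
    """Report an E3006-style error for every resource whose type has no schema file in a region."""
    errors = []
    for region in regions:
        for logical_id, resource in template.get("Resources", {}).items():
            rtype = resource.get("Type", "")
            path = os.path.join(region_dir(schema_root, region), schema_filename(rtype))
            if not os.path.isfile(path):
                errors.append(
                    f"E3006 Resource type '{rtype}' does not exist in '{region}' ({logical_id})"
                )
    return errors


def demo():
    """Reproduce the false positive with a schema set missing ResourcePolicy, then refresh and re-lint."""
    secret_schema = {"typeName": "AWS::SecretsManager::Secret"}
    policy_schema = {"typeName": "AWS::SecretsManager::ResourcePolicy"}
    with tempfile.TemporaryDirectory() as root:
        # Shipped data before the fix: only the Secret schema is present.
        install_schema(root, "us-east-1", "AWS::SecretsManager::Secret", secret_schema)
        before = check_e3006(TEMPLATE, root, ["us-east-1"])
        # Equivalent of running --update-specs: the missing ResourcePolicy schema arrives.
        install_schema(root, "us-east-1", "AWS::SecretsManager::ResourcePolicy", policy_schema)
        after = check_e3006(TEMPLATE, root, ["us-east-1"])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("\n".join(before) or "(no errors)")
    print("after update:", after or "(no errors)")
```

The first lint pass flags only MySecretResourcePolicy, matching the message in the report; after the schema file is written the same template is clean, which is why both --update-specs and the 1.3.5 release resolve the issue without any change to the template itself.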

sheridansmall commented 3 months ago

Many thanks, it's all working in 1.3.5.

Zippy1999 commented 3 months ago

Tested with 1.3.6 - all working fine without having to run --update-specs.