aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

W1011 - Use dynamic references over parameters for secrets #3418

Closed isuftin closed 5 days ago

isuftin commented 6 days ago

cfn-lint Version - 1.3.4


```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: My App
Transform: AWS::LanguageExtensions
Resources:
  RDSMasterUserPassword:
    DeletionPolicy: !If
      - IsProduction
      - Retain
      - Delete
    UpdateReplacePolicy: !If
      - IsProduction
      - Retain
      - Delete
    Type: AWS::SecretsManager::Secret
    Condition: IsDefaultRegion
    Properties:
      Description: The master user password
      Name: !Sub /${AWS::AccountId}/${Environment}/rds/master_user_password
      KmsKeyId: !Ref MultiRegionKMSKeyAlias
      ReplicaRegions:
        - Region: us-east-1
          KmsKeyId: !Ref MultiRegionKMSKeyAlias
      GenerateSecretString:
        PasswordLength: 24
        ExcludePunctuation: true
        ExcludeCharacters: '"@/\'
  RDS:
    Type: AWS::RDS::DBInstance
    Condition: IsDefaultRegionOrIsDisasterRecovery
    Properties:
      CutOutABunchOf: Properties
      MasterUserPassword: !If
        - IsDefaultRegion
        - !Sub '{{resolve:secretsmanager:${RDSMasterUserPassword}}}'
        - !Sub '{{resolve:secretsmanager:/${AWS::AccountId}/${Environment}/rds/master_user_password}}'
```

This has cfn-lint returning: W1011 - Use dynamic references over parameters for secrets

This seems to be a newer error showing up, but I'm wondering what the best way to deal with this is, or why it's triggering on the MasterUserPassword param here.

kddejong commented 6 days ago

We resolved this in a new version. Going forward we are just looking for Ref and not a Ref inside another function.

kddejong commented 6 days ago

Why we fixed the issue: we are trying to push towards the recommendation of using Secrets Manager. You are, which is why we resolved that issue.

Technically we will now allow !Sub "${MyDbPassword}" but we can try to address that going forward.

```yaml
Parameters:
  MyDbPassword:
    Type: String
Conditions:
  IsDefaultRegion: !Equals [!Ref AWS::Region, us-east-1]
Resources:
  RDS:
    Type: AWS::RDS::DBInstance
    Condition: IsDefaultRegionOrIsDisasterRecovery
    Properties:
      CutOutABunchOf: Properties
      MasterUserPassword: !If
        - IsDefaultRegion
        - !Ref MyDbPassword
        - !Sub '{{resolve:secretsmanager:/${AWS::AccountId}/${Environment}/rds/master_user_password}}'
```
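An added illustration of the distinction the maintainer describes (my own code, not cfn-lint's implementation of W1011): a check that flags only a bare `Ref` to a template Parameter on `MasterUserPassword`, leaves `{{resolve:secretsmanager:...}}` dynamic references alone, and has an opt-in stricter mode that also reports `${Var}` inside `Fn::Sub`, the case noted above as still allowed. It works on the parsed long-form template (`!Ref` becomes `{"Ref": ...}`, `!Sub` becomes `{"Fn::Sub": ...}`) so it needs no YAML library; the sample templates and the property list are constructed for the demo.

```python
import re

# Constructed sample value: a Secrets Manager dynamic reference, which is the
# recommended pattern and must never be reported.
DYNAMIC_REF = "{{resolve:secretsmanager:/acct/dev/rds/master_user_password}}"

# Assumption for the demo: only this resource/property pair is treated as secret.
SECRET_PROPERTIES = {"AWS::RDS::DBInstance": ["MasterUserPassword"]}

# ${Var} inside Fn::Sub is an implicit Ref; ${!Var} is CloudFormation's escaped literal.
SUB_VAR = re.compile(r"\$\{(?!!)([^}]+)\}")


def rds_template(password_value, parameters=None):
    """Build a minimal long-form template whose RDS MasterUserPassword is password_value."""
    return {
        "Parameters": parameters or {},
        "Resources": {
            "RDS": {"Type": "AWS::RDS::DBInstance",
                    "Properties": {"MasterUserPassword": password_value}}},
    }


def parameter_refs(value, parameters, check_sub=False):
    """Names of template Parameters that value feeds into the property.

    Default mirrors "just looking for Ref": only a bare {"Ref": name} counts,
    so a Ref nested in Fn::If or a ${name} in Fn::Sub is not reported.
    check_sub=True additionally reports Parameters named via ${name} in Fn::Sub.
    """
    if not isinstance(value, dict):
        return set()            # plain strings, incl. dynamic references
    if "Ref" in value:
        return {value["Ref"]} & parameters
    if check_sub and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        text, local = (sub[0], set(sub[1])) if isinstance(sub, list) else (sub, set())
        return (set(SUB_VAR.findall(text)) - local) & parameters
    return set()


def find_w1011(template, check_sub=False):
    """Return (resource, property, parameter) tuples for secret properties fed by a Parameter."""
    parameters = set(template.get("Parameters", {}))
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for prop in SECRET_PROPERTIES.get(resource.get("Type"), []):
            value = resource.get("Properties", {}).get(prop)
            for name in sorted(parameter_refs(value, parameters, check_sub)):
                findings.append((logical_id, prop, name))
    return findings
```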