Open dengmingtong opened 5 days ago
Using the latest version of cfn-lint and this condition I cannot replicate this error.
"IngestionCommonResourcesCreateApplicationLoadBalancerauthEnableConditionF2B09238": {
"Fn::Not": [
{
"Fn::Equals": [
{"Ref": "AuthenticationSecretArn"},
""
]
}
]
}
I wrote a cloudformation example template as below:
AWSTemplateFormatVersion: '2010-09-09'
Description: A CloudFormation template that creates an IAM policy conditionally.
Parameters:
enable:
Type: String
Description: Parameter to enable or disable the creation of the IAM policy.
AllowedValues:
- "Yes"
- "No"
Default: "No"
secretArn:
Type: String
Default: ""
Description: The ARN of the secret to use in the IAM policy.
Conditions:
CreatePolicy: !Equals [!Ref enable, "Yes"]
Resources:
MyIAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: [lambda.amazonaws.com]
Action: ['sts:AssumeRole']
Path: "/"
Policies:
- PolicyName: LambdaExecutionPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "arn:aws:logs:*:*:*"
ConditionalIAMPolicy:
Type: AWS::IAM::Policy
Condition: CreatePolicy
Properties:
PolicyName: ConditionalSecretPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- secretsmanager:GetSecretValue
Resource: !Ref secretArn
Roles:
- !Ref MyIAMRole
execute: cfn-lint -e -t ./E3510-test.yaml
got below error:
E3510 {'Ref': 'secretArn'} does not match '(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:](:(?:\d{12}|\*|aws)?:.+|)|\)$' when 'Ref' is resolved E3510-test.yaml:15:5
This is similar to #3378. The error is coming from the fact that I can leave secretArn
empty and have enable as yes
. As it stands those two parameters really have no relationship in the conditions section.
The way we typically see this solved is something like:
!And [!Equals [!Ref enable, "Yes"], !Not [!Equals [!Ref secretArn, ""]]]
or
!Not [!Equals [!Ref secretArn, ""]]
Is this feature request related to a new rule or cfn-lint capabilities?
No response
Describe the feature you'd like to request
Hello, We have below use case.
We have a cloudformation template to create Policy as below:
And AuthenticationSecretArn is input parameter as below:
Now the cfn-lint throw the below error: E3510 {'Ref': 'AuthenticationSecretArn'} does not match '(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:](:(?:\d{12}|\*|aws)?:.+|)|\)$' when 'Ref' is resolved
Our use case is the Policy is controlled by a condition IngestionCommonResourcesCreateApplicationLoadBalancerauthEnableConditionF2B09238
If the AuthenticationSecretArn is '', condition will be false and policy will not be created.
Could you think about this use case and do some change to support this case?
Thanks, Mingtong
Describe the solution you'd like
If the AuthenticationSecretArn is '', condition will be false and policy will not be created.
Could you think about this use case and do some change to support this case?
Additional context
No response
Is this something that you'd be interested in working on?
Would this feature include a breaking change?