aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

Bug when validating policy with resources from CommaDelimitedList from parameter (E3510) #3787

Closed pgambowski closed 4 weeks ago

pgambowski commented 4 weeks ago

CloudFormation Lint Version

1.18.1

What operating system are you using?

Ubuntu

Describe the bug

I'm using a parameter of type CommaDelimitedList to pass the list of ARNs to the policy's "Resource" attribute. The linter reads the values from the parameter with the newline symbol included and throws the following error:

E3510 '\narn:aws:iam::123456789123:role/bar\n' does not match '^(arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*:(?:\\d{12}|\\*)?:.+|\\*)$' when 'Ref' is resolved

It is possible to pass a list in this way to the "Principal" attribute.

Expected behavior

It is possible to pass a list to the Resource attribute.

Reproduction template

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  RolesToAssume:
    Type: CommaDelimitedList
    Default: |
      arn:aws:iam::123456789123:role/foo,
      arn:aws:iam::123456789123:role/bar

Resources:
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: AllowToAssumeRole
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              Effect: Allow
              Action: sts:AssumeRole
              Resource: !Ref RolesToAssume
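To make the reported behaviour concrete, the added Python example below (not cfn-lint's own code) reproduces how the `Default: |` literal block scalar in the template above yields list elements that carry newlines, and checks them against the ARN regex quoted in the E3510 error message. The split-on-commas behaviour and the `suggested_default` rewrite are assumptions made for the illustration; the two ARN values and the pattern come from the report.

```python
import re

# ARN pattern exactly as quoted in the E3510 error message of the report.
ARN_PATTERN = re.compile(
    r"^(arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*:(?:\d{12}|\*)?:.+|\*)$"
)

# What a YAML literal block scalar (`Default: |`) yields for the template
# in the report: every line break is preserved, including the final one.
LITERAL_BLOCK_DEFAULT = (
    "arn:aws:iam::123456789123:role/foo,\n"
    "arn:aws:iam::123456789123:role/bar\n"
)

# The same two ARNs written as a single plain scalar (constructed here for
# comparison): no embedded newlines.
PLAIN_DEFAULT = (
    "arn:aws:iam::123456789123:role/foo,"
    "arn:aws:iam::123456789123:role/bar"
)


def split_comma_delimited_list(default: str) -> list[str]:
    """Split a CommaDelimitedList default on commas only, with no
    whitespace trimming (assumed here to mirror what the report
    describes the linter doing when the Ref is resolved)."""
    return default.split(",")


def check_resources(default: str) -> list[str]:
    """Return the resolved list elements that fail the E3510 ARN check.

    With the literal block default the second element is
    '\\narn:aws:iam::123456789123:role/bar\\n', which is the very
    string quoted in the error message: the leading newline stops the
    anchored '^arn:' from matching."""
    return [
        item
        for item in split_comma_delimited_list(default)
        if not ARN_PATTERN.match(item)
    ]


def suggested_default(default: str) -> str:
    """Hypothetical template-side rewrite: strip the whitespace around
    each element so the resolved list contains bare ARNs."""
    return ",".join(item.strip() for item in default.split(","))
```

Running `check_resources` on `LITERAL_BLOCK_DEFAULT` flags only the `role/bar` element with its surrounding newlines, while the plain single-line default and the stripped rewrite produce no E3510 findings.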