aws-cloudformation / cloudformation-guard

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Apache License 2.0

[GENERAL ISSUE] Parsing Error with example "sns-cross-account-t-parameterized.guard" #283

Closed scottschreckengaust closed 2 years ago

scottschreckengaust commented 2 years ago

Describe the issue The guard example, https://github.com/aws-cloudformation/cloudformation-guard/blob/main/guard-examples/cross-account/sns-cross-account-t-parameterized.guard, is not usable as-is.

Any examples Please supply:

  1. Example rules and template that you have tried, the sns-cross-account-t-parameterized.guard below.
  2. The commands you used to invoke the tool
        cfn-guard test --verbose \
          --rules-file guard-examples/cross-account/sns-cross-account-t-parameterized.guard \
          --test-data guard-examples/cross-account/sns-cross-account-t-parameterized-tests.yaml
  3. The output of a -v log level if it's not related to cfn-guard-lambda, or the relevant CloudWatch log messages if it is related to the cfn-guard-lambda

        Parse Error on ruleset file Parser Error when parsing Parsing Error Error parsing file sns-cross-account-t-parameterized.guard at line 6 at column 29, when handling , fragment (principals) {
             %principals in %allowed
        }
    
        rule check_aws_specified(principals) {
            %principals.AWS in %allowed
        }
    
        rule check_via_aws_service(statement) {
            when %statement.Principal.Service exists {
                %statement.Condition[ keys == /String(Equals|Like)|Arn(Equals|Like)/ ] not empty {
                    let source_accounts = this[ keys == /(aws|AWS):[sS]ource(Account|Owner|Arn|ARN)/ ]
                    %source_accounts in %allowed
                }
            }
        }
    
        rule check_only_allowed_aws_accounts(statement) {
            %statement
            {
                when Effect == 'Allow'
                {
                    check_direct_principals(Principal) or
                    check_aws_specified(Principal) or
                    check_via_aws_service(this)
                }
            }
        }
    
        rule check_sns_topic_cross_account {
            Resources[ Type == 'AWS::SNS::TopicPolicy' ] {
                check_only_allowed_aws_accounts(Properties.PolicyDocument.Statement[*])
            }
        }
    

    NOTE: Please be sure that the templates, rules and logs you provide as part of your issue do not contain any sensitive information.

Operating System: [eg, MacOS, Windows, Ubuntu, etc] MacOS using Docker pulling rust:latest and installing via cargo

OS Version [eg Catalina, 10, 18.04, etc] Mojave 12.6 Docker version 20.10.17, build 100c701

Additional context

$ git clone https://github.com/aws-cloudformation/cloudformation-guard.git
$ cd cloudformation-guard
$ docker run --rm -it -v `pwd`:`pwd` -w `pwd` rust
# cargo --version
cargo 1.64.0 (387270bc7 2022-09-16)
# cargo install cfn-guard
# cfn-guard --version
cfn-guard 2.0.4

razcloud commented 2 years ago

Hi @scottschreckengaust,

Thank you for your post. We noticed that your cfn-guard version is at 2.0.4 and parameterized rules are supported in 2.1.0. Can you please try rebuilding with 2.1 and see if it resolves your issue?

Thanks!

razcloud commented 2 years ago

@scottschreckengaust Please also note that due to some dependencies, installing from cargo is not currently at 2.1. We recommend building locally as mentioned at the top of the README.
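To catch the mismatch described in the two replies above before running the parameterized example, here is an added POSIX shell example (not part of this thread or the cloudformation-guard project) that parses the `cfn-guard --version` banner and refuses to run the test when the binary is older than 2.1.0; the function names and the 2.1.0 minimum are assumptions taken from this thread.

```shell
#!/bin/sh
# Added example, not project code: gate a Guard run on the minimum version that
# parses parameterized rules ("rule name(params) { ... }"), 2.1.0 per this thread.
MIN_GUARD_VERSION="2.1.0"

# Extract "2.0.4" from a banner line such as "cfn-guard 2.0.4"; prints nothing on no match.
guard_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^cfn-guard[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing each component numerically
# (plain awk, so it does not depend on GNU "sort -V").
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Diagnose a version banner: returns 0 if parameterized rules will parse,
# 1 if the banner is unreadable or the version is too old (cargo's 2.0.4 case).
check_guard_banner() {
    v=$(guard_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "could not read a cfn-guard version from: $1" >&2
        return 1
    fi
    if version_ge "$v" "$MIN_GUARD_VERSION"; then
        echo "cfn-guard $v supports parameterized rules"
        return 0
    fi
    echo "cfn-guard $v is older than $MIN_GUARD_VERSION; parameterized rules will not parse." >&2
    echo "Rebuild with the repo's install-guard.sh instead of 'cargo install'." >&2
    return 1
}

# Real use: only invoke the test command from this issue once the check passes.
run_parameterized_tests() {
    check_guard_banner "$(cfn-guard --version 2>/dev/null)" || return 1
    cfn-guard test --verbose \
      --rules-file guard-examples/cross-account/sns-cross-account-t-parameterized.guard \
      --test-data guard-examples/cross-account/sns-cross-account-t-parameterized-tests.yaml
}
```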

scottschreckengaust commented 2 years ago

Okay, please close the issue. Updating the installation to below yields no parsing errors:

$ git clone https://github.com/aws-cloudformation/cloudformation-guard.git
$ docker run --rm -it -v `pwd`:`pwd` -w `pwd` rust
# cat cloudformation-guard/install-guard.sh | sh
# export PATH=${PATH}:~/.guard/bin
# cfn-guard --version
cfn-guard 2.1.0

razcloud commented 2 years ago

Great! Thanks @scottschreckengaust