awslabs / aws-cloudformation-iam-policy-validator

MIT No Attribution

Getting DATA_TYPE_MISMATCH when using If-condition with "AWS::NoValue" #29

Open delenamalan opened 1 year ago

delenamalan commented 1 year ago

I'm getting the DATA_TYPE_MISMATCH error ("The text does not match the expected JSON data type String, Number, or Boolean.") for my policy when I use an If-condition with an else value of !Ref "AWS::NoValue" in the Resource array.

If I use either !Ref mySecondSecret or !Ref "AWS::NoValue" directly in the Resource array, I don't get the error anymore.

This is my policy, for example:

```yaml
Policies:
  - PolicyName: my_policy
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action:
            - "secretsmanager:GetSecretValue"
          Resource:
            - !Ref myFirstSecret
            - !If
              - MyCondition
              - !Ref mySecondSecret
              - !Ref "AWS::NoValue"
```

mluttrell commented 1 year ago

The tool does not yet support the Fn::If conditional function (!If in your template), so the tool treats it as a literal string. I'll leave this open for tracking.
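
To make the cause of the finding concrete, here is an added example (not code from this issue or from the validator) that resolves `Fn::If` and `Ref AWS::NoValue` in the JSON form of the policy above before type-checking the `Resource` array. It follows CloudFormation's documented behaviour that `AWS::NoValue` as the false branch of `Fn::If` removes the list element (or property), and it assumes constructed placeholder ARNs for `myFirstSecret`/`mySecondSecret` and that the template's conditions have already been evaluated to booleans; it does not evaluate `Fn::Equals`/`Fn::And`/`Fn::Or` itself.

```python
"""Resolve Fn::If / AWS::NoValue in a policy document, then type-check Resource.

Added example; not the validator's implementation. Conditions are supplied
pre-evaluated, and Ref targets are mapped to constructed placeholder ARNs.
"""
from typing import Any, Optional

_REMOVED = object()  # sentinel: drop this element/key from its parent container

# Constructed placeholder ARNs standing in for the template's logical resources.
RESOURCE_ARNS = {
    "myFirstSecret": "arn:aws:secretsmanager:us-east-1:123456789012:secret:first-EXAMPLE",
    "mySecondSecret": "arn:aws:secretsmanager:us-east-1:123456789012:secret:second-EXAMPLE",
}

# JSON form of the YAML policy posted in the issue (constructed here).
POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": [
                {"Ref": "myFirstSecret"},
                {"Fn::If": ["MyCondition", {"Ref": "mySecondSecret"}, {"Ref": "AWS::NoValue"}]},
            ],
        }
    ],
}


def resolve(node: Any, conditions: Optional[dict], refs: dict) -> Any:
    """Recursively substitute Ref and Fn::If.

    conditions=None leaves Fn::If untouched, which mirrors a validator that
    resolves Ref but has no support for the conditional language yet.
    """
    if isinstance(node, dict) and len(node) == 1:
        (key, value), = node.items()
        if key == "Ref":
            if value == "AWS::NoValue":
                return _REMOVED  # element/property is removed by CloudFormation
            return refs.get(value, node)  # unknown Ref stays as-is (will be flagged)
        if key == "Fn::If" and conditions is not None:
            cond_name, if_true, if_false = value
            if cond_name not in conditions:
                raise KeyError(f"condition {cond_name!r} is not defined")
            chosen = if_true if conditions[cond_name] else if_false
            return resolve(chosen, conditions, refs)
    if isinstance(node, dict):
        out = {}
        for k, v in node.items():
            r = resolve(v, conditions, refs)
            if r is not _REMOVED:
                out[k] = r
        return out
    if isinstance(node, list):
        out = []
        for item in node:
            r = resolve(item, conditions, refs)
            if r is not _REMOVED:
                out.append(r)
        return out
    return node


def find_type_mismatches(policy_document: dict) -> list:
    """Return every Resource entry that is not a JSON String.

    A non-empty result is the situation the DATA_TYPE_MISMATCH finding describes:
    an unresolved intrinsic-function object where a string ARN is expected.
    """
    bad = []
    for statement in policy_document.get("Statement", []):
        resources = statement.get("Resource", [])
        if not isinstance(resources, list):
            resources = [resources]
        bad.extend(r for r in resources if not isinstance(r, str))
    return bad


if __name__ == "__main__":
    partial = resolve(POLICY_DOCUMENT, None, RESOURCE_ARNS)
    print("Ref resolved, Fn::If not:", find_type_mismatches(partial))
    for flag in (False, True):
        full = resolve(POLICY_DOCUMENT, {"MyCondition": flag}, RESOURCE_ARNS)
        print(f"MyCondition={flag}:", full["Statement"][0]["Resource"],
              "mismatches:", find_type_mismatches(full))
```

With `MyCondition` false the `Resource` list collapses to the first ARN only; with it true both ARNs are present, and in neither case is there a non-string entry left for the type check to flag.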

SamPlatek commented 1 year ago

Is it currently on the roadmap to add !If intrinsic function support to this tool?

mluttrell commented 1 year ago

We do plan to support this in time. It does, however, require supporting the whole conditional language first (e.g. equals/and/or/etc).

mluttrell commented 10 months ago

We just recently added support for conditions (including the !If function). Please give it a try, when you get a chance, and see if it resolves your issue.