Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
A pseudo parameter in CFN is a parameter which is dynamically available (see reference).
As we do not render it at build time, we want to handle this case by keeping the reference itself without the
value, so we can at least build a semi-full resource.
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have added tests that prove my feature, policy, or fix is effective and works
- [ ] New and existing tests pass locally with my changes
Generated description
Below is a concise technical summary of the changes proposed in this PR:
Introduce support for handling `Fn::Sub` with pseudo parameters in AWS CloudFormation templates. The `CloudformationVariableRenderer` class now includes a method `_handle_sub_with_pseudo_param` to manage these cases by retaining the reference without the value, ensuring a semi-complete resource build. The `PseudoParameters` enum is added to `cfn_keywords.py` to define available pseudo parameters. Test cases in `test_render.py` and new JSON/YAML resources validate the changes, ensuring that pseudo parameters are correctly processed and that the `Fn::Sub` function behaves as expected.
| Topic | Details |
| --- | --- |
| [New Test Resources](https://baz.co/changes/bridgecrewio/checkov/6835?tool=ast&topic=New+Test+Resources) | Introduce new JSON/YAML resources and test cases to validate the `Fn::Sub` function and pseudo parameter handling in CloudFormation templates. Modified files (5), including `tests/cloudformation/graph/graph_runner/test_running_graph_checks.py` |
| | Enhance the `CloudformationVariableRenderer` to handle `Fn::Sub` with pseudo parameters, ensuring references are maintained without values for semi-complete resource builds. Modified files (1) |
Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html
- `PseudoParameters` enum to define available pseudo parameters in CloudFormation templates. Modified files (1)
- `CloudformationVariableRenderer` to handle `Fn::Sub` with pseudo parameters, ensuring references are maintained without values for semi-complete resource builds. Modified files (1)
- `Fn::Sub` with pseudo parameters, ensuring correct processing and expected behavior. Modified files (3)
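The behaviour this PR describes, sketched as an added example (not Checkov's code and not the PR's `_handle_sub_with_pseudo_param`): known parameters in an `Fn::Sub` value are substituted, while pseudo parameters stay as `${AWS::...}` references so a check still sees a semi-complete resource. `render_sub`, `PSEUDO_PARAMETERS` and the sample values are hypothetical names constructed for illustration.

```python
import re

# AWS-documented pseudo parameters; CloudFormation resolves them only at deploy time.
PSEUDO_PARAMETERS = frozenset({
    "AWS::AccountId", "AWS::NotificationARNs", "AWS::NoValue", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
})

# ${Name} placeholder; ${!Name} is the Fn::Sub escape for a literal ${Name}.
_PLACEHOLDER = re.compile(r"\$\{(!?)([^}]+)\}")


def render_sub(sub_value, parameters):
    """Statically render an Fn::Sub value (hypothetical helper).

    Accepts both forms: "string" and ["string", {local variable map}].
    Returns (rendered_string, unresolved_names). Pseudo parameters and
    unknown names stay as ${...} references instead of being guessed.
    """
    if isinstance(sub_value, list):
        text, local_vars = sub_value
    else:
        text, local_vars = sub_value, {}
    unresolved = []

    def replace(match):
        escaped, name = match.group(1), match.group(2).strip()
        if escaped:                       # ${!Name}: literal, leave untouched
            return match.group(0)
        if name in PSEUDO_PARAMETERS:     # keep the reference, no value
            unresolved.append(name)
            return match.group(0)
        for scope in (local_vars, parameters):
            if isinstance(scope.get(name), (str, int)):
                return str(scope[name])
        unresolved.append(name)           # e.g. a resource attribute
        return match.group(0)

    return _PLACEHOLDER.sub(replace, text), unresolved


# Constructed sample: a template parameter value and an S3 ARN built with Fn::Sub.
SAMPLE_PARAMS = {"BucketPrefix": "audit-logs"}
SAMPLE_SUB = "arn:${AWS::Partition}:s3:::${BucketPrefix}-${AWS::Region}/*"

if __name__ == "__main__":
    print(render_sub(SAMPLE_SUB, SAMPLE_PARAMS))
```

The returned list of unresolved names lets a caller distinguish a fully rendered string from one that still carries deploy-time references.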