stelligent / cfn_nag

Linting tool for CloudFormation templates
MIT License

Fn::Join not resolved #589

Closed Poweranimal closed 2 years ago

Poweranimal commented 2 years ago

Hi,

It seems that Fn::Join statements are not resolved.

Example

...
"LambdaServiceRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          }
        }
      ],
      "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
      {
        "Fn::Join": [
          "",
          [
            "arn:",
            {
              "Ref": "AWS::Partition"
            },
            ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        ]
      }
    ]
  }
}
...

Expected Result

No violation to be found.

Actual Result

| WARN W58
|
| Resource: ["Lambda"]
| Line Numbers: [93]
|
| Lambda functions require permission to write CloudWatch Logs

Poweranimal commented 2 years ago

The issue was not Fn::Join. Instead it was AWS::Partition not being resolved, although the documentation describes it as being set by default: https://github.com/stelligent/cfn_nag#aws-pseudofunctions

I was able to fix it by adding a parameters.json file like this one:

{
  "Parameters": {
    "AWS::Partition": "aws"
  }
}

Then I ran: cfn_nag_scan -t '..*\.template.json' -i cdk.out -a parameters.json
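As an added illustration (not cfn_nag's own code), a small Ruby model of what the workaround changes: the Fn::Join is resolved against a parameter map, and a W58-style "has the basic execution role" check only passes once AWS::Partition has a value. The default map, function names and the matching logic are assumptions for this example, not cfn_nag internals.

```ruby
require 'json'

# Constructed sample: the ManagedPolicyArns entry from the issue, as a Ruby hash.
MANAGED_POLICY_ARN_JOIN = {
  'Fn::Join' => [
    '',
    [
      'arn:',
      { 'Ref' => 'AWS::Partition' },
      ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
    ]
  ]
}.freeze

# Assumed default pseudo-parameter values. "AWS::Partition" is deliberately
# absent to reproduce the unresolved case described in the issue.
DEFAULT_PSEUDO_PARAMS = {
  'AWS::Region' => 'us-east-1',
  'AWS::AccountId' => '123456789012'
}.freeze

# Resolve Fn::Join / Ref recursively against a parameter map.
# Returns nil when any Ref has no value, so an unresolved ARN is
# distinguishable from a resolved one instead of silently becoming "arn::iam...".
def resolve(node, params)
  case node
  when String then node
  when Hash
    if node.key?('Ref')
      params[node['Ref']]
    elsif node.key?('Fn::Join')
      delimiter, parts = node['Fn::Join']
      resolved = parts.map { |p| resolve(p, params) }
      resolved.include?(nil) ? nil : resolved.join(delimiter)
    end
  end
end

BASIC_EXECUTION_SUFFIX = ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'

# W58-style decision (assumed): does any managed policy ARN resolve to the
# basic execution role, which grants CloudWatch Logs write access?
def grants_cloudwatch_logs?(managed_policy_arns, params)
  managed_policy_arns.any? do |arn|
    resolved = resolve(arn, params)
    !resolved.nil? && resolved.end_with?(BASIC_EXECUTION_SUFFIX)
  end
end

# Merge a parameters.json like the one in the workaround over the defaults.
def params_from_json(json_text)
  DEFAULT_PSEUDO_PARAMS.merge(JSON.parse(json_text).fetch('Parameters', {}))
end

WORKAROUND_JSON = '{"Parameters": {"AWS::Partition": "aws"}}'
```

Without the partition value the join returns nil and the check fails (a false W58); with the workaround file merged in it resolves to the full ARN and the check passes.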

Gicminos commented 2 years ago

It is good to have a workaround, but shouldn't this get fixed?

Poweranimal commented 2 years ago

Yes, you’re right. Though I think it’s worth creating a dedicated issue for this problem.