stelligent / cfn_nag

Linting tool for CloudFormation templates
MIT License

Faulty json output on cfn_nag_scan #608

Open isuftin opened 2 years ago

isuftin commented 2 years ago

Running cfn-nag 0.8.10, scanning a nested CloudFormation template, outputting json and am seeing:

Experimental SPCM rule is failing. Please report undefined method `gsub' for {"Ref"=>"RDSKMSKeyAlias"}:Hash

      value = value.gsub("${#{special_character}}", '')
                   ^^^^^ with the violating template

[ ... rest of json output ... ]

While the CloudFormation template(s) may be erroneous, we would not expect plaintext errors to make their way into JSON output as this output gets scanned later for test reporting in GitLab.

isuftin commented 2 years ago

The problem was found in the template and corrected which fixed the error in the output. Original template:

Wrong:

---
AWSTemplateFormatVersion: "2010-09-09"
Description: My IAM role
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: My Description
      PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/my-policy-boundary
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AliasBasedKMSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - kms:List*
                  - kms:Describe*
                  - kms:Decrypt
                  - kms:Encrypt
                Resource: !Sub arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*
                Condition:
                  ForAnyValue:StringEquals:
                    kms:ResourceAliases:
                      - !Ref RDSKMSKeyAlias

Right:

---
AWSTemplateFormatVersion: "2010-09-09"
Description: My IAM role
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: My Description
      PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/my-policy-boundary
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AliasBasedKMSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - kms:List*
                  - kms:Describe*
                  - kms:Decrypt
                  - kms:Encrypt
                Resource: !Sub arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*
                Condition:
                  ForAnyValue:StringEquals:
                    kms:ResourceAliases: !Ref RDSKMSKeyAlias

Specifically, cfn-nag was puking on this having a list instead of a string:

Condition:
  ForAnyValue:StringEquals:
    kms:ResourceAliases: ...
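The traceback in the first comment shows why the template shape matters: the rule calls `gsub` on the condition value, and when a `!Ref` sits inside a list the parser hands it a Hash (`{"Ref"=>"RDSKMSKeyAlias"}`) rather than a String, so the call raises and the exception text ends up in the JSON stream. The following is an added illustration, not cfn_nag's own code: a type-tolerant version of that substitution that walks strings, lists and intrinsic-function hashes, next to the string-only version that reproduces the failure, and a wrapper that turns a rule error into a JSON field instead of raw text. `SPECIAL_CHARACTERS`, `naive_strip`, `strip_special_refs` and `run_rule_safely` are assumed names for this example.

```ruby
require 'json'

# Constructed list of CloudFormation pseudo-parameters whose "${...}" references
# get stripped before a policy value is inspected (an assumption for this example).
SPECIAL_CHARACTERS = %w[AWS::Partition AWS::AccountId AWS::Region].freeze

# String-only substitution, equivalent to the line in the traceback above.
# Raises NoMethodError as soon as the value is a Hash or an Array.
def naive_strip(value)
  SPECIAL_CHARACTERS.reduce(value) { |acc, sc| acc.gsub("${#{sc}}", '') }
end

# Same substitution, but tolerant of the shapes a parsed template can produce:
# Strings are cleaned; Arrays are cleaned element-wise; Hashes (intrinsic
# functions such as {"Ref"=>...} or {"Fn::Sub"=>...}) keep their shape and have
# their nested values cleaned; anything else passes through unchanged.
def strip_special_refs(value)
  case value
  when String then SPECIAL_CHARACTERS.reduce(value) { |acc, sc| acc.gsub("${#{sc}}", '') }
  when Array  then value.map { |v| strip_special_refs(v) }
  when Hash   then value.transform_values { |v| strip_special_refs(v) }
  else value
  end
end

# Run a rule body and, on any error, return a JSON-serialisable failure record
# so the scan output stays parseable for downstream test reporting.
def run_rule_safely(name, value)
  { 'rule' => name, 'result' => strip_special_refs(value), 'error' => nil }
rescue StandardError => e
  { 'rule' => name, 'result' => nil, 'error' => "#{e.class}: #{e.message}" }
end

# Constructed condition value matching the "Wrong" template: a list holding a Ref.
WRONG_CONDITION = {
  'ForAnyValue:StringEquals' => { 'kms:ResourceAliases' => [{ 'Ref' => 'RDSKMSKeyAlias' }] }
}.freeze

# Constructed Resource value with pseudo-parameter references, as !Sub parses to.
SUB_RESOURCE = { 'Fn::Sub' => 'arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(run_rule_safely('SPCM', WRONG_CONDITION))
  puts JSON.pretty_generate(run_rule_safely('SPCM', SUB_RESOURCE))
end
```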

connelldave commented 1 year ago

Bumping as this caught me out today expecting valid JSON on stdout with -o.

I've raised a PR with the simplest fix I could see :)