stelligent / cfn_nag

Linting tool for CloudFormation templates
MIT License

CFN nag error when running it on a template that contains intrinsic function Fn::ForEach #621

Open gopinjag opened 9 months ago

gopinjag commented 9 months ago

We have a template that, using hostnames as the identifier, creates resources with the Fn::ForEach intrinsic function. A sample of the template:

AWSTemplateFormatVersion: 2010-09-09
Transform: "AWS::LanguageExtensions"
Mappings:
  Instances:
    InstanceType:
      B: m5.4xlarge
      C: c5.2xlarge
    ImageId:
      A: ami-id1
Resources:
  "Fn::ForEach::Instances":
    - Identifier
    - [A, B, C]
    - "Instance${Identifier}":
        Type: "AWS::EC2::Instance"
        Properties:
          InstanceType:
            !FindInMap [
              Instances,
              InstanceType,
              !Ref "Identifier",
              { DefaultValue: m5.xlarge },
            ]
          ImageId:
            !FindInMap [
              Instances,
              ImageId,
              !Ref "Identifier",
              { DefaultValue: ami-id-default },
            ]
Outputs:
  SecondInstanceId:
    Description: Instance Id for InstanceB
    Value: !Ref "InstanceB"
  SecondPrivateIp:
    Description: Private IP for InstanceB
    Value: !GetAtt [InstanceB, PrivateIp]

When I run a cfn_nag scan on the template with the command cfn_nag_scan --input-path <>, I get an error:

/opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:20:in `block in validate': no implicit conversion of String into Integer (TypeError)
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:19:in `each'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:19:in `validate'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/schema_generator.rb:17:in `generate'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/cloudformation_validator.rb:13:in `validate'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:220:in `pre_validate_model'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:62:in `parse_without_parameters'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:43:in `parse'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:87:in `audit'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:68:in `block in audit_aggregate_across_files'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:65:in `each'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:65:in `audit_aggregate_across_files'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:35:in `audit_aggregate_across_files_and_render_results'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag_executor.rb:50:in `execute_aggregate_scan'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag_executor.rb:30:in `scan'
    from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/bin/cfn_nag_scan:11:in `<top (required)>'
    from /opt/homebrew/bin/cfn_nag_scan:6:in `load'
    from /opt/homebrew/bin/cfn_nag_scan:6:in `<main>'

Commenting out that resource block from the template, no error is returned. Could the team confirm whether this intrinsic function is supported?

cfn nag version

cfn_nag_scan --version
0.8.10
joegajeckyj commented 9 months ago

Yup same here

ap-hyperbole commented 9 months ago

+1 same issue here with ForEach

dicknetherlands commented 8 months ago

+1 same here (using version 0.8.10)

In addition, it is preventing me from deploying a stack using ForEach via the manifest in Customizations for AWS Control Tower (CfCT), because cfn_nag is built into the AWS-controlled validation mechanism for it. (Theirs is pinned to version 0.7.2 and can't be changed...!)

In this situation a fix to cfn_nag won't solve the problem. Is there a workaround instead that still lets me use ForEach without cfn_nag breaking?
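The traceback in the issue and the workaround question above are illustrated by the following added example. It is not code from cfn_nag or cfn-model. The diagnosis it encodes is an inference from the visible traceback (a validator iterating Resources and indexing each entry with a String key), not something confirmed by the project: under `Resources`, the value of a `Fn::ForEach::*` key is a YAML sequence, and in Ruby `Array#[]` with a String argument raises exactly "no implicit conversion of String into Integer". The script reproduces that with a minimal walker, then pre-expands the loop into concrete logical resources so the resulting template contains only ordinary Hash entries, which is what an unpatched cfn_nag_scan (including a pinned 0.7.2) can process. The sample template is a constructed, trimmed version of the one in the issue, written with long-form intrinsics so it parses with `YAML.safe_load`; `collect_resource_types`, `substitute`, `expand_resources` and `expand_template` are names chosen here.

```ruby
#!/usr/bin/env ruby
# Added example (not cfn_nag/cfn-model code): show why a Hash-oriented walk over
# Resources trips on Fn::ForEach, and pre-expand the loop so the concrete
# resources can be scanned by an unpatched cfn_nag_scan.
require 'yaml'

FOR_EACH_PREFIX = 'Fn::ForEach::'

# Constructed sample, trimmed from the template in the issue. Intrinsic
# functions use their long form so the file loads with YAML.safe_load.
SAMPLE_TEMPLATE = <<~YAML
  AWSTemplateFormatVersion: "2010-09-09"
  Transform: "AWS::LanguageExtensions"
  Resources:
    "Fn::ForEach::Instances":
      - Identifier
      - [A, B, C]
      - "Instance${Identifier}":
          Type: "AWS::EC2::Instance"
          Properties:
            ImageId: ami-id-default
            Tags:
              - Key: Name
                Value: { "Fn::Sub": "instance-${Identifier}" }
    Bucket:
      Type: "AWS::S3::Bucket"
YAML

# Mimics a validator that assumes every entry under Resources is a Hash with a
# "Type" key (an assumption about the shape the traceback points at). The
# Fn::ForEach entry is an Array, and Array#[] with a String raises
# "no implicit conversion of String into Integer".
def collect_resource_types(template)
  types = template.fetch('Resources').map { |_name, res| res['Type'] }
  [:ok, types]
rescue TypeError => e
  [:error, e.message]
end

# Deep-substitute ${ident} in every String key and value of a structure
# (logical ids, property values and strings nested inside Fn::Sub alike).
def substitute(node, ident, value)
  placeholder = "${#{ident}}"
  case node
  when Hash   then node.to_h { |k, v| [substitute(k, ident, value), substitute(v, ident, value)] }
  when Array  then node.map { |v| substitute(v, ident, value) }
  when String then node.gsub(placeholder, value.to_s)
  else node
  end
end

# Expand every Fn::ForEach::* key under Resources into concrete resources.
# Nested loops are handled by re-expanding the substituted fragment. Only
# literal collections are supported: a collection given as {"Ref" => ...}
# (a CommaDelimitedList parameter) cannot be expanded without a value.
def expand_resources(resources)
  resources.each_with_object({}) do |(name, body), out|
    unless name.start_with?(FOR_EACH_PREFIX)
      out[name] = body
      next
    end
    ident, collection, fragment = body
    raise ArgumentError, "#{name}: only literal collections can be expanded" unless collection.is_a?(Array)
    collection.each do |value|
      expanded = expand_resources(substitute(fragment, ident, value))
      expanded.each_key { |k| raise ArgumentError, "duplicate logical id #{k}" if out.key?(k) }
      out.merge!(expanded)
    end
  end
end

# Returns a copy of the template whose Resources section is fully expanded;
# Outputs, Conditions and other sections are passed through untouched.
def expand_template(template)
  template.merge('Resources' => expand_resources(template.fetch('Resources')))
end

if __FILE__ == $PROGRAM_NAME
  tpl = YAML.safe_load(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_TEMPLATE)
  puts YAML.dump(expand_template(tpl)) # write this out, then: cfn_nag_scan --input-path expanded.yaml
end
```

The expanded file is a scanning artefact only: deploy the original template so CloudFormation's own `AWS::LanguageExtensions` transform performs the expansion. The script does not expand `Fn::ForEach` used in `Outputs` or `Conditions`, and because cfn_nag rules run against the expanded copy, any finding's logical id (for example `InstanceB`) has to be mapped back to the loop that generated it when adding a rule suppression.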

elelkhoury commented 7 months ago

+1 Same here

mumehta commented 6 months ago

Any fix for this issue?

jpSimkins commented 4 months ago

Same here. I think this project is abandoned.