[BUG] #567
Comments
This is a duplicate of a previous issue, but I got too busy and forgot to check on it. The comment on that was that the rules did not appear to be in the issue, but they were, hence my bold heading highlighting that, as silly as it seems, the rules above are the ones that were failing.

Hi @Aaron-Garrett, as mentioned in your previous issue, the rule from your provided output that fails is Again, this rule must be defined somewhere, so please provide its definition so we can reproduce and help you. For future reference, please re-open the previous issue instead of creating a new one. Thanks,

In addition to my above comment, to help you find it, the output indicates the file this rule is defined in is

Alright. I could not figure out how to reopen the issue. It is the correct rule; I have just updated the names since the error occurred in an attempt to bring more clarity to the output.

Hi @Aaron-Garrett, this above snippet still doesn't include the definition for the rule
Hi @Aaron-Garrett, I see you have edited your comment since my last reply. I want you to know I am unable to reproduce the issue (using cfn-guard v3.1.1) with everything you have provided.
Here is another one that just failed today. Here is the code in the CloudFormation template:
Here is the error from CFN-Guard:
And here is the CloudFormation guard script:
It seems to keep happening on DMS permissions. No idea why.

Following up to see if there's any update.

Following up again as I keep running into this issue and it is causing some issues in my use case.
Hey @Aaron-Garrett, sorry about the delay here. The issue with your rules is the way you're writing them. This can be seen with a verbose flag being added to your rules. When you write a check like this
what you're doing is essentially querying for a type map filter, and you're You have 2 options to re-write this check and all of them that are like this
or
Note the difference between using the second option and what you had: in the second option you're not applying a map filter, you're doing a direct access query (like a key in a dictionary/hashmap). When using an access query, this results in a falsey value if the key DNE. Please let me know if that solves any/all issues you're having here. Thanks

I will try that in my next release and let you know. Thank you for clarifying. To make sure I'm understanding correctly --> by using "some Resource...." I am confusing the program because I am asking if the policy document --> Statement structure exists and then within that I am ALSO asking if an Fn::Sub matches a pattern, so I am receiving "True" that the policy statement exists and skip since there is no !Sub? And to resolve this, if I remove the some from before Resources, I will not be doing an "and" function, but rather will be combining the Resource statement into the policy document statement as one chunk of code?
Describe the bug
The rule I wrote checking for S3 permissions on wildcard Resource is running and failing on IAM roles without any S3 permissions.

To Reproduce
Example rules and template that result in the error

Template:

CloudFormation Guard Rule:

I KNOW THIS SEEMS TOTALLY UNRELATED TO THE CODE ABOVE BUT THIS IS THE CHECK THAT KEEPS FAILING

Expected behavior
The test should skip

Operating System:
Linux

OS Version
Ubuntu latest