W1011 - Use dynamic references over parameters for secrets #3418

Closed
isuftin opened this issue Jun 26, 2024 · 2 comments
Labels
question Further information is requested

Comments

isuftin commented Jun 26, 2024

cfn-lint Version - 1.3.4

Provide additional details e.g. code snippets. Be sure to remove any sensitive data.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: My App
Transform: AWS::LanguageExtensions
Resources:
  RDSMasterUserPassword:
    DeletionPolicy: !If
      - IsProduction
      - Retain
      - Delete
    UpdateReplacePolicy: !If
      - IsProduction
      - Retain
      - Delete
    Type: AWS::SecretsManager::Secret
    Condition: IsDefaultRegion
    Properties:
      Description: The master user password
      Name: !Sub /${AWS::AccountId}/${Environment}/rds/master_user_password
      KmsKeyId: !Ref MultiRegionKMSKeyAlias
      ReplicaRegions:
        - Region: us-east-1
          KmsKeyId: !Ref MultiRegionKMSKeyAlias
      GenerateSecretString:
        PasswordLength: 24
        ExcludePunctuation: true
        ExcludeCharacters: '"@/\'
  RDS:
    Type: AWS::RDS::DBInstance
    Condition: IsDefaultRegionOrIsDisasterRecovery
    Properties:
      CutOutABunchOf: Properties
      MasterUserPassword: !If
        - IsDefaultRegion
        - !Sub '{{resolve:secretsmanager:${RDSMasterUserPassword}}}'
        - !Sub '{{resolve:secretsmanager:/${AWS::AccountId}/${Environment}/rds/master_user_password}}'

This has cfn-lint returning: W1011 - Use dynamic references over parameters for secrets

This seems to be a newer error showing up, but I'm wondering what the best way to deal with this is, or why it's triggering on the MasterUserPassword param here.

isuftin added the "question: Further information is requested" label Jun 26, 2024

@kddejong (Contributor) commented:
We resolved this in a new version. Going forward we are just looking for Ref and not a Ref inside another function.

@kddejong (Contributor) commented:

Why we fixed the issue: we are trying to push towards the recommendation of using Secrets Manager. You are, which is why we resolved that issue.

Technically we will now allow !Sub "${MyDbPassword}", but we can try to address that going forward.

Parameters:
  MyDbPassword:
    Type: String
Conditions:
  IsDefaultRegion: !Equals [!Ref AWS::Region, us-east-1]
Resources:
  RDS:
    Type: AWS::RDS::DBInstance
    Condition: IsDefaultRegionOrIsDisasterRecovery
    Properties:
      CutOutABunchOf: Properties
      MasterUserPassword: !If
        - IsDefaultRegion
        - !Ref MyDbPassword
        - !Sub '{{resolve:secretsmanager:/${AWS::AccountId}/${Environment}/rds/master_user_password}}'
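As an added illustration (not cfn-lint's own rule code), a small Python check over a template in CloudFormation's JSON form (!Ref becomes {"Ref": ...}, !Sub becomes {"Fn::Sub": ...}) that flags a secret property fed by a parameter or a literal instead of a dynamic reference. It covers the three cases discussed in this thread: the {{resolve:...}} with a Ref inside it that the old rule fired on, the bare !Ref the new rule still catches, and the !Sub "${MyDbPassword}" wrapper the maintainer notes is currently allowed. The property list, regexes and the rds_template helper are this example's own assumptions.

```python
import re
# Constructed subset of (resource type, property) pairs that hold secrets; cfn-lint's list is longer.
SECRET_PROPERTIES = {("AWS::RDS::DBInstance", "MasterUserPassword")}
# {{resolve:...}} is read from Secrets Manager / SSM SecureString at deploy time.
DYNAMIC_REF = re.compile(r"\{\{resolve:(?:secretsmanager|ssm-secure):.+?\}\}")
# ${Name} placeholders inside Fn::Sub, ignoring ${!Literal} escapes.
SUB_VAR = re.compile(r"\$\{(?!!)([^}]+)\}")

def branches(value):
    """Yield every concrete value a property can take, expanding nested Fn::If."""
    if isinstance(value, dict) and "Fn::If" in value:
        _condition, when_true, when_false = value["Fn::If"]
        yield from branches(when_true)
        yield from branches(when_false)
    else:
        yield value

def classify(value, parameters):
    """'dynamic' for {{resolve:...}}, 'parameter' when a template parameter feeds
    the secret (Ref, or a bare ${Param} in Fn::Sub), 'plaintext' for a literal."""
    if isinstance(value, str):
        return "dynamic" if DYNAMIC_REF.search(value) else "plaintext"
    if isinstance(value, dict) and "Ref" in value:
        return "parameter" if value["Ref"] in parameters else "other"
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        text = sub if isinstance(sub, str) else sub[0]
        if DYNAMIC_REF.search(text):
            return "dynamic"  # a ${Ref} inside the resolve string is fine
        if any(v in parameters for v in SUB_VAR.findall(text)):
            return "parameter"
    return "other"  # GetAtt, resource Ref, AWS::NoValue: not this rule's concern

def find_secret_findings(template):
    """(resource, property, kind) for each secret property fed by a parameter or literal."""
    parameters = set(template.get("Parameters", {}))
    findings = []
    for name, res in template.get("Resources", {}).items():
        for prop, value in res.get("Properties", {}).items():
            if (res.get("Type"), prop) in SECRET_PROPERTIES:
                for branch in branches(value):
                    kind = classify(branch, parameters)
                    if kind in ("parameter", "plaintext"):
                        findings.append((name, prop, kind))
    return findings

def rds_template(master_user_password):
    """Constructed one-resource template (JSON form) with the given MasterUserPassword value."""
    return {"Parameters": {"MyDbPassword": {"Type": "String"}}, "Resources": {"RDS": {
        "Type": "AWS::RDS::DBInstance", "Properties": {"MasterUserPassword": master_user_password}}}}
```

Run find_secret_findings on the reporter's !If (both branches dynamic) and it returns nothing; swap the first branch for {"Ref": "MyDbPassword"} or {"Fn::Sub": "${MyDbPassword}"} and it reports the parameter.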
