From 7c834a1479370528938d7e3f37476a4381877a93 Mon Sep 17 00:00:00 2001
From: Kevin DeJong
Date: Mon, 11 Nov 2024 12:15:11 -0800
Subject: [PATCH 1/2] Allow cloudfront to be used in ARNs for accountId

---
 .../rules/resources/HardCodedArnProperties.py | 11 ++++++-----
 .../properties/hard_coded_arn_properties.yaml | 12 ++++++++++++
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/cfnlint/rules/resources/HardCodedArnProperties.py b/src/cfnlint/rules/resources/HardCodedArnProperties.py
index a88329e9a8..10dbd80da5 100644
--- a/src/cfnlint/rules/resources/HardCodedArnProperties.py
+++ b/src/cfnlint/rules/resources/HardCodedArnProperties.py
@@ -125,10 +125,11 @@ def match(self, cfn: Template) -> RuleMatches:
                 if self.config["accountId"] and not re.match(
                     r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|$", candidate[2]
                 ):
-                    message = (
-                        "ARN in Resource {0} contains hardcoded AccountId in ARN or"
-                        " incorrectly placed Pseudo Parameters"
-                    )
-                    matches.append(RuleMatch(path, message.format(path[1])))
+                    if candidate[2] not in ["cloudfront"]:
+                        message = (
+                            "ARN in Resource {0} contains hardcoded AccountId in ARN or"
+                            " incorrectly placed Pseudo Parameters"
+                        )
+                        matches.append(RuleMatch(path, message.format(path[1])))
 
         return matches
diff --git a/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml b/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
index 0250c3225b..8e8add11fb 100644
--- a/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
+++ b/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
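Review bot: The new `if candidate[2] not in ["cloudfront"]:` exempts a `cloudfront` account segment for every service, although as far as I know the only ARN that legitimately carries it is the IAM origin-access-identity principal the fixture adds (`arn:${AWS::Partition}:iam::cloudfront:user/...`); if the candidate tuple exposes the service segment, gate the exemption on it being `iam` so a hard-coded `cloudfront` in, say, a Lambda or S3 ARN is still reported. If the service is not captured, at least fold the literal into the existing allow-list rather than adding a second nested check, `r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|cloudfront|$"`, so there is one place to read the exemptions; note the regex alternatives are prefix matches (`aws` also accepts `awsfoo`) whereas the new list test is exact, so the two mechanisms do not behave alike. Either way a why-comment above the exemption, `# "cloudfront" is the pseudo-account used by CloudFront OAI IAM principals`, records the reason this value is trusted. `match` begins before this hunk and the loop that yields `candidate` is not visible here.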
@@ -14,3 +14,15 @@ Resources:
       TemplateURL: !Sub https://s3_bucket_name.s3.${AWS::Region}.amazonaws.com/template.yaml
       Parameters:
         AuthorizerUri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:FunctionName/invocations
+  Bucket:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: bucket
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: !Sub arn:${AWS::Partition}:iam::cloudfront:user/CloudFront Origin Access Identity E15MNIMTCFKK4C
+            Action: s3:GetObject
+            Resource: arn:aws:s3:::bucket/*

From 5cfec6c07172540e57c401abd640259c379da933 Mon Sep 17 00:00:00 2001
From: Kevin DeJong
Date: Tue, 12 Nov 2024 07:10:45 -0800
Subject: [PATCH 2/2] Make sure config is all True

---
 .../resources/test_hardcodedarnproperties.py | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/test/unit/rules/resources/test_hardcodedarnproperties.py b/test/unit/rules/resources/test_hardcodedarnproperties.py
index bee996d3e7..2e2663d347 100644
--- a/test/unit/rules/resources/test_hardcodedarnproperties.py
+++ b/test/unit/rules/resources/test_hardcodedarnproperties.py
@@ -28,6 +28,26 @@ def test_file_positive(self):
         # By default, a set of "correct" templates are checked
         self.helper_file_positive()
 
+    def test_file_positive_with_config(self):
+        self.helper_file_negative(
+            "test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml",
+            0,
+            ConfigMixIn(
+                [],
+                include_experimental=True,
+                include_checks=[
+                    "I",
+                ],
+                configure_rules={
+                    "I3042": {
+                        "partition": True,
+                        "region": True,
+                        "accountId": True,
+                    }
+                },
+            ),
+        )
+
     def test_file_negative_partition(self):
         self.helper_file_negative(
             "test/fixtures/templates/bad/hard_coded_arn_properties.yaml",
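Review bot: `Resource: arn:aws:s3:::bucket/*` hard-codes the `aws` partition in a fixture that the companion test runs with `partition: True` and expects to produce zero findings; if the rule only inspects `Fn::Sub` strings (not visible here) the line is simply never scanned, but it still reads as a counter-example inside a "good" fixture. Prefer `Resource: !Sub arn:${AWS::Partition}:s3:::bucket/*` so every ARN in the fixture demonstrates the accepted form and the fixture keeps exercising the rule if its scanning scope is ever widened. The `Bucket` resource is complete within the hunk, but the enclosing `Resources:` map begins before it.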
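Review bot: The new test pins only the allow side of the `cloudfront` exemption — `helper_file_negative(<good fixture>, 0, ...)` with all three flags on — so nothing asserts that the exemption did not widen the rule. If `cloudfront` is meant to be accepted only for IAM principals, add a bad-fixture case such as `!Sub arn:${AWS::Partition}:lambda:${AWS::Region}:cloudfront:function:Foo` and assert it is still reported under the same all-True config. The name `test_file_positive_with_config` for a call to `helper_file_negative` is also easy to misread; a one-line docstring, `"""Good fixture must yield zero I3042 findings with every check enabled."""`, would make the intent explicit.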