Cfn-python-lint: Enhancement proposal for ARN linting

Created on 24 Jul 2018  路  4Comments  路  Source: aws-cloudformation/cfn-python-lint

Given that the ARN format always starts with arn:aws: and for each product has a clear defined syntax it seems like an ideal candidate to add to the linter (and the roadmap agrees).

My native thinking currently says: check normal ARNs via something like regular expressions, keeping in mind that there's a fair amount that are essentially variable length. Could be a simple switch logic based on product and test for presence of fields/number of colons and test fields whether they comply to expected syntax.

Substitute syntax will be an interesting case to lint, like !Sub "arn:aws:iam::${SomeAccountId}:user.

What do you think, @cmmeyer and @kddejong? See any potential hurdles with the above?

There's time within our company to pick this up and work on it.

enhancement new rule question

Most helpful comment

@SanderKnape we are starting to cover this with Regex checking.

An Iam Role Arn has to match the following pattern.
"AllowedPatternRegex": "arn:(aws[a-zA-Z-]*)?:iam::(\\d{12}|aws):policy/[a-zA-Z_0-9+=,.@\\-_/]+"

We still have work to build out all those AllowedPatternRegex values but this capability now exists.

All 4 comments

I have debated this a few times. There is also this article from AWS that has all the valid ARN syntaxes. I think there are some other tricky areas like IAM that doesn't have a region etc that would be helpful to help people to syntax.

Other areas of possibilities.

  • Cross region relationships that may not work. CWE can't use a Lambda in another region, etc.
  • Best practices could be done here... like not hard coding a region into a ARN.

I think the possibilities of getting this setup well could be awesome but we should probably start small.

Some part of me wants to relate this to #50 but instead of allowed values using a Regex.

@cmmeyer thoughts?

@kddejong any new thoughts/ideas on this that we could perhaps contribute to?

@SanderKnape we are starting to cover this with Regex checking.

An Iam Role Arn has to match the following pattern.
"AllowedPatternRegex": "arn:(aws[a-zA-Z-]*)?:iam::(\\d{12}|aws):policy/[a-zA-Z_0-9+=,.@\\-_/]+"

We still have work to build out all those AllowedPatternRegex values but this capability now exists.

  • Best practices could be done here... like not hard coding a region into a ARN.

I like the idea of a non-Error level rule that could flag ARNs with hardcoded partitions, regions, accounts, or resources

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Sergei-Rudenkov picture Sergei-Rudenkov  路  5Comments

KarthickEmis picture KarthickEmis  路  4Comments

ow-krioles picture ow-krioles  路  5Comments

unacceptable picture unacceptable  路  3Comments

LukasMusebrink picture LukasMusebrink  路  3Comments