
Enhancement proposal for ARN linting

Open ashemedai opened this issue 7 years ago • 5 comments

Given that the ARN format always starts with arn:aws: and for each product has a clearly defined syntax, it seems like an ideal candidate to add to the linter (and the roadmap agrees).

My naive thinking currently says: check normal ARNs via something like regular expressions, keeping in mind that there's a fair amount that are essentially variable length. Could be a simple switch logic based on product: test for presence of fields/number of colons and test fields for whether they comply with the expected syntax.

Substitute syntax will be an interesting case to lint, like `!Sub "arn:aws:iam::${SomeAccountId}:user"`.

What do you think, @cmmeyer and @kddejong? See any potential hurdles with the above?

There's time within our company to pick this up and work on it.

ashemedai, Jul 24 '18 10:07

I have debated this a few times. There is also this article from AWS that has all the valid ARN syntaxes. I think there are some other tricky areas, like IAM, which doesn't have a region, etc., where it would be helpful to help people with the syntax.

Other areas of possibilities.

  • Cross region relationships that may not work. CWE can't use a Lambda in another region, etc.
  • Best practices could be done here... like not hard coding a region into an ARN.

I think the possibilities of getting this setup well could be awesome but we should probably start small.

Some part of me wants to relate this to #50 but instead of allowed values using a Regex.

@cmmeyer thoughts?

kddejong, Jul 24 '18 14:07

@kddejong any new thoughts/ideas on this that we could perhaps contribute to?

SanderKnape, Sep 03 '18 14:09

@SanderKnape we are starting to cover this with Regex checking.

An IAM Role ARN has to match the following pattern: `"AllowedPatternRegex": "arn:(aws[a-zA-Z-]*)?:iam::(\\d{12}|aws):policy/[a-zA-Z_0-9+=,.@\\-_/]+"`

We still have work to build out all those AllowedPatternRegex values but this capability now exists.

kddejong, May 11 '19 12:05

  • Best practices could be done here... like not hard coding a region into an ARN.

I like the idea of a non-Error level rule that could flag ARNs with hardcoded partitions, regions, accounts, or resources.

PatMyron, Feb 24 '20 07:02
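To make the pieces of this thread concrete, here is an added example (not cfn-lint's own code) that combines the IAM policy AllowedPatternRegex quoted above, the "IAM has no region" point, the `!Sub` hurdle from the opening post, and PatMyron's non-Error rule for hard-coded partitions/regions/accounts. The `${...}` handling, the stand-in values and the finding levels are assumptions made for the example.

```python
import re

# Pattern quoted in the thread for an IAM policy ARN (kddejong's AllowedPatternRegex).
IAM_POLICY_ARN_RE = re.compile(
    r"^arn:(aws[a-zA-Z-]*)?:iam::(\d{12}|aws):policy/[a-zA-Z_0-9+=,.@\-_/]+$")
VAR_RE = re.compile(r"\$\{[^}]+\}")   # a !Sub variable such as ${AWS::Partition}
FIELDS = ("partition", "service", "region", "account", "resource")
# Neutral stand-ins (constructed) so a field that is entirely a !Sub variable still
# satisfies the syntax regex; only the literal parts of the ARN get tested.
STANDIN = {"partition": "aws", "service": "iam", "region": "us-east-1",
           "account": "123456789012", "resource": "policy/x"}

def split_arn(arn):
    """Split 'arn:partition:service:region:account:resource' into a dict.
    ${...} variables contain colons, so they are masked before splitting, and the
    resource field may itself contain colons, so only the first five are split."""
    subs = iter(VAR_RE.findall(arn))
    parts = VAR_RE.sub("\x00", arn).split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    restored = [re.sub(r"\x00", lambda m: next(subs), p) for p in parts[1:]]
    return dict(zip(FIELDS, restored))

def lint_arn(arn):
    """Return (level, message) findings for one ARN as written in a template,
    either a plain literal or the string argument of !Sub."""
    fields = split_arn(arn)
    if fields is None:
        return [("error", "not a well-formed ARN: expected 6 colon-separated fields")]
    findings = []
    # IAM ARNs have no region (kddejong's point above), so a value there is a syntax error.
    if fields["service"] == "iam" and fields["region"]:
        findings.append(("error", "IAM ARNs have an empty region field"))
    # Best-practice checks (PatMyron's suggestion): hard-coded values that should
    # normally be pseudo parameters such as ${AWS::Partition} or ${AWS::AccountId}.
    for name in ("partition", "region"):
        if fields[name] and not VAR_RE.fullmatch(fields[name]):
            findings.append(("warning", "hard-coded %s %r" % (name, fields[name])))
    if re.fullmatch(r"\d{12}", fields["account"]):
        findings.append(("warning", "hard-coded account id"))
    # Service-specific syntax check with variables replaced by the neutral stand-ins.
    if fields["service"] == "iam" and fields["resource"].startswith("policy/"):
        normalized = "arn:" + ":".join(
            STANDIN[f] if VAR_RE.fullmatch(fields[f]) else VAR_RE.sub("x", fields[f])
            for f in FIELDS)
        if not IAM_POLICY_ARN_RE.match(normalized):
            findings.append(("error", "IAM policy ARN does not match AllowedPatternRegex"))
    return findings
```

A fully parameterised ARN such as `arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${PolicyName}` produces no findings, while the same ARN with literal partition and account yields two warnings and no error.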

@kddejong Given all progress since this issue was created, does it make sense to keep it open still?

ashemedai, Jan 18 '22 11:01