cloudformation-guard
[BUG] Guard crashed when failing resources have a `/` in their name
Describe the bug
When a resource in the template has a LogicalId like `Name/With/Slash`, guard panics if there is a failing rule for that resource.
I know that CloudFormation does not support LogicalIds like this, but I'm not setting the type to CFNTemplate, and I'm using a tool to autogenerate templates, so I can run guard on resources not deployed by CloudFormation.
To Reproduce
Template that causes a crash:

```yaml
# test.yaml
Resources:
  A/Resource/Name/With/Slash:
    Metadata:
      guard:
        SuppressedRules:
          - CW_LOGGROUP_RETENTION_PERIOD_CHECK]
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref AWS::NoValue
```
Templates that don't cause a crash:

```yaml
Resources:
  A/Resource/Name/With/Slash:
    Metadata:
      guard:
        SuppressedRules:
          - CW_LOGGROUP_RETENTION_PERIOD_CHECK
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref AWS::NoValue
```

```yaml
Resources:
  AResourceNameWithoutSlash:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref AWS::NoValue
```
Rules file:

```
# test.guard
let cloudwatch_logs_retention_period = Resources.*[ Type == 'AWS::Logs::LogGroup'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
]

rule CW_LOGGROUP_RETENTION_PERIOD_CHECK when %cloudwatch_logs_retention_period !empty {
  %cloudwatch_logs_retention_period.Properties.RetentionInDays IN [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
  <<
    Guard Rule Set: wa-Security-Pillar
    Controls: SEC-4.2
    Violation: CloudWatch Log LogsGroup does not have RetentionInDays set.
    Fix: Set the RetentionInDays parameter to a value of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, or 3653.
  >>
}
```
Outputs:

```
~$ cfn-guard --version
cfn-guard 2.1.0
~$ RUST_BACKTRACE=full cfn-guard validate --rules test.guard --data test.yaml --verbose
test.yaml Status = FAIL
FAILED rules
test.guard/CW_LOGGROUP_RETENTION_PERIOD_CHECK FAIL
---
thread 'main' panicked at 'internal error: entered unreachable code', guard/src/commands/validate/cfn.rs:181:22
stack backtrace:
0: 0x1059f1022 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h16d1a5d48aeff79a
1: 0x105a0725a - core::fmt::write::hd4894418914ead0b
2: 0x1059ddf18 - std::io::Write::write_fmt::h64d317bb018e2b5c
3: 0x1059e281d - std::panicking::default_hook::{{closure}}::h4fa7fb9660e915bb
4: 0x1059e24d5 - std::panicking::default_hook::hfc7c802f5856fff7
5: 0x1059e2e9f - std::panicking::rust_panic_with_hook::hac34d5423636aa62
6: 0x1059f173a - std::panicking::begin_panic_handler::{{closure}}::h20649726a6fa6320
7: 0x1059f1137 - std::sys_common::backtrace::__rust_end_short_backtrace::hc440a536609cc112
8: 0x1059e2963 - _rust_begin_unwind
9: 0x105a27123 - core::panicking::panic_fmt::h72d82fb70320b112
10: 0x105a27007 - core::panicking::panic::h87a58e33b7ea1a3b
11: 0x10584d60e - <cfn_guard::commands::validate::cfn::CfnAware as cfn_guard::commands::validate::Reporter>::report_eval::hc8d33ce1acba6d9d
12: 0x1058b956b - <cfn_guard::commands::validate::summary_table::SummaryTable as cfn_guard::commands::validate::Reporter>::report_eval::h8d37524a59a27ed9
13: 0x10583a46f - cfn_guard::commands::validate::evaluate_against_data_input::h1037e0c24b3f10a7
14: 0x105838411 - <cfn_guard::commands::validate::Validate as cfn_guard::command::Command>::execute::h46260735b9a23b17
15: 0x10586a8bc - cfn_guard::main::h8c97f5746ff0d553
16: 0x10581baab - std::sys_common::backtrace::__rust_begin_short_backtrace::h7155b2c6000cfb03
17: 0x105874788 - std::rt::lang_start::{{closure}}::hf4f32c13dc484b4b
18: 0x1059d5b65 - std::rt::lang_start_internal::hd120a3e2e99da107
19: 0x105870139 - _main
```

Operating System: MacOS Monterey 12.4 (21F79)
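Because the crash only triggers on resources whose logical ID CloudFormation itself would reject, a cheap pre-flight check in CI can surface such IDs before `cfn-guard validate` runs and hits the panic. The script below is an added example, not code from the cloudformation-guard project or from this report; it uses only the Python standard library (a deliberately line-based scan for YAML so no PyYAML `!Ref` constructor is needed, and `json` for JSON templates), and the sample templates embedded in it are constructed from the report above.

```python
import json
import re

# CloudFormation only allows alphanumeric logical IDs (A-Za-z0-9). Other
# template generators may emit IDs outside that set; cfn-guard 2.1.0 panics
# when such a resource fails a rule, so flag them before the validate step.
LOGICAL_ID_RE = re.compile(r"^[A-Za-z0-9]+$")

# Constructed sample templates, modelled on the report above.
CRASHING_TEMPLATE = """\
Resources:
  A/Resource/Name/With/Slash:
    Metadata:
      guard:
        SuppressedRules:
          - CW_LOGGROUP_RETENTION_PERIOD_CHECK]
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref AWS::NoValue
"""

SAFE_TEMPLATE = """\
Resources:
  AResourceNameWithoutSlash:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref AWS::NoValue
"""

# Constructed JSON template with one offending and one valid logical ID.
JSON_TEMPLATE = json.dumps({"Resources": {
    "Log/Group": {"Type": "AWS::Logs::LogGroup"},
    "LogGroup2": {"Type": "AWS::Logs::LogGroup"},
}})


def resource_ids_from_json(text):
    """Logical IDs of a JSON template; the stdlib parser handles it fully."""
    doc = json.loads(text)
    return list(doc.get("Resources", {}).keys())


def resource_ids_from_yaml(text):
    """Keys nested one level under a top-level 'Resources:' mapping.

    Deliberately line-based rather than a YAML parser: only the top-level
    logical IDs are needed, and this avoids a PyYAML dependency that would
    also need constructors for !Ref and the other CloudFormation tags.
    """
    ids = []
    in_resources = False
    child_indent = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            # A new top-level key starts; track whether it is Resources.
            in_resources = stripped == "Resources:"
            child_indent = None
            continue
        if not in_resources:
            continue
        if child_indent is None:
            child_indent = indent  # the first child fixes the ID indentation
        if indent == child_indent and stripped.endswith(":"):
            ids.append(stripped[:-1].strip().strip("'\""))
    return ids


def non_cfn_logical_ids(text):
    """Return the logical IDs in a template that CloudFormation would reject."""
    if text.lstrip().startswith("{"):
        ids = resource_ids_from_json(text)
    else:
        ids = resource_ids_from_yaml(text)
    return [i for i in ids if not LOGICAL_ID_RE.match(i)]


if __name__ == "__main__":
    samples = [("crashing", CRASHING_TEMPLATE), ("safe", SAFE_TEMPLATE), ("json", JSON_TEMPLATE)]
    for name, tpl in samples:
        bad = non_cfn_logical_ids(tpl)
        verdict = "OK" if not bad else "non-CFN logical IDs: " + ", ".join(bad)
        print(f"{name}: {verdict}")
```

Run it against each template before invoking guard; a non-empty list means the template is outside what CloudFormation (and, per this report, the CfnAware reporter) expects, so either rename the resources or expect the validate step to abort rather than report a clean FAIL.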