cfn_nag v0.7.2 fails on templates for lambdas that are packaged as containers

[lots2learn]

trafficstars

We have a lambda packaged as a container image we want to deploy using CfCT. The Cloudformation template itself is valid and a current version of cfn_nag (v0.8.9) finds no failures. In the CfCT pipeline the validation phase fails because cfn_nag v0.7.2 that is used shows a Failure when Handler and Runtime are not defined.

The error message we get using cfn_nag v0.7.2 is:

Basic CloudFormation syntax error:[#<Kwalify::ValidationError: [/Resources/LambdaFunction/Properties] key 'Handler:' is required.>, #<Kwalify::ValidationError: [/Resources/LambdaFunction/Properties] key 'Runtime:' is required.>]

The newest versions of cfn_nag do allow for the fact that lambdas can be packaged as containers.

I kindly request to update the cfn_nag package used version in CfCT.

Best regards, Marcel

[balltrev]

Thanks for bringing this up @lots2learn, I've gone ahead and created a backlog item with the team to address this

[lots2learn]

Thanks @balltrev. You get my +1 of removing cfn_nag from the pipeline validation stage. Additional to using cfn_nag before committing, we've written a script that does all kinds of other validations before we commit and kick off the pipeline. This includes checking if all resource files exist, target OUs, Accounts and regions are valid and if all parameters that are mentioned in the manifest actually exist in the resource templates. So lots of overlap of what is done in the pipeline as well, but when there are issues we catch them sooner.