Adding support for nested results on Fn:GetAtt

liwadman · liwadman · commit 4af83fa3e875 · 2026-04-06T15:24:43.000-07:00
diff --git a/.gitignore b/.gitignore
@@ -5,5 +5,5 @@ dist/*
 *.egg-info/*
 .run
 .tox
-
+.venv
 __pycache__
diff --git a/cfn_policy_validator/parsers/utils/intrinsic_functions/fn_get_att_evaluator.py b/cfn_policy_validator/parsers/utils/intrinsic_functions/fn_get_att_evaluator.py
@@ -93,6 +93,12 @@ def evaluate(self, get_att_lookup, visited_nodes=None):
 		# IAM policy
 		properties = resource.get('Properties', {})
 		property_value = properties.get(attribute_name)
+
+		# Support nested GetAtt attributes (e.g. MasterUserSecret.SecretArn, which is split as a dotted attribute name).
+		# Traverse into nested properties when the attribute contains a dot.
+		if property_value is None and '.' in attribute_name:
+			property_value = self._resolve_nested_property(properties, attribute_name)
+
 		if property_value is None:
 			raise ApplicationError(f'Call to GetAtt not supported for: {logical_name_of_resource}.{attribute_name}')
 
@@ -103,6 +109,22 @@ def evaluate(self, get_att_lookup, visited_nodes=None):
 		# there are many return types for GetAtt, so it's the caller's responsibility to validate expected type
 		return self.node_evaluator.eval(property_value, visited_nodes=visited_nodes)
 
+	@staticmethod
+	def _resolve_nested_property(properties, attribute_name):
+		"""Resolve dotted attribute names by traversing nested properties.
+		For example, 'MasterUserSecret.SecretArn' looks up properties['MasterUserSecret']['SecretArn'].
+		"""
+		parts = attribute_name.split('.')
+		current = properties
+		for part in parts:
+			if isinstance(current, dict):
+				current = current.get(part)
+			else:
+				return None
+			if current is None:
+				return None
+		return current
+
 	def get_code_artifact_name(self, region, resource_name, resource):
 		properties = resource.get('Properties',[])
 		return properties.get('DomainName')
diff --git a/cfn_policy_validator/tests/cfn_tools_tests/test_yaml_parser.py b/cfn_policy_validator/tests/cfn_tools_tests/test_yaml_parser.py
@@ -122,3 +122,12 @@ def test_dates_are_parsed_to_string(self):
 			'Version': '2012-10-21'
 		}
 		self.assert_parsed_result_is_expected(expected_template, raw_template)
+
+	def test_get_att_shorthand_with_nested_dotted_attribute_is_replaced(self):
+		raw_template = """
+!GetAtt RdsDbCluster.MasterUserSecret.SecretArn
+"""
+		expected_template = {
+			'Fn::GetAtt': ['RdsDbCluster', 'MasterUserSecret.SecretArn']
+		}
+		self.assert_parsed_result_is_expected(expected_template, raw_template)
diff --git a/cfn_policy_validator/tests/parsers_tests/utils_tests/intrinsic_functions_tests/test_get_att_evaluator.py b/cfn_policy_validator/tests/parsers_tests/utils_tests/intrinsic_functions_tests/test_get_att_evaluator.py
@@ -233,3 +233,61 @@ def test_raises_an_error(self):
             node_evaluator.eval(template['Resources']['ResourceA']['Properties']['RoleName'])
 
         self.assertEqual("Additional items are not allowed ('Value2' was unexpected), Path: Fn::GetAtt", str(cm.exception))
+
+
+class WhenEvaluatingAPolicyWithAGetAttForANestedDottedAttribute(unittest.TestCase):
+	"""Reproduces the customer issue where !GetAtt RdsDbCluster.MasterUserSecret.SecretArn
+	fails with 'Call to GetAtt not supported'."""
+
+	@mock_node_evaluator_setup()
+	def test_returns_nested_property_value(self):
+		template = load_resources({
+			'RdsDbCluster': {
+				'Type': 'AWS::RDS::DBCluster',
+				'Properties': {
+					'MasterUserSecret': {
+						'SecretArn': 'arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret'
+					}
+				}
+			},
+			'ResourceA': {
+				'Type': 'AWS::Random::Service',
+				'Properties': {
+					'PolicyProperty': {
+						'Fn::GetAtt': ['RdsDbCluster', 'MasterUserSecret.SecretArn']
+					}
+				}
+			}
+		})
+
+		node_evaluator = build_node_evaluator(template)
+
+		result = node_evaluator.eval(template['Resources']['ResourceA']['Properties']['PolicyProperty'])
+		self.assertEqual('arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret', result)
+
+	@mock_node_evaluator_setup()
+	def test_raises_exception_when_nested_property_does_not_exist(self):
+		template = load_resources({
+			'RdsDbCluster': {
+				'Type': 'AWS::RDS::DBCluster',
+				'Properties': {
+					'MasterUserSecret': {
+						'OtherProp': 'value'
+					}
+				}
+			},
+			'ResourceA': {
+				'Type': 'AWS::Random::Service',
+				'Properties': {
+					'PolicyProperty': {
+						'Fn::GetAtt': ['RdsDbCluster', 'MasterUserSecret.SecretArn']
+					}
+				}
+			}
+		})
+
+		node_evaluator = build_node_evaluator(template)
+
+		with self.assertRaises(ApplicationError) as context:
+			node_evaluator.eval(template['Resources']['ResourceA']['Properties']['PolicyProperty'])
+		self.assertEqual('Call to GetAtt not supported for: RdsDbCluster.MasterUserSecret.SecretArn', str(context.exception))
