Adding support for new resource types in check-no-public-access api. #49
mponaws merged 1 commit into awslabs:main from
| AWS::SNS::TopicPolicy | x | | x | | |
| AWS::SecretsManager::ResourcePolicy | x | | x | | |
| AWS::IAM::Role (trust policy) | x | x | x | | |
| AWS::S3Tables::TableBucket | | | x | | |
from cfn_policy_validator import client
from cfn_policy_validator.application_error import ApplicationError

def get_dashboard_created_time(region, resource_name, resource=None):
Q: why resource as parameter if it's anyway never going to be used?
The method call in cfn_policy_validator/parsers/utils/intrinsic_functions/fn_get_att_evaluator.py is from a map of resource types to the appropriate method. For one of them, resource is needed. Hence, I ended up adding it to all.
def get_dashboard_attribute(region, resource_name, attribute):
    supported_attributes = ['Type', 'CreatedTimestamp', 'Status', 'UpdatedTimestamp']
Let's define it as an enum, instead of copy-pasting the literal string values.
def parse(self, _, resource):
    evaluated_resource = resource.eval(rest_api_policy_schema)
    properties = evaluated_resource['Properties']
Probably in a separate PR, but I think we will benefit from integrating with https://github.com/keleshev/schema, rather than defining our own JSON-based schema here.
    name = properties['Name']

    policy = Policy('Policy', policy_document)
    resource = Resource(name, 'AWS::ApiGateway::RestApi', policy)
Shall we have an enum for all the different resource types like AWS::ApiGateway::RestApi?
It can be in a separate CR.
    'AWS::CloudFront::CloudFrontOriginAccessIdentity': {
        'S3CanonicalUserId': get_canonical_user
    },
    'AWS::ApiGateway::RestApi': {
Would love to have these as enums, or at least global variables.
# Resolution of the rest api id.
def get_rest_api_id(region, rest_api_name, resource=None):
    if rest_api_name in api_cache:
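Review bot: the cache lookup keys on rest_api_name alone even though the function also takes region; if api_cache is module-level and the validator is run against more than one region, a same-named REST API in a second region would be served the first region's cached id. Key the cache on (region, rest_api_name), or scope the cache to the per-region client.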
nit: this cache-validation logic can be moved to get_attributes method
Will take care of the following changes in a separate PR
Description of changes:
Adding support for the following resource types in check-no-public-access api.
Changes made include the following:
a. Add a parser to extract the policy from the CloudFormation template.
b. Add logic to evaluate supported intrinsic functions (Ref, GetAttr).
c. Add tests under tests/parser_tests/resource_tests.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
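As an added illustration of items a and b above (example code written for this page, not the PR's own cfn_policy_validator code): it extracts the Policy of each AWS::ApiGateway::RestApi resource from a constructed template and resolves Ref (to a parameter default) and Fn::GetAtt (via a hypothetical per-type resolver map standing in for the PR's map of resource types to lookup methods), raising on anything it cannot resolve rather than passing an unevaluated intrinsic into the policy check. The account id, parameter and role ARN are constructed placeholders.

```python
# Constructed sample template (not from the PR): Policy uses Ref and Fn::GetAtt.
TEMPLATE = {
    "Parameters": {"AllowedVpce": {"Type": "String", "Default": "vpce-0123456789abcdef0"}},
    "Resources": {
        "CallerRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "OrdersApi": {"Type": "AWS::ApiGateway::RestApi", "Properties": {
            "Name": "orders-api",
            "Policy": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": "execute-api:Invoke", "Resource": "*",
                "Principal": {"AWS": {"Fn::GetAtt": ["CallerRole", "Arn"]}},
                "Condition": {"StringEquals": {"aws:SourceVpce": {"Ref": "AllowedVpce"}}},
            }]},
        }},
    },
}

# Hypothetical resolvers keyed by resource type then attribute (mirrors the PR's
# map of resource types to lookup methods); the ARN is constructed, not fetched.
ATTRIBUTE_RESOLVERS = {
    "AWS::IAM::Role": {"Arn": lambda logical_id: f"arn:aws:iam::123456789012:role/{logical_id}"},
}

def evaluate(node, template):
    # Recursively replace Ref and Fn::GetAtt nodes with concrete values.
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            param = template.get("Parameters", {}).get(node["Ref"], {})
            if "Default" not in param:
                raise ValueError(f"Unresolvable Ref: {node['Ref']}")
            return param["Default"]
        if set(node) == {"Fn::GetAtt"}:
            logical_id, attr = node["Fn::GetAtt"]
            rtype = template["Resources"][logical_id]["Type"]
            resolver = ATTRIBUTE_RESOLVERS.get(rtype, {}).get(attr)
            if resolver is None:
                raise ValueError(f"Unsupported GetAtt: {logical_id}.{attr}")
            return resolver(logical_id)
        return {k: evaluate(v, template) for k, v in node.items()}
    if isinstance(node, list):
        return [evaluate(v, template) for v in node]
    return node

def parse_rest_api_policies(template):
    # Return {Name: evaluated Policy} for every AWS::ApiGateway::RestApi.
    found = {}
    for resource in template["Resources"].values():
        if resource["Type"] == "AWS::ApiGateway::RestApi":
            props = evaluate(resource.get("Properties", {}), template)
            if "Policy" in props:
                found[props["Name"]] = props["Policy"]
    return found
```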