Tool fails to parse template with KMS Key Policies that have function based statement
CPMellows opened this issue
Christian Mellows commented
If I have a template that contains a KeyPolicy with a function-based statement, I receive a set of AttributeErrors from the tool, even though it is a valid CloudFormation template. I would expect this to be parsable.
Discovered while using version 1.0.7
Template:

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "The AWS CloudFormation template for this Serverless application",
      "Resources": {
        "CustomerMasterKey": {
          "Type": "AWS::KMS::Key",
          "Properties": {
            "Description": "customerKey",
            "Enabled": true,
            "EnableKeyRotation": true,
            "KeyPolicy": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": "arn:aws:iam::0123456789:root"
                  },
                  "Action": "kms:*",
                  "Resource": "*"
                },
                {
                  "Fn::If": [
                    "IsRightRole",
                    {
                      "Sid": "Allow role to use key",
                      "Effect": "Allow",
                      "Principal": {
                        "AWS": {
                          "Fn::ImportValue": "RoleArn"
                        }
                      },
                      "Action": [
                        "kms:Decrypt",
                        "kms:GenerateDataKey"
                      ],
                      "Resource": "*"
                    },
                    {
                      "Ref": "AWS::NoValue"
                    }
                  ]
                }
              ]
            },
            "KeyUsage": "ENCRYPT_DECRYPT",
            "PendingWindowInDays": 7,
            "Tags": []
          }
        }
      },
      "Conditions": {
        "IsRightRole": {
          "Fn::Or": [
            {
              "Fn::Equals": [
                "wrong",
                "right"
              ]
            },
            {
              "Fn::Equals": [
                "right",
                "right"
              ]
            }
          ]
        }
      }
    }
cfripper output:
~cfripper ~/tmp/template.json
Analysing ~/tmp/template.json...
Not adding KMSKeyCrossAccountTrustRule failure in CustomerMasterKey because no AWS Account ID was found in the config.
KMSKeyCrossAccountTrustRule crashed with AttributeError for project - None, service - None, stack - None
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/cfripper/rule_processor.py", line 24, in process_cf_template
result += rule.invoke(cfmodel, extras)
File "/usr/local/lib/python3.9/site-packages/cfripper/rules/cross_account_trust.py", line 59, in invoke
self._do_statement_check(result, logical_id, statement, filters_available_context)
File "/usr/local/lib/python3.9/site-packages/cfripper/rules/cross_account_trust.py", line 65, in _do_statement_check
if statement.Effect == "Allow":
AttributeError: 'FunctionDict' object has no attribute 'Effect'
KMSKeyWildcardPrincipalRule crashed with AttributeError for project - None, service - None, stack - None
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/cfripper/rule_processor.py", line 24, in process_cf_template
result += rule.invoke(cfmodel, extras)
File "/usr/local/lib/python3.9/site-packages/cfripper/rules/kms_key_wildcard_principal.py", line 41, in invoke
if statement.Effect == "Allow" and statement.principals_with(self.CONTAINS_WILDCARD_PATTERN):
AttributeError: 'FunctionDict' object has no attribute 'Effect'
WildcardResourceRule crashed with AttributeError for project - None, service - None, stack - None
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/cfripper/rule_processor.py", line 24, in process_cf_template
result += rule.invoke(cfmodel, extras)
File "/usr/local/lib/python3.9/site-packages/cfripper/rules/base_rules.py", line 104, in invoke
result += self.resource_invoke(resource=resource, logical_id=logical_id, extras=extras)
File "/usr/local/lib/python3.9/site-packages/cfripper/rules/wildcard_resource_rule.py", line 58, in resource_invoke
self._check_policy_document(result, logical_id, resource.Properties.KeyPolicy, None, extras)
File "/usr/local/lib/python3.9/site-packages/cfripper/rules/wildcard_resource_rule.py", line 70, in _check_policy_document
for statement in policy_document.statements_with(REGEX_IS_STAR):
File "/usr/local/lib/python3.9/site-packages/pycfmodel/model/resources/properties/policy_document.py", line 42, in statements_with
return [statement for statement in self._statement_as_list() if statement.resources_with(pattern)]
File "/usr/local/lib/python3.9/site-packages/pycfmodel/model/resources/properties/policy_document.py", line 42, in <listcomp>
return [statement for statement in self._statement_as_list() if statement.resources_with(pattern)]
AttributeError: 'FunctionDict' object has no attribute 'resources_with'
Oliver Crawford commented
Hey @CPMellows, if you try and run the tool with the --resolve flag, the issue should resolve :)
cfripper ~/tmp/template.json --resolve
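The reason the --resolve flag helps is that it evaluates the template's intrinsic functions before the rules run, so every entry in Statement is a plain statement with an Effect key instead of a Fn::If wrapper. The following is an added example of that idea, not cfripper's or pycfmodel's code: a small resolver for the functions the template above uses (Fn::Or, Fn::Equals, Fn::If, Ref AWS::NoValue, Fn::ImportValue, plus Fn::And and Fn::Not, which the template does not use), applied to a cut-down copy of the template, followed by a cross-account principal check of the kind that crashed in the issue. The exported RoleArn value, the account id passed to the check and all function names are assumptions made for the example. It also covers the edge case where a false condition removes the statement entirely through AWS::NoValue.

```python
"""Evaluate CloudFormation intrinsic functions in a KMS KeyPolicy before
inspecting its statements. Added example; not cfripper's or pycfmodel's code."""
import re

# Constructed template, cut down from the one in the issue.
TEMPLATE = {
    "Conditions": {
        "IsRightRole": {
            "Fn::Or": [{"Fn::Equals": ["wrong", "right"]}, {"Fn::Equals": ["right", "right"]}]
        }
    },
    "Resources": {
        "CustomerMasterKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {"AWS": "arn:aws:iam::0123456789:root"},
                            "Action": "kms:*",
                            "Resource": "*",
                        },
                        {
                            "Fn::If": [
                                "IsRightRole",
                                {
                                    "Sid": "Allow role to use key",
                                    "Effect": "Allow",
                                    "Principal": {"AWS": {"Fn::ImportValue": "RoleArn"}},
                                    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                                    "Resource": "*",
                                },
                                {"Ref": "AWS::NoValue"},
                            ]
                        },
                    ],
                }
            },
        }
    },
}

# Assumption: the value of the "RoleArn" export is supplied by the caller
# (a placeholder ARN here, not anything from the issue).
IMPORTS = {"RoleArn": "arn:aws:iam::999999999999:role/example-role"}

NO_VALUE = object()  # sentinel for Ref AWS::NoValue; dropped from lists and dicts


def resolve(node, conditions, imports):
    """Recursively evaluate the intrinsic functions handled here; anything
    else is copied through unchanged."""
    if isinstance(node, list):
        items = [resolve(x, conditions, imports) for x in node]
        return [x for x in items if x is not NO_VALUE]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref" and arg == "AWS::NoValue":
            return NO_VALUE
        if key == "Fn::ImportValue":
            return imports[resolve(arg, conditions, imports)]
        if key == "Fn::Equals":
            left, right = (resolve(x, conditions, imports) for x in arg)
            return left == right
        if key == "Fn::Or":
            return any(resolve(x, conditions, imports) for x in arg)
        if key == "Fn::And":
            return all(resolve(x, conditions, imports) for x in arg)
        if key == "Fn::Not":
            return not resolve(arg[0], conditions, imports)
        if key == "Fn::If":
            name, if_true, if_false = arg
            branch = if_true if resolve(conditions[name], conditions, imports) else if_false
            return resolve(branch, conditions, imports)
    items = {k: resolve(v, conditions, imports) for k, v in node.items()}
    return {k: v for k, v in items.items() if v is not NO_VALUE}


def key_policy_statements(template, imports, resolve_functions=True):
    """Statements of every AWS::KMS::Key KeyPolicy, with or without resolving."""
    tpl = resolve(template, template.get("Conditions", {}), imports) if resolve_functions else template
    statements = []
    for resource in tpl["Resources"].values():
        if resource.get("Type") == "AWS::KMS::Key":
            stmt = resource["Properties"]["KeyPolicy"]["Statement"]
            statements.extend(stmt if isinstance(stmt, list) else [stmt])
    return statements


def unresolved_statements(statements):
    """Statements that are still function wrappers (no Effect key). A rule
    that reads statement.Effect blindly on these is what crashed in the issue."""
    return [s for s in statements if "Effect" not in s]


ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d+):")


def foreign_account_principals(statements, account_id):
    """AWS principals in Allow statements whose ARN names another account,
    the kind of check a cross-account-trust rule makes once statements are plain."""
    hits = []
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in aws if isinstance(aws, list) else [aws]:
            match = ACCOUNT_IN_ARN.match(arn) if isinstance(arn, str) else None
            if match and match.group(1) != account_id:
                hits.append(arn)
    return hits


if __name__ == "__main__":
    raw = key_policy_statements(TEMPLATE, IMPORTS, resolve_functions=False)
    print("unresolved without --resolve:", len(unresolved_statements(raw)))
    resolved = key_policy_statements(TEMPLATE, IMPORTS)
    print("unresolved with --resolve:", len(unresolved_statements(resolved)))
    print("foreign principals:", foreign_account_principals(resolved, "0123456789"))
```

Without resolving, the second Statement entry is a single-key `Fn::If` dict with no Effect, which is exactly the `'FunctionDict' object has no attribute 'Effect'` situation in the traceback; after resolving, the condition evaluates to true, the Fn::ImportValue is replaced by the caller-supplied ARN, and the cross-account check can see the second principal. A resolver used for real scanning would also need the remaining intrinsic functions and a source for parameter and export values.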
Christian Mellows commented
@ocrawford555 Thanks so much, appreciate the quick response.