trailofbits / algo

Set up a personal VPN in the cloud

Home Page:https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/

EC2 CloudFormation linter identifies public key is not used

glennschler opened this issue · comments

Describe the bug

AWS Cloudformation Linter fails a number of checks

  • Identifies that algo.pem.pub ssh key is being sent as parameter
    PublicSSHKeyParameter even though it is not used in cloud formation.
    This public key was moved into cloud-init data some time in the past.
  • Recommends stronger type checking for the ImageIdParameter
  • Identifies ten template resources with a warning to remove
    the DependsOn attribute: 'Obsolete DependsOn on resource'

To Reproduce

Steps to reproduce the behavior:

  1. Install the linter: pip install cfn-lint
  2. Run the linter against the template:
     cfn-lint roles/cloud-ec2/files/stack.yaml

Expected behavior

Linter should not identify any invalid values or best practices not
followed

Additional context

I think the most important issue to resolve is to remove the ssh key
parameter from being sent to cloud formation.

PublicSSHKeyParameter:
  Type: String

PublicSSHKeyParameter: "{{ lookup('file', SSH_keys.public) }}"

Secondly, a clean lint check is also a benefit.

Full log

W2001 Parameter PublicSSHKeyParameter not used.
roles/cloud-ec2/files/stack.yaml:8:3

W2506 Parameter ImageIdParameter should be of type [AWS::EC2::Image::Id, AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>]
roles/cloud-ec2/files/stack.yaml:10:3

W3005 Obsolete DependsOn on resource (InternetGateway), dependency already enforced by a "Ref" at Resources/Route/Properties/GatewayId/Ref
roles/cloud-ec2/files/stack.yaml:86:9

W3005 Obsolete DependsOn on resource (RouteTable), dependency already enforced by a "Ref" at Resources/Route/Properties/RouteTableId/Ref
roles/cloud-ec2/files/stack.yaml:87:9

W3005 Obsolete DependsOn on resource (InternetGateway), dependency already enforced by a "Ref" at Resources/RouteIPv6/Properties/GatewayId/Ref
roles/cloud-ec2/files/stack.yaml:97:9

W3005 Obsolete DependsOn on resource (RouteTable), dependency already enforced by a "Ref" at Resources/RouteIPv6/Properties/RouteTableId/Ref
roles/cloud-ec2/files/stack.yaml:98:9

W3005 Obsolete DependsOn on resource (VPC), dependency already enforced by a "Fn:GetAtt" at Resources/SubnetIPv6/Properties/Ipv6CidrBlock/Fn::Join/1/0/Fn::Select/1/Fn::Split/1/Fn::Select/1/Fn::GetAtt
roles/cloud-ec2/files/stack.yaml:109:9

W3005 Obsolete DependsOn on resource (RouteTable), dependency already enforced by a "Ref" at Resources/RouteSubnet/Properties/RouteTableId/Ref
roles/cloud-ec2/files/stack.yaml:122:9

W3005 Obsolete DependsOn on resource (Subnet), dependency already enforced by a "Ref" at Resources/RouteSubnet/Properties/SubnetId/Ref
roles/cloud-ec2/files/stack.yaml:123:9

W3005 Obsolete DependsOn on resource (Subnet), dependency already enforced by a "Ref" at Resources/EC2Instance/Properties/SubnetId/Ref
roles/cloud-ec2/files/stack.yaml:170:9

W3005 Obsolete DependsOn on resource (InstanceSecurityGroup), dependency already enforced by a "Ref" at Resources/EC2Instance/Properties/SecurityGroupIds/0/Ref
roles/cloud-ec2/files/stack.yaml:171:9

W3005 Obsolete DependsOn on resource (EC2Instance), dependency already enforced by a "Ref" at Resources/ElasticIP/Properties/InstanceId/Ref
roles/cloud-ec2/files/stack.yaml:208:9
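As an added example (not code from algo, from cfn-lint, or from the issue author): a stand-alone re-implementation of the two checks that make up almost all of the log above, W2001 (parameter declared but never referenced) and W3005 (DependsOn already implied by a Ref/GetAtt in the same resource). It runs over a constructed, cut-down JSON stand-in for stack.yaml rather than the real template; the resource and parameter names are assumptions shaped after the log, and a DependsOn on VPC that is not implied by any Ref is included so the check can be seen leaving a legitimate dependency alone. The Fn::Sub handling goes slightly beyond what the log shows, so that a parameter used only inside a Sub string is not reported as unused.

```python
"""Minimal re-implementation of cfn-lint's W2001 and W3005 checks.

Added example, not code from algo or cfn-lint. SAMPLE_TEMPLATE is a
constructed stand-in for roles/cloud-ec2/files/stack.yaml written in
CloudFormation's JSON form so it loads with the standard library only.
"""
import json
import re
from typing import Any, Iterator, List, Tuple

# Constructed sample (assumption: shaped like the issue describes, not the
# real stack.yaml). PublicSSHKeyParameter is declared but never referenced;
# Route both DependsOn and Refs InternetGateway/RouteTable (W3005), while its
# DependsOn on VPC is not implied by any Ref and must be kept.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Parameters": {
    "PublicSSHKeyParameter": {"Type": "String"},
    "ImageIdParameter": {"Type": "String"},
    "InstanceTypeParameter": {"Type": "String"}
  },
  "Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
    "RouteTable": {"Type": "AWS::EC2::RouteTable",
                   "Properties": {"VpcId": {"Ref": "VPC"}}},
    "Route": {"Type": "AWS::EC2::Route",
              "DependsOn": ["InternetGateway", "RouteTable", "VPC"],
              "Properties": {"RouteTableId": {"Ref": "RouteTable"},
                             "DestinationCidrBlock": "0.0.0.0/0",
                             "GatewayId": {"Ref": "InternetGateway"}}},
    "EC2Instance": {"Type": "AWS::EC2::Instance",
                    "Properties": {"ImageId": {"Ref": "ImageIdParameter"},
                                   "UserData": {"Fn::Base64": {"Fn::Sub":
                                     "#!/bin/sh\necho ${InstanceTypeParameter} ${AWS::Region}"}}}}
  }
}
""")

SUB_VAR = re.compile(r"\$\{([^}]+)\}")


def references(node: Any) -> Iterator[str]:
    """Yield every logical name referenced by Ref, Fn::GetAtt or Fn::Sub
    anywhere under `node`. AWS::* pseudo-parameters and ${!literal} are skipped."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                if not value.startswith("AWS::"):
                    yield value
            elif key == "Fn::GetAtt":
                # Either ["Logical", "Attr"] or the string form "Logical.Attr".
                yield value[0] if isinstance(value, list) else str(value).split(".", 1)[0]
            elif key == "Fn::Sub":
                text = value[0] if isinstance(value, list) else value
                local = value[1] if isinstance(value, list) and len(value) > 1 else {}
                for var in SUB_VAR.findall(text):
                    if var.startswith("!") or var.startswith("AWS::"):
                        continue
                    name = var.split(".", 1)[0]   # ${Res.Attr} refers to Res
                    if name not in local:          # locally bound names shadow
                        yield name
                yield from references(local)       # the local map may Ref things
            else:
                yield from references(value)
    elif isinstance(node, list):
        for item in node:
            yield from references(item)


def unused_parameters(template: dict) -> List[str]:
    """W2001: parameters declared but never referenced by any resource,
    output or condition."""
    declared = set(template.get("Parameters", {}))
    used = set()
    for section in ("Resources", "Outputs", "Conditions"):
        used.update(references(template.get(section, {})))
    return sorted(declared - used)


def obsolete_depends_on(template: dict) -> List[Tuple[str, str]]:
    """W3005: DependsOn entries already implied by a Ref/GetAtt inside the
    same resource's Properties. Returns (resource, dependency) pairs."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        deps = resource.get("DependsOn", [])
        deps = [deps] if isinstance(deps, str) else deps
        implied = set(references(resource.get("Properties", {})))
        findings.extend((name, dep) for dep in deps if dep in implied)
    return findings


if __name__ == "__main__":
    for param in unused_parameters(SAMPLE_TEMPLATE):
        print(f"W2001 Parameter {param} not used.")
    for res, dep in obsolete_depends_on(SAMPLE_TEMPLATE):
        print(f"W3005 Obsolete DependsOn on resource ({dep}) in {res}")
```

Removing the unused parameter from both the template and the Ansible call that feeds it is the fix the issue asks for; the W3005 findings are safe to clean up because every flagged DependsOn is on a resource that the same resource already Refs, which CloudFormation orders automatically.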