Update IAM resource ARN patterns (#3389)

kddejong · web-flow · commit 3d9be79618e8 · 2024-06-24T13:09:41.000-07:00
* Update IAM resource policy pattern
diff --git a/src/cfnlint/data/schemas/other/iam/policy.json b/src/cfnlint/data/schemas/other/iam/policy.json
@@ -16,7 +16,7 @@
    ]
   },
   "AwsArn": {
-   "pattern": "^(arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*:(?:\\d{12}|\\*|aws)?:.+|\\*)$",
+   "pattern": "(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\d{12}|\\*|aws)?:.+|)|\\*)$",
    "type": "string"
   },
   "AwsPrincipalArn": {
diff --git a/test/fixtures/results/quickstart/nist_application.json b/test/fixtures/results/quickstart/nist_application.json
@@ -89,7 +89,7 @@
     },
     {
         "Filename": "test/fixtures/templates/quickstart/nist_application.yaml",
-        "Id": "ec06918e-fb60-f3d0-e930-a45d55f4f680",
+        "Id": "81670f17-4f0b-a2b6-f94e-4385058cb73d",
         "Level": "Error",
         "Location": {
             "End": {
@@ -106,7 +106,7 @@
                 "LineNumber": 198
             }
         },
-        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '^(arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*:(?:\\\\d{12}|\\\\*|aws)?:.+|\\\\*)$' when 'Ref' is resolved",
+        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\\\d{12}|\\\\*|aws)?:.+|)|\\\\*)$' when 'Ref' is resolved",
         "ParentId": null,
         "Rule": {
             "Description": "IAM identity polices are embedded JSON in CloudFormation. This rule validates those embedded policies.",
diff --git a/test/fixtures/results/quickstart/non_strict/nist_application.json b/test/fixtures/results/quickstart/non_strict/nist_application.json
@@ -89,7 +89,7 @@
     },
     {
         "Filename": "test/fixtures/templates/quickstart/nist_application.yaml",
-        "Id": "ec06918e-fb60-f3d0-e930-a45d55f4f680",
+        "Id": "81670f17-4f0b-a2b6-f94e-4385058cb73d",
         "Level": "Error",
         "Location": {
             "End": {
@@ -106,7 +106,7 @@
                 "LineNumber": 198
             }
         },
-        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '^(arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*:(?:\\\\d{12}|\\\\*|aws)?:.+|\\\\*)$' when 'Ref' is resolved",
+        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\\\d{12}|\\\\*|aws)?:.+|)|\\\\*)$' when 'Ref' is resolved",
         "ParentId": null,
         "Rule": {
             "Description": "IAM identity polices are embedded JSON in CloudFormation. This rule validates those embedded policies.",
diff --git a/test/unit/rules/resources/iam/test_identity_policy.py b/test/unit/rules/resources/iam/test_identity_policy.py
@@ -102,6 +102,7 @@ def test_object_statements(self):
                                 "arn:${AWS::Partition}:iam::123456789012:role/object-role"
                             ]
                         },
+                        "arn:aws:medialive:*",
                     ],
                 }
             ],

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`]`
`17`	`17`	`},`
`18`	`18`	`"AwsArn": {`
`19`		`- "pattern": "^(arn:(aws\|aws-cn\|aws-us-gov):[^:]+:[^:]:(?:\\d{12}\|\\\|aws)?:.+\|\\*)$",`
	`19`	`+ "pattern": "(^arn:(aws\|aws-cn\|aws-us-gov):[^:]+:[^:](:(?:\\d{12}\|\\\|aws)?:.+\|)\|\\*)$",`
`20`	`20`	`"type": "string"`
`21`	`21`	`},`
`22`	`22`	`"AwsPrincipalArn": {`
Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,7 @@ def test_object_statements(self):`
`102`	`102`	`"arn:${AWS::Partition}:iam::123456789012:role/object-role"`
`103`	`103`	`]`
`104`	`104`	`},`
	`105`	`+ "arn:aws:medialive:*",`
`105`	`106`	`],`
`106`	`107`	`}`
`107`	`108`	`],`