Add rule W1051 to validate if dyn ref when arn (#3962)

kddejong · web-flow · commit b4d790dd57b3 · 2025-02-24T12:10:18.000-08:00
diff --git a/src/cfnlint/rules/functions/DynamicReference.py b/src/cfnlint/rules/functions/DynamicReference.py
@@ -77,6 +77,7 @@ def __init__(self) -> None:
         super().__init__()
         self.child_rules = {
             "E1051": None,
+            "W1051": None,
             "E1027": None,
         }
 
@@ -125,9 +126,10 @@ def dynamicReference(
                     evolved = validator.evolve(schema=_secrets_manager_arn)
                 else:  # this is secrets manager
                     evolved = validator.evolve(schema=_secrets_manager)
-                rule = self.child_rules["E1051"]
-                if rule and hasattr(rule, "validate"):
-                    yield from rule.validate(validator, {}, v, schema)
+                for rule_id in ["E1051", "W1051"]:
+                    rule = self.child_rules[rule_id]
+                    if rule and hasattr(rule, "validate"):
+                        yield from rule.validate(validator, {}, v, schema)
 
             for err in evolved.iter_errors(parts):
                 yield self._clean_errors(err)
diff --git a/src/cfnlint/rules/functions/DynamicReferenceSecretsManagerArn.py b/src/cfnlint/rules/functions/DynamicReferenceSecretsManagerArn.py
@@ -0,0 +1,61 @@
+"""
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+
+from typing import Any
+
+import regex as re
+
+from cfnlint.jsonschema import ValidationError, Validator
+from cfnlint.rules import CloudFormationLintRule
+
+
+class DynamicReferenceSecretsManagerArn(CloudFormationLintRule):
+    id = "W1051"
+    shortdesc = (
+        "Validate dynamic references to secrets manager "
+        "are not used when a secrets manager ARN was expected"
+    )
+    description = (
+        "Certain properties expect a secret manager ARN. This rule "
+        "validates if you may be accidently using a secret in place "
+        "of the ARN"
+    )
+    source_url = "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager"
+    tags = ["functions", "dynamic reference"]
+
+    def validate(self, validator: Validator, s: Any, instance: Any, schema: Any):
+
+        if "Fn::Sub" == validator.context.path.path[-1]:
+            if not re.match(r"^(\\\")?{{resolve:secretsmanager:.*}}(\\\")?$", instance):
+                return
+
+        if len(validator.context.path.path) < 3:
+            return
+
+        if (
+            validator.context.path.path[0] != "Resources"
+            or validator.context.path.path[2] != "Properties"
+        ):
+            return
+
+        fields = [
+            "SecretArn",
+            "SecretARN",
+            "SecretsManagerSecretId",
+            "SecretsManagerOracleAsmSecretId",
+            "SecretsManagerSecurityDbEncryptionSecretId",
+            "SecretsManagerConfiguration",
+        ]
+
+        for field in fields:
+            if any(field == p for p in validator.context.path.path):
+                yield ValidationError(
+                    (
+                        f"Dynamic reference {instance!r} to secrets manager when "
+                        f"the field {field!r} expects the ARN to the secret and "
+                        "not the secret"
+                    ),
+                    rule=self,
+                )
diff --git a/src/cfnlint/rules/functions/Sub.py b/src/cfnlint/rules/functions/Sub.py
@@ -31,6 +31,7 @@ def __init__(self) -> None:
             {
                 "W1019": None,
                 "W1020": None,
+                "W1051": None,
             }
         )
         self._functions = [
@@ -142,9 +143,14 @@ def fn_sub(
 
         # we know the structure is valid at this point
         # so any child rule doesn't have to revalidate it
+        value_validator = validator.evolve(
+            context=validator.context.evolve(
+                path=validator.context.path.descend(path=key)
+            )
+        )
         for _, rule in self.child_rules.items():
             if rule and hasattr(rule, "validate"):
-                for err in rule.validate(validator, s, instance.get("Fn::Sub"), schema):
+                for err in rule.validate(value_validator, s, value, schema):
                     err.path.append("Fn::Sub")
                     err.rule = rule
                     yield err
diff --git a/test/unit/rules/functions/test_dynamic_reference.py b/test/unit/rules/functions/test_dynamic_reference.py
@@ -47,6 +47,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [],
         ),
@@ -57,6 +58,7 @@ def context(cfn):
             {
                 "E1051": None,
                 "E1027": None,
+                "W1051": None,
             },
             [],
         ),
@@ -67,6 +69,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [],
         ),
@@ -77,6 +80,7 @@ def context(cfn):
             {
                 "E1051": None,
                 "E1027": None,
+                "W1051": None,
             },
             [],
         ),
@@ -87,6 +91,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [],
         ),
@@ -97,6 +102,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [],
         ),
@@ -107,6 +113,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [
                 ValidationError(
@@ -123,6 +130,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [
                 ValidationError(
@@ -139,6 +147,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [],
         ),
@@ -149,6 +158,7 @@ def context(cfn):
             {
                 "E1051": None,
                 "E1027": None,
+                "W1051": None,
             },
             [],
         ),
@@ -159,6 +169,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [],
         ),
@@ -169,6 +180,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [],
         ),
@@ -179,6 +191,7 @@ def context(cfn):
             {
                 "E1051": _TestRule(),
                 "E1027": _TestRule(),
+                "W1051": _TestRule(),
             },
             [
                 ValidationError(
diff --git a/test/unit/rules/functions/test_dynamic_reference_secrets_manager_arn.py b/test/unit/rules/functions/test_dynamic_reference_secrets_manager_arn.py
@@ -0,0 +1,102 @@
+"""
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+
+from collections import deque
+
+import pytest
+
+from cfnlint.jsonschema import ValidationError
+from cfnlint.rules.functions.DynamicReferenceSecretsManagerArn import (
+    DynamicReferenceSecretsManagerArn,
+)
+
+
+@pytest.fixture(scope="module")
+def rule():
+    rule = DynamicReferenceSecretsManagerArn()
+    yield rule
+
+
+@pytest.mark.parametrize(
+    "name,instance,path,expected",
+    [
+        (
+            "Valid secrets manager",
+            "{{resolve:secretsmanager:Parameter}}",
+            {
+                "path": deque(["Resources", "MyResource", "Properties", "Password"]),
+            },
+            [],
+        ),
+        (
+            "Valid sub not to secrets manaager",
+            "secretsmanager",
+            {
+                "path": deque(
+                    ["Resources", "MyResource", "Properties", "Password", "Fn::Sub"]
+                ),
+            },
+            [],
+        ),
+        (
+            "Valid secrets manager outside of Resources",
+            "{{resolve:secretsmanager:Parameter}}",
+            {
+                "path": deque(["Parameters", "Type", "Default"]),
+            },
+            [],
+        ),
+        (
+            "Valid secrets manager outside of Resources",
+            "{{resolve:secretsmanager:Parameter}}",
+            {
+                "path": deque(["Metadata", "Value"]),
+            },
+            [],
+        ),
+        (
+            "Invalid secrets manager when ARN was expected",
+            "{{resolve:secretsmanager:secret}}",
+            {
+                "path": deque(["Resources", "MyResource", "Properties", "SecretArn"]),
+            },
+            [
+                ValidationError(
+                    (
+                        "Dynamic reference '{{resolve:secretsmanager:secret}}'"
+                        " to secrets manager when the field 'SecretArn' expects "
+                        "the ARN to the secret and not the secret"
+                    ),
+                    rule=DynamicReferenceSecretsManagerArn(),
+                )
+            ],
+        ),
+        (
+            "Invalid secrets manager when ARN was expected",
+            '\\"{{resolve:secretsmanager:${MyParameter}}}\\"',
+            {
+                "path": deque(
+                    ["Resources", "MyResource", "Properties", "SecretArn", "Fn::Sub"]
+                ),
+            },
+            [
+                ValidationError(
+                    (
+                        "Dynamic reference "
+                        "'\\\\\"{{resolve:secretsmanager:${MyParameter}}}\\\\\"'"
+                        " to secrets manager when the field 'SecretArn' "
+                        "expects the ARN to the secret and not the secret"
+                    ),
+                    rule=DynamicReferenceSecretsManagerArn(),
+                )
+            ],
+        ),
+    ],
+    indirect=["path"],
+)
+def test_validate(name, instance, path, expected, validator, rule):
+    errs = list(rule.validate(validator, {}, instance, {}))
+
+    assert errs == expected, f"Test {name!r} got {errs!r}"
