
CFN nag error when running it on a template that contains intrinsic function Fn::ForEach #621

Open
gopinjag opened this issue Nov 15, 2023 · 6 comments

Comments

@gopinjag

We have a template that, using hostnames as the identifier, creates resources with the Fn::ForEach intrinsic function. A sample of the template:

AWSTemplateFormatVersion: 2010-09-09
Transform: "AWS::LanguageExtensions"
Mappings:
  Instances:
    InstanceType:
      B: m5.4xlarge
      C: c5.2xlarge
    ImageId:
      A: ami-id1
Resources:
  "Fn::ForEach::Instances":
    - Identifier
    - [A, B, C]
    - "Instance${Identifier}":
        Type: "AWS::EC2::Instance"
        Properties:
          InstanceType:
            !FindInMap [
              Instances,
              InstanceType,
              !Ref "Identifier",
              { DefaultValue: m5.xlarge },
            ]
          ImageId:
            !FindInMap [
              Instances,
              ImageId,
              !Ref "Identifier",
              { DefaultValue: ami-id-default },
            ]
Outputs:
  SecondInstanceId:
    Description: Instance Id for InstanceB
    Value: !Ref "InstanceB"
  SecondPrivateIp:
    Description: Private IP for InstanceB
    Value: !GetAtt [InstanceB, PrivateIp]

When I run a cfn_nag scan on the template with the command cfn_nag_scan --input-path <> I get an error:

opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:20:in `block in validate': no implicit conversion of String into Integer (TypeError)
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:19:in `each'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:19:in `validate'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/schema_generator.rb:17:in `generate'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/cloudformation_validator.rb:13:in `validate'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:220:in `pre_validate_model'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:62:in `parse_without_parameters'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:43:in `parse'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:87:in `audit'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:68:in `block in audit_aggregate_across_files'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:65:in `each'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:65:in `audit_aggregate_across_files'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:35:in `audit_aggregate_across_files_and_render_results'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag_executor.rb:50:in `execute_aggregate_scan'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag_executor.rb:30:in `scan'
	from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/bin/cfn_nag_scan:11:in `<top (required)>'
	from /opt/homebrew/bin/cfn_nag_scan:6:in `load'
	from /opt/homebrew/bin/cfn_nag_scan:6:in `<main>'

Commenting out that resource block from the template, no error is returned. Could the team confirm support for the intrinsic function?

cfn nag version

cfn_nag_scan --version
0.8.10
@joegajeckyj

Yup same here

@ap-hyperbole

+1 same issue here with ForEach

@dicknetherlands

dicknetherlands commented Jan 3, 2024

+1 same here (using version 0.8.10)

In addition, it is preventing me from deploying a stack using ForEach via the manifest in Customizations for AWS Control Tower (CfCT), because cfn_nag is built into the AWS-controlled validation mechanism for it. (Theirs is pinned to version 0.7.2 and can't be changed...!)

In this situation a fix to cfn_nag won't solve the problem. Is there a workaround instead that still lets me use ForEach without cfn_nag breaking?
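The crash in the original post comes from cfn-model's resource type validator indexing each entry under Resources as a resource hash; the Fn::ForEach::Instances entry is a YAML list, so the string lookup fails with the TypeError shown. One workaround for a pinned, ForEach-unaware cfn_nag, as asked above, is to expand the loop into concrete resources before scanning so the security rules still run over every generated instance. The following pre-processor is an added example, not cfn_nag or cfn-model code; it assumes the template has already been loaded into a hash with long-form intrinsics (YAML tags such as !Ref resolved by the loader), and the sample data is constructed to mirror the template in the issue.

```ruby
# Added example, not cfn_nag or cfn-model code: expand Fn::ForEach::<Name> entries
# under Resources into concrete resources, as the AWS::LanguageExtensions transform
# does, so the result can be scanned by a cfn_nag release that predates the function.
# Works on the parsed template in long form ({"Ref" => "Identifier"}); YAML tags like !Ref are not handled here.
FOR_EACH_PREFIX = 'Fn::ForEach::'.freeze

# Deep-copy a fragment, replacing references to the loop identifier:
# "${Identifier}" inside strings and {"Ref" => "Identifier"} both become the value.
def substitute(node, identifier, value)
  case node
  when Hash
    return value if node.size == 1 && node['Ref'] == identifier
    node.each_with_object({}) do |(k, v), h|
      h[substitute(k, identifier, value)] = substitute(v, identifier, value)
    end
  when Array then node.map { |v| substitute(v, identifier, value) }
  when String then node.gsub("${#{identifier}}", value.to_s)
  else node
  end
end

# Return a new Resources hash with every Fn::ForEach::* entry expanded. A malformed
# block raises a clear ArgumentError instead of the opaque TypeError from the issue.
def expand_for_each(resources)
  resources.each_with_object({}) do |(logical_id, body), out|
    unless logical_id.start_with?(FOR_EACH_PREFIX)
      out[logical_id] = body
      next
    end
    raise ArgumentError, "#{logical_id}: expected [identifier, collection, template]" unless body.is_a?(Array) && body.size == 3
    identifier, collection, template = body
    collection.each do |value|
      substitute(template, identifier, value).each do |new_id, resource|
        raise ArgumentError, "duplicate logical id #{new_id}" if out.key?(new_id)
        out[new_id] = resource
      end
    end
  end
end

# Constructed sample with the same shape as the template in the issue (long form).
SAMPLE_RESOURCES = {
  'Fn::ForEach::Instances' => [
    'Identifier', %w[A B C],
    { 'Instance${Identifier}' => {
      'Type' => 'AWS::EC2::Instance',
      'Properties' => { 'InstanceType' => { 'Fn::FindInMap' =>
        ['Instances', 'InstanceType', { 'Ref' => 'Identifier' }, { 'DefaultValue' => 'm5.xlarge' }] } } } }
  ]
}.freeze
```

Feed the expanded Resources (with the original Mappings and Outputs) to cfn_nag_scan; the Outputs referencing InstanceB resolve because InstanceB now exists as a plain resource.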

@elelkhoury

+1 Same here

@mumehta

mumehta commented Mar 5, 2024

Any fix for this issue?

@jpSimkins

Same here. I think this project is abandoned
