cloudformation-guard: [BUG] working v1 rules dealing with tags do not migrate well to v2

Describe the bug

After using the migrate tool to move all our old v1 rules (a few thousand lines) to v2, none of them are in any working state whatsoever.

Most rules we got are about ensuring the presence of certain tags and sometimes ensuring their values.

To Reproduce

Please supply:

  • Example rules and template that result in the error

let EnvironmentType = [{"Key":"EnvironmentType","Value":"EnvironmentType"},{"Key":"EnvironmentType","Value":{"Ref":"EnvironmentType"}},{"Key":"EnvironmentType","PropagateAtLaunch":True,"Value":"EnvironmentType"},{"Key":"EnvironmentType","PropagateAtLaunch":True,"Value":{"Ref":"EnvironmentType"}}]
AWS::ECS::Cluster Tags.* IN %EnvironmentType

Migrates to:

rule migrated_rules {
    let aws_ecs_cluster = Resources.*[ Type == "AWS::ECS::Cluster" ]
    let EnvironmentType = [{"Key": "EnvironmentType", "Value": "EnvironmentType"}, {"Key": "EnvironmentType", "Value": {"Ref": "EnvironmentType"}}, {"Key": "EnvironmentType", "PropagateAtLaunch": true, "Value": "EnvironmentType"}, {"Key": "EnvironmentType", "PropagateAtLaunch": true, "Value": {"Ref": "EnvironmentType"}}]
    %aws_ecs_cluster.Properties.Tags.* IN %EnvironmentType
}

CFN snippet:

Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref ClusterName
      Tags:
        - Key: ClusterName
          Value: !Ref ClusterName
        - Key: EnvironmentType
          Value: !Ref EnvironmentType
        - Key: Scope
          Value: ecs
        - Key: Name
          Value: !Ref ClusterName
        - Key: OwnerContact
          Value: !Ref OwnerContact

  • The commands you used to invoke the tool

$ cfn-guard migrate -r ./v1-rules -o ./v2-rules
$ cfn-guard validate -r ./v2-rules -d test.yml
Summary Report Overall File Status = FAIL
PASS/SKIP rules
FAILED rules
migrated_rules    FAIL

  • The output of a -v log level if it’s not related to cfn-guard-lambda, or the relevant CloudWatch log messages if it is related to the cfn-guard-lambda

Summary Report Overall File Status = FAIL
PASS/SKIP rules
FAILED rules
tags    FAIL
Evaluation Tree
Rule(tags, FAIL)
    |  Message: DEFAULT MESSAGE(FAIL)
    Condition(tags, PASS)
        |  Message: DEFAULT MESSAGE(PASS)
        Clause(Clause(Location[file:test2, line:4, column:16], Check: %aws_ecs_cluster NOT EMPTY ), PASS)
            |  From: Map((Path("/Resources/ECSCluster"), MapValue { keys: [String((Path("/Resources/ECSCluster/Type"), "Type")), String((Path("/Resources/ECSCluster/Properties"), "Properties"))], values: {"Type": String((Path("/Resources/ECSCluster/Type"), "AWS::ECS::Cluster")), "Properties": Map((Path("/Resources/ECSCluster/Properties"), MapValue { keys: [String((Path("/Resources/ECSCluster/Properties/ClusterName"), "ClusterName")), String((Path("/Resources/ECSCluster/Properties/Tags"), "Tags"))], values: {"ClusterName": String((Path("/Resources/ECSCluster/Properties/ClusterName"), "ClusterName")), "Tags": List((Path("/Resources/ECSCluster/Properties/Tags"), [Map((Path("/Resources/ECSCluster/Properties/Tags/0"), MapValue { keys: [String((Path("/Resources/ECSCluster/Properties/Tags/0/Key"), "Key")), String((Path("/Resources/ECSCluster/Properties/Tags/0/Value"), "Value"))], values: {"Key": String((Path("/Resources/ECSCluster/Properties/Tags/0/Key"), "ClusterName")), "Value": String((Path("/Resources/ECSCluster/Properties/Tags/0/Value"), "ClusterName"))} })), Map((Path("/Resources/ECSCluster/Properties/Tags/1"), MapValue { keys: [String((Path("/Resources/ECSCluster/Properties/Tags/1/Key"), "Key")), String((Path("/Resources/ECSCluster/Properties/Tags/1/Value"), "Value"))], values: {"Key": String((Path("/Resources/ECSCluster/Properties/Tags/1/Key"), "EnvironmentType")), "Value": String((Path("/Resources/ECSCluster/Properties/Tags/1/Value"), "EnvironmentType"))} })), Map((Path("/Resources/ECSCluster/Properties/Tags/2"), MapValue { keys: [String((Path("/Resources/ECSCluster/Properties/Tags/2/Key"), "Key")), String((Path("/Resources/ECSCluster/Properties/Tags/2/Value"), "Value"))], values: {"Key": String((Path("/Resources/ECSCluster/Properties/Tags/2/Key"), "Scope")), "Value": String((Path("/Resources/ECSCluster/Properties/Tags/2/Value"), "ecs"))} })), Map((Path("/Resources/ECSCluster/Properties/Tags/3"), MapValue { keys: [String((Path("/Resources/ECSCluster/Properties/Tags/3/Key"), "Key")), String((Path("/Resources/ECSCluster/Properties/Tags/3/Value"), "Value"))], values: {"Key": String((Path("/Resources/ECSCluster/Properties/Tags/3/Key"), "Name")), "Value": String((Path("/Resources/ECSCluster/Properties/Tags/3/Value"), "ClusterName"))} })), Map((Path("/Resources/ECSCluster/Properties/Tags/4"), MapValue { keys: [String((Path("/Resources/ECSCluster/Properties/Tags/4/Key"), "Key")), String((Path("/Resources/ECSCluster/Properties/Tags/4/Value"), "Value"))], values: {"Key": String((Path("/Resources/ECSCluster/Properties/Tags/4/Key"), "OwnerContact")), "Value": String((Path("/Resources/ECSCluster/Properties/Tags/4/Value"), "OwnerContact"))} }))]))} }))} }))
            |  Message: DEFAULT MESSAGE(PASS)
    Clause(Clause(Location[file:test2, line:5, column:2], Check: %aws_ecs_cluster.Properties.Tags.*  IN %EnvironmentType), FAIL)
        |  From: Map((Path("/Resources/ECSCluster/Properties/Tags/0"), MapValue { keys: [String((Path("/Resources/ECSCluster/Properties/Tags/0/Key"), "Key")), String((Path("/Resources/ECSCluster/Properties/Tags/0/Value"), "Value"))], values: {"Key": String((Path("/Resources/ECSCluster/Properties/Tags/0/Key"), "ClusterName")), "Value": String((Path("/Resources/ECSCluster/Properties/Tags/0/Value"), "ClusterName"))} }))
        |  Message: (DEFAULT: NO_MESSAGE)

NOTE: Please be sure that the templates, rules and logs you provide as part of your bug report do not contain any sensitive information.

Expected behavior

Validation to pass.

Screenshots

Log output should suffice.

Operating System: Ubuntu

OS Version: 20.04.2

Additional context

Any tips around how to match the existence of tags and in some cases also their values to a few accepted values would be great.
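As an added illustration (not code from this issue or from cfn-guard), the Python below models the two effects visible in the evaluation tree above: `!Ref` values arriving as plain strings, and the migrated `Tags.* IN %EnvironmentType` clause stopping at the first tag that is not one of the accepted objects. It assumes Guard applies `IN` to every element of `Tags.*`, which is what the failing clause's `From:` on `Tags/0` suggests; the tag list is constructed from the CFN snippet in the report, and `has_tag` is the presence-plus-accepted-values check the reporter describes wanting.

```python
# Constructed tag list mirroring the CFN snippet in the report, in the form a
# loader that keeps CloudFormation short-form intrinsics (!Ref) would produce.
TAGS_WITH_REF = [
    {"Key": "ClusterName", "Value": {"Ref": "ClusterName"}},
    {"Key": "EnvironmentType", "Value": {"Ref": "EnvironmentType"}},
    {"Key": "Scope", "Value": "ecs"},
    {"Key": "Name", "Value": {"Ref": "ClusterName"}},
    {"Key": "OwnerContact", "Value": {"Ref": "OwnerContact"}},
]

# The accepted-tag list from the reporter's v1 rule, PropagateAtLaunch variants included.
ACCEPTED_ENVIRONMENT_TAGS = [
    {"Key": "EnvironmentType", "Value": "EnvironmentType"},
    {"Key": "EnvironmentType", "Value": {"Ref": "EnvironmentType"}},
    {"Key": "EnvironmentType", "PropagateAtLaunch": True, "Value": "EnvironmentType"},
    {"Key": "EnvironmentType", "PropagateAtLaunch": True, "Value": {"Ref": "EnvironmentType"}},
]


def drop_yaml_tags(tags):
    """Model of the behaviour the evaluation tree shows: `!Ref X` arrives as the
    plain string "X" because the YAML tag was lost on the way to serde_json::Value."""
    out = []
    for tag in tags:
        value = tag["Value"]
        if isinstance(value, dict) and set(value) == {"Ref"}:
            value = value["Ref"]
        out.append({**tag, "Value": value})
    return out


def first_tag_not_in(tags, accepted):
    """Model of the migrated clause `Tags.* IN %EnvironmentType`, assuming IN is
    applied to every element: returns the first tag that is not one of the accepted
    objects, or None when every tag is accepted (the clause would pass)."""
    for tag in tags:
        if tag not in accepted:
            return tag
    return None


def has_tag(tags, key, accepted_values=None):
    """The check the report asks for: some tag has Key == key and, when
    accepted_values is given, its Value is one of those values."""
    return any(
        tag.get("Key") == key
        and (accepted_values is None or tag.get("Value") in accepted_values)
        for tag in tags
    )
```

Run against the constructed list, `first_tag_not_in` returns the ClusterName tag whether or not the `!Ref` tags survive, which matches the `From:` path in the failing clause, while `has_tag` with `[{"Ref": "EnvironmentType"}]` as the accepted values only succeeds when the YAML tags are preserved.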

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 15 (10 by maintainers)

Most upvoted comments

Interesting, YAML tags are being dropped when mapping values to serde_json::Value. Thanks for reporting it