awslabs/aws-cloudformation-iam-policy-validator

Handle Custom Resources

Opened this issue · 2 comments

Hi,
I am using the Custom Resource backed by Lambda function in the same template.

```yaml
ExampleS3PolicyRun:
    Type: Custom::ExampleS3Policy
    Condition: CreateExampleS3Bucket
    Properties:
      ServiceToken: !GetAtt ExampleS3PolicyFunction.Arn
      Environment: !Ref EnvironmentName
      ExampleS3PolicyMappings: !Ref ExampleS3PolicyMappings
```

But I got

```
ERROR: Invalid resource type: Custom::ExampleS3Policy
```

Hi, thank you for opening this issue. It looks like you have an IAM policy that references this custom resource?

This is not something that the tool currently supports, though the error message could be better. The problem is that the tool could not know what type of ARN your custom resource generates since it could be any AWS resource. The tool throws an error in this type of situation so that a bad actor couldn't use this strategy as a way to get around policy validation checks.

I think what could be added in the future is some sort of configuration that allows you to intentionally ignore situations like this, but that does not exist today.
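The maintainer's point above is that a policy whose `Resource` is derived from a `Custom::*` resource cannot be type-checked, because the ARN the custom resource returns could be for any service. The following pre-check, an added example that is not part of the cfn-policy-validator project, walks a template and lists every IAM policy statement whose `Resource` or `NotResource` traces back (via `Ref` or `Fn::GetAtt`) to a custom resource, so these spots can be found before running the validator. The template is constructed for the example and uses JSON-style intrinsic functions; the traversal is a generic CloudFormation walk, not the tool's own code.

```python
"""Pre-check: find IAM policy statements whose Resource/NotResource derives
from a custom resource (Type Custom::* or AWS::CloudFormation::CustomResource).
Added example, not cfn-policy-validator code. Template below is constructed."""
from typing import Any, Dict, Iterator, List, Tuple

# Constructed template: one role with two statements, one of which points at
# an attribute of a custom resource (ARN type unknown to any validator).
TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "ExampleS3PolicyFunction": {"Type": "AWS::Lambda::Function", "Properties": {}},
        "ExampleS3PolicyRun": {
            "Type": "Custom::ExampleS3Policy",
            "Properties": {"ServiceToken": {"Fn::GetAtt": ["ExampleS3PolicyFunction", "Arn"]}},
        },
        "DataBucket": {"Type": "AWS::S3::Bucket"},
        "AppRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{
                "PolicyName": "app",
                "PolicyDocument": {"Statement": [
                    {   # derived from a custom resource: cannot be type-checked
                        "Effect": "Allow", "Action": "s3:GetObject",
                        "Resource": {"Fn::GetAtt": ["ExampleS3PolicyRun", "BucketArn"]},
                    },
                    {   # derived from a known resource type: fine
                        "Effect": "Allow", "Action": "s3:ListBucket",
                        "Resource": {"Fn::GetAtt": ["DataBucket", "Arn"]},
                    },
                ]},
            }]},
        },
    }
}

CUSTOM_TYPE = "AWS::CloudFormation::CustomResource"


def referenced_logical_ids(value: Any) -> Iterator[str]:
    """Yield logical IDs referenced via Ref or Fn::GetAtt anywhere in value."""
    if isinstance(value, dict):
        if isinstance(value.get("Ref"), str):
            yield value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            # Both ["Logical", "Attr"] and "Logical.Attr" forms are valid.
            if isinstance(target, list) and target:
                yield str(target[0])
            elif isinstance(target, str):
                yield target.split(".", 1)[0]
        for child in value.values():
            yield from referenced_logical_ids(child)
    elif isinstance(value, list):
        for child in value:
            yield from referenced_logical_ids(child)


def iter_statements(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every statement found under any PolicyDocument inside node."""
    if isinstance(node, dict):
        doc = node.get("PolicyDocument")
        if isinstance(doc, dict):
            stmts = doc.get("Statement", [])
            for stmt in stmts if isinstance(stmts, list) else [stmts]:
                if isinstance(stmt, dict):
                    yield stmt
        for child in node.values():
            yield from iter_statements(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_statements(child)


def find_custom_resource_references(template: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (owning_logical_id, custom_logical_id) for every policy statement
    whose Resource or NotResource references a custom resource."""
    resources = template.get("Resources", {})
    custom_ids = {
        lid for lid, res in resources.items()
        if isinstance(res, dict)
        and (str(res.get("Type", "")).startswith("Custom::") or res.get("Type") == CUSTOM_TYPE)
    }
    findings: List[Tuple[str, str]] = []
    for lid, res in resources.items():
        for stmt in iter_statements(res):
            for key in ("Resource", "NotResource"):
                for ref in referenced_logical_ids(stmt.get(key)):
                    if ref in custom_ids:
                        findings.append((lid, ref))
    return findings


if __name__ == "__main__":
    for owner, custom in find_custom_resource_references(TEMPLATE):
        print(f"{owner}: policy Resource derives from custom resource {custom}")
```

Only references inside `PolicyDocument` blocks are reported, so the custom resource's own `ServiceToken` (which legitimately points at the Lambda function) is not flagged; what matters for validation is a policy that grants access to whatever ARN the custom resource hands back.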

@mluttrell Thanks. Yes, it will be helpful if we have an option to silently ignore this situation.