awslabs/aws-cloudformation-iam-policy-validator

Managed Policy Name different to Logical ID

Closed this issue · 3 comments

Hey Team, great work on this package. Super useful and really interested in incorporating it into more workflows.

I've noticed an interesting behaviour in v0.0.12 that occurs where the CloudFormation Logical ID is different to the managed policy name. An example CloudFormation snippet might look like this (excuse the formatting):

```yaml
Resources:
  SampleRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: 'SampleRole'
      ManagedPolicyArns:
        - !Ref SamplePolicy
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action:
              - sts:AssumeRole
  SamplePolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: Sample_Policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - 'cloudformation:Describe*'
            Resource: '*'
```

Running `cfn-policy-validator validate --template-path role.yaml --region ap-southeast-2` is met with the following error:

```
ERROR: Could not find managed policy with arn:aws:iam::{accountID}:policy/SamplePolicy in template or in environment.
```

I've noticed that when I align the ManagedPolicyName with the Logical ID (i.e. SamplePolicy), the validation is executed as expected. Could you validate whether this is behaviour you see at your end, or if there's something obvious I'm missing?

Keep up the good work!
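The mismatch behind the error above, as an added illustration in Python that is not the validator's own code: a `Ref` to an `AWS::IAM::ManagedPolicy` resolves to the policy's ARN, which CloudFormation builds from `ManagedPolicyName`, not the logical ID. The template dict, the placeholder account ID and the `from_logical_id` switch (modelling the v0.0.12 behaviour) are constructed for this example.

```python
from typing import Dict, List

ACCOUNT_ID = "123456789012"  # constructed placeholder account id

# Constructed template mirroring the issue's YAML: logical ID "SamplePolicy",
# ManagedPolicyName "Sample_Policy"; `!Ref X` is written in long form {"Ref": "X"}.
TEMPLATE: Dict = {
    "Resources": {
        "SampleRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"RoleName": "SampleRole",
                           "ManagedPolicyArns": [{"Ref": "SamplePolicy"}]},
        },
        "SamplePolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"ManagedPolicyName": "Sample_Policy",
                           "PolicyDocument": {"Version": "2012-10-17", "Statement": []}},
        },
    }
}


def policy_name(logical_id: str, resource: Dict) -> str:
    # ManagedPolicyName wins; the logical ID is only a stand-in when the name is
    # unset (CloudFormation then generates a name at deploy time).
    return resource.get("Properties", {}).get("ManagedPolicyName", logical_id)


def policy_arn(name: str, path: str = "/") -> str:
    return f"arn:aws:iam::{ACCOUNT_ID}:policy{path}{name}"


def resolve_ref(template: Dict, logical_id: str, from_logical_id: bool) -> str:
    # ARN a `!Ref <ManagedPolicy>` evaluates to. from_logical_id=True models the
    # reported bug: the name is taken from the logical ID, not ManagedPolicyName.
    res = template["Resources"][logical_id]
    path = res.get("Properties", {}).get("Path", "/")
    name = logical_id if from_logical_id else policy_name(logical_id, res)
    return policy_arn(name, path)


def missing_policies(template: Dict, from_logical_id: bool = False) -> List[str]:
    # Index the policies the template defines by the ARN they will really get,
    # then check every role reference against that index. Literal ARN strings
    # (e.g. AWS-managed policies) would be looked up in the account, skipped here.
    resources = template["Resources"]
    defined = {policy_arn(policy_name(lid, r), r.get("Properties", {}).get("Path", "/"))
               for lid, r in resources.items() if r.get("Type") == "AWS::IAM::ManagedPolicy"}
    missing = []
    for r in resources.values():
        if r.get("Type") != "AWS::IAM::Role":
            continue
        for ref in r.get("Properties", {}).get("ManagedPolicyArns", []):
            if isinstance(ref, str):
                continue
            arn = resolve_ref(template, ref["Ref"], from_logical_id)
            if arn not in defined:
                missing.append(arn)
    return missing
```

With `from_logical_id=True` the role's reference resolves to `.../policy/SamplePolicy`, which matches nothing in the template index, reproducing the reported error; with the name-based resolution the list is empty.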

Thanks Ben! And thank you for reporting this issue.

This does not look like the expected behavior and does seem to be a bug. We'll get this fixed.

I just pushed v0.0.13 to fix this issue. Closing this issue, but please reopen it if you're still experiencing an issue.

The fix seems to be working well. Thanks for jumping on this so quickly Matt!