CFN nag error when running it on a template that contains intrinsic function Fn::ForEach
gopinjag opened this issue · 6 comments
We have a template that, based on hostnames as identifiers, creates resources leveraging the Fn::ForEach intrinsic function. A sample example of the template:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: "AWS::LanguageExtensions"
Mappings:
  Instances:
    InstanceType:
      B: m5.4xlarge
      C: c5.2xlarge
    ImageId:
      A: ami-id1
Resources:
  "Fn::ForEach::Instances":
    - Identifier
    - [A, B, C]
    - "Instance${Identifier}":
        Type: "AWS::EC2::Instance"
        Properties:
          InstanceType:
            !FindInMap [
              Instances,
              InstanceType,
              !Ref "Identifier",
              { DefaultValue: m5.xlarge },
            ]
          ImageId:
            !FindInMap [
              Instances,
              ImageId,
              !Ref "Identifier",
              { DefaultValue: ami-id-default },
            ]
Outputs:
  SecondInstanceId:
    Description: Instance Id for InstanceB
    Value: !Ref "InstanceB"
  SecondPrivateIp:
    Description: Private IP for InstanceB
    Value: !GetAtt [InstanceB, PrivateIp]
```
When I run a cfn_nag scan on the template with the command `cfn_nag_scan --input-path <>`, I get an error:

```text
/opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:20:in `block in validate': no implicit conversion of String into Integer (TypeError)
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:19:in `each'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/resource_type_validator.rb:19:in `validate'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/schema_generator.rb:17:in `generate'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/validator/cloudformation_validator.rb:13:in `validate'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:220:in `pre_validate_model'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:62:in `parse_without_parameters'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-model-0.6.6/lib/cfn-model/parser/cfn_parser.rb:43:in `parse'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:87:in `audit'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:68:in `block in audit_aggregate_across_files'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:65:in `each'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:65:in `audit_aggregate_across_files'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag.rb:35:in `audit_aggregate_across_files_and_render_results'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag_executor.rb:50:in `execute_aggregate_scan'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/lib/cfn-nag/cfn_nag_executor.rb:30:in `scan'
from /opt/homebrew/Cellar/gem-cfn-nag/0.8.10/gems/cfn-nag-0.8.10/bin/cfn_nag_scan:11:in `<top (required)>'
from /opt/homebrew/bin/cfn_nag_scan:6:in `load'
from /opt/homebrew/bin/cfn_nag_scan:6:in `<main>'
```

Commenting out that resource block from the template, no error is returned. Could the team confirm support for this intrinsic function?

cfn_nag version:

```text
cfn_nag_scan --version
0.8.10
```
Yup same here
+1 same issue here with ForEach
+1 same here (using version 0.8.10)
In addition, it is preventing me from deploying a stack using ForEach via the manifest in Customizations for AWS Control Tower (CfCT), because cfn_nag is built into the AWS-controlled validation mechanism for it. (Theirs is pinned to version 0.7.2 and can't be changed...!)
In this situation a fix to cfn_nag won't solve the problem. Is there a workaround instead that still lets me use ForEach without cfn_nag breaking?
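As an added example (not cfn_nag's or cfn-model's own code), the Ruby script below reproduces the failure mode that the trace in the original report points at and shows one pre-scan workaround for the pinned-version situation asked about above. The trace fails inside a loop over `Resources` with `no implicit conversion of String into Integer`, which is what Ruby raises when a validator indexes a resource with `resource['Type']` and that resource is an Array rather than a Hash; an `Fn::ForEach::*` entry is exactly such an Array. The workaround expands every `Fn::ForEach::*` entry into concrete logical resources before the scan, so an unpatched cfn_nag only ever sees plain resource hashes. The template is a constructed Hash that mirrors the one in the issue using long-form intrinsics (`Fn::FindInMap`, `Ref`) instead of YAML short tags; the expansion handles `Ref` to the loop identifier and `${Identifier}` in resource keys only, and `Fn::Sub` strings are out of scope. The validator loop here is a simplified stand-in consistent with the trace, not cfn-model's actual code.

```ruby
require 'json'

# Constructed template mirroring the issue's Fn::ForEach block (long-form intrinsics).
TEMPLATE = {
  'AWSTemplateFormatVersion' => '2010-09-09',
  'Transform' => 'AWS::LanguageExtensions',
  'Mappings' => {
    'Instances' => {
      'InstanceType' => { 'B' => 'm5.4xlarge', 'C' => 'c5.2xlarge' },
      'ImageId' => { 'A' => 'ami-id1' }
    }
  },
  'Resources' => {
    'Fn::ForEach::Instances' => [
      'Identifier',
      %w[A B C],
      {
        'Instance${Identifier}' => {
          'Type' => 'AWS::EC2::Instance',
          'Properties' => {
            'InstanceType' => { 'Fn::FindInMap' => ['Instances', 'InstanceType',
                                                     { 'Ref' => 'Identifier' },
                                                     { 'DefaultValue' => 'm5.xlarge' }] },
            'ImageId' => { 'Fn::FindInMap' => ['Instances', 'ImageId',
                                                { 'Ref' => 'Identifier' },
                                                { 'DefaultValue' => 'ami-id-default' }] }
          }
        }
      }
    ]
  }
}.freeze

# Simplified stand-in for the validator loop in the trace: it assumes every value
# under Resources is a Hash with a 'Type' key. For an Fn::ForEach entry the value
# is an Array, so Array#[]('Type') raises TypeError.
def resource_types(resources)
  resources.map { |_logical_id, resource| resource['Type'] }
end

# Returns the TypeError message the stand-in validator raises, or nil when it passes.
def validation_error(template)
  resource_types(template.fetch('Resources', {}))
  nil
rescue TypeError => e
  e.message
end

# Deep-substitute { "Ref" => loop_var } with the concrete value and "${loop_var}"
# inside Hash keys, which is how the transform instantiates each loop iteration
# (Fn::Sub strings are deliberately not handled here).
def substitute(node, loop_var, value)
  case node
  when Hash
    return value if node == { 'Ref' => loop_var }
    node.to_h { |k, v| [k.gsub("${#{loop_var}}", value), substitute(v, loop_var, value)] }
  when Array
    node.map { |v| substitute(v, loop_var, value) }
  else
    node
  end
end

# Expand every Fn::ForEach::* entry under Resources into concrete logical resources,
# leaving ordinary resources untouched. The result is a template that a scanner
# without Fn::ForEach support can audit as plain resources.
def expand_for_each(template)
  expanded = {}
  template.fetch('Resources', {}).each do |key, body|
    unless key.start_with?('Fn::ForEach::')
      expanded[key] = body
      next
    end
    loop_var, collection, output_map = body
    collection.each do |value|
      output_map.each do |logical_id, resource|
        expanded[logical_id.gsub("${#{loop_var}}", value)] = substitute(resource, loop_var, value)
      end
    end
  end
  template.merge('Resources' => expanded)
end

if __FILE__ == $PROGRAM_NAME
  puts "before expansion: #{validation_error(TEMPLATE).inspect}"
  puts "after expansion:  #{validation_error(expand_for_each(TEMPLATE)).inspect}"
  puts JSON.pretty_generate(expand_for_each(TEMPLATE)['Resources'])
end
```

Running the script prints the TypeError for the original layout and `nil` for the expanded one, followed by the three concrete `InstanceA`/`InstanceB`/`InstanceC` resources. In a pipeline such as the pinned CfCT validation, the expanded JSON is what would be handed to the scanner, while the original Fn::ForEach template is still what gets deployed, so findings should be read back against the loop body rather than each expanded copy.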
+1 Same here
Any fix for this issue?
Same here. I think this project is abandoned