cfn-model 0.4.30 → 0.5.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4cfb10903ae3fbf18dc0c8d07db826851348197984e10834dde228a4f40d453d
-  data.tar.gz: 9c2e9362dd9e75eb6ee7b90566468b579d5d725fbd23e1791f1af46926af4f8a
+  metadata.gz: 527a99ce24b15e3dc115ecfc163034c4a01599632b0ef0afb94ae9a232058d35
+  data.tar.gz: 3b230f07cad2a3369745a60684acbca599b6241fced5cb8c2c986e24304af258
 SHA512:
-  metadata.gz: 6e5d026023c580e5ace9123da3ecf62cfd265b424c584c83156e5ee595c3ed863a2d783d971bc8f4b3fb3629007aa795156257ad75ea6a1a6084723ec64005b3
-  data.tar.gz: 7798edc1e68b7073e3e880e4f66687c3f8e80bb3a5740f397a6af060d8d9fafa1b9912ad5393e71da26d0b65ff0d2b38da7418bf27e73474b33e33b0cf87c38b
+  metadata.gz: a4569f552dbc5c8776daa0f82277c25ec1d2af7c7e00814574b9031bf4daf318e956b40add9297e0a45c6dcb12401603c8b84260ef7d6fbdcd1d98bee31b9158
+  data.tar.gz: e8d001e530ccaeb57e05d9bcada2c914f7ef311e71912e9ac03bf5846c61389ed1d2b73c38a4ebdfb2e59a907b968b7d22d5f67b88c5dc7045bdd92b977fe0ec

data/lib/cfn-model/model/references.rb

@@ -9,6 +9,10 @@ require 'cfn-model/parser/parser_error'
 # references yet... in the meantime pile things up here and hope a pattern becomes
 # clear
 module References
+  def self.unsupported_passthru?(value)
+    value.has_key?('Fn::GetAtt') || value.has_key?('Fn::ImportValue') || value.has_key?('Fn::Transform') || value.has_key?('Fn::Cidr')
+  end
+
   def self.resolve_value(cfn_model, value)
     if value.is_a? Hash
       if value.has_key?('Ref')
@@ -17,7 +21,21 @@ module References
         resolve_map(cfn_model, value)
       elsif value.has_key?('Fn::If')
         resolve_if(cfn_model, value)
-      else
+      elsif value.has_key?('Fn::Sub')
+        resolve_sub(cfn_model, value)
+      elsif value.has_key?('Fn::GetAZs')
+        resolve_getazs(cfn_model, value)
+      elsif value.has_key?('Fn::Split')
+        resolve_split(cfn_model, value)
+      elsif value.has_key?('Fn::Join')
+        resolve_join(cfn_model, value)
+      elsif value.has_key?('Fn::Base64')
+        resolve_base64(cfn_model, value)
+      elsif value.has_key?('Fn::Select')
+        resolve_select(cfn_model, value)
+      elsif unsupported_passthru?(value)
+        value
+      else # another mapping
         value.map do |k,v|
           [k, resolve_value(cfn_model, v)]
         end.to_h
@@ -101,6 +119,107 @@ module References
 
   private
 
+  def self.resolve_sub(cfn_model, expression)
+    if expression['Fn::Sub'].is_a? String
+      resolve_shorthand_sub(cfn_model, expression)
+    elsif expression['Fn::Sub'].is_a? Array
+      resolve_longform_sub(cfn_model, expression)
+    else
+      expression
+    end
+  end
+
+  def self.resolve_select(cfn_model, reference)
+    index = reference['Fn::Select'][0]
+    collection = References.resolve_value(cfn_model, reference['Fn::Select'][1])
+    if collection.is_a? Array
+      collection[index]
+    else
+      reference
+    end
+  end
+
+  def self.resolve_base64(cfn_model, reference)
+    References.resolve_value(cfn_model, reference['Fn::Base64'])
+  end
+
+  def self.resolve_join(cfn_model, reference)
+    delimiter = reference['Fn::Join'][0]
+    items = References.resolve_value(cfn_model, reference['Fn::Join'][1])
+    return reference unless items.is_a?(Array)
+    items.join(delimiter)
+  end
+
+  def self.resolve_split(cfn_model, reference)
+    delimiter = reference['Fn::Split'][0]
+    target_string = References.resolve_value(cfn_model, reference['Fn::Split'][1])
+    return reference unless target_string.is_a?(String)
+    target_string.split(delimiter)
+  end
+
+  def self.resolve_getazs(cfn_model, reference)
+    number_azs = References.resolve_value(cfn_model, { 'Ref' => 'AWS::NumberAZs' })
+    region = reference['Fn::GetAZs']
+    if region == '' || region == { 'Ref' => 'AWS::Region' }
+      region = References.resolve_value(cfn_model, { 'Ref' => 'AWS::Region' })
+    end
+    (('a'.ord)..('a'.ord+number_azs)).map do |az_number|
+      "#{region}#{az_number.chr}"
+    end
+  end
+
+  def self.strip_cfn_interpolation(reference)
+    reference[2..-2]
+  end
+
+  def self.references_in_sub(string_value)
+    # ignore ${!foo} as cfn interprets that as the literal ${foo}
+    references = string_value.scan /\${[^!].*?}/
+    references.map { |reference| strip_cfn_interpolation(reference) }
+  end
+
+  def self.resolvable_reference?(cfn_model, reference)
+    resolved_value = References.resolve_value(cfn_model, {'Ref'=>reference})
+    resolved_value != {'Ref'=>reference}
+  end
+
+  def self.resolve_shorthand_sub(cfn_model, expression)
+    string_value = expression['Fn::Sub']
+    subbed_string_value = string_value
+    has_unresolved_references = false
+    references_in_sub(string_value).each do |reference|
+      if resolvable_reference?(cfn_model, reference)
+        subbed_string_value = subbed_string_value.gsub(
+          "${#{reference}}",
+          References.resolve_value(cfn_model, {'Ref'=>reference})
+        )
+      end
+    end
+    subbed_string_value
+  end
+
+  def self.resolve_longform_sub(cfn_model, expression)
+    array_value = expression['Fn::Sub']
+    subbed_string_value = array_value[0]
+    substitution_mapping = array_value[1]
+    references_in_sub(subbed_string_value).each do |reference|
+      if substitution_mapping.has_key? reference
+        if References.resolve_value(cfn_model, substitution_mapping[reference]).is_a?(String)
+          subbed_string_value = subbed_string_value.gsub(
+            "${#{reference}}",
+            References.resolve_value(cfn_model, substitution_mapping[reference])
+          )
+        end
+      elsif resolvable_reference?(cfn_model, reference)
+        subbed_string_value = subbed_string_value.gsub(
+          "${#{reference}}",
+          References.resolve_value(cfn_model, {'Ref'=>reference})
+        )
+      end
+    end
+    subbed_string_value
+  end
+
   def self.resolve_if(cfn_model, expression)
     if_expression = expression['Fn::If']
     condition_name = if_expression[0]

data/lib/cfn-model/parser/cfn_parser.rb

@@ -44,6 +44,9 @@ class CfnParser
 
     apply_parameter_values(cfn_model, parameter_values_json)
 
+    # pass 2: tie together separate resources only where necessary to make life easier for rule logic
+    post_process_resource_model_elements cfn_model
+
     cfn_model
   end
 
@@ -87,8 +90,7 @@ class CfnParser
     transform_hash_into_parameters cfn_hash, cfn_model
     transform_hash_into_globals cfn_hash, cfn_model
 
-    # pass 2: tie together separate resources only where necessary to make life easier for rule logic
-    post_process_resource_model_elements cfn_model
+
 
     cfn_model
   end
@@ -279,7 +281,7 @@ class CfnParser
 
   def map_non_aws_resource_name_to_class_name(module_names)
     # this is a little hacky.  we've been ignoring Custom so more for
-    # backward compat.  for Alexa and other transformed resources just jam the whole
+    # backward compat. for Alexa and other transformed resources just jam the whole
     # thing together
     if module_names.first == 'Custom'
       first_module_index = 1
@@ -306,7 +308,8 @@ class CfnParser
     else
       custom_resource_class_name = map_non_aws_resource_name_to_class_name(module_names)
       begin
-        resource_class = Object.const_get custom_resource_class_name
+        custom_class = Object.const_get custom_resource_class_name
+        resource_class = custom_class if custom_class.is_a?(ModelElement)
       rescue NameError
         Object.const_set(custom_resource_class_name, resource_class)
       end

data/lib/cfn-model/parser/iam_group_parser.rb

@@ -2,6 +2,7 @@
 
 require 'cfn-model/model/iam_role'
 require 'cfn-model/model/policy'
+require 'cfn-model/model/references'
 require_relative 'policy_document_parser'
 
 class IamGroupParser
@@ -12,8 +13,8 @@ class IamGroupParser
       next unless policy.has_key? 'PolicyName'
 
       new_policy = Policy.new
-      new_policy.policy_name = policy['PolicyName']
-      new_policy.policy_document = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy.policy_name = References.resolve_value(cfn_model, policy['PolicyName'])
+      new_policy.policy_document = PolicyDocumentParser.new.parse(cfn_model, policy['PolicyDocument'])
       new_policy
     end.reject { |policy| policy.nil? }
     iam_group

data/lib/cfn-model/parser/iam_role_parser.rb

@@ -2,20 +2,21 @@
 
 require 'cfn-model/model/iam_role'
 require 'cfn-model/model/policy'
+require 'cfn-model/model/references'
 require_relative 'policy_document_parser'
 
 class IamRoleParser
   def parse(cfn_model:, resource:)
     iam_role = resource
 
-    iam_role.assume_role_policy_document = PolicyDocumentParser.new.parse(iam_role.assumeRolePolicyDocument)
+    iam_role.assume_role_policy_document = PolicyDocumentParser.new.parse(cfn_model, iam_role.assumeRolePolicyDocument)
 
     iam_role.policy_objects = iam_role.policies.map do |policy|
       next unless policy.has_key? 'PolicyName'
 
       new_policy = Policy.new
-      new_policy.policy_name = policy['PolicyName']
-      new_policy.policy_document = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy.policy_name = References.resolve_value(cfn_model, policy['PolicyName'])
+      new_policy.policy_document = PolicyDocumentParser.new.parse(cfn_model, policy['PolicyDocument'])
       new_policy
     end.reject { |policy| policy.nil? }
 

data/lib/cfn-model/parser/iam_user_parser.rb

@@ -2,6 +2,7 @@
 
 require 'cfn-model/model/policy_document'
 require 'cfn-model/model/policy'
+require 'cfn-model/model/references'
 require_relative 'policy_document_parser'
 
 class IamUserParser
@@ -12,8 +13,8 @@ class IamUserParser
       next unless policy.has_key? 'PolicyName'
 
       new_policy = Policy.new
-      new_policy.policy_name = policy['PolicyName']
-      new_policy.policy_document = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy.policy_name = References.resolve_value(cfn_model, policy['PolicyName'])
+      new_policy.policy_document = PolicyDocumentParser.new.parse(cfn_model, policy['PolicyDocument'])
       new_policy
     end.reject { |policy| policy.nil? }
 
@@ -22,8 +23,8 @@ class IamUserParser
     user_to_group_additions = cfn_model.resources_by_type 'AWS::IAM::UserToGroupAddition'
     user_to_group_additions.each do |user_to_group_addition|
 
-      if user_to_group_addition_has_username(user_to_group_addition.users,iam_user)
-        iam_user.group_names << user_to_group_addition.groupName
+      if user_to_group_addition_has_username(user_to_group_addition.users, iam_user)
+        iam_user.group_names << References.resolve_value(cfn_model, user_to_group_addition.groupName)
 
         # we need to figure out the story on resolving Refs i think for this to be real
       end

data/lib/cfn-model/parser/kms_key_parser.rb

@@ -9,7 +9,7 @@ class KmsKeyParser
     kms_key = resource
 
     new_policy = Policy.new
-    new_policy.policy_document = PolicyDocumentParser.new.parse(kms_key.keyPolicy)
+    new_policy.policy_document = PolicyDocumentParser.new.parse(cfn_model, kms_key.keyPolicy)
     kms_key.key_policy = new_policy
 
     kms_key

data/lib/cfn-model/parser/parameter_substitution.rb

@@ -43,7 +43,8 @@ class ParameterSubstitution
       'AWS::AccountId' => '111111111111',
       'AWS::Region' => 'us-east-1',
       'AWS::StackId' => 'arn:aws:cloudformation:us-east-1:111111111111:stack/stackname/51af3dc0-da77-11e4-872e-1234567db123',
-      'AWS::StackName' => 'stackname'
+      'AWS::StackName' => 'stackname',
+      'AWS::NumberAZs' => 2
     }
     pseudo_function_defaults.each do |function_name, default_value|
       parameter = Parameter.new

data/lib/cfn-model/parser/policy_document_parser.rb

@@ -1,16 +1,18 @@
 # frozen_string_literal: true
 
 require 'cfn-model/model/iam_policy'
+require 'cfn-model/model/references'
+
 require 'cfn-model/model/policy_document'
 
 class PolicyDocumentParser
-  def parse(raw_policy_document)
+  def parse(cfn_model, raw_policy_document)
     policy_document = PolicyDocument.new
 
-    policy_document.version = raw_policy_document['Version']
+    policy_document.version = References.resolve_value(cfn_model, raw_policy_document['Version'])
 
     policy_document.statements = streamline_array(raw_policy_document['Statement']) do |statement|
-      parse_statement statement
+      parse_statement cfn_model, statement
     end
 
     policy_document
@@ -18,17 +20,17 @@ class PolicyDocumentParser
 
   private
 
-  def parse_statement(raw_statement)
+  def parse_statement(cfn_model, raw_statement)
     statement = Statement.new
-    statement.effect = raw_statement['Effect']
-    statement.sid = raw_statement['Sid']
-    statement.condition = raw_statement['Condition']
-    statement.actions = streamline_array(raw_statement['Action'])
-    statement.not_actions = streamline_array(raw_statement['NotAction'])
-    statement.resources = streamline_array(raw_statement['Resource'])
-    statement.not_resources = streamline_array(raw_statement['NotResource'])
-    statement.principal = raw_statement['Principal']
-    statement.not_principal = raw_statement['NotPrincipal']
+    statement.effect = References.resolve_value(cfn_model, raw_statement['Effect'])
+    statement.sid = References.resolve_value(cfn_model, raw_statement['Sid'])
+    statement.condition = References.resolve_value(cfn_model, raw_statement['Condition'])
+    statement.actions = References.resolve_value(cfn_model, streamline_array(raw_statement['Action']))
+    statement.not_actions = References.resolve_value(cfn_model, streamline_array(raw_statement['NotAction']))
+    statement.resources = References.resolve_value(cfn_model, streamline_array(raw_statement['Resource']))
+    statement.not_resources = References.resolve_value(cfn_model, streamline_array(raw_statement['NotResource']))
+    statement.principal = References.resolve_value(cfn_model, raw_statement['Principal'])
+    statement.not_principal = References.resolve_value(cfn_model, raw_statement['NotPrincipal'])
     statement
   end
 

data/lib/cfn-model/parser/security_group_parser.rb

@@ -38,7 +38,7 @@ class SecurityGroupParser
       ingress_object = AWS::EC2::SecurityGroupIngress.new cfn_model
       ingress.each do |k, v|
         silently_fail do
-          ingress_object.send("#{initialLower(k)}=", v)
+          ingress_object.send("#{initialLower(k)}=", References.resolve_value(cfn_model, v))
           mapped_at_least_one_attribute = true
         end
       end
@@ -59,7 +59,7 @@ class SecurityGroupParser
       egress.each do |k, v|
         next if k.match /::/
         silently_fail do
-          egress_object.send("#{initialLower(k)}=", v)
+          egress_object.send("#{initialLower(k)}=", References.resolve_value(cfn_model, v))
           mapped_at_least_one_attribute = true
         end
 

data/lib/cfn-model/parser/with_policy_document_parser.rb

@@ -6,7 +6,7 @@ require_relative 'policy_document_parser'
 
 class WithPolicyDocumentParser
   def parse(cfn_model:, resource:)
-    resource.policy_document = PolicyDocumentParser.new.parse(resource.policyDocument)
+    resource.policy_document = PolicyDocumentParser.new.parse(cfn_model, resource.policyDocument)
     resource
   end
 end

data/lib/cfn-model/transforms/serverless.rb

@@ -112,8 +112,14 @@ class CfnModel
                                                           resource_name,
                                                           with_line_numbers)
 
-        cfn_hash['Resources'][resource_name] = lambda_function lambda_fn_params
-
+        cfn_hash['Resources'][resource_name] = lambda_function(
+          handler: lambda_fn_params[:handler],
+          code_bucket: lambda_fn_params[:code_bucket],
+          code_key: lambda_fn_params[:code_key],
+          role: lambda_fn_params[:role],
+          runtime: lambda_fn_params[:runtime],
+          with_line_numbers: lambda_fn_params[:with_line_numbers]
+        )
         unless serverless_function['Properties']['Role']
           cfn_hash['Resources'][resource_name + 'Role'] = function_role(serverless_function,
                                                                         resource_name,
@@ -122,6 +128,13 @@ class CfnModel
 
         transform_function_events(cfn_hash, serverless_function, resource_name, with_line_numbers) if \
           serverless_function['Properties']['Events']
+
+        # Handle passing along cfn-nag specific metadata. SAM itself does not support metadata during transformation.
+        # https://github.com/aws/serverless-application-model/issues/264
+        if serverless_function.key?('Metadata') && serverless_function['Metadata'].key?('cfn_nag')
+          cfn_hash['Resources'][resource_name]['Metadata'] = serverless_function['Metadata']
+          cfn_hash['Resources'][resource_name + 'Role']['Metadata'] = serverless_function['Metadata']
+        end
       end
 
       def lambda_service_can_assume_role

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-model
 version: !ruby/object:Gem::Version
-  version: 0.4.30
+  version: 0.5.3
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-04 00:00:00.000000000 Z
+date: 2020-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -165,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: cfn-model