cfn-nag 0.6.0 → 0.6.5

Files changed (45)
  1. checksums.yaml +4 -4
  2. data/lib/cfn-nag/cfn_nag.rb +5 -0
  3. data/lib/cfn-nag/cfn_nag_config.rb +3 -0
  4. data/lib/cfn-nag/cfn_nag_executor.rb +1 -0
  5. data/lib/cfn-nag/cli_options.rb +11 -0
  6. data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +2 -2
  7. data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb +2 -1
  8. data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb +2 -1
  9. data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb +2 -1
  10. data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb +2 -1
  11. data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb +1 -1
  12. data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb +3 -2
  13. data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb +2 -1
  14. data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb +2 -1
  15. data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb +2 -1
  16. data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb +2 -1
  17. data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +2 -1
  18. data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb +2 -1
  19. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb +2 -1
  20. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb +3 -2
  21. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb +2 -1
  22. data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb +2 -1
  23. data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +2 -1
  24. data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb +3 -2
  25. data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb +3 -2
  26. data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb +2 -1
  27. data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb +2 -1
  28. data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb +2 -1
  29. data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb +2 -1
  30. data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb +3 -2
  31. data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb +2 -1
  32. data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb +2 -1
  33. data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb +2 -1
  34. data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb +2 -1
  35. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb +2 -1
  36. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb +2 -1
  37. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb +2 -1
  38. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb +2 -1
  39. data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb +2 -1
  40. data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb +2 -1
  41. data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb +2 -1
  42. data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb +2 -1
  43. data/lib/cfn-nag/iam_complexity_metric/condition_metric.rb +0 -2
  44. data/lib/cfn-nag/result_view/colored_stdout_results.rb +0 -2
  45. metadata +5 -5
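--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: ce61954c2ef415db38dfd9173ab93fb92145a7a2cf5778901bad880d3aabc762
- data.tar.gz: 8296a1bea671a836e464db5f9a4573d7b64ba87be90e841ce2ef5e823b61b49a
+ metadata.gz: fcec15f2d25123e50039b0618dbd0da02e2e798ade4b35fea7abb3f6e9035eba
+ data.tar.gz: 8eeea21427d600ce45addb7ebe595ddeeeec469b6ebf8fe7fde1f62685ad4b83
  SHA512:
- metadata.gz: 4d07a9749c20b7083b9f01b479e20ffdcc327be635d9285e3f7175f8be39c87d7d66fc5fd5d1a7d728d399d9d5fc96a92d7ea42ac90014b79528bcdf2a4786e7
- data.tar.gz: 227ef815606ef8eb763b1523de73ba0f4a0e8c6791afd809699057e41f37694ead17bd1714725838328516c45a369118852e5fadb76e334c75dde009ba459ed2
+ metadata.gz: b242c9866270499f2e1b87594043813dd6078ab7cea40eaaa6fff6835a48405c3645a1895e8e6630d1d04c337fbfb90d6a6b7c168cbffd97df8339076aec69dd
+ data.tar.gz: 02ec8b6dfc2b4409bffb5f9339e41e59a79f076b6d288d74d9752e1357ad9918acc0360ba07fa3017c633951c47ee238a6f6ad0a4deca7b61c7d43109c6e023e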
@@ -102,9 +102,14 @@ class CfnNag
102
102
  violations << fatal_violation(error)
103
103
  end
104
104
 
105
+ violations = prune_fatal_violations(violations) if @config.ignore_fatal
105
106
  audit_result(violations)
106
107
  end
107
108
 
109
+ def prune_fatal_violations(violations)
110
+ violations.reject { |violation| violation.type == Violation::FAILING_VIOLATION }
111
+ end
112
+
108
113
  def render_results(aggregate_results:,
109
114
  output_format:)
110
115
  results_renderer(output_format).new.render(aggregate_results)
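Review bot: `prune_fatal_violations` filters on `violation.type == Violation::FAILING_VIOLATION`, which reads as a severity rather than a marker for parse failures. If ordinary rule findings carry the same type (Violation is defined outside this hunk), enabling `ignore_fatal` removes every failing finding from a template and the scan is left with warnings only. The filter should match only the record built by `fatal_violation`, for example `violations.reject { |violation| violation.id == 'FATAL' }`, assuming that helper tags its record with that id. A spec that audits a template with a real failing rule under `ignore_fatal: true` and still expects the failure would pin this; the enclosing audit method starts above the hunk.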
@@ -9,6 +9,7 @@ class CfnNagConfig
9
9
  print_suppression: false,
10
10
  isolate_custom_rule_exceptions: false,
11
11
  fail_on_warnings: false,
12
+ ignore_fatal: false,
12
13
  rule_repository_definitions: [],
13
14
  rule_arguments: {})
14
15
  @rule_directory = rule_directory
@@ -24,6 +25,7 @@ class CfnNagConfig
24
25
  @fail_on_warnings = fail_on_warnings
25
26
  @rule_repositories = rule_repositories
26
27
  @rule_arguments = rule_arguments
28
+ @ignore_fatal = ignore_fatal
27
29
  end
28
30
  # rubocop:enable Metrics/ParameterLists
29
31
 
@@ -34,4 +36,5 @@ class CfnNagConfig
34
36
  attr_reader :blacklist_definition
35
37
  attr_reader :fail_on_warnings
36
38
  attr_reader :rule_repositories
39
+ attr_reader :ignore_fatal
37
40
  end
@@ -129,6 +129,7 @@ class CfnNagExecutor
129
129
  isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions],
130
130
  fail_on_warnings: opts[:fail_on_warnings],
131
131
  rule_repository_definitions: @rule_repository_definitions,
132
+ ignore_fatal: opts[:ignore_fatal],
132
133
  rule_arguments: merge_rule_arguments(opts)
133
134
  )
134
135
  end
@@ -100,6 +100,11 @@ class Options
100
100
  type: :string,
101
101
  required: false,
102
102
  default: nil
103
+ opt :ignore_fatal,
104
+ 'Ignore files with fatal violations. Useful for ignoring non-Cloudformation yaml/yml/json in a path',
105
+ type: :boolean,
106
+ required: false,
107
+ default: false
103
108
  end
104
109
  end
105
110
 
@@ -193,6 +198,12 @@ class Options
193
198
  type: :string,
194
199
  required: false,
195
200
  default: nil
201
+ opt :ignore_fatal,
202
+ 'Ignore files with fatal violations. Useful for ignoring non-Cloudformation yaml/yml/json in a path',
203
+ short: 'g',
204
+ type: :boolean,
205
+ required: false,
206
+ default: false
196
207
  end
197
208
  end
198
209
  # rubocop:enable Metrics/BlockLength
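Review bot: The help string on both `opt :ignore_fatal` definitions presents the flag as a convenience for skipping non-CloudFormation files, but it equally hides a real template that fails to parse, which is then reported with no findings at all. The text should say so, e.g. `'Drop fatal (parse) violations from the results; a template that cannot be parsed then yields no findings. Intended for paths that also hold non-Cloudformation yaml/yml/json'`. The two definitions also differ: the second sets `short: 'g'` while the first leaves the short form to the option parser, so the same option may get a different short flag depending on the entry point. Both enclosing option blocks start outside their hunks.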
@@ -5,8 +5,8 @@ require_relative 'sub_property_with_list_password_base_rule'
5
5
 
6
6
  class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
7
7
  def rule_text
8
- 'AmazonMQ Broker Users Password must not be a plaintext ' \
9
- 'string or a Ref to a NoEcho Parameter with a Default value.'
8
+ 'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \
9
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
10
  end
11
11
 
12
12
  def rule_type
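Review bot: The new `rule_text` describes different behaviour (any Parameter with a Default is rejected; a NoEcho Parameter without a Default or a dynamic reference is accepted), yet this section and the other rule files in the diff change only the message. The check itself lives in `SubPropertyWithListPasswordBaseRule` and `PasswordBaseRule`, which are not part of the diff, so it is worth confirming that they (or possibly the pinned dependency bumped from 0.5.0 to 0.5.1 in `metadata`) enforce what the text now states; otherwise users rely on a guarantee the scanner does not give. The sentence `'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'` is also pasted into every password rule class here in two variants (`secretsmanager` and `secretsmanager/ssm-secure`); two shared constants on the base rule would keep the wording from drifting. The class body continues past the hunk.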
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class AmplifyAppAccessTokenRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Amplify App AccessToken must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class AmplifyAppOauthTokenRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Amplify App OauthToken must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \
9
- 'string or a Ref to a NoEcho Parameter with a Default value.' \
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -18,7 +18,7 @@ class ApiGatewayV2AccessLoggingRule < BaseRule
18
18
 
19
19
  def audit_impl(cfn_model)
20
20
  violating_deployments = cfn_model.resources_by_type('AWS::ApiGatewayV2::Stage').select do |deployment|
21
- deployment.accessLogSetting.nil?
21
+ deployment.accessLogSettings.nil?
22
22
  end
23
23
 
24
24
  violating_deployments.map(&:logical_resource_id)
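Review bot: The `.nil?` test on `accessLogSettings` only checks that the property is present, so a stage declared with an empty `AccessLogSettings` block, or one without a `DestinationArn`, is treated as having access logging. If cfn-model exposes the property as a Hash (not visible here), the block could read `settings = deployment.accessLogSettings` followed by `settings.nil? || settings['DestinationArn'].nil?`. The misspelled accessor this commit corrects went unnoticed until now, so a spec with one stage that sets AccessLogSettings and one that does not would be a useful guard. The closing `end` of `audit_impl` is outside the hunk.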
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
6
6
  class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \
9
- 'must not be a plaintext string or a Ref to a NoEcho Parameter ' \
10
- 'with a Default value.'
9
+ 'must not be a plaintext string or a Ref to a Parameter ' \
10
+ 'with a Default value. ' \
11
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
12
  end
12
13
 
13
14
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \
9
- 'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'a plaintext string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class DMSEndpointPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'DMS Endpoint password must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
7
7
  class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
8
8
  def rule_text
9
9
  'Directory Service Microsoft AD password must not be a plaintext string ' \
10
- 'or a Ref to a NoEcho Parameter with a Default value.'
10
+ 'or a Ref to a Parameter with a Default value. ' \
11
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
12
  end
12
13
 
13
14
  def rule_type
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
7
7
  class DirectoryServiceSimpleADPasswordRule < PasswordBaseRule
8
8
  def rule_text
9
9
  'DirectoryService SimpleAD password must not be a plaintext string ' \
10
- 'or a Ref to a NoEcho Parameter with a Default value.'
10
+ 'or a Ref to a Parameter with a Default value. ' \
11
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
12
  end
12
13
 
13
14
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class DocDBDBClusterMasterUserPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'DocDB DB Cluster master user password must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class EMRClusterKerberosAttributesADDomainJoinPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a ' \
9
- 'plaintext string or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'plaintext string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
6
6
  class EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must ' \
9
- 'not be a plaintext string or a Ref to a NoEcho Parameter with a ' \
10
- 'Default value.'
9
+ 'not be a plaintext string or a Ref to a Parameter with a ' \
10
+ 'Default value. ' \
11
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
12
  end
12
13
 
13
14
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class EMRClusterKerberosAttributesKdcAdminPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'EMR Cluster KerberosAttributes KdcAdmin Password must not be a ' \
9
- 'plaintext string or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'plaintext string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class ElastiCacheReplicationGroupAuthTokenRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'ElastiCache ReplicationGroup AuthToken must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class IAMUserLoginProfilePasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'IAM User LoginProfile Password must not be a plaintext string or ' \
9
- 'a Ref to a NoEcho Parameter with a Default value.'
9
+ 'a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
6
6
  class KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password ' \
9
- 'must not be a plaintext string or a Ref to a NoEcho Parameter with a ' \
10
- 'Default value.'
9
+ 'must not be a plaintext string or a Ref to a Parameter with a ' \
10
+ 'Default value. ' \
11
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
12
  end
12
13
 
13
14
  def rule_type
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
6
6
  class KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken ' \
9
- 'must not be a plaintext string or a Ref to a NoEcho Parameter with a ' \
10
- 'Default value.'
9
+ 'must not be a plaintext string or a Ref to a Parameter with a ' \
10
+ 'Default value. ' \
11
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
12
  end
12
13
 
13
14
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class LambdaPermissionEventSourceTokenRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Lambda Permission EventSourceToken must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class OpsWorksAppAppSourcePasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'OpsWorks App AppSource Password must not be a plaintext ' \
9
- 'string or a Ref to a NoEcho Parameter with a Default value.' \
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class OpsWorksAppSslConfigurationPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'OpsWorks App SslConfiguration PrivateKey must not be a plaintext ' \
9
- 'string or a Ref to a NoEcho Parameter with a Default value.' \
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class OpsWorksStackCustomCookbooksSourcePasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'OpsWorks Stack CustomCookbooksSource Password must not be a plaintext ' \
9
- 'string or a Ref to a NoEcho Parameter with a Default value.' \
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -5,8 +5,9 @@ require_relative 'sub_property_with_list_password_base_rule'
5
5
 
6
6
  class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
7
7
  def rule_text
8
- 'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext ' \
9
- 'string or a Ref to a NoEcho Parameter with a Default value.' \
8
+ 'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string '\
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSChannelPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSChannel PrivateKey must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSChannelTokenKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSSandboxChannelPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSSandboxChannelTokenKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSVoipChannelPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSVoipChannelTokenKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
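Review bot: `PinpointAPNSVoipChannelTokenKeyRule#rule_text` still opens with `'Pinpoint APNSChannel TokenKey must not be a plaintext string '`, the wording of the non-Voip rule, so a finding from this rule names the wrong resource type and points triage at the wrong resource. Since the message is being edited in this commit anyway, the first line should read `'Pinpoint APNSVoipChannel TokenKey must not be a plaintext string ' \`. The class continues past the hunk.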
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSVoipSandboxChannelPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext ' \
9
- 'string or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSVoipSandboxChannelTokenKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class RDSDBClusterMasterUserPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'RDS DB Cluster master user password must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class RDSDBInstanceMasterUserPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'RDS instance master user password must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
7
7
  class RDSDBInstanceMasterUsernameRule < PasswordBaseRule
8
8
  def rule_text
9
9
  'RDS instance master username must not be a plaintext string ' \
10
- 'or a Ref to a NoEcho Parameter with a Default value.'
10
+ 'or a Ref to a Parameter with a Default value. ' \
11
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
12
  end
12
13
 
13
14
  def rule_type
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
6
6
  class RedshiftClusterMasterUserPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Redshift Cluster master user password must not be a plaintext string ' \
9
- 'or a Ref to a NoEcho Parameter with a Default value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
10
11
  end
11
12
 
12
13
  def rule_type
@@ -6,7 +6,6 @@ require 'set'
6
6
  class ConditionMetric
7
7
  include Weights
8
8
 
9
- # rubocop:disable Metrics/AbcSize
10
9
  def metric(statement)
11
10
  return 0 if statement.condition.nil?
12
11
 
@@ -18,7 +17,6 @@ class ConditionMetric
18
17
  aggregate += values_with_policy_tags(statement.condition)
19
18
  aggregate
20
19
  end
21
- # rubocop:enable Metrics/AbcSize
22
20
 
23
21
  private
24
22
 
@@ -6,7 +6,6 @@ require 'cfn-nag/violation'
6
6
  class ColoredStdoutResults < StdoutResults
7
7
  private
8
8
 
9
- # rubocop:disable Metrics/AbcSize
10
9
  def message(message_type:,
11
10
  color:,
12
11
  message:,
@@ -24,7 +23,6 @@ class ColoredStdoutResults < StdoutResults
24
23
  puts colorize(color, '|') unless line_numbers.empty? && logical_resource_ids.nil?
25
24
  puts colorize(color, "| #{message}")
26
25
  end
27
- # rubocop:enable Metrics/AbcSize
28
26
 
29
27
  def color_code(color_symbol)
30
28
  case color_symbol
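--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: cfn-nag
  version: !ruby/object:Gem::Version
- version: 0.6.0
+ version: 0.6.5
  platform: ruby
  authors:
  - Eric Kascic
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2020-05-07 00:00:00.000000000 Z
+ date: 2020-06-02 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -72,14 +72,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.5.0
+ version: 0.5.1
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.5.0
+ version: 0.5.1
  - !ruby/object:Gem::Dependency
  name: logging
  requirement: !ruby/object:Gem::Requirement
@@ -381,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.1.2
+ rubygems_version: 3.1.3
  signing_key:
  specification_version: 4
  summary: cfn-nag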