Exceptions for hardcoded authorizer uri in I3042 (#3684)

* Exceptions for hardcoded authorizer uri in I3042
aws-cloudformation · Sep 11, 2024 · 3100f8c · 3100f8c
1 parent 6376c63
commit 3100f8c
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/src/cfnlint/rules/resources/HardCodedArnProperties.py b/src/cfnlint/rules/resources/HardCodedArnProperties.py
@@ -47,6 +47,12 @@ def __init__(self):
                 "type": "boolean",
             },
         }
+        self.exceptions = {
+            "AWS::ApiGateway::Authorizer": [
+                ["Properties", "AuthorizerUri"],
+            ]
+        }
+
         self.configure()
 
     def _match_values(self, cfnelem, path):
@@ -96,6 +102,17 @@ def match(self, cfn: Template) -> RuleMatches:
             path = ["Resources"] + parameter_string_path[:-1]
             candidate = parameter_string_path[-1]
 
+            resource_name = path[1]
+            _type = cfn.template.get("Resources", {}).get(resource_name, {}).get("Type")
+            is_exception = False
+            if _type in self.exceptions:
+                for exception in self.exceptions[_type]:
+                    if all(x[0] == x[1] for x in zip(path[2:], exception)):
+                        is_exception = True
+
+            if is_exception:
+                continue
+
             # ruff: noqa: E501
             # !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
             # is valid even with aws as the account #.  This handles empty string

diff --git a/test/fixtures/templates/bad/hard_coded_arn_properties.yaml b/test/fixtures/templates/bad/hard_coded_arn_properties.yaml
@@ -77,3 +77,11 @@ Resources:
               - !Sub arn:${AWS::Partition}:sns:${AWS::Partition}:${AWS::AccountId}:TestTopic
       Roles:
         - !Ref SampleRole
+
+  Authorizer:
+    Type: AWS::ApiGateway::Authorizer
+    Properties:
+      AuthorizerUri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:Name/invocations
+      RestApiId: RestApiId
+      Type: REQUEST
+      Name: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:Name/invocations
diff --git a/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml b/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
@@ -0,0 +1,8 @@
+Resources:
+  Authorizer:
+    Type: AWS::ApiGateway::Authorizer
+    Properties:
+      AuthorizerUri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:Name/invocations
+      RestApiId: RestApiId
+      Type: REQUEST
+      Name: Name
diff --git a/test/unit/rules/resources/test_hardcodedarnproperties.py b/test/unit/rules/resources/test_hardcodedarnproperties.py
@@ -19,6 +19,7 @@ def setUp(self):
         super(TestHardCodedArnProperties, self).setUp()
         self.collection.register(HardCodedArnProperties())
         self.success_templates = [
+            "test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml",
             "test/fixtures/templates/good/resources/properties/hard_coded_arn_properties_sam.yaml",
         ]
 
@@ -70,7 +71,7 @@ def test_file_negative_region(self):
     def test_file_negative_accountid(self):
         self.helper_file_negative(
             "test/fixtures/templates/bad/hard_coded_arn_properties.yaml",
-            1,
+            2,
             ConfigMixIn(
                 [],
                 include_experimental=True,