How to access multi line values in yaml

[roco1234]

I have a cloudformation template that I want to write a rego policy for

Resources:
  SQSQueuePolicy:
    Type: "AWS::SQS::QueuePolicy"
    Properties:
      Queues:
        - "https://sqs.us-east-2.amazonaws.com/444455556666/example-queue"
      PolicyDocument:
        Fn::Sub: |
          {
            "Version": "2012-10-17",
            "Id": "QueuePolicy",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:example-queue",
                "Condition": {
                  "ArnEquals": {
                    "aws:SourceArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:example-topic"
                  }
                }
              }
            ]
          }

Where a multi line operator is used Fn::Sub: |, I cannot access the property values. Outputs are:

input.PolicyDocument = ["AWS::Region", "AWS::AccountId", "AWS::Region", "AWS::AccountId"]
input.PolicyDocument["Fn::Sub"] = undefined

If I use Fn::Sub: Outputs are:

input.PolicyDocument = {\"Fn::Sub\": {\"Id\": \"QueuePolicy\", \"Statement\": [{\"Action\": \"*\", \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"arn:aws:sns:${AWS::Region}:${AWS::AccountId}:example-topic\"}}, \"Effect\": \"Allow\", \"Principal\": \"*\", \"Resource\": \"arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:example-queue\"}], \"Version\": \"2012-10-17\"}}

input.PolicyDocument["Fn::Sub"] = {\"Id\": \"QueuePolicy\", \"Statement\": [{\"Action\": \"*\", \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"arn:aws:sns:${AWS::Region}:${AWS::AccountId}:example-topic\"}}, \"Effect\": \"Allow\", \"Principal\": \"*\", \"Resource\": \"arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:example-queue\"}], \"Version\": \"2012-10-17\"}

Is there some way to ensure values are not stripped when using a multi line operator in this way?

Sorry I can't create a playground example as there is no yaml option

[anderseknert]

Hi there!

The Rego Playground may not support YAML, but providing a more complete example, including the command(s) you run to evaluate this would help.

Using just the YAML file you provided for evaluation seems to work fine:

p.yaml

Resources:
  SQSQueuePolicy:
    Type: "AWS::SQS::QueuePolicy"
    Properties:
      Queues:
        - "https://sqs.us-east-2.amazonaws.com/444455556666/example-queue"
      PolicyDocument:
        Fn::Sub: |
          {
            "Version": "2012-10-17",
            "Id": "QueuePolicy",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:example-queue",
                "Condition": {
                  "ArnEquals": {
                    "aws:SourceArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:example-topic"
                  }
                }
              }
            ]
          }

➜ opa eval -f pretty -d p.yaml 'data.Resources.SQSQueuePolicy.Properties.PolicyDocument["Fn::Sub"]'
"{\n  \"Version\": \"2012-10-17\",\n  \"Id\": \"QueuePolicy\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": \"*\",\n      \"Action\": \"*\",\n      \"Resource\": \"arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:example-queue\",\n      \"Condition\": {\n        \"ArnEquals\": {\n          \"aws:SourceArn\": \"arn:aws:sns:${AWS::Region}:${AWS::AccountId}:example-topic\"\n        }\n      }\n    }\n  ]\n}"

➜ opa eval -f raw -d p.yaml 'data.Resources.SQSQueuePolicy.Properties.PolicyDocument["Fn::Sub"]'
{
  "Version": "2012-10-17",
  "Id": "QueuePolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:example-queue",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:example-topic"
        }
      }
    }
  ]
}