Does cfn_nag traverse the Globals section of SAM templates? #141

Closed
suhaibchishti opened this issue Sep 10, 2018 · 5 comments · Fixed by #381
Assignees
Labels
cfn-model customer Initiated from, or received feedback about from outside Stelligent

Comments

@suhaibchishti (Author):

Hi,

Sorry to bother you.
I created a rule to make Tags mandatory for Lambda Functions; however, my rule doesn't check the Globals section of a SAM template. Does cfn_nag support this kind of check?

LambdaFunctionTaggingMandatoryRule:

```ruby
require 'cfn-nag/violation'
require 'cfn-nag/custom_rules/base'

# Custom cfn_nag rule: every AWS::Lambda::Function must carry Tags.
class LambdaFunctionTaggingMandatoryRule < BaseRule
  def rule_text
    'Lambda Function is missing tags, please add tags to Lambda Function'
  end

  def rule_type
    Violation::FAILING_VIOLATION
  end

  def rule_id
    'F8000'
  end

  # Returns the logical IDs of functions whose processed model has no Tags.
  # Only the resource's own Properties are consulted here; a Tags value
  # supplied through the SAM Globals section is not seen by this check.
  def audit_impl(cfn_model)
    violating_lambdas = cfn_model.resources_by_type('AWS::Lambda::Function').select do |lambda_function|
      lambda_function.tags.nil?
    end

    violating_lambdas.map(&:logical_resource_id)
  end
end
```

@suhaibchishti (Author):

If the tags are placed in the Globals section, the rule fails, as expected. Can we make rules check the Globals section?

@ghost commented Sep 16, 2018:

Honestly, I'm not sure. The SAM support was added recently without me taking a careful look. Will try to look tonight or tomorrow and see where things are at.

@suhaibchishti (Author) commented Sep 25, 2018:

Thank you for your reply. I am aware SAM support is new, so I'm running my tests against the CloudFormation template created from the SAM template by the aws cloudformation package command. I am not running tests against the SAM template directly.

In the converted export-template.yml CloudFormation file, the Globals section appears like this:

```yaml
Conditions:
  isTestingStage:
    Fn::Not:
    - Fn::Equals:
      - Ref: Stage
      - prod
Description: 'This template is for creating the entire stack for Reference Data Management
  (RDM) service.

  '
Globals:
  Function:
    AutoPublishAlias:
      Ref: Stage
    Environment:
      Variables:
        LOG_LEVEL:
          Ref: LoggingLevel
    Runtime: nodejs8.10
    Tags:
      Team: Dev
```

@ghost commented Sep 25, 2018:

Ok, so if you are developing your own rule and operating against the template you just posted (with a Globals key), you can write a rule that runs against the "raw" model of the cfn template.

Globals isn't "processed" by the cfn-model objects, but you can access the Hash from the direct parse of the YAML inside your rule and make a decision on your own about what to do. There's nothing wrong with directly accessing the Hash, but where cfn-model provides "support" there is typically a better abstraction that simplifies the rule and allows it to ignore missing properties and issues with multiplicity.

An example of accessing the "raw" model is here:

```ruby
cfn_model.raw_model['Resources'].each do |resource_name, resource|
  # resource is the plain Hash parsed from the template for this logical ID
end
```
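The approach suggested above, worked through as an added example that is not part of the issue thread and not cfn-model's or cfn_nag's own code: a Globals-aware tag lookup written against the plain Hash that `cfn_model.raw_model` exposes, so it can run offline without the gems. The method names (`parse_template`, `effective_tags`, `untagged_functions`), the `GLOBALS_SECTION_FOR` table and the sample template are all constructed for illustration. It goes one step beyond the thread in two places: it merges resource-level Tags over the Globals Tags the way SAM does for map-valued properties, and it treats a plain `AWS::Lambda::Function` as outside the reach of Globals, which per the SAM spec applies only to `AWS::Serverless::*` types.

```ruby
require 'yaml'

# Resource types whose properties inherit from a Globals sub-section.
# Plain AWS::Lambda::Function resources are NOT covered by Globals; only
# the AWS::Serverless::* types are. (Table constructed for this example.)
GLOBALS_SECTION_FOR = {
  'AWS::Serverless::Function' => 'Function'
}.freeze

# Both spellings of "a function" that a tagging rule cares about.
FUNCTION_TYPES = ['AWS::Serverless::Function', 'AWS::Lambda::Function'].freeze

# Parse a template into the same plain Hash shape that cfn_model.raw_model
# holds. The long-form intrinsics used in the issue (Ref:, Fn::Not:) parse
# as ordinary mappings, so safe_load is sufficient here.
def parse_template(yaml_text)
  YAML.safe_load(yaml_text)
end

# Tags a function will actually carry once SAM applies Globals: the
# resource's own Tags merged over Globals.<section>.Tags (SAM merges
# map-valued properties such as Tags, with the resource's keys winning).
def effective_tags(raw_model, logical_id)
  resource = raw_model.fetch('Resources', {}).fetch(logical_id)
  own_tags = (resource['Properties'] || {})['Tags'] || {}
  section = GLOBALS_SECTION_FOR[resource['Type']]
  global_tags = section ? (raw_model.dig('Globals', section, 'Tags') || {}) : {}
  global_tags.merge(own_tags)
end

# Logical IDs of functions that end up with no tags at all. This is the
# result a Globals-aware audit_impl would return, instead of only testing
# lambda_function.tags.nil? on the processed model.
def untagged_functions(raw_model)
  resources = raw_model.fetch('Resources', {})
  resources.keys.select do |logical_id|
    FUNCTION_TYPES.include?(resources[logical_id]['Type']) &&
      effective_tags(raw_model, logical_id).empty?
  end
end

# Constructed sample template (not from the issue): one function tagged
# only via Globals, one adding its own tag on top, and one plain Lambda
# that Globals does not reach.
SAMPLE_TEMPLATE = <<~YAML
  AWSTemplateFormatVersion: '2010-09-09'
  Transform: AWS::Serverless-2016-10-31
  Parameters:
    Stage:
      Type: String
  Globals:
    Function:
      Runtime: nodejs8.10
      AutoPublishAlias:
        Ref: Stage
      Tags:
        Team: Dev
  Resources:
    TaggedViaGlobals:
      Type: AWS::Serverless::Function
      Properties:
        Handler: index.handler
        CodeUri: ./src
    TaggedDirectly:
      Type: AWS::Serverless::Function
      Properties:
        Handler: index.handler
        CodeUri: ./src
        Tags:
          Owner: alice
    PlainLambda:
      Type: AWS::Lambda::Function
      Properties:
        Handler: index.handler
        Runtime: nodejs8.10
        Role: arn:aws:iam::123456789012:role/lambda-exec
        Code:
          ZipFile: 'exports.handler = async () => ({});'
YAML

if __FILE__ == $PROGRAM_NAME
  model = parse_template(SAMPLE_TEMPLATE)
  puts "TaggedDirectly effective tags: #{effective_tags(model, 'TaggedDirectly')}"
  puts "untagged functions: #{untagged_functions(model)}"
end
```

Inside a real rule the `raw_model` argument is simply `cfn_model.raw_model`, and the resource Hash handed to the `each` block above is the same object `resources[logical_id]` returns here. The `PlainLambda` case is the caveat worth keeping in mind: if a rule is keyed on `AWS::Lambda::Function` after cfn-model's serverless transform has run, it has to know which of those functions started life as `AWS::Serverless::Function`, because only those inherit Globals.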

@ghost commented May 8, 2019:

Consult the code here:
stelligent/cfn-model@fa4856e

The serverless transform object in cfn-model is consulting Globals for a few properties (the code, runtime, handler, etc.). To finish this issue, we can generalize it to cover all the Globals.

@ghost ghost added the customer Initiated from, or received feedback about from outside Stelligent label May 29, 2019
@pshelby pshelby self-assigned this Feb 10, 2020
pshelby pushed a commit to pshelby/cfn_nag that referenced this issue Feb 20, 2020
@ghost ghost closed this as completed in #381 Feb 21, 2020
ghost pushed a commit that referenced this issue Feb 21, 2020
…381)

* Updating deprecated 'version' property to 'ruby-version' for setup-ruby action.

* #141 Upgrading cfn-model version to inherit Globals section parsing and adding validation test.