
Exception when parsing custom resources #223

Closed
jangroth opened this issue Jun 5, 2019 · 8 comments
Labels
cfn-model customer Initiated from, or received feedback about from outside Stelligent

Comments

@jangroth

jangroth commented Jun 5, 2019

We are using custom resources (SAM transformation) in our CFN:

Resources:
  VPC:
    Type: Versent::Network::VPC
[...]
Transform:
  Name: "123456789012::VPC"

This causes cfn_nag to throw an exception:

$ cfn_nag --debug ./aws/*.yaml
/usr/local/bundle/gems/cfn-model-0.4.0/lib/cfn-model/parser/cfn_parser.rb:218:in `generate_resource_class_from_type': Unknown namespace in resource type: Versent (RuntimeError)
	from /usr/local/bundle/gems/cfn-model-0.4.0/lib/cfn-model/parser/cfn_parser.rb:189:in `rescue in class_from_type_name'

Also, I don't seem to find a way to exclude an individual file from parsing? Would appreciate it if someone could point me in the right direction.

@ghost

ghost commented Jun 6, 2019

Yeah, transforms are giving the underlying parser some troubles. Right now it expects either AWS or Custom for the type, and raises that exception otherwise. I will work on having it relax that expectation.

As far as removing an individual file from parsing, you could do a find with proper exclusions and then pipe the files into cfn_nag.... If you are using cfn_nag_scan, there's likely not a great way to exclude a file.... You might be able to hack something together with a regexp pattern to --template-pattern, but it's going to look ugly (er, if you can even get it to work with negative lookahead?).

@ghost ghost added the customer Initiated from, or received feedback about from outside Stelligent label Jun 28, 2019
@twellspring
Contributor

@erickascic negative lookahead works. This pattern

cfn_nag_scan --input-path . --template-pattern='^((?!fail).)*$'

shows only files without the word fail.

Note: technically this is vulnerable to Regular Expression Denial of Service attacks, but I'm not sure that is exploitable in any significant way.

@twellspring
Contributor

@jangroth Did the negative lookahead regex help you with excluding files from parsing?

@jangroth
Author

jangroth commented Jul 16, 2019

I ended up piping into cfn_nag:

ls -1 aws/*.yaml | grep -v "vpc.yaml" | xargs cfn_nag $1

@ayeks

ayeks commented Jul 17, 2019

@twellspring The regex on its own works; however, in combination with cfn_nag_scan it fails if there are any non-CloudFormation files in the directory.

Working example that parses every .yaml and .json file but no file that includes the word fail:

cfn_nag_scan --input-path . --template-pattern='^((?!fail).)*(.yaml|.json)$'
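As an added illustration (not code from cfn_nag or from anyone in this thread) of how the two patterns above select files, assuming cfn_nag_scan matches --template-pattern against each file's relative path under --input-path; the constructed file list and the escaped-dot variant are my own additions.

```ruby
# Emulates --template-pattern selection over a constructed directory listing
# (these file names are made up for the example and are not from the issue).
FILES = %w[
  aws/vpc.yaml
  aws/app.json
  aws/fail-test.yaml
  README.md
  scripts/deploy.sh
].freeze

# Pattern from the thread: excludes anything containing "fail", but admits
# every other file, including non-CloudFormation files such as README.md.
LOOKAHEAD_ONLY = '^((?!fail).)*$'

# Pattern from the thread: additionally requires a .yaml/.json suffix.
# Note the unescaped dots: "." matches any character, so "xyaml" also passes.
LOOKAHEAD_WITH_EXT = '^((?!fail).)*(.yaml|.json)$'

# Hardened variant (my addition, not from the thread): escaped dot and an
# explicit extension list, so only real .yaml/.yml/.json names are selected.
LOOKAHEAD_ESCAPED = '^((?!fail).)*\.(ya?ml|json)$'

# Returns the subset of +files+ whose path matches +pattern+ (a Ruby regex
# source string, as --template-pattern is interpreted as one).
def select_templates(files, pattern)
  re = Regexp.new(pattern)
  files.select { |f| re.match?(f) }
end

if __FILE__ == $PROGRAM_NAME
  [LOOKAHEAD_ONLY, LOOKAHEAD_WITH_EXT, LOOKAHEAD_ESCAPED].each do |p|
    puts "#{p} -> #{select_templates(FILES, p).inspect}"
  end
end
```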

@twellspring
Contributor

Thanks @ayeks, that is a good addition to the regex. Seems like the excluding files part of this issue is answered.

@jangroth I just opened an issue in the cfn-model for the custom resource exception issue.
#223

@twellspring
Contributor

Leaving issue open for visibility

@ghost

ghost commented Jan 6, 2020

While we still need a major re-think on how to handle transforms, cfn-nag 0.4.52 has a fix that should at least stop the exception for this example. If not, please open a new issue with a more complete piece of test data. Thx!

@ghost ghost closed this as completed Jan 6, 2020