Allow asterisks for rule I3042 (#3954)

aws-cloudformation · Feb 11, 2025 · b4b7e4e · b4b7e4e
1 parent f6952aa
commit b4b7e4e
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/src/cfnlint/rules/resources/HardCodedArnProperties.py b/src/cfnlint/rules/resources/HardCodedArnProperties.py
@@ -101,7 +101,7 @@ def match(self, cfn: Template) -> RuleMatches:
             # !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
             # is valid even with aws as the account #.  This handles empty string
             if self.config["partition"] and not re.match(
-                r"^\$\{\w+}|\$\{AWS::Partition}|$", candidate[0]
+                r"^\$\{\w+}|\$\{AWS::Partition}|\*|$", candidate[0]
             ):
                 # or not re.match(r'^(\$\{\w+}|\$\{AWS::Region}|)$',candidate[1])
                 # or not re.match(r'^\$\{\w+}|\$\{AWS::AccountId}|aws|$', candidate[2]):
@@ -111,7 +111,7 @@ def match(self, cfn: Template) -> RuleMatches:
                 )
                 matches.append(RuleMatch(path, message.format(path[1])))
             if self.config["region"] and not re.match(
-                r"^(\$\{\w+}|\$\{AWS::Region}|)$", candidate[1]
+                r"^(\$\{\w+}|\$\{AWS::Region}|\*|)$", candidate[1]
             ):
                 # or  or not re.match(r'^\$\{\w+}|\$\{AWS::AccountId}|aws|$', candidate[2]):
                 message = (
@@ -123,7 +123,7 @@ def match(self, cfn: Template) -> RuleMatches:
             # Lambda is added for authorizer's Uniform Resource Identifier (URI)
             # https://github.com/aws-cloudformation/cfn-lint/issues/3716
             if self.config["accountId"] and not re.match(
-                r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|$", candidate[2]
+                r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|\*|$", candidate[2]
             ):
                 if candidate[2] not in ["cloudfront"]:
                     message = (

diff --git a/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml b/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
@@ -26,3 +26,15 @@ Resources:
               AWS: !Sub arn:${AWS::Partition}:iam::cloudfront:user/CloudFront Origin Access Identity E15MNIMTCFKK4C
             Action: s3:GetObject
             Resource: arn:aws:s3:::bucket/*
+  Policy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+        - Effect: "Allow"
+          Action: "*"
+          Resource:
+          - !Sub "arn:*:quicksight:${AWS::Region}:${AWS::AccountId}:dataset/*"
+          - !Sub "arn:${AWS::Partition}:quicksight:*:${AWS::AccountId}:dataset/*"
+          - !Sub "arn:${AWS::Partition}:quicksight:${AWS::Region}:*:dataset/*"