From b4b7e4e59169dff23ad130562e69fa4eb5a12192 Mon Sep 17 00:00:00 2001
From: Kevin DeJong
Date: Tue, 11 Feb 2025 10:57:47 -0800
Subject: [PATCH] Allow asterisks for rule I3042 (#3954)

---
 .../rules/resources/HardCodedArnProperties.py | 6 +++---
 .../properties/hard_coded_arn_properties.yaml | 12 ++++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/cfnlint/rules/resources/HardCodedArnProperties.py b/src/cfnlint/rules/resources/HardCodedArnProperties.py
index 10dbd80da5..fff3548942 100644
--- a/src/cfnlint/rules/resources/HardCodedArnProperties.py
+++ b/src/cfnlint/rules/resources/HardCodedArnProperties.py
@@ -101,7 +101,7 @@ def match(self, cfn: Template) -> RuleMatches:
 # !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
 # is valid even with aws as the account #. This handles empty string
 if self.config["partition"] and not re.match(
- r"^\$\{\w+}|\$\{AWS::Partition}|$", candidate[0]
+ r"^\$\{\w+}|\$\{AWS::Partition}|\*|$", candidate[0]
 ):
 # or not re.match(r'^(\$\{\w+}|\$\{AWS::Region}|)$',candidate[1])
 # or not re.match(r'^\$\{\w+}|\$\{AWS::AccountId}|aws|$', candidate[2]):
@@ -111,7 +111,7 @@ def match(self, cfn: Template) -> RuleMatches:
 )
 matches.append(RuleMatch(path, message.format(path[1])))
 if self.config["region"] and not re.match(
- r"^(\$\{\w+}|\$\{AWS::Region}|)$", candidate[1]
+ r"^(\$\{\w+}|\$\{AWS::Region}|\*|)$", candidate[1]
 ):
 # or or not re.match(r'^\$\{\w+}|\$\{AWS::AccountId}|aws|$', candidate[2]):
 message = (
@@ -123,7 +123,7 @@ def match(self, cfn: Template) -> RuleMatches:
 # Lambda is added for authorizer's Uniform Resource Identifier (URI)
 # https://github.com/aws-cloudformation/cfn-lint/issues/3716
 if self.config["accountId"] and not re.match(
- r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|$", candidate[2]
+ r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|\*|$", candidate[2]
 ):
 if candidate[2] not in ["cloudfront"]:
 message = (
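Review bot: The new `\*` alternative on the `+` line of the partition check is anchored only at the start, because `^` binds to the first branch alone and the `$` branch is separate, so `re.match` accepts any partition field that merely begins with `*` (e.g. `*aws` or `**`), not just a bare wildcard; the `${AWS::Partition}` branch already had the same looseness. The region check in the next hunk of this same function groups its alternation, and mirroring that here makes the new exemption exact: `r"^(\$\{\w+}|\$\{AWS::Partition}|\*|)$"`. A wildcard partition makes the ARN match every partition, so the comment above the check should also record that a bare `*` is deliberately treated as "not hard-coded" rather than reported, e.g. `# "*" is a wildcard, not a hard-coded partition, so it is exempt`. `match` starts before and continues after this hunk.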
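Review bot: The added `\*` branch on the `+` line of the accountId check inherits this pattern's loose anchoring: `^` applies only to the `\$\{\w+}` branch and `$` is its own branch, so `re.match` also passes account fields such as `*123`, and the `cloudfront` special case below is only reached for fields that fail the regex. Grouping the alternation as the region check does, `r"^(\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|\*|)$"`, limits the exemption to the placeholders, `aws`, `lambda`, a bare `*` and the empty string. It is also worth a comment that accepting `*` here means a Resource ARN with a wildcard account, as in the new fixture, is no longer reported by I3042; that is consistent with the rule being about hard-coding rather than scope, but a reader may otherwise expect it to catch cross-account wildcards, e.g. `# "*" is a wildcard account, not a hard-coded one; over-broad scope is outside this rule`. `match` continues outside this hunk.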
diff --git a/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml b/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
index 8e8add11fb..337a6d0e9c 100644
--- a/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
+++ b/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
@@ -26,3 +26,15 @@ Resources:
 AWS: !Sub arn:${AWS::Partition}:iam::cloudfront:user/CloudFront Origin Access Identity E15MNIMTCFKK4C
 Action: s3:GetObject
 Resource: arn:aws:s3:::bucket/*
+ Policy:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Action: "*"
+ Resource:
+ - !Sub "arn:*:quicksight:${AWS::Region}:${AWS::AccountId}:dataset/*"
+ - !Sub "arn:${AWS::Partition}:quicksight:*:${AWS::AccountId}:dataset/*"
+ - !Sub "arn:${AWS::Partition}:quicksight:${AWS::Region}:*:dataset/*"
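Review bot: The new fixture covers only the accepting side: all three `!Sub` entries live in the `good/` template, so nothing asserts that the widened patterns still report a hard-coded partition, region or account sitting next to a wildcard, e.g. `arn:aws:quicksight:*:123456789012:dataset/*`, and a bad-fixture counterpart with such an ARN would pin that. Separately, the new `Policy` resource grants `Effect: "Allow"` with `Action: "*"`; that is enough to exercise I3042, but if this good-fixture directory is also run through the IAM policy rules it may be flagged there, and a narrow action such as `Action: "quicksight:DescribeDataSet"` exercises the same ARN paths without the blanket grant. The `Resources:` mapping starts before this hunk.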