fix: adds validation for trusted principal arns in 'seedfarmer bootst…

…rap toolchain'
awslabs · Aug 1, 2024 · 17f5b95 · 17f5b95
1 parent 5c03f7c
commit 17f5b95
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,7 @@ This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a Ch
 ### Changes
 
 ### Fixes
-
+- Adds validation for trusted principal arns in `seedfarmer bootstrap toolchain`
 
 ## v4.0.4 (2024-07-19)
 

diff --git a/seedfarmer/cli_groups/_bootstrap_group.py b/seedfarmer/cli_groups/_bootstrap_group.py
@@ -57,8 +57,7 @@ def bootstrap() -> None:
     help="""ARN of Principals trusted to assume the Toolchain Role.
     This can be used multiple times to create a list.""",
     multiple=True,
-    required=False,
-    default=[],
+    required=True,
 )
 @click.option(
     "--permissions-boundary",

diff --git a/seedfarmer/commands/_bootstrap_commands.py b/seedfarmer/commands/_bootstrap_commands.py
@@ -15,6 +15,7 @@
 import json
 import logging
 import os
+import re
 import sys
 from typing import Any, Dict, List, Optional, Tuple, cast
 
@@ -96,6 +97,10 @@ def bootstrap_toolchain_account(
     if qualifier and not valid_qualifier(qualifier):
         raise seedfarmer.errors.InvalidConfigurationError("The Qualifier must be alphanumeric and 6 characters or less")
 
+    for arn in principal_arns:
+        if not re.match(r"arn:aws:(sts|iam)::(\d{12}|\*):.*$", arn):
+            raise seedfarmer.errors.InvalidConfigurationError(f"Trusted principal: {arn} is not a valid principal arn")
+
     role_stack_name = get_toolchain_role_name(project_name=project_name, qualifier=cast(str, qualifier))
     template = get_toolchain_template(
         project_name=project_name,

diff --git a/test/unit-test/test_commands_bootstrap.py b/test/unit-test/test_commands_bootstrap.py
@@ -187,6 +187,24 @@ def test_bootstrap_toolchain_account_synth_with_qualifier_fail(mocker, session):
         )
 
 
+@pytest.mark.commands
+@pytest.mark.commands_bootstrap
+@pytest.mark.parametrize("session", [boto3.Session()])
+def test_bootstrap_toolchain_account_synth_with_invalid_principal(mocker, session):
+    mocker.patch("seedfarmer.commands._bootstrap_commands.apply_deploy_logic", return_value="")
+
+    with pytest.raises(seedfarmer.errors.InvalidConfigurationError):
+        bc.bootstrap_toolchain_account(
+            project_name="testing",
+            principal_arns=["arn:aws:iam::foobar:role/AdminRole"],
+            permissions_boundary_arn=None,
+            region_name="us-east-1",
+            qualifier="asdfghdd",
+            synthesize=True,
+            as_target=False,
+        )
+
+
 @pytest.mark.commands
 @pytest.mark.commands_bootstrap
 @pytest.mark.parametrize("session", [boto3.Session()])