""" Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0 """ from cfnlint.helpers import bool_compare from cfnlint.rules import CloudFormationLintRule, RuleMatch class NoEcho(CloudFormationLintRule): id = "W4002" shortdesc = "Check for NoEcho References" description = "Check if there is a NoEcho enabled parameter referenced within a resources Metadata section" source_url = "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html#parameters-section-structure-properties" tags = ["resources", "NoEcho"] def _get_no_echo_params(self, cfn): """Get no Echo Params""" no_echo_params = [] for parameter_name, parameter_value in cfn.get_parameters().items(): if isinstance(parameter_value, dict): noecho = parameter_value.get("NoEcho", default=False) if bool_compare(noecho, True): no_echo_params.append(parameter_name) return no_echo_params def _check_ref(self, cfn, no_echo_params): """Check Refs""" matches = [] refs = cfn.search_deep_keys("Ref") for ref in refs: if ref[-1] in no_echo_params: if len(ref) > 3: if ref[0] == "Resources" and ref[2] == "Metadata": matches.append( RuleMatch( ref, 'As the resource "metadata" section contains ' + 'reference to a "NoEcho" parameter ' + str(ref[-1]) + ", CloudFormation will display the parameter value in " + "plaintext", ) ) return matches def _check_sub(self, cfn, no_echo_params): """Check Subs""" matches = [] subs = cfn.search_deep_keys("Fn::Sub") for sub in subs: if isinstance(sub[-1], str): params = cfn.get_sub_parameters(sub[-1]) for param in params: if param in no_echo_params: if len(sub) > 2: if sub[0] == "Resources" and sub[2] == "Metadata": matches.append( RuleMatch( sub[:-1], 'As the resource "metadata" section contains ' + 'reference to a "NoEcho" parameter ' + str(param) + ", CloudFormation will display the parameter value in " + "plaintext", ) ) return matches def match(self, cfn): matches = [] no_echo_params = self._get_no_echo_params(cfn) if not no_echo_params: return matches matches.extend(self._check_ref(cfn, no_echo_params)) matches.extend(self._check_sub(cfn, no_echo_params)) return matches
Name | Type | Size | Permission | Actions |
---|---|---|---|---|
__pycache__ | Folder | 0755 |
|
|
backup | Folder | 0755 |
|
|
certificatemanager | Folder | 0755 |
|
|
cloudformation | Folder | 0755 |
|
|
cloudfront | Folder | 0755 |
|
|
codepipeline | Folder | 0755 |
|
|
dynamodb | Folder | 0755 |
|
|
ecs | Folder | 0755 |
|
|
ectwo | Folder | 0755 |
|
|
elasticache | Folder | 0755 |
|
|
elb | Folder | 0755 |
|
|
events | Folder | 0755 |
|
|
iam | Folder | 0755 |
|
|
lmbd | Folder | 0755 |
|
|
properties | Folder | 0755 |
|
|
rds | Folder | 0755 |
|
|
route53 | Folder | 0755 |
|
|
stepfunctions | Folder | 0755 |
|
|
updatepolicy | Folder | 0755 |
|
|
ApproachingLimitName.py | File | 686 B | 0644 |
|
ApproachingLimitNumber.py | File | 690 B | 0644 |
|
BothUpdateReplacePolicyDeletionPolicyNeeded.py | File | 1.74 KB | 0644 |
|
CircularDependency.py | File | 1.18 KB | 0644 |
|
Configuration.py | File | 6.97 KB | 0644 |
|
DeletionPolicy.py | File | 3.91 KB | 0644 |
|
DependsOn.py | File | 2.7 KB | 0644 |
|
DependsOnObsolete.py | File | 3.01 KB | 0644 |
|
HardCodedArnProperties.py | File | 4.71 KB | 0644 |
|
LimitName.py | File | 704 B | 0644 |
|
LimitNumber.py | File | 692 B | 0644 |
|
Modules.py | File | 2.8 KB | 0644 |
|
Name.py | File | 688 B | 0644 |
|
NoEcho.py | File | 3.2 KB | 0644 |
|
PreviousGenerationInstanceType.py | File | 4.2 KB | 0644 |
|
ResourceSchema.py | File | 1.74 KB | 0644 |
|
RetentionPeriodOnResourceTypesWithAutoExpiringContent.py | File | 6.42 KB | 0644 |
|
ServerlessTransform.py | File | 1.59 KB | 0644 |
|
UniqueNames.py | File | 924 B | 0644 |
|
UpdateReplacePolicy.py | File | 4.07 KB | 0644 |
|
UpdateReplacePolicyDeletionPolicyOnStatefulResourceTypes.py | File | 2.09 KB | 0644 |
|
__init__.py | File | 106 B | 0644 |
|