Status: Open
Labels: bug (Something isn't working)
Description
Describe the bug
Suppression rules on resources are being ignored for certain rules, resulting in a template failing validation. Most suppression rules are adhered to and do not result in failures.
To Reproduce
Please supply:
```yaml
Resources:
  ElasticContainerTaskExecutionRole:
    Type: AWS::IAM::Role
    Metadata:
      guard:
        SuppressedRules:
          - CFN_NO_EXPLICIT_RESOURCE_NAMES # Needlessly restrictive
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      RoleName: task-execution-role
```
Command:

```sh
cfn-guard validate --rules /home/redacted/development/aws-guard-rules-registry/rules/aws --data /home/redacted/development/ecs/task/product.template
```
Result:

```text
/home/redacted/development/ecs/task/product.template Status = FAIL
FAILED rules
cfn_no_explicit_resource_names.guard/CFN_NO_EXPLICIT_RESOURCE_NAMES    FAIL
---
Evaluating data /home/redacted/development/ecs/task/product.template against rules cfn_no_explicit_resource_names.guard
Number of non-compliant resources 2
Resource = ElasticContainerTaskExecutionRole {
  Type      = AWS::IAM::Role
  Rule = CFN_NO_EXPLICIT_RESOURCE_NAMES {
    ALL {
      Check =  RoleName EMPTY  {
        ComparisonError {
          Error            = Check was not compliant as property [/Resources/ElasticContainerTaskExecutionRole/Properties/RoleName[L:309,C:16]] was not empty.
          PropertyPath     = /Resources/ElasticContainerTaskExecutionRole/Properties/RoleName[L:309,C:16]
          Operator         = EMPTY
          Code:
              307.                Service: ecs-tasks.amazonaws.com
              308.            ManagedPolicyArns:
              309.              - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
              310.            RoleName: task-execution-role
              311.
              312.      ExternalRecordSet:
        }
      }
    }
  }
}
```
Expected behavior
Suppressing a rule on a resource should not result in failures.
Operating System:
Ubuntu
OS Version
24.04
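An added example, not the reporter's or cfn-guard's own code, that audits whether a `Metadata.guard.SuppressedRules` entry was actually honored: it collects each resource's suppressed rules from the template (embedded here as the dict a YAML parser would produce, to avoid a dependency) and cross-checks them against the `Resource = ... { Rule = ... {` pairs in cfn-guard's failure output. Any pair that survives is a suppression that was ignored, which is exactly the condition this report describes; the regexes assume the output layout quoted above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the reporter's template, reduced to the fields the audit
# needs and written as the dict a YAML loader would return.
TEMPLATE = {
    "Resources": {
        "ElasticContainerTaskExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Metadata": {"guard": {"SuppressedRules": ["CFN_NO_EXPLICIT_RESOURCE_NAMES"]}},
            "Properties": {"RoleName": "task-execution-role"},
        }
    }
}

# Constructed excerpt of the cfn-guard output quoted in the report.
GUARD_OUTPUT = """\
Resource = ElasticContainerTaskExecutionRole {
  Type      = AWS::IAM::Role
  Rule = CFN_NO_EXPLICIT_RESOURCE_NAMES {
    ALL {
      Check =  RoleName EMPTY  {
"""

RESOURCE_RE = re.compile(r"^\s*Resource = (\S+) \{")
RULE_RE = re.compile(r"^\s*Rule = (\S+) \{")


def suppressions(template: dict) -> Dict[str, Set[str]]:
    """Map each logical resource id to the rules listed under Metadata.guard.SuppressedRules."""
    out: Dict[str, Set[str]] = {}
    for name, res in template.get("Resources", {}).items():
        rules = res.get("Metadata", {}).get("guard", {}).get("SuppressedRules") or []
        out[name] = set(rules)
    return out


def failed_rules(output: str) -> List[Tuple[str, str]]:
    """Parse (resource, rule) pairs from cfn-guard's verbose failure output."""
    pairs: List[Tuple[str, str]] = []
    current = None  # resource block we are currently inside
    for line in output.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and current:
            pairs.append((current, m.group(1)))
    return pairs


def ignored_suppressions(template: dict, output: str) -> List[Tuple[str, str]]:
    """Return failures reported for a resource that had suppressed that very rule."""
    supp = suppressions(template)
    return [(r, rule) for r, rule in failed_rules(output) if rule in supp.get(r, set())]
```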