I am trying to verify the template generated by cdk synth using pytest.

This is part of the template. I am interested in checking the first "AWS" field.

"Resources": {
  "rdskey*******": {
   "Type": "AWS::KMS::Key",
   "Properties": {
    "Description": "KMS key for RDS Postgres encryption",
    "EnableKeyRotation": true,
    "KeyPolicy": {
     "Statement": [
      {
       "Action": "kms:*",
       "Effect": "Allow",
       "Principal": {
        "AWS": "arn:aws:iam::**********:root"
       },
       "Resource": "*"
      },
      {
       "Action": "kms:*",
       "Effect": "Allow",
       "Principal": {
        "AWS": "*"
       },
       "Resource": "*"
      },
      {
       "Action": [
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
       ],
       "Condition": {
        "StringEquals": {
         "kms:ViaService": "secretsmanager.eu-central-1.amazonaws"
        }
       },
       "Effect": "Allow",
       "Principal": {
        "AWS": "arn:aws:iam::*********:root"
       },
       "Resource": "*"
      },
      {
       "Action": "kms:Decrypt",
       "Condition": {
        "StringEquals": {
         "kms:ViaService": "secretsmanager.eu-central-1.amazonaws"
        }
       },
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::GetAtt": [
          "fbodbInitDbLambdaServiceRole******",
          "Arn"
         ]
        }
       },
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },

Using the following code, I would expect a positive result; however, I get the following error:

from aws_cdk.assertions import Match, Template  # template = Template.from_stack(stack)

template.has_resource_properties("AWS::KMS::Key", {
    "KeyPolicy": {
        "Statement": Match.array_with([
            Match.object_equals({
                "Action": "kms:*",
                "Effect": "Allow",
                "Principal": {
                    "AWS": Match.string_like_regexp("arn:aws:iam")  # BUG DOES NOT WORK
                },
                "Resource": "*"
            })
        ])
    }
})

I get this error. I don't understand where the "Fn::Join": [ ... ] comes from.

E           RuntimeError: Error: Template has 1 resources with type AWS::KMS::Key, but none match as expected.
E           The 1 closest matches:
E           rdskey8C828B6D :: {
E             "DeletionPolicy": "Delete",
E             "Properties": {
E               "Description": "KMS key for RDS Postgres encryption",
E               "EnableKeyRotation": true,
E               "KeyPolicy": {
E                 "Statement": [
E           !!       Could not match arrayWith pattern 0. This is the closest match
E                   {
E                     "Action": "kms:*",
E                     "Effect": "Allow",
E                     "Principal": {
E           !!           Expected type string but received object
E                       "AWS": {
E                         "Fn::Join": [ ... ]
E                       }
E                     },
E                     "Resource": "*"
E                   },
E                   { ... },
E                   { ... },
E                   { ... }
E                 ],
E                 "Version": "2012-10-17"
E               },
E               "KeySpec": "SYMMETRIC_DEFAULT",
E               "RotationPeriodInDays": 90
E             },
E             "Type": "AWS::KMS::Key",
E             "UpdateReplacePolicy": "Delete"
E           }
.venv/lib/python3.10/site-packages/jsii/_kernel/providers/process.py:342: RuntimeError
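As an added example (not code from the question or from the CDK library), the plain-Python snippet below shows why the string matcher has nothing to match: before deployment the synthesized template carries the account-root ARN as an unresolved `Fn::Join` object rather than a string, and the intrinsic has to be resolved (or matched structurally) before a regex applies. It also flags the wildcard-principal statement that appears in the template above. The exact `Fn::Join` shape and the pseudo-parameter values are assumptions, since the error output elides them.

```python
import re

# Constructed stand-ins for the CloudFormation pseudo parameters that cdk synth
# leaves unresolved; a real deployment substitutes the target account's values.
PSEUDO_PARAMS = {"AWS::Partition": "aws", "AWS::AccountId": "123456789012"}

def resolve(node, params=PSEUDO_PARAMS):
    """Replace Fn::Join and Ref-to-pseudo-parameter intrinsics with plain strings
    so that string matchers (such as a regex) can be applied to the result."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and node["Ref"] in params:
            return params[node["Ref"]]
        if set(node) == {"Fn::Join"}:
            delimiter, parts = node["Fn::Join"]
            parts = [resolve(p, params) for p in parts]
            if all(isinstance(p, str) for p in parts):
                return delimiter.join(parts)
            return {"Fn::Join": [delimiter, parts]}  # still holds unresolved refs
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node

def principal_arns(statement):
    """Principal.AWS of one policy statement, resolved, as a list."""
    aws = resolve(statement.get("Principal", {})).get("AWS", [])
    return aws if isinstance(aws, list) else [aws]

def has_root_principal(key_policy, pattern=r"^arn:aws:iam::\d{12}:root$"):
    """True if any statement grants to an account-root ARN matching pattern."""
    return any(re.match(pattern, arn) for s in key_policy["Statement"]
               for arn in principal_arns(s) if isinstance(arn, str))

def wildcard_principal_statements(key_policy):
    """Indexes of Allow statements whose Principal.AWS is "*" (any caller)."""
    return [i for i, s in enumerate(key_policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in principal_arns(s)]

# Constructed key policy: statement 0 uses the Fn::Join form cdk synth emits for
# an account-root principal (assumed shape of the elided "Fn::Join": [ ... ]);
# statement 1 mirrors the wildcard-principal statement in the question's template.
ROOT_ARN = {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::",
                              {"Ref": "AWS::AccountId"}, ":root"]]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "kms:*", "Effect": "Allow", "Principal": {"AWS": ROOT_ARN}, "Resource": "*"},
    {"Action": "kms:*", "Effect": "Allow", "Principal": {"AWS": "*"}, "Resource": "*"},
]}
```

The dict returned by `Template.to_json()` in aws_cdk.assertions can be fed to these helpers directly, so the same check can run inside the pytest suite next to `has_resource_properties`.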

Tags: aws cdk; AWS CDK Verifying Template; Stack Overflow