From 9040c028d22bf4adb338c7ef6acd4c92c57091cf Mon Sep 17 00:00:00 2001
From: Ignacio Bolonio <>
Date: Mon, 5 Feb 2024 18:05:29 +0100
Subject: [PATCH 1/6] KeyPolicy made optional for KMS Key

---
 pycfmodel/model/resources/kms_key.py | 2 +-
 tests/resources/test_kms_key.py | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/pycfmodel/model/resources/kms_key.py b/pycfmodel/model/resources/kms_key.py
index 40820c0..86971c5 100644
--- a/pycfmodel/model/resources/kms_key.py
+++ b/pycfmodel/model/resources/kms_key.py
@@ -28,7 +28,7 @@ class KMSKeyProperties(CustomModel):
 Description: Optional[ResolvableStr] = None
 Enabled: Optional[ResolvableBool] = None
 EnableKeyRotation: Optional[ResolvableBool] = None
- KeyPolicy: Resolvable[PolicyDocument]
+ KeyPolicy: Optional[Resolvable[PolicyDocument]] = None
 KeySpec: Optional[ResolvableStr] = None
 KeyUsage: Optional[ResolvableStr] = None
 MultiRegion: Optional[ResolvableBool] = None
diff --git a/tests/resources/test_kms_key.py b/tests/resources/test_kms_key.py
index 861a77b..d879ac2 100644
--- a/tests/resources/test_kms_key.py
+++ b/tests/resources/test_kms_key.py
@@ -63,6 +63,19 @@ def kms_key():
 )
 
 
+@pytest.fixture()
+def kms_key_no_policy():
+ return KMSKey(
+ **{
+ "Type": "AWS::KMS::Key",
+ "Properties": {
+ "Enabled": True,
+ "EnableKeyRotation": True,
+ }
+ }
+ )
+
+
 def test_actions(kms_key):
 assert [
 "kms:CancelKeyDeletion",
@@ -168,3 +181,7 @@ def test_kms_policy_documents(kms_key):
 ),
 )
 ]
+
+
+def test_kms_no_policy(kms_key_no_policy):
+ assert kms_key_no_policy.Properties.KeyPolicy == None
From a13ea558af5be9357d554794769e6e4216191130 Mon Sep 17 00:00:00 2001
From: Ignacio Bolonio <>
Date: Mon, 5 Feb 2024 18:09:49 +0100
Subject: [PATCH 2/6] make format

---
 tests/resources/test_kms_key.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/resources/test_kms_key.py b/tests/resources/test_kms_key.py
index d879ac2..9257324 100644
--- a/tests/resources/test_kms_key.py
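Review bot: With `KeyPolicy` now defaulting to `None` in `KMSKeyProperties`, every reader of `Properties.KeyPolicy` has to handle a missing document, and nothing in this hunk shows whether the code that derives policy documents or actions from the key (outside the hunk) does so. The field also needs a comment, because for anyone auditing a template an omitted key policy means neither an unrestricted nor an inaccessible key: AWS KMS attaches its default key policy when the property is left out. I would add above the field `# Optional in CloudFormation: when omitted, KMS applies its default key policy, so None means "default policy", not "no policy".` The class body begins and ends outside the hunk.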
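Review bot: `test_kms_no_policy` pins only the field value, while the derived behaviour visible in this file (`test_actions`, `test_kms_policy_documents`) is exercised solely through the `kms_key` fixture, which carries a policy. The policy-less key is the input that security rules built on this model will now receive, so the same accessors should be asserted for the new `kms_key_no_policy` fixture, to establish that a `None` policy neither raises nor gets wrapped as if it were a document. Something like `assert kms_key_no_policy.policy_documents == []` would do it, though the expected value depends on model code outside this diff and needs confirming.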
+++ b/tests/resources/test_kms_key.py
@@ -71,7 +71,7 @@ def kms_key_no_policy():
 "Properties": {
 "Enabled": True,
 "EnableKeyRotation": True,
- }
+ },
 }
 )
 
From 7cd78b57fc810037e28d46049f28d6c6f7a2752d Mon Sep 17 00:00:00 2001
From: Ignacio Bolonio <>
Date: Mon, 5 Feb 2024 18:11:02 +0100
Subject: [PATCH 3/6] fix test

---
 tests/resources/test_kms_key.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/resources/test_kms_key.py b/tests/resources/test_kms_key.py
index 9257324..44db252 100644
--- a/tests/resources/test_kms_key.py
+++ b/tests/resources/test_kms_key.py
@@ -184,4 +184,4 @@ def test_kms_policy_documents(kms_key):
 
 
 def test_kms_no_policy(kms_key_no_policy):
- assert kms_key_no_policy.Properties.KeyPolicy == None
+ assert kms_key_no_policy.Properties.KeyPolicy is None
From 0782de6c4936fdf29c7a9725f64dd56736670ab1 Mon Sep 17 00:00:00 2001
From: Ignacio Bolonio <>
Date: Mon, 5 Feb 2024 18:14:32 +0100
Subject: [PATCH 4/6] python3 scripts/generate_cloudformation_actions_file.py

---
 pycfmodel/cloudformation_actions.py | 45 +++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/pycfmodel/cloudformation_actions.py b/pycfmodel/cloudformation_actions.py
index 3e48620..e9b884f 100644
--- a/pycfmodel/cloudformation_actions.py
+++ b/pycfmodel/cloudformation_actions.py
@@ -1535,6 +1535,7 @@ "cases:CreateTemplate", "cases:DeleteDomain", "cases:GetCase", + "cases:GetCaseAuditEvents", "cases:GetCaseEventConfiguration", "cases:GetDomain", "cases:GetLayout", 
@@ -2572,16 +2573,19 @@ "codebuild:BatchDeleteBuilds", "codebuild:BatchGetBuildBatches", "codebuild:BatchGetBuilds", + "codebuild:BatchGetFleets", "codebuild:BatchGetProjects", "codebuild:BatchGetReportGroups", "codebuild:BatchGetReports", "codebuild:BatchPutCodeCoverages", "codebuild:BatchPutTestCases", + "codebuild:CreateFleet", "codebuild:CreateProject", "codebuild:CreateReport", "codebuild:CreateReportGroup", "codebuild:CreateWebhook", "codebuild:DeleteBuildBatch", + "codebuild:DeleteFleet", "codebuild:DeleteOAuthToken", "codebuild:DeleteProject", "codebuild:DeleteReport", @@ -2601,6 +2605,7 @@ "codebuild:ListBuildsForProject", "codebuild:ListConnectedOAuthAccounts", "codebuild:ListCuratedEnvironmentImages", + "codebuild:ListFleets", "codebuild:ListProjects", "codebuild:ListReportGroups", "codebuild:ListReports", @@ -2617,6 +2622,7 @@ "codebuild:StartBuildBatch", "codebuild:StopBuild", "codebuild:StopBuildBatch", + "codebuild:UpdateFleet", "codebuild:UpdateProject", "codebuild:UpdateProjectVisibility", "codebuild:UpdateReport", @@ -3934,6 +3940,7 @@ "datazone:ListDataSourceRuns", "datazone:ListDataSources", "datazone:ListDomains", + "datazone:ListEnvironmentBlueprintConfigurationSummaries", "datazone:ListEnvironmentBlueprintConfigurations", "datazone:ListEnvironmentBlueprints", "datazone:ListEnvironmentProfiles", @@ -4710,6 +4717,7 @@ "dynamodb:ExportTableToPointInTime", "dynamodb:GetItem", "dynamodb:GetRecords", + "dynamodb:GetResourcePolicy", "dynamodb:GetShardIterator", "dynamodb:ImportTable", "dynamodb:ListBackups", @@ -5878,6 +5886,7 @@ "elasticmapreduce:RemoveManagedScalingPolicy", "elasticmapreduce:RemoveTags", "elasticmapreduce:RunJobFlow", + "elasticmapreduce:SetKeepJobFlowAliveWhenNoSteps", "elasticmapreduce:SetTerminationProtection", "elasticmapreduce:SetVisibleToAllUsers", "elasticmapreduce:StartEditor", 
@@ -7634,9 +7643,11 @@ "inspector2:BatchUpdateMemberEc2DeepInspectionStatus", "inspector2:CancelFindingsReport", "inspector2:CancelSbomExport", + "inspector2:CreateCisScanConfiguration", "inspector2:CreateFilter", "inspector2:CreateFindingsReport", "inspector2:CreateSbomExport", + "inspector2:DeleteCisScanConfiguration", "inspector2:DeleteFilter", "inspector2:DescribeOrganizationConfiguration", "inspector2:Disable", @@ -7644,6 +7655,8 @@ "inspector2:DisassociateMember", "inspector2:Enable", "inspector2:EnableDelegatedAdminAccount", + "inspector2:GetCisScanReport", + "inspector2:GetCisScanResultDetails", "inspector2:GetConfiguration", "inspector2:GetDelegatedAdminAccount", "inspector2:GetEc2DeepInspectionConfiguration", @@ -7652,6 +7665,10 @@ "inspector2:GetMember", "inspector2:GetSbomExport", "inspector2:ListAccountPermissions", + "inspector2:ListCisScanConfigurations", + "inspector2:ListCisScanResultsAggregatedByChecks", + "inspector2:ListCisScanResultsAggregatedByTargetResource", + "inspector2:ListCisScans", "inspector2:ListCoverage", "inspector2:ListCoverageStatistics", "inspector2:ListDelegatedAdminAccounts", @@ -7663,8 +7680,13 @@ "inspector2:ListUsageTotals", "inspector2:ResetEncryptionKey", "inspector2:SearchVulnerabilities", + "inspector2:SendCisSessionHealth", + "inspector2:SendCisSessionTelemetry", + "inspector2:StartCisSession", + "inspector2:StopCisSession", "inspector2:TagResource", "inspector2:UntagResource", + "inspector2:UpdateCisScanConfiguration", "inspector2:UpdateConfiguration", "inspector2:UpdateEc2DeepInspectionConfiguration", "inspector2:UpdateEncryptionKey", @@ -7779,6 +7801,7 @@ "iot:CreateAuthorizer", "iot:CreateBillingGroup", "iot:CreateCertificateFromCsr", + "iot:CreateCertificateProvider", "iot:CreateCustomMetric", "iot:CreateDimension", "iot:CreateDomainConfiguration", 
@@ -7811,6 +7834,7 @@ "iot:DeleteBillingGroup", "iot:DeleteCACertificate", "iot:DeleteCertificate", + "iot:DeleteCertificateProvider", "iot:DeleteCustomMetric", "iot:DeleteDimension", "iot:DeleteDomainConfiguration", @@ -7849,6 +7873,7 @@ "iot:DescribeBillingGroup", "iot:DescribeCACertificate", "iot:DescribeCertificate", + "iot:DescribeCertificateProvider", "iot:DescribeCustomMetric", "iot:DescribeDefaultAuthorizer", "iot:DescribeDetectMitigationActionsTask", @@ -7911,6 +7936,7 @@ "iot:ListAuthorizers", "iot:ListBillingGroups", "iot:ListCACertificates", + "iot:ListCertificateProviders", "iot:ListCertificates", "iot:ListCertificatesByCA", "iot:ListCustomMetrics", @@ -8000,6 +8026,7 @@ "iot:UpdateBillingGroup", "iot:UpdateCACertificate", "iot:UpdateCertificate", + "iot:UpdateCertificateProvider", "iot:UpdateCustomMetric", "iot:UpdateDimension", "iot:UpdateDomainConfiguration", @@ -8508,6 +8535,7 @@ "ivs:CreateChannel", "ivs:CreateEncoderConfiguration", "ivs:CreateParticipantToken", + "ivs:CreatePlaybackRestrictionPolicy", "ivs:CreateRecordingConfiguration", "ivs:CreateStage", "ivs:CreateStorageConfiguration", @@ -8515,6 +8543,7 @@ "ivs:DeleteChannel", "ivs:DeleteEncoderConfiguration", "ivs:DeletePlaybackKeyPair", + "ivs:DeletePlaybackRestrictionPolicy", "ivs:DeleteRecordingConfiguration", "ivs:DeleteStage", "ivs:DeleteStorageConfiguration", @@ -8525,6 +8554,7 @@ "ivs:GetEncoderConfiguration", "ivs:GetParticipant", "ivs:GetPlaybackKeyPair", + "ivs:GetPlaybackRestrictionPolicy", "ivs:GetRecordingConfiguration", "ivs:GetStage", "ivs:GetStageSession", @@ -8539,6 +8569,7 @@ "ivs:ListParticipantEvents", "ivs:ListParticipants", "ivs:ListPlaybackKeyPairs", + "ivs:ListPlaybackRestrictionPolicies", "ivs:ListRecordingConfigurations", "ivs:ListStageSessions", "ivs:ListStages", 
@@ -8555,6 +8586,7 @@ "ivs:TagResource", "ivs:UntagResource", "ivs:UpdateChannel", + "ivs:UpdatePlaybackRestrictionPolicy", "ivs:UpdateStage", "ivschat:CreateChatToken", "ivschat:CreateLoggingConfiguration", @@ -8897,12 +8929,15 @@ "lakeformation:CommitTransaction", "lakeformation:CreateDataCellsFilter", "lakeformation:CreateLFTag", + "lakeformation:CreateLakeFormationIdentityCenterConfiguration", "lakeformation:CreateLakeFormationOptIn", "lakeformation:DeleteDataCellsFilter", "lakeformation:DeleteLFTag", + "lakeformation:DeleteLakeFormationIdentityCenterConfiguration", "lakeformation:DeleteLakeFormationOptIn", "lakeformation:DeleteObjectsOnCancel", "lakeformation:DeregisterResource", + "lakeformation:DescribeLakeFormationIdentityCenterConfiguration", "lakeformation:DescribeResource", "lakeformation:DescribeTransaction", "lakeformation:ExtendTransaction", @@ -8935,6 +8970,7 @@ "lakeformation:StartTransaction", "lakeformation:UpdateDataCellsFilter", "lakeformation:UpdateLFTag", + "lakeformation:UpdateLakeFormationIdentityCenterConfiguration", "lakeformation:UpdateResource", "lakeformation:UpdateTableObjects", "lakeformation:UpdateTableStorageOptimizer", @@ -9829,6 +9865,7 @@ "mediaconnect:DeregisterGatewayInstance", "mediaconnect:DescribeBridge", "mediaconnect:DescribeFlow", + "mediaconnect:DescribeFlowSourceMetadata", "mediaconnect:DescribeGateway", "mediaconnect:DescribeGatewayInstance", "mediaconnect:DescribeOffering", @@ -11899,6 +11936,7 @@ "rds:CreateDBProxy", "rds:CreateDBProxyEndpoint", "rds:CreateDBSecurityGroup", + "rds:CreateDBShardGroup", "rds:CreateDBSnapshot", "rds:CreateDBSubnetGroup", "rds:CreateEventSubscription", @@ -11920,6 +11958,7 @@ "rds:DeleteDBProxy", "rds:DeleteDBProxyEndpoint", "rds:DeleteDBSecurityGroup", + "rds:DeleteDBShardGroup", "rds:DeleteDBSnapshot", "rds:DeleteDBSubnetGroup", "rds:DeleteEventSubscription", 
@@ -11951,6 +11990,7 @@ "rds:DescribeDBProxyTargets", "rds:DescribeDBRecommendations", "rds:DescribeDBSecurityGroups", + "rds:DescribeDBShardGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", @@ -11995,6 +12035,7 @@ "rds:ModifyDBProxyEndpoint", "rds:ModifyDBProxyTargetGroup", "rds:ModifyDBRecommendation", + "rds:ModifyDBShardGroup", "rds:ModifyDBSnapshot", "rds:ModifyDBSnapshotAttribute", "rds:ModifyDBSubnetGroup", @@ -12008,6 +12049,7 @@ "rds:PurchaseReservedDBInstancesOffering", "rds:RebootDBCluster", "rds:RebootDBInstance", + "rds:RebootDBShardGroup", "rds:RegisterDBProxyTargets", "rds:RemoveFromGlobalCluster", "rds:RemoveRoleFromDBCluster", @@ -13155,6 +13197,7 @@ "sagemaker:DeleteHubContent", "sagemaker:DeleteHumanLoop", "sagemaker:DeleteHumanTaskUi", + "sagemaker:DeleteHyperParameterTuningJob", "sagemaker:DeleteImage", "sagemaker:DeleteImageVersion", "sagemaker:DeleteInferenceComponent", @@ -13464,11 +13507,13 @@ "schemas:UpdateRegistry", "schemas:UpdateSchema", "scn:AssignAdminPermissionsToUser", + "scn:CreateBillOfMaterialsImportJob", "scn:CreateInstance", "scn:CreateSSOApplication", "scn:DeleteInstance", "scn:DeleteSSOApplication", "scn:DescribeInstance", + "scn:GetBillOfMaterialsImportJob", "scn:ListAdminUsers", "scn:ListInstances", "scn:ListTagsForResource", From 99bafa2630d38fead36cfbf0084c7857ce084255 Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Tue, 6 Feb 2024 14:41:58 +0100 Subject: [PATCH 5/6] Update version --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index a65481d..cb4911d 100644 --- a/setup.py +++ b/setup.py @@ -28,7 +28,7 @@ setup( name="pycfmodel", - version="0.21.2", + version="0.21.3", description="A python model for CloudFormation scripts", author="Skyscanner Product Security", author_email="security@skyscanner.net", From 097a8c26c421b45ca64236273ebae4ef72e8a590 Mon Sep 17 00:00:00 2001 
From: Ignacio Bolonio <>
Date: Tue, 6 Feb 2024 15:51:28 +0100
Subject: [PATCH 6/6] Update changelog

---
 CHANGELOG.md | 4 ++++
 setup.py | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac46845..114bb84 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 0.22.0
+### Fixes
+- KeyPolicy made optional for KMS Key resource type.
+
 ## 0.21.2
 ### Fixes
 - Add the BypassPolicyLockoutSafetyCheck and Origin fields in the KMS resource
diff --git a/setup.py b/setup.py
index cb4911d..c6711fb 100644
--- a/setup.py
+++ b/setup.py
@@ -28,7 +28,7 @@ setup( name="pycfmodel", - version="0.21.3", + version="0.22.0", description="A python model for CloudFormation scripts", author="Skyscanner Product Security", author_email="security@skyscanner.net",