Stop logging when conditions are ignored (#202)

* pass instead of logging when ignoring conditions * update version and changelog Co-authored-by: Ramon <[email protected]>
Skyscanner · Feb 9, 2022 · d1522b4 · d1522b4
1 parent 407401b
commit d1522b4
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 22 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.3.2] - 2022-1-27
+### Updates
+- Stop logging when conditions are ignored in `CrossAccountCheckingRule`, `KMSKeyWildcardPrincipalRule`, `S3BucketPolicyPrincipalRule`, `SQSQueuePolicyPublicRule` and `GenericWildcardPrincipalRule`.
+
 ## [1.3.1] - 2022-1-17
 ### Fixes
 - Fixes `CrossAccountCheckingRule` when checking resources without `PROPERTY_WITH_POLICYDOCUMENT`.

diff --git a/cfripper/__version__.py b/cfripper/__version__.py
@@ -1,3 +1,3 @@
-VERSION = (1, 3, 1)
+VERSION = (1, 3, 2)
 
 __version__ = ".".join(map(str, VERSION))
diff --git a/cfripper/rules/cross_account_trust.py b/cfripper/rules/cross_account_trust.py
@@ -81,10 +81,8 @@ def _do_statement_check(
                     and not principal.endswith(".amazonaws.com")
                 ):
                     if statement.Condition and statement.Condition.dict():
-                        logger.warning(
-                            f"Not adding {type(self).__name__} failure in {logical_id} "
-                            f"because there are conditions: {statement.Condition}"
-                        )
+                        # Ignoring condition checks since they will get reviewed in other rules and future improvements
+                        pass
                     elif not self._config.aws_account_id:
                         logger.warning(
                             f"Not adding {type(self).__name__} failure in {logical_id} "

diff --git a/cfripper/rules/kms_key_wildcard_principal.py b/cfripper/rules/kms_key_wildcard_principal.py
@@ -42,10 +42,9 @@ def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result:
                         for principal in statement.get_principal_list():
                             if self.CONTAINS_WILDCARD_PATTERN.match(principal):
                                 if statement.Condition and statement.Condition.dict():
-                                    logger.warning(
-                                        f"Not adding {type(self).__name__} failure in {logical_id} "
-                                        f"because there are conditions: {statement.Condition}"
-                                    )
+                                    # Ignoring condition checks since they will get reviewed in other
+                                    # rules and future improvements
+                                    pass
                                 else:
                                     self.add_failure_to_result(
                                         result,

diff --git a/cfripper/rules/s3_bucket_policy.py b/cfripper/rules/s3_bucket_policy.py
@@ -51,10 +51,8 @@ def resource_invoke(self, resource: S3BucketPolicy, logical_id: str, extras: Opt
                     continue
                 if account_id not in self.valid_principals:
                     if statement.Condition and statement.Condition.dict():
-                        logger.warning(
-                            f"Not adding {type(self).__name__} failure in {logical_id} "
-                            f"because there are conditions: {statement.Condition}"
-                        )
+                        # Ignoring condition checks since they will get reviewed in other rules and future improvements
+                        pass
                     else:
                         self.add_failure_to_result(
                             result,

diff --git a/cfripper/rules/sqs_queue_policy.py b/cfripper/rules/sqs_queue_policy.py
@@ -83,10 +83,8 @@ def resource_invoke(self, resource: SQSQueuePolicy, logical_id: str, extras: Opt
             for statement in resource.Properties.PolicyDocument._statement_as_list():
                 if statement.Effect == "Allow" and statement.principals_with(REGEX_HAS_STAR_OR_STAR_AFTER_COLON):
                     if statement.Condition and statement.Condition.dict():
-                        logger.warning(
-                            f"Not adding {type(self).__name__} failure in {logical_id} "
-                            f"because there are conditions: {statement.Condition}"
-                        )
+                        # Ignoring condition checks since they will get reviewed in other rules and future improvements
+                        pass
                     else:
                         self.add_failure_to_result(
                             result,

diff --git a/cfripper/rules/wildcard_principals.py b/cfripper/rules/wildcard_principals.py
@@ -56,12 +56,9 @@ def check_for_wildcards(
                     # which belong to AWS Services (such as ELB and ElastiCache).
                     if account_id in self._get_allowed_from_config():
                         continue
-
                     if statement.Condition and statement.Condition.dict():
-                        logger.warning(
-                            f"Not adding {type(self).__name__} failure in {logical_id} because there are conditions: "
-                            f"{statement.Condition}"
-                        )
+                        # Ignoring condition checks since they will get reviewed in other rules and future improvements
+                        continue
                     else:
                         self.add_failure_to_result(
                             result,