fix: Enhance API Gateway structured logging and Lambda permission rule for improved validation (#231)

sliedig · web-flow · commit 599e5fa0e4e3 · 2025-07-22T09:57:52.000+08:00
* fix: Enhance ApiGatewayStructuredLoggingRule and LambdaStarPermissionRule for improved validation

- Added stripping of leading/trailing quotes and whitespace in log format for ApiGatewayStructuredLoggingRule.
- Improved validation in LambdaStarPermissionRule by ensuring that statements and principals are dictionaries before accessing their properties.

* fix: Removed unnecessary conditional check for "Service" key in principal dictionary, directly accessing it to streamline the code.

* chore: update project version and dependencies

- Bumped version from 0.3.3 to 0.3.4 in pyproject.toml.
- Updated cfn-lint dependency from version 1.33.0 to 1.36.0 for improved functionality and compatibility.
- Incremented revision in uv.lock to reflect changes in dependency management.

* chore: update aws-serverless plugin version to 0.3.4

- Bumped version from 0.3.3 to 0.3.4 in README.md, tflint.md, and example configuration.
- Updated version in main.go to reflect the new plugin version.
diff --git a/README.md b/README.md
@@ -41,7 +41,7 @@ You can enable the Serverless Rules plugin by adding a plugin section in the `.t
 ```terraform
 plugin "aws-serverless" {
   enabled = true
-  version = "0.3.3"
+  version = "0.3.4"
   source = "github.com/awslabs/serverless-rules"
 }
 ```
diff --git a/cfn-lint-serverless/cfn_lint_serverless/rules/api_gateway.py b/cfn-lint-serverless/cfn_lint_serverless/rules/api_gateway.py
@@ -74,6 +74,12 @@ def _check_log_format(self, log_format: str) -> bool:
         JSON first.
         """
 
+        # Strip any leading/trailing quotes and whitespace that might be in the string
+        log_format = log_format.strip()
+        if (log_format.startswith("'") and log_format.endswith("'")) or (log_format.startswith('"') and log_format.endswith('"')):
+            log_format = log_format[1:-1]
+
+        # Replace context variables with a simple value
         log_format = self._log_format_pattern.sub("0", log_format)
 
         try:
diff --git a/cfn-lint-serverless/cfn_lint_serverless/rules/lambda_.py b/cfn-lint-serverless/cfn_lint_serverless/rules/lambda_.py
@@ -133,10 +133,17 @@ def _get_principals(self, properties) -> List[str]:
         principals = []
 
         for statement in properties.get("AssumeRolePolicyDocument", {}).get("Statement", []):
-            if "Service" not in statement.get("Principal", {}):
+            if not isinstance(statement, dict):
+                continue
+                
+            principal = statement.get("Principal", {})
+            if not isinstance(principal, dict):
+                continue
+                
+            if "Service" not in principal:
                 continue
 
-            services = statement.get("Principal", {}).get("Service")
+            services = principal["Service"]
 
             if isinstance(services, str):
                 principals.append(services)
@@ -154,7 +161,13 @@ def _get_actions(self, properties) -> List[str]:
         actions = []
 
         for policy in properties.get("Policies", []):
+            if not isinstance(policy, dict):
+                continue
+                
             for statement in policy.get("PolicyDocument", {}).get("Statement", []):
+                if not isinstance(statement, dict):
+                    continue
+                    
                 action = statement.get("Action")
 
                 if isinstance(action, str):
diff --git a/cfn-lint-serverless/pyproject.toml b/cfn-lint-serverless/pyproject.toml
@@ -1,13 +1,13 @@
 [project]
 name = "cfn_lint_serverless"
-version = "0.3.3"
+version = "0.3.4"
 description = "Serverless rules for cfn-lint"
 authors = [{name = "Amazon Web Service"}]
 readme = "README.md"
 license = "MIT-0"
 requires-python = ">=3.9.1,<4"
 dependencies = [
-    "cfn-lint>=1.33.0"
+    "cfn-lint>=1.36.0"
 ]
 
 [dependency-groups]
diff --git a/cfn-lint-serverless/uv.lock b/cfn-lint-serverless/uv.lock
diff --git a/docs/tflint.md b/docs/tflint.md
@@ -10,7 +10,7 @@ You can enable the Serverless Rules plugin by adding a plugin section in the `.t
 ```terraform
 plugin "aws-serverless" {
   enabled = true
-  version = "0.3.3"
+  version = "0.3.4"
   source = "github.com/awslabs/serverless-rules"
 }
 ```
@@ -76,7 +76,7 @@ Rules in `tflint` can be disabled either through the `--disable-rule` command-li
     ```terraform
     plugin "aws-serverless" {
       enabled = true
-      version = "0.3.3"
+      version = "0.3.4"
       source = "github.com/awslabs/serverless-rules"
     }
 
diff --git a/examples/tflint/.tflint.hcl b/examples/tflint/.tflint.hcl
@@ -6,5 +6,5 @@ plugin "aws-serverless" {
   enabled = true
   # Uncomment those lines if you are using tflint 0.29 or later
   # source = "github.com/awslabs/serverless-rules"
-  # version = "0.3.3"
+  # version = "0.3.4"
 }
diff --git a/tflint-ruleset-aws-serverless/main.go b/tflint-ruleset-aws-serverless/main.go
@@ -10,7 +10,7 @@ func main() {
 	plugin.Serve(&plugin.ServeOpts{
 		RuleSet: &tflint.BuiltinRuleSet{
 			Name:    "aws-serverless",
-			Version: "0.3.3",
+			Version: "0.3.4",
 			Rules:   rules.Rules,
 		},
 	})

Original file line number	Diff line number	Diff line change
@@ -41,7 +41,7 @@ You can enable the Serverless Rules plugin by adding a plugin section in the `.t
`41`	`41`	```terraform
`42`	`42`	`plugin "aws-serverless" {`
`43`	`43`	`enabled = true`
`44`		`- version = "0.3.3"`
	`44`	`+ version = "0.3.4"`
`45`	`45`	`source = "github.com/awslabs/serverless-rules"`
`46`	`46`	`}`
`47`	`47`	```
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,5 @@ plugin "aws-serverless" {`
`6`	`6`	`enabled = true`
`7`	`7`	`# Uncomment those lines if you are using tflint 0.29 or later`
`8`	`8`	`# source = "github.com/awslabs/serverless-rules"`
`9`		`- # version = "0.3.3"`
	`9`	`+ # version = "0.3.4"`
`10`	`10`	`}`