From 4980e53a3cbff934d37bcb9bdff76a44ba586558 Mon Sep 17 00:00:00 2001
From: Daniel Leavitt
Date: Wed, 28 Aug 2024 18:04:20 -0700
Subject: [PATCH] secretsmanager enforce suffix
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-name
https://stackoverflow.com/a/71275532/362110
---
 link2aws.js | 11 ++++-------
 testcases/aws-negative.json | 2 +-
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/link2aws.js b/link2aws.js
index 3062f47..121286a 100644
--- a/link2aws.js
+++ b/link2aws.js
@@ -979,14 +979,11 @@ class ARN {
 },
 "secretsmanager": { // AWS Secrets Manager
 "secret": () => {
- if (this.resource.indexOf("-") === -1) {
- // all the secrets I've seen have a "-" delimited suffix
- // in the ARN that isn't part of the secret name. For
- // now just throwing if the suffix is missing, please
- // update if needed.
- throw Error(`Secret ARN for ${this.resource} missing suffix`);
+ const arnSuffix = /-\w{6}$/;
+ if (!arnSuffix.test(this.resource)) {
+ throw Error(`Secret ARN for "${this.resource}" appears invalid, should end with ${arnSuffix}`);
 }
- const name = this.resource.split('-').slice(0, -1).join('-');
+ const name = this.resource.replace(arnSuffix, "");
 return `https://${this.region}.${this.console}/${this.service}/${this.resource_type}?name=${name}`;
 },
 },
diff --git a/testcases/aws-negative.json b/testcases/aws-negative.json
index 4d05058..d05ecb4 100644
--- a/testcases/aws-negative.json
+++ b/testcases/aws-negative.json
@@ -39,5 +39,5 @@
 "arn:aws:ec2:us-ea*st-1:123456789012:instance/asdf",
 "arn:aws:ec2:us-ea#st-1:123456789012:instance/asdf",
 "arn:aws:ec2:us-ea\\st-1:123456789012:instance/asdf",
- "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret9A3F29"
+ "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret9A3F29-adf"
 ]
\ No newline at end of file
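Review bot: `name` is placed into the console URL's query string unencoded on the `return` line, and the new `/-\w{6}$/` test constrains only the last seven characters of `this.resource`, so everything before the suffix (including `+` and `=`, which secret names may legitimately contain, or `&` and `#` from a malformed ARN) reaches the link as-is unless the ARN parser, which is outside this hunk, already rejects it. Consider `?name=${encodeURIComponent(name)}` so the value cannot add or alter query parameters in the generated link. Separately, `\w` also accepts `_`; if the generated suffix is only letters and digits (worth confirming against the AWS documentation), `/-[A-Za-z0-9]{6}$/` would be the tighter check. The enclosing `ARN` class starts and ends outside the hunk.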
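Review bot: Replacing the existing negative case with the `-adf` one drops the only visible test for a secret ARN with no suffix at all. Keeping `"arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret9A3F29"` alongside the new entry would pin both the missing-suffix and the short-suffix rejection. The array begins above the hunk, so other secretsmanager cases may exist outside this view.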