Fix validation of InputParameters (#4343)

2021-09-24 17:50:39 -04:00 · 2021-09-24 17:50:39 -04:00 · 8e93bfc60b
commit 8e93bfc60b
parent 8ab76cb1d5
2 changed files with 21 additions and 2 deletions
--- a/moto/config/models.py
+++ b/moto/config/models.py
@ -791,7 +791,7 @@ class ConfigRule(ConfigEmptyDictable):
        # Verify input parameter names are actual parameters for the rule ID.
        if param_names:
            allowed_names = {x["Name"] for x in rule_info["Parameters"]}
-            if allowed_names.difference(set(param_names)):
+            if not set(param_names).issubset(allowed_names):
                raise InvalidParameterValueException(
                    "Unknown parameters provided in the inputParameters: "
                    + self.input_parameters.replace('"', '\\"')
--- a/tests/test_config/test_config_rules.py
+++ b/tests/test_config/test_config_rules.py
@ -317,6 +317,7 @@ def test_valid_put_config_managed_rule():
    # Create managed rule and compare input against describe_config_rule()
    # output.
    managed_rule = managed_config_rule()
+    managed_rule["Source"]["SourceIdentifier"] = "IAM_PASSWORD_POLICY"
    managed_rule["Scope"]["ComplianceResourceTypes"] = ["AWS::IAM::Group"]
    managed_rule["Scope"]["ComplianceResourceId"] = "basic_test"
    managed_rule["InputParameters"] = '{"RequireUppercaseCharacters":"true"}'
@ -336,7 +337,6 @@ def test_valid_put_config_managed_rule():
    managed_rule["ConfigRuleId"] = rule_id
    managed_rule["Description"] = "Updated Managed S3 Public Read Rule"
    managed_rule["Scope"]["ComplianceResourceTypes"] = ["AWS::S3::Bucket"]
-    managed_rule["Scope"]["ComplianceResourceId"] = "S3-BUCKET_VERSIONING_ENABLED"
    managed_rule["MaximumExecutionFrequency"] = "Six_Hours"
    managed_rule["InputParameters"] = "{}"
    client.put_config_rule(ConfigRule=managed_rule)
@ -346,6 +346,25 @@ def test_valid_put_config_managed_rule():
    rsp_json = json.dumps(rsp["ConfigRules"][0], sort_keys=True)
    assert managed_rule_json == rsp_json

+    # Valid InputParameters.
+    managed_rule = {
+        "ConfigRuleName": f"input_param_test_{random_string()}",
+        "Description": "Provide subset of allowed input parameters",
+        "InputParameters": '{"blockedPort1":"22","blockedPort2":"3389"}',
+        "Scope": {"ComplianceResourceTypes": ["AWS::IAM::SecurityGroup"]},
+        "Source": {"Owner": "AWS", "SourceIdentifier": "RESTRICTED_INCOMING_TRAFFIC"},
+    }
+    client.put_config_rule(ConfigRule=managed_rule)
+
+    rsp = client.describe_config_rules(ConfigRuleNames=[managed_rule["ConfigRuleName"]])
+    managed_rule_json = json.dumps(managed_rule, sort_keys=True)
+    new_config_rule = rsp["ConfigRules"][0]
+    del new_config_rule["ConfigRuleArn"]
+    del new_config_rule["ConfigRuleId"]
+    del new_config_rule["ConfigRuleState"]
+    rsp_json = json.dumps(new_config_rule, sort_keys=True)
+    assert managed_rule_json == rsp_json
+

@mock_config
 def test_describe_config_rules():