From 8e93bfc60bd99f7473ff5b117e8dff98fef2ae5f Mon Sep 17 00:00:00 2001
From: kbalk <7536198+kbalk@users.noreply.github.com>
Date: Fri, 24 Sep 2021 17:50:39 -0400
Subject: [PATCH] Fix validation of InputParameters (#4343)
---
 moto/config/models.py | 2 +-
 tests/test_config/test_config_rules.py | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/moto/config/models.py b/moto/config/models.py
index 35ee8b02c..82ca28101 100644
--- a/moto/config/models.py
+++ b/moto/config/models.py
@@ -791,7 +791,7 @@ class ConfigRule(ConfigEmptyDictable):
 # Verify input parameter names are actual parameters for the rule ID.
 if param_names:
 allowed_names = {x["Name"] for x in rule_info["Parameters"]}
- if allowed_names.difference(set(param_names)):
+ if not set(param_names).issubset(allowed_names):
 raise InvalidParameterValueException(
 "Unknown parameters provided in the inputParameters: "
 + self.input_parameters.replace('"', '\\"')
diff --git a/tests/test_config/test_config_rules.py b/tests/test_config/test_config_rules.py
index 1601acb81..12e752b6a 100644
--- a/tests/test_config/test_config_rules.py
+++ b/tests/test_config/test_config_rules.py
@@ -317,6 +317,7 @@ def test_valid_put_config_managed_rule():
 # Create managed rule and compare input against describe_config_rule()
 # output.
 managed_rule = managed_config_rule()
+ managed_rule["Source"]["SourceIdentifier"] = "IAM_PASSWORD_POLICY"
 managed_rule["Scope"]["ComplianceResourceTypes"] = ["AWS::IAM::Group"]
 managed_rule["Scope"]["ComplianceResourceId"] = "basic_test"
 managed_rule["InputParameters"] = '{"RequireUppercaseCharacters":"true"}'
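Review bot: In moto/config/models.py the rewritten condition still reports a rejection by echoing the whole `inputParameters` string, so a caller cannot tell which key was refused. Computing the offending names once would serve both the check and any diagnostics: `unknown = set(param_names) - allowed_names` followed by `if unknown:`. The message text may deliberately mirror the real service's wording, in which case it should stay as it is. The comment above the check could also state the rule precisely, e.g. `# Every supplied name must be a parameter of this rule; supplying only some of them is valid.` The enclosing method starts and ends outside the hunk, so how `param_names` is derived from the JSON is not visible here.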
@@ -336,7 +337,6 @@ def test_valid_put_config_managed_rule():
 managed_rule["ConfigRuleId"] = rule_id
 managed_rule["Description"] = "Updated Managed S3 Public Read Rule"
 managed_rule["Scope"]["ComplianceResourceTypes"] = ["AWS::S3::Bucket"]
- managed_rule["Scope"]["ComplianceResourceId"] = "S3-BUCKET_VERSIONING_ENABLED"
 managed_rule["MaximumExecutionFrequency"] = "Six_Hours"
 managed_rule["InputParameters"] = "{}"
 client.put_config_rule(ConfigRule=managed_rule)
@@ -346,6 +346,25 @@ def test_valid_put_config_managed_rule():
 rsp_json = json.dumps(rsp["ConfigRules"][0], sort_keys=True)
 assert managed_rule_json == rsp_json

+ # Valid InputParameters.
+ managed_rule = {
+ "ConfigRuleName": f"input_param_test_{random_string()}",
+ "Description": "Provide subset of allowed input parameters",
+ "InputParameters": '{"blockedPort1":"22","blockedPort2":"3389"}',
+ "Scope": {"ComplianceResourceTypes": ["AWS::IAM::SecurityGroup"]},
+ "Source": {"Owner": "AWS", "SourceIdentifier": "RESTRICTED_INCOMING_TRAFFIC"},
+ }
+ client.put_config_rule(ConfigRule=managed_rule)
+
+ rsp = client.describe_config_rules(ConfigRuleNames=[managed_rule["ConfigRuleName"]])
+ managed_rule_json = json.dumps(managed_rule, sort_keys=True)
+ new_config_rule = rsp["ConfigRules"][0]
+ del new_config_rule["ConfigRuleArn"]
+ del new_config_rule["ConfigRuleId"]
+ del new_config_rule["ConfigRuleState"]
+ rsp_json = json.dumps(new_config_rule, sort_keys=True)
+ assert managed_rule_json == rsp_json
+

 @mock_config
 def test_describe_config_rules():
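Review bot: The block added after the last `assert` in test_valid_put_config_managed_rule only exercises the accepted case. Nothing in this commit asserts that a name outside the rule's parameter list is still refused, which is the half of the check that stops a mock of a compliance service from accepting misspelled parameters. A rejection case next to it would pin that, as sketched below; it assumes `pytest` and `ClientError` are already imported in this file and that validation also runs when an existing rule is updated, neither of which the hunk shows, and a negative test may already exist elsewhere in the file. Separately, `"AWS::IAM::SecurityGroup"` is not a real resource type (security groups are `AWS::EC2::SecurityGroup`), and the test passing suggests the mock does not check the type. The test function starts outside the hunk.

```python
    # ... unchanged: valid-subset rule creation and comparison ...

    # An unknown name must be rejected even next to a valid one.
    # "notAParameter" is a constructed name, not a real rule parameter.
    managed_rule["InputParameters"] = '{"blockedPort1":"22","notAParameter":"1"}'
    with pytest.raises(ClientError) as exc:
        client.put_config_rule(ConfigRule=managed_rule)
    err = exc.value.response["Error"]
    assert "Unknown parameters provided in the inputParameters" in err["Message"]
```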