bug: Invalid JSONB expression in AWS policy query #9763
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
When executing policy AWS policies, the lambda_function_prohibit_public_access.sql query can generate a SQL Error even when faced with perfectly valid resource policy:
SQL Error [22P02]: ERROR: invalid input syntax for type json
Detail: Token "arn" is invalid.
Where: JSON data, line 1: arn...
Expected Behavior
The query should not generate errors when faced with a valid IAM resource policy.
CloudQuery (redacted) config
---
kind: source
spec:
name: team-daily
path: cloudquery/aws
version: "v16.0.1"
tables:
- aws_acm_certificates
# ...
- aws_waf_web_acls
destinations: ["postgresql"]
spec:
regions:
- "*"
accounts:
- id: my-account
role_arn: "arn:aws:iam::123456789012:role/somerole"
---
kind: destination
spec:
name: postgresql
path: cloudquery/postgresql
version: "v3.0.2"
spec:
connection_string: "postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_DATABASE}?sslmode=${DB_SSLMODE}"
migrate_mode: forcedSteps To Reproduce
- Run sync against the target AWS account. At least one Lambda function in the account should have a resource policy something like this:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/myuser"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:123456789012:function:myfunction"
}
]
}- Execute all the AWS policies:
export DSN=postgres://postgres:pass@localhost:5432/postgres
psql ${DSN} -f ./policy.sql
CloudQuery (redacted) logs
$ psql ${DSN} -f ./policy.sql
Password for user postgres:
SET
SET
psql:/mounted/create_aws_policy_results.sql:9: NOTICE: relation "aws_policy_results" already exists, skipping
CREATE TABLE
"Executing CIS V1.2.0 Section 1"
"Executing check 1.1"
INSERT 0 20
"Executing check 1.2"
...
INSERT 0 312
"Executing check lambda.1"
psql:/mounted/queries/lambda/lambda_function_prohibit_public_access.sql:23: ERROR: invalid input syntax for type json
DETAIL: Token "arn" is invalid.
CONTEXT: JSON data, line 1: arn
CloudQuery version
cloudquery version 2.5.2
Additional Context
PostgreSQL version:
PostgreSQL 14.7 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 7.3.1 20180712 (Red Hat 7.3.1-12), 64-bit
I believe that the SQL WHERE clause expression or (statement -> 'Principal' ->> 'AWS')::JSONB ? '*' needs a guard of some sort so that it won't try to cast text values into jsonb.
Pull request (optional)
- I can submit a pull request
Metadata
Metadata
Assignees
Labels
No labels