aws - access-analyzer - fix policy name ref for err msg if no access …

…analyzers (cloud-custodian#7231)
newscorp-ghfb · Apr 30, 2022 · 3b51b7a · 3b51b7a
1 parent 5f6e778
commit 3b51b7a
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 2 deletions.
diff --git a/c7n/filters/iamanalyzer.py b/c7n/filters/iamanalyzer.py
@@ -94,7 +94,7 @@ def get_analyzer(self, client):
         if not found:
             raise PolicyExecutionError(
                 "policy:%s no access analyzer found in account or org analyzer specified" % (
-                    self.manager.policy.name
+                    self.manager.ctx.policy.name
                 ))
         return found['arn']
 

diff --git a/tests/data/placebo/test_s3_iam_analyzers/access-analyzer.ListAnalyzers_1.json b/tests/data/placebo/test_s3_iam_analyzers/access-analyzer.ListAnalyzers_1.json
@@ -0,0 +1,7 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "analyzers": []
+    }
+}
diff --git a/tests/data/placebo/test_s3_iam_analyzers/s3.GetBucketLocation_1.json b/tests/data/placebo/test_s3_iam_analyzers/s3.GetBucketLocation_1.json
@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}
diff --git a/tests/data/placebo/test_s3_iam_analyzers/s3.ListBuckets_1.json b/tests/data/placebo/test_s3_iam_analyzers/s3.ListBuckets_1.json
@@ -0,0 +1,25 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "Buckets": [
+            {
+                "Name": "stacklet-tfstate",
+                "CreationDate": {
+                    "__class__": "datetime",
+                    "year": 2022,
+                    "month": 4,
+                    "day": 21,
+                    "hour": 11,
+                    "minute": 5,
+                    "second": 49,
+                    "microsecond": 0
+                }
+            }
+        ],
+        "Owner": {
+            "DisplayName": "aws-backoffice+sandbox-sontek",
+            "ID": "a9c5c1df0336f80c56886067a659c42e3e6b2df97418b44cbe66c453b5284bfb"
+        }
+    }
+}
diff --git a/tests/test_s3.py b/tests/test_s3.py
@@ -16,7 +16,7 @@
 from dateutil.tz import tzutc
 from pytest_terraform import terraform
 
-from c7n.exceptions import PolicyValidationError
+from c7n.exceptions import PolicyExecutionError, PolicyValidationError
 from c7n.executor import MainThreadExecutor
 from c7n.resources import s3
 from c7n.mu import LambdaManager
@@ -3816,3 +3816,19 @@ def test_s3_ownership_defined(self, test, s3_ownership):
         resources = p.run()
         assert len(resources) == 2
         assert {r["Name"] for r in resources} == bucket_names
+
+    def test_s3_access_analyzer_filter_with_no_results(self, test):
+        factory = test.replay_flight_data("test_s3_iam_analyzers")
+        test.patch(s3, "S3_AUGMENT_TABLE", [])
+        p = test.load_policy({
+            'name': 'check-s3',
+            'resource': 'aws.s3',
+            'filters': [
+                {
+                    'type': 'iam-analyzer',
+                    'key': 'isPublic',
+                    'value': True,
+                },
+            ]
+        }, session_factory=factory)
+        test.assertRaises(PolicyExecutionError, p.run)