-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1 - Using Resource Provider Schemas #2606
Comments
undocumented and no other public repos show up in sourcegraph search using that, which bodes well |
When dealing with Do not raise any generic errors for these types |
i saw the rc1 released yesterday. i ran it against one my pipelines CF stacks. It returned a many findings, though basically the same 3-5 findings repeatedly. Where would you like the feedback? |
I would love the feedback. I've been trying to find as many templates as I can to run against behind the scenes but I'm running out of additional issues to chase. Thanks! |
E3001 and E3030 are the most seen errors. Below are the unique errors and a snippet example. E3030 - {'Fn::FindInMap': ['StaticParams', 'S3EmptierLambda', 'LambdaOSArchitechture']} is not one of ['x86_64', 'arm64']LambdaLogGroup: E3001 - {'Fn::If': ['ConditionDev', 'Delete', 'Retain']} is not one of ['Delete', 'Retain', 'Snapshot']E3001 - {'Fn::If': ['ConditionDev', 'Delete', 'Retain']} is not of type 'string'ALBLogsBucket: E0002 - Unknown exception while processing rule E6003: Resource type 'Custom::R53EndpointIp' is not found in 'us-east-1'E1010 - 'EndpointIds' is not one of ['FirewallId', 'ResourceArn'] (This is an interesting one. Erroring on a custom resource)NetworkFirewallVpceAz1: E3032 - [] is too short(Its barking about the Regions section)ClientVpnAuthStackSet: E3012 - Specify only 'SubnetMappings' or 'Subnets'ApplicationLoadBalancer: |
Action items:
I'll add more details as I investigate and figure out the solutions. |
for I am testing this and I'm not able to repeat this error. I used the following condition logic. ConditionCreateAuthorizationRulesUse1: !Equals [!Ref AWS::Region, "us-east-1"]
ConditionCreateAuthorizationRulesUse2: !Equals [!Ref AWS::Region, "us-east-2"]
ConditionCreateAuthorizationRulesUsw2: !Equals [!Ref AWS::Region, "us-west-2"]
ConditionCreateAuthorizationRulesAps1: !Equals [!Ref AWS::Region, "ap-south-1"]
ConditionCreateCrossRegionAuthRules: !Or [
!Condition ConditionCreateAuthorizationRulesUse1,
!Condition ConditionCreateAuthorizationRulesUse2,
!Condition ConditionCreateAuthorizationRulesUsw2,
!Condition ConditionCreateAuthorizationRulesAps1 ] |
Mappings: Conditions: ConditionCreateAuthorizationRulesUse1: ConditionCreateAuthorizationRulesUse2: ConditionCreateAuthorizationRulesUsw2: ConditionCreateAuthorizationRulesAps1: Conents of transform in mapping: Acm: |
Thank you. Let me look into it. I think this is a problem in v0 but there was an expanded check here in v1 that is highlighting the issue. |
down to a single error code now. E1010 E1010 'EndpointIds' is not one of ['FirewallId', 'ResourceArn']
|
got that one fixed now. Thanks for all the testing @whoDoneItAgain |
yep. no problem. I'll run it against some of my other repos too and see what else I get |
Do you want me to continue putting these here or open new issues for each? E3510 datetime.date(2012, 10, 17) is not one of ['2008-10-17', '2012-10-17'] (easy enough to fix on my end by quoting the date but v0 doesnt error on this)
E1010 'Value' is not one of ['Id'] - Erroring on both FromPort and ToPort (I suspect this is fixed based on the last one i sent but since that was a custom resource I'm adding this)
E3003 'NoncurrentDays' is a required property
E2523 Either CIDR Block or IPv4 IPAM Pool and IPv4 Netmask Length must be provided
|
I realize it's early - however will there be migration guidance for end-users whom have written custom rules ? Edited to add: If that hasn't been really considered much yet, I'm happy to collaborate offline |
@whoDoneItAgain I think I got most of these items resolved but I did re-work some of how the json schema validation was handled so hopefully I didn't cause any more. |
@andrew-glenn absolutely. Not a lot has changed but there are a few things. There are probably some more clever ways to write rules though so should work on documenting that. |
Description
The effort to go to v1 will be driven by the goal to convert from CloudFormation specs to CloudFormation resource provider schemas. This will be a large change for how cfn-lint works and will result in rules having to be updated and changed. This issue will also serve to communicate the migration efforts.
Details
The CloudFormation resource provider schema is based on JSON Schema draft-07 but has modifications to handle the CloudFormation service These schemas allow us to do more straight JSON schema validation against resource properties. There are modifications to the schema and how the JSON schema validators work to handle CloudFormation specific capabilities. We find it important to provide the functionality and features that cfn-lint has had in v0 including the ability to disable and configure rules. As a result we will integrate in JSON schema validation into cfn-lint and cfn-lint will provide the functionality to massage the schemas and handle CloudFormation specific capabilities. Additionally there are checks in cfn-lint (best practices, etc.) that cannot be written into JSON schema validation.
Rule changes
All rules that have been modified or where the logic will change:
DynamicReferenceSecureString
- Depended onmatch_resource_sub_properties
. Was re-written to usematch
GetAtt
- Used the specs for valid GetAtt valuesJoin
- Used the specs to determine the type of a GetAttSub
- Used the specs to determine the type of a GetAttSubNeeded
- Used the specs to determine valid GetAtt valuesValue
(Outputs) - Used the specs to determine the type of a GetAttAllowedPattern
(Parameters) - Replaced by JSON Schema validation logicAllowedValue
(Parameters) - Replaced by JSON Schema validation logicConfiguration
(Resources) - Replaced by JSON Schema validation. Logic is outside of the registryJsonSchema
(Resources) - Expanded to handle registry resource schemas. Parent rule for all JSON schema validation rulesAllowedPattern
(Resource/Properties) - Replaced by JSON Schema validation logicAllowedValue
(Resource/Properties) - Replaced by JSON Schema validation logicAtLeastOne
(Resource/Properties) - Deleted?CfnSchema
(Resource/Properties) (New Rule) - New rule to extend JSON Schema validation to handle scenarios not covered by the registry schemaExclusive
(Resource/Properties) - Deleted. Handled by if/then/else logic in JSON schema validationInclusive
(Resource/Properties) - Deleted. Handled by if/then/else logic in JSON schema validationJsonSize
(Resource/Properties) - Deleted. Converted to string maxLength and minLength validationListDuplicates
(Resource/Properties) - Replaced by JSON Schema validation logicListDuplicatesAllowed
(Resource/Properties) - Replaced by JSON Schema validation logicListSize
(Resource/Properties) - Replaced by JSON Schema validation logicNumberSize
(Resource/Properties) - Replaced by JSON Schema validation logicOnlyOne
(Resource/Properties) - Replaced byoneOf
logic in JSON schemaProperties
(Resource/Properties) - Replaced byproperties
andadditionalProperties
in JSON schemaRequired
(Resource/Properties) - Replaced byrequired
in JSON schemaRequiredBasedOnValue
(Resource/Properties) - Replaced by if/then/else logic usingcfnSchema
and JSON schemaStringSize
(Resource/Properties) - Replaced byminLength
andmaxLength
in JSON schema. May still need to add exceptions for dynamic referencesUnwantedBasedOnValue
(Resource/Properties) - Replaced by if/then/else logic usingcfnSchema
and JSON schemaValuePrimitiveType
(Resource/Properties) - Replaced bytype
in JSON schemaValueRefGetAtt
(Resource/Properties) - WIPBreaking changes
This will serve as a list of changes that will occur in the migration from v0 to v1
match_resource_sub_properties
will be deprecated. This function was based on the specs and is not easily converted into the resource provider schema approachIssues
readOnlyProperties
that are still write-able. Since we are removing them for validation we need to know the list of exceptionsAction Items
AWS::CDK::Metadata
schemaThe text was updated successfully, but these errors were encountered: