martysweet / cfn-lint

A CloudFormation JSON and YAML Validator

License: MIT License

TypeScript 95.31% Shell 0.58% JavaScript 4.11%
cloudformation intrinsic-functions cfn-lint cfn

cfn-lint's People

Contributors

acolombier, akdor1154, ivanwills-optus, jonscheiding, kcculhwch, luigibaute, martysweet, naughtldy, nskoufis, razzm13, rforte, tomdionysus, yshshrm

cfn-lint's Issues

GetAtt does not support attributes with double periods

Outputs:
  DBDNS:
    Description: DNS Name of the DB Instance
    Value: !GetAtt Database.Endpoint.Address

Results in

Resource: Outputs > DBDNS > Value
Message: Invalid parameters for Fn::GetAtt
Documentation: http://docs.aws.amazon.com/search/doc-search.html?searchPath=documentation-guide&searchQuery=Fn::GetAtt&x=0&y=0&this_doc_product=AWS+CloudFormation&this_doc_guide=User+Guide&doc_locale=en_us#facet_doc_product=AWS%20CloudFormation&facet_doc_guide=User%20Guide

However !GetAtt Database.Endpoint.Address is valid and works in CloudFormation.

GetAtt in Outputs not reporting template invalid

Template

Resources:
  Bucket:
    Type: AWS::S3::Bucket

Outputs:
  DBDNS:
    Description: DNS Name of the DB Instance
    Value: !GetAtt Database.Endpoint.Address

Results in a Valid Template, however Database is not defined in resources, so this template should be invalid.
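The two GetAtt reports above, as an added example that is not part of the original issues or of cfn-lint's own code: a reference check over an already parsed template in long form that splits the string form of Fn::GetAtt at the first period only and also walks Outputs. The function names, the sample templates and the DBClass parameter are constructed for this illustration.

```javascript
// Added illustration; not cfn-lint's implementation. Input is a parsed
// template in long form (Ref / Fn::GetAtt keys rather than YAML short tags).

// Split a GetAtt target into [logicalId, attribute]. The string form is cut at
// the FIRST period only, so "Database.Endpoint.Address" keeps its dotted
// attribute name. The array form is already [logicalId, attribute].
function parseGetAtt(target) {
  if (typeof target === 'string') {
    const dot = target.indexOf('.');
    if (dot <= 0 || dot === target.length - 1) return null;
    return [target.slice(0, dot), target.slice(dot + 1)];
  }
  if (Array.isArray(target) && target.length === 2 &&
      typeof target[0] === 'string' && target[0] !== '') {
    return [target[0], target[1]];
  }
  return null;
}

// Walk Resources and Outputs and report every Ref / Fn::GetAtt whose target
// is not declared in the template. Paths use the "A > B > C" style seen in
// the linter output quoted in the issues.
function findReferenceErrors(template) {
  const resources = Object.keys(template.Resources || {});
  const parameters = Object.keys(template.Parameters || {});
  const errors = [];
  const report = (path, message) => errors.push({ path: path.join(' > '), message });

  function visit(node, path) {
    if (Array.isArray(node)) {
      node.forEach((item, i) => visit(item, path.concat(String(i))));
      return;
    }
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      if (key === 'Fn::GetAtt') {
        const parsed = parseGetAtt(value);
        if (parsed === null) {
          report(path, 'Invalid parameters for Fn::GetAtt');
        } else {
          if (!resources.includes(parsed[0])) {
            report(path, `Fn::GetAtt refers to undefined resource ${parsed[0]}`);
          }
          visit(parsed[1], path); // array form may carry a nested Ref as attribute
        }
      } else if (key === 'Ref' && typeof value === 'string') {
        const known = value.startsWith('AWS::') || // pseudo parameters
          resources.includes(value) || parameters.includes(value);
        if (!known) report(path, `Ref refers to undefined name ${value}`);
      } else {
        visit(value, path.concat(key));
      }
    }
  }

  visit(template.Resources, ['Resources']);
  visit(template.Outputs, ['Outputs']); // the section the second issue found unchecked
  return errors;
}

// Constructed sample 1: the template from the second issue, in long form.
const TEMPLATE_MISSING_DATABASE = {
  Resources: { Bucket: { Type: 'AWS::S3::Bucket' } },
  Outputs: {
    DBDNS: {
      Description: 'DNS Name of the DB Instance',
      Value: { 'Fn::GetAtt': 'Database.Endpoint.Address' },
    },
  },
};

// Constructed sample 2: same outputs, with Database declared (the resource
// type and the DBClass parameter are assumptions made for this example).
const TEMPLATE_WITH_DATABASE = {
  Parameters: { DBClass: { Type: 'String' } },
  Resources: {
    Bucket: { Type: 'AWS::S3::Bucket' },
    Database: {
      Type: 'AWS::RDS::DBInstance',
      Properties: { DBInstanceClass: { Ref: 'DBClass' } },
    },
  },
  Outputs: {
    DBDNS: { Value: { 'Fn::GetAtt': 'Database.Endpoint.Address' } },
    DBPort: { Value: { 'Fn::GetAtt': ['Database', 'Endpoint.Port'] } },
  },
};

console.log(findReferenceErrors(TEMPLATE_MISSING_DATABASE));
console.log(findReferenceErrors(TEMPLATE_WITH_DATABASE));
```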

ALBRule does not like *

LoadBalancerListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn: !Ref LoadBalancerTargetGroup
      Conditions:
        - Field: path-pattern
          Values:
            - "*"
      ListenerArn: !Ref LoadBalancerListener
      Priority: 1

Results in

Resource: Resources > LoadBalancerListenerRule > Properties > 0
Message: Expected type String for 0, got value '*'
Documentation: http://docs.aws.amazon.com/search/doc-search.html?searchPath=documentation-guide&searchQuery=AWS::ElasticLoadBalancingV2::ListenerRule.RuleCondition.0&x=0&y=0&this_doc_product=AWS+CloudFormation&this_doc_guide=User+Guide&doc_locale=en_us#facet_doc_product=AWS%20CloudFormation&facet_doc_guide=User%20Guide

However "*" is valid

Double nested PropertyTypes are not checked correctly

A template such as

Resources:
  CloudFrontDistribution:
    Type: "AWS::CloudFront::Distribution"
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainName
        CacheBehaviors:
          CacheBehavior
        DefaultCacheBehavior:
          DefaultCacheBehavior
        DefaultRootObject: index.php
        Enabled: true
        Logging:
          Bucket: mybucket
          IncludeCookies: false
          Prefix: !Sub "${DomainName}/"
        Origins:
          - Id: !Sub "Root-${OriginDomainName}"
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              OriginProtocolPolicy: http-only
        PriceClass: String
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn

Will throw an error of:

Resource: Resources > CloudFrontDistribution > Properties > DistributionConfig
Message: Bucket is not a valid property of AWS::CloudFront::Distribution.DistributionConfig.Logging
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distributionconfig.html#cfn-cloudfront-distributionconfig-logging

Resource: Resources > CloudFrontDistribution > Properties > DistributionConfig
Message: CustomOriginConfig is not a valid property of AWS::CloudFront::Distribution.DistributionConfig.Origin
Documentation: http://docs.aws.amazon.com/search/doc-search.html?searchPath=documentation-guide&searchQuery=AWS::CloudFront::Distribution.DistributionConfig.Origin&x=0&y=0&this_doc_product=AWS+CloudFormation&this_doc_guide=User+Guide&doc_locale=en_us#facet_doc_product=AWS%20CloudFormation&facet_doc_guide=User%20Guide

Among others...

This should be Resources > CloudFrontDistribution > Properties > DistributionConfig > Logging, however it looks like the PropertyType is correct.

ManagedPolicyName is not a valid property

  DeploymentIAMPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeploymentPolicyForMyApplication

Results in:

1 crit
Resource: Resources > DeploymentIAMPolicy > Properties
Message: ManagedPolicyName is not a valid property of AWS::IAM::ManagedPolicy
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html

However "ManagedPolicyName" is specified here http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html

error: uncaughtException: toGet.slice when running validate

When I run the command: /usr/bin/cfn-lint validate idam-master-apps.yml

I get the following error:
root@bd9dd3ebbb6a:/home/jenkins/workspace/gehc-cft-idam/gehc-cft-idam# /usr/bin/cfn-lint validate idam-master-apps.yml
2017-07-26T13:42:37.586Z - error: uncaughtException: toGet.slice(...).join is not a function date=Wed Jul 26 2017 13:42:37 GMT+0000 (UTC), pid=708, uid=0, gid=0, cwd=/home/jenkins/workspace/gehc-cft-idam/gehc-cft-idam, execPath=/usr/local/nvm/versions/v7.4.0/bin/node, version=v7.4.0, argv=[/usr/local/nvm/versions/v7.4.0/bin/node, /usr/bin/cfn-lint, validate, idam-master-apps.yml], rss=36220928, heapTotal=18747392, heapUsed=10032080, external=61182, loadavg=[1.36962890625, 0.50634765625, 0.27392578125], uptime=1369536, trace=[column=40, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=doIntrinsicGetAtt, line=473, method=null, native=false, column=20, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=resolveIntrinsicFunction, line=375, method=null, native=false, column=38, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=recursiveDecent, line=327, method=null, native=false, column=13, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=recursiveDecent, line=337, method=null, native=false, column=13, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=recursiveDecent, line=337, method=null, native=false, column=13, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=recursiveDecent, line=337, method=null, native=false, column=13, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=recursiveDecent, line=337, method=null, native=false, column=13, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=recursiveDecent, line=337, method=null, native=false, column=5, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=resolveReferences, line=299, method=null, native=false, column=5, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=validateWorkingInput, line=108, method=null, native=false], stack=[TypeError: toGet.slice(...).join is not a function, at doIntrinsicGetAtt (/usr/lib/node_modules/cfn-lint/lib/validator.js:473:40), at resolveIntrinsicFunction 
(/usr/lib/node_modules/cfn-lint/lib/validator.js:375:20), at recursiveDecent (/usr/lib/node_modules/cfn-lint/lib/validator.js:327:38), at recursiveDecent (/usr/lib/node_modules/cfn-lint/lib/validator.js:337:13), at recursiveDecent (/usr/lib/node_modules/cfn-lint/lib/validator.js:337:13), at recursiveDecent (/usr/lib/node_modules/cfn-lint/lib/validator.js:337:13), at recursiveDecent (/usr/lib/node_modules/cfn-lint/lib/validator.js:337:13), at recursiveDecent (/usr/lib/node_modules/cfn-lint/lib/validator.js:337:13), at resolveReferences (/usr/lib/node_modules/cfn-lint/lib/validator.js:299:5), at validateWorkingInput (/usr/lib/node_modules/cfn-lint/lib/validator.js:108:5)]

It appears I have the npm libs installed but not sure why this is failing.

Watch file

As this is a dev tool, watching a template could be useful

Map picked up for Lambda ENV Vars

Resource: Resources > LambdaFunction > Properties > Environment > Variables
Message: HEALTHCHECK_BUCKET is not a valid property of AWS::Lambda::Function.Map
Documentation: http://docs.aws.amazon.com/search/doc-search.html?searchPath=documentation-guide&searchQuery=AWS::Lambda::Function.Map&x=0&y=0&this_doc_product=AWS+CloudFormation&this_doc_guide=User+Guide&doc_locale=en_us#facet_doc_product=AWS%20CloudFormation&facet_doc_guide=User%20Guide

Resource: Resources > LambdaFunction > Properties > Environment > Variables
Message: SOMETHING_ELSE is not a valid property of AWS::Lambda::Function.Map
Documentation: http://docs.aws.amazon.com/search/doc-search.html?searchPath=documentation-guide&searchQuery=AWS::Lambda::Function.Map&x=0&y=0&this_doc_product=AWS+CloudFormation&this_doc_guide=User+Guide&doc_locale=en_us#facet_doc_product=AWS%20CloudFormation&facet_doc_guide=User%20Guide

API Gateway Support

We're getting a bunch of critical issues on our API Gateway definitions, which we believe are not actually issues.

They are mostly variations on these 3 issues:

API Gateway Resource PathPart
Resource: Resources > APIGatewayResource > Properties > PathPart
Message: Expected type String for PathPart, got value '{myPathPart}'

API Gateway Integration Responses
Resource: Resources > APIGatewayGetMethod > Properties > Integration > application/json
Message: Expected type String for application/json, got value '#set($inputRoot = $input.path('$'))

API Gateway Selection Pattern
Resource: Resources > APIGatewayGetMethod > Properties > Integration > SelectionPattern
Message: Expected type String for SelectionPattern, got value '.InternalServerError.'

This is a snippet of the offending cfn:

    APIGatewayResource:
      Type: "AWS::ApiGateway::Resource"
      Properties:
        PathPart: "{myPathPart}"
        RestApiId:
          Ref: APIGateway
    APIGatewayGetMethod:
      Type: "AWS::ApiGateway::Method"
      Properties:
        ApiKeyRequired: false
        AuthorizationType: "NONE"
        HttpMethod: GET
        Integration:
          Type: "AWS"
          PassthroughBehavior: WHEN_NO_TEMPLATES
          IntegrationHttpMethod: POST
          IntegrationResponses:
            - StatusCode: 200
            - StatusCode: 500
              ResponseTemplates:
                application/json:
                  Fn::FindInMap: [CustomVariables, responseTemplates, error]
              SelectionPattern: .*InternalServerError.*
            - StatusCode: 400
              SelectionPattern: .*BadRequest.*
              ResponseTemplates:
                application/json:
                  Fn::FindInMap: [CustomVariables, responseTemplates, error]
            - StatusCode: 404
              SelectionPattern: .*NotFound.*
              ResponseTemplates:
                application/json:
                  Fn::FindInMap: [CustomVariables, responseTemplates, error]
          RequestTemplates:
            application/json:
              Fn::FindInMap: [CustomVariables, requestTemplates, valid]
          Uri:
            Fn::Sub:
              - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Lambda}/invocations"
              - Lambda:
                  Fn::GetAtt: [LambdaFunction, Arn]
        MethodResponses:
          - StatusCode: 200
            ResponseModels:
              application/json:
                Ref: ResponseModel
          - StatusCode: 500
          - StatusCode: 400
          - StatusCode: 404
        ResourceId:
          Ref: APIGatewayResource
        RestApiId:
          Ref: APIGateway

Typescript?

Hey,
I'm trying to write a PR to add map support and I'm finding that there are a lot of extraneous checks in this project for whether properties exist or not, etc. It's always good to be careful with js, but I think the level you are going to here is leading to a quite difficult to read codebase.

Would you accept a PR to write this in Typescript instead of es6? I'm happy to do the work, you're already transpiling (it would replace Babel), and I think it would lead to much cleaner code (the typescript compiler is smart enough to know when certain checks are not required, so you can largely rely on build-time safety instead of the hand-written runtime checks you are using now).

I know this would be quite an invasive change, so that's why I'm checking instead of barging ahead and PR/forking. If you're unsure maybe we could chat over some IM medium?

Cheers
Jarrad

Plan program workflow

COS

  • Resource nesting is shown in the error messages
  • Multiple error messages can be shown per run
  • YAML and JSON are supported
  • Uses the AWS API Spec for a knowledge base
  • First release only checks Resources
  • Give a link to the documentation for errors in an error summary once run
  • Debug should throw errors when found, and again at the end in the summary
cfn-lint --debug --region eu-west-1 mytemplate.yaml
  1. Validate users input
  2. For each resource defined, generate Outputs depending on type defined, throw error if invalid type
  3. Check for circular dependencies
  4. Resolve all !Ref and !Attr calls, then perform !Join
  5. Recursively descend through the template (if valid type)
    5.1. Take the resource type, store the resource name on a stack
    5.2. Check parameters for properties are valid, descending into them if type is not string
    5.3. Throw errors on type mismatch or where property is somethingArn and an Arn is not found to be its value

GetAZs function is unknown

Check your template is not malformed. unknown tag !<!GetAZs>

Usage:

SubAStack:
  Properties:
    Parameters:
      AvailabilityZone: !Select ['0', !GetAZs {Ref: 'AWS::Region'}]
  Type: AWS::CloudFormation::Stack

Feature request - be able to call as a node library and access stack outputs

I am working to integrate this tool with Sceptre, which is a tool to orchestrate a set of stacks being deployed at once. I am not attempting to actually modify sceptre to call cfn-lint directly, but I am writing a local validation tool that runs cfn-lint on all stacks in a Sceptre environment.

It would be really helpful to be able to do require('cfn-lint') in a node bridging script, as it's difficult to parse CLI output (and I guess this is not maintained as part of the concept of stable API, which is fair enough..)

require('cfn-lint/validator') does currently work as a workaround.

In addition, and for the same reason, it would be great to have access to computed stack outputs in the errorObject.

I currently have a branch that does both of these; would this functionality be considered?

Improve CLI Interface

The CLI interface isn't great.

  • Allow for randomly ordered parameters
  • Attempt to mimic aws cloudformation validate-stack and parameters as closely as possible
  • Add help and hints (auto completion?)

Validation without parameters

I'd like to be able to locally validate the syntax of my CloudFormation templates on PRs. I don't have any requirements to validate parameters and it's not realistic for me to document the parameters of all the templates I have. It would be quite useful to skip that option and any validation that depends on passing through parameters.

Conditional properties failing to evaluate

I'm not sure if this is currently supported, but I have some conditionals that are empty after being evaluated:

Parameters:
  Env:
    Description: Which Environment
    Type: String
    Default: Dev
    AllowedValues:
      - Dev
      - QA
      - PreProd
      - Production

Conditions:
  isProd: !Equals [!Ref Env, Production]
  isPreProd: !Equals [!Ref Env, PreProd]
  isProdOrPreProd: !Or
    - Condition: isProd
    - Condition: isPreProd
  isNotProdOrPreProd: !Not
    - Condition: isProdOrPreProd

Mappings:
  App:
    Dev:
      CertificateId: NA
      CertificateArn: arn:aws:acm:us-east-1:etc
    Production:
      CertificateId: 09187234234
      CertificateArn: NA

# ... CloudFront config
        ViewerCertificate:
          IamCertificateId: !If
             - isProd
             - !FindInMap [App, !Ref Env, CertificateId]
             - !Ref "AWS::NoValue"
          AcmCertificateArn: !If
             - isPreProd
             - !FindInMap [App, !Ref Env, CertificateArn]
             - !Ref "AWS::NoValue"

cfn-lint validate myapp.yml --pseudo AWS::Region=ap-southeast-2

Results in:

3 crit
Resource: Resources > cloudfrontDistribution > Properties > DistributionConfig > ViewerCertificate > IamCertificateId
Message: Expected type String for IamCertificateId, got value '' instead
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distributionconfig-viewercertificate.html#cfn-cloudfront-distributionconfig-viewercertificate-iamcertificateid

Resource: Resources > cloudfrontDistribution > Properties > DistributionConfig > ViewerCertificate > AcmCertificateArn
Message: AcmCertificateArn is expecting an Arn, '' given. If this is a parameter, has it been specified with --parameters?
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distributionconfig-viewercertificate.html#cfn-cloudfront-distributionconfig-viewercertificate-acmcertificatearn

Resource: Resources > cloudfrontDistribution > Properties > DistributionConfig > ViewerCertificate > AcmCertificateArn
Message: Expected type String for AcmCertificateArn, got value '' instead
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distributionconfig-viewercertificate.html#cfn-cloudfront-distributionconfig-viewercertificate-acmcertificatearn

Improper Type Checking + Invalid search string

  1. String checks should allow '-' in the regex.

  2. Template Formation Version is expecting a quoted "2010-09-09", for some reason, unquoted 2010-09-09 is throwing an error.

  3. The "Expected String type" error is giving 'String.IpProtocol' as a type, as opposed to 'SecurityGroup.IpProtocol', this is creating the invalid search

Resource: AWSTemplateFormatVersion
Message: AWSTemplateFormationVersion should be "2010-09-09"
Documentation: http://docs.aws.amazon.com/search/doc-search.html?searchPath=documentation-guide&searchQuery=AWSTemplateFormatVersion&x=0&y=0&this_doc_product=AWS+CloudFormation&this_doc_guide=User+Guide&doc_locale=en_us#facet_doc_product=AWS%20CloudFormation&facet_doc_guide=User%20Guide

Resource: Resources > SecurityGroup > Properties > IpProtocol
Message: Expected type String for IpProtocol, got value -1
Documentation: http://docs.aws.amazon.com/search/doc-search.html?searchPath=documentation-guide&searchQuery=String.IpProtocol&x=0&y=0&this_doc_product=AWS+CloudFormation&this_doc_guide=User+Guide&doc_locale=en_us#facet_doc_product=AWS%20CloudFormation&facet_doc_guide=User%20Guide

CloudFormation Stack Resource - Passing Parameters causes uncaughtException

When using an AWS::CloudFormation::Stack resource type, in both JSON and YAML, if parameters are passed under resource properties, validation fails with error: uncaughtException: Cannot read property 'hasOwnProperty. From error messages and my own troubleshooting, I believe that this bug is from validator.js's function checkResourceProperties, when it attempts to process each property for property validation with checkEachProperty(resourceType, resources[res], 'Properties');. I've been able to replicate this with the CloudFormation templates in replication.txt.

As a workaround, I've added a check for resource type prior to checkEachProperty that seems to resolve the error, but presumably removes the desired vetting of parameters for AWS::CloudFormation::Stack.

if (resourceType !== 'AWS::CloudFormation::Stack') {
    checkEachProperty(resourceType, resources[res], 'Properties');
}

Validation on properties of a parameter

An invalid property on a parameter doesn't seem to trigger an error (there's a typo in the Default key):

Parameters:
  MyPassword:
    Description: Password
    Type: String
    Defaut: hunter2
    NoEcho: True

This parameter was used in some UserData via Fn::Sub.

Update CONTRIBUTING.md and README.md

Update the files about the new branching strategy, brief project overview and status.

If all happy with TS, add TS documentation for newcomers to learn from.

CLI exit codes

Can the CLI provide a non-zero exit code for invalid templates, and optionally when crit and warn results exist?

This will allow cfn-lint to be used in a CI process that can abort/fail when invalid templates and/or critical errors are present

Extended validation flag

After validating, have the option to use the AWS API to do a final check

This ensures everything can be caught

Could auto-mock Arn parameters

Currently, if a ResourceType has an Attribute with 'Arn' in its name, cfn-lint mocks the attribute value to be a valid arn.

Would it be acceptable to extend this behaviour to Parameters with 'Arn' in the name? I structure my templates like this already so it would certainly fit my needs. This would obviate the need to pass mock Arn parameters by hand. It is 'opinionated' behaviour though, so I'm not sure if you would accept it. (It certainly wouldn't break any existing behaviour though as far as I can guess, it just would only work for people if they write their templates in a certain way.)

Yaml shorthand !Fn::Sub

      UserData:
        - Fn::Base64
            !Fn::Sub "PERSCODE=${ProvisionKey}"

Does not throw any validation errors

!Fn is invalid, should be !Sub

Raise a critical error when S3Bucket name has upper case.

This template will fail with the message "Bucket name should not contain uppercase characters"

However cfn-lint is not able to catch this.
$ cfn-lint validate s3bucket_parameter.yaml
0 infos
0 warn
0 crit
Template valid!

Tonys-Mac-mini:~/cloudformation $  cat s3bucket_parameter.yaml
---
  AWSTemplateFormatVersion: "2010-09-09"
  Parameters:
    BucketName:
      Description: "Name of MyS3Bucket"
      Type: "String"
#      Default: "mys3bucketacloudgurutraining"
  Resources:
    S3Bucket:
      Type: "AWS::S3::Bucket"
      Properties:
        BucketName:
          Ref: "BucketName"
    S3Bucket2:
      Type: "AWS::S3::Bucket"
      Properties:
        BucketName: "Publicreadbucket220170703"
  Outputs:
    S3BucketName:
      Value:
        Ref: "S3Bucket"
      Description: "Name of S3 bucket"
    S3BucketName2:
      Value:
        Ref: "S3Bucket2"
      Description: "Name of S3 bucket"

Exception when passing an AWS::ECS::TaskDefinition with LogConfiguration

task.yaml:

Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - LogConfiguration:
            Options:
              awslogs-region: "region"

cfn-lint validate task.yaml

/usr/local/lib/node_modules/cfn-lint/lib/resourcesSpec.js:121
    return spec.hasOwnProperty('AdditionalProperties') && spec['AdditionalProperties'] === true;
               ^

TypeError: Cannot read property 'hasOwnProperty' of null
    at Object.isAdditionalPropertiesEnabled (/usr/local/lib/node_modules/cfn-lint/lib/resourcesSpec.js:122:16)
    at checkResourceProperty (/usr/local/lib/node_modules/cfn-lint/lib/validator.js:928:49)
    at checkProperty (/usr/local/lib/node_modules/cfn-lint/lib/validator.js:1049:21)
    at checkResourceProperty (/usr/local/lib/node_modules/cfn-lint/lib/validator.js:973:17)
    at checkProperty (/usr/local/lib/node_modules/cfn-lint/lib/validator.js:1049:21)
    at checkResourceProperty (/usr/local/lib/node_modules/cfn-lint/lib/validator.js:973:17)
    at checkProperty (/usr/local/lib/node_modules/cfn-lint/lib/validator.js:1049:21)
    at checkResourceProperty (/usr/local/lib/node_modules/cfn-lint/lib/validator.js:955:29)
    at /usr/local/lib/node_modules/cfn-lint/lib/validator.js:919:9
    at Array.forEach (native)

Tags is not a valid property of AWS::AutoScaling::AutoScalingGroup

Yes it is.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html#aws-properties-as-group-prop

For example:

ConsulAutoScalingGroup:
  Type: AWS::AutoScaling::AutoScalingGroup
  Properties:
    DesiredCapacity: 3
    MaxSize: 7
    MinSize: 3
    MetricsCollection:
      Granularity: 1Minute
    HealthCheckType: EC2
    LaunchConfigurationName: !Ref ConsulLaunchConfiguration
    VPCZoneIdentifier: !FindInMap [!Ref "AWS::AccountId", !Ref "AWS::Region", "PrivateSubnets"]
    Tags:
      - Key: Consul-Auto-Discover
        Value: !Sub "Consul-${AWS::AccountId}-${AWS::Region}-${AWS::StackName}"
        PropagateAtLaunch: true

Security group rule

Invalid value 'Must specify both from and to ports with ICMP.' for portRange.

Numeric Parameters not being validated

It appears parameters with values of int are not being processed properly. This is probably getting picked up on tests but being ignored as the majority of tests only check critical errors.

Resource: Resources > ALBTargetGroup > Properties
Message: Unhandled property for HealthCheckIntervalSeconds
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html#cfn-elasticloadbalancingv2-targetgroup-healthcheckintervalseconds

Resource: Resources > ALBTargetGroup > Properties
Message: Unhandled property for UnhealthyThresholdCount
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html#cfn-elasticloadbalancingv2-targetgroup-unhealthythresholdcount

Resource: Resources > ALBTargetGroup > Properties
Message: Unhandled property for Port
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html#cfn-elasticloadbalancingv2-targetgroup-port

Resource: Resources > DNSRecordInstance > Properties
Message: Unhandled property for TTL
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html#cfn-route53-recordset-ttl

Feature request - more control over parameter validation

It would be useful if cfn-lint could be run in a sort of 'strict mode' where it would create an error if a parameter was missing and not provided as a Default or on the CLI, instead of (or maybe as well as) proceeding with a mocked value.

Perhaps an optional options argument passed to validateFile to switch behaviour.

Would you accept this?

Bucket Transitions non-array not detected

  S3LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      LifecycleConfiguration:
        Rules:
          - Status: Enabled
            Transitions:
                StorageClass: GLACIER
                TransitionInDays: 60

is invalid as Transitions should be array types (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-lifecycleconfig-rule.html).

  S3LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      LifecycleConfiguration:
        Rules:
          - Status: Enabled
            Transitions:
              - StorageClass: GLACIER
                TransitionInDays: 60

would be correct...

Cannot read property 'hasOwnProperty' of null

Getting this error from a fresh install of cfn-lint version 1.1.7.

The CloudFormation template I'm using is a valid JSON format template which has already been deployed successfully.

root@DESKTOP-9JIN1GI:/mnt/c/workspace/andover-pipelinebot# npm install -g cfn-lint
/usr/bin/cfn-lint -> /usr/lib/node_modules/cfn-lint/lib/index.js
/usr/lib
└── cfn-lint@1.1.7

root@DESKTOP-9JIN1GI:/mnt/c/workspace/andover-pipelinebot# cfn-lint --version
1.1.7
root@DESKTOP-9JIN1GI:/mnt/c/workspace/andover-pipelinebot# cfn-lint validate .serverless/cloudformation-template-update-stack.json
2017-10-31T14:35:12.455Z - error: uncaughtException: Cannot read property 'hasOwnProperty' of null date=Tue Oct 31 2017 14:35:12 GMT+0000 (STD), pid=1178, uid=0, gid=0, cwd=/mnt/c/workspace/andover-pipelinebot, execPath=/usr/bin/node, version=v6.11.3, argv=[/usr/bin/node, /usr/bin/cfn-lint, validate, .serverless/cloudformation-template-update-stack.json], rss=26845184, heapTotal=19972096, heapUsed=10396944, external=69450, loadavg=[0.5185546875, 0.57763671875, 0.5859375], uptime=103911, trace=[column=16, file=/usr/lib/node_modules/cfn-lint/lib/resourcesSpec.js, function=Object.isAdditionalPropertiesEnabled, line=121, method=isAdditionalPropertiesEnabled, native=false, column=49, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=checkResourceProperty, line=928, method=null, native=false, column=21, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=checkProperty, line=1049, method=null, native=false, column=17, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=checkResourceProperty, line=973, method=null, native=false, column=21, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=checkProperty, line=1049, method=null, native=false, column=17, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=checkResourceProperty, line=973, method=null, native=false, column=9, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=null, line=919, method=null, native=false, column=null, file=null, function=Array.forEach, line=null, method=forEach, native=true, column=27, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=checkEachProperty, line=918, method=null, native=false, column=17, file=/usr/lib/node_modules/cfn-lint/lib/validator.js, function=checkResourceProperties, line=902, method=null, native=false], stack=[TypeError: Cannot read property 'hasOwnProperty' of null,     at Object.isAdditionalPropertiesEnabled (/usr/lib/node_modules/cfn-lint/lib/resourcesSpec.js:121:16),     at 
checkResourceProperty (/usr/lib/node_modules/cfn-lint/lib/validator.js:928:49),     at checkProperty (/usr/lib/node_modules/cfn-lint/lib/validator.js:1049:21),     at checkResourceProperty (/usr/lib/node_modules/cfn-lint/lib/validator.js:973:17),     at checkProperty (/usr/lib/node_modules/cfn-lint/lib/validator.js:1049:21),     at checkResourceProperty (/usr/lib/node_modules/cfn-lint/lib/validator.js:973:17),     at /usr/lib/node_modules/cfn-lint/lib/validator.js:919:9,     at Array.forEach (native),     at checkEachProperty (/usr/lib/node_modules/cfn-lint/lib/validator.js:918:27),     at checkResourceProperties (/usr/lib/node_modules/cfn-lint/lib/validator.js:902:17)]
root@DESKTOP-9JIN1GI:/mnt/c/workspace/andover-pipelinebot# cfn-lint validate .serverless/cloudformation-template-update-stack.json --pseudo AWS::Region=eu-west-1,AWS::AccountId=12345

Parameter type List<AWS::EC2::SecurityGroup::Id>

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ExistingSecurityGroups:
    Type: List<AWS::EC2::SecurityGroup::Id>
Resources:
  Bucket:
    Type: AWS::S3::Bucket

Results in:

0 infos
0 warn
1 crit
Resource: Parameters > ExistingSecurityGroups
Message: Parameter ExistingSecurityGroups has an invalid type of List<AWS::EC2::SecurityGroup::Id>.
Documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html

However List<AWS::EC2::SecurityGroup::Id> is valid.
