Issue with 'Key' Being a Required Property in cfn-lint v1.9.3 #3562

Closed
wapacz opened this issue Aug 2, 2024 · 4 comments · Fixed by #3563

wapacz commented Aug 2, 2024

CloudFormation Lint Version

1.9.3

What operating system are you using?

Ubuntu

Describe the bug

I have the following part of the template that the latest (1.9.3) cfn-lint complains about:

      Tags:

        - !If
          - Condition1
          - Key: 'Key1'
            Value: 'Value1'
          - !Ref 'AWS::NoValue'

I'm getting the following error regarding this part: 3024 'Key' is a required property

The previous version, 1.9.2, didn't complain about it.

Expected behavior

The template should work as it is, or please clarify how this should be properly implemented.

Reproduction template

---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Property1:
    Type: 'String'
    Default: 'no'

Conditions:
  Condition1: !Equals [!Ref 'Property1', 'yes']

Resources:
  Resource1:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: 'Role1'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
      Tags:

        - !If
          - Condition1
          - Key: 'Key1'
            Value: 'Value1'
          - !Ref 'AWS::NoValue'

        - Key: 'Key2'
          Value: 'Value2'

nosnilmot commented

I think the problem is AWS::NoValue is not recognised as a (valid) dummy value in a list where an object is expected.

An even simpler reproducer:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group
      VpcId: 'vpc-12345678901234567'
      Tags:
        - !Ref 'AWS::NoValue'


wapacz commented Aug 2, 2024

@nosnilmot, thanks. Yes, that is true. It looks like the problem is with AWS::NoValue on the list.

kddejong self-assigned this Aug 2, 2024
kddejong added the bug Something isn't working label Aug 2, 2024

kddejong commented Aug 2, 2024

Correct, it has to do with how we process items. It creates an interesting scenario that I'm working to resolve.

For instance, in the scenario below we want to have the error E3003 'AssumeRolePolicyDocument' is a required property:

---
Resources:
  Resource2:
    Type: 'AWS::IAM::Role'
    Properties: !Ref AWS::NoValue

But in a list of objects we want the list item removed, as the following template should provide 0 errors (at least for the tags).

---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Property1:
    Type: 'String'
    Default: 'no'

Conditions:
  Condition1: !Equals [!Ref 'Property1', 'yes']

Resources:
  Resource1:
    Type: 'AWS::IAM::Role'
    Properties:
      Tags:

        - !If
          - Condition1
          - Key: 'Key1'
            Value: 'Value1'
          - !Ref 'AWS::NoValue'

        - Key: 'Key2'
          Value: 'Value2'
        - !Ref 'AWS::NoValue'

In both scenarios there is a required keyword, but on the list side of the world we need to recognize it is not an item in the list at all. As a result of this, I'm going to send the items JSON schema word through the same logic we use to determine minItems, maxItems, maxProperties, etc. as defined here


kddejong commented Aug 2, 2024

Additionally, this change will handle all these scenarios appropriately:

---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Property1:
    Type: 'String'
    Default: 'no'

Conditions:
  Condition1: !Equals [!Ref 'Property1', 'yes']

Resources:
  Resource1:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument: {}
      Tags:

        - !If
          - Condition1
          - Key: 'Key1'
            Value: 'Value1'
          - !Ref 'AWS::NoValue'

        - Key: 'Key2'
          Value: 'Value2'
        - !Ref 'AWS::NoValue'
  Resource2:
    Type: 'AWS::IAM::Role'
    Properties: !Ref AWS::NoValue
  Resource3:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument: {}
      Tags:
        !If
          - Condition1
          - - Key: 'Key1'
              Value: 'Value1'
          - !Ref 'AWS::NoValue'

E3003 'AssumeRolePolicyDocument' is a required property
local/issue/3562.yaml:29:5
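
The behaviour discussed in this thread, as an added Python example (not part of the original comments and not cfn-lint's implementation): `AWS::NoValue` is resolved away before validation, so a list item that resolves to it is dropped, while `Properties` set to it still fails the required-property check. The simplified IAM role check, the long-form intrinsic syntax and the names `resolve`, `check_role` and `lint` are assumptions made for illustration.

```python
# Added illustration, not cfn-lint code. Intrinsics are written in long form:
# {"Ref": "AWS::NoValue"} and {"Fn::If": [condition, if_true, if_false]}.
NO_VALUE = {"Ref": "AWS::NoValue"}
REMOVED = object()  # sentinel: the value does not exist after resolution

def resolve(value, conditions):
    """Resolve Fn::If / AWS::NoValue for one scenario of condition values."""
    if value == NO_VALUE:
        return REMOVED
    if isinstance(value, dict):
        if set(value) == {"Fn::If"}:
            name, if_true, if_false = value["Fn::If"]
            return resolve(if_true if conditions[name] else if_false, conditions)
        resolved = {k: resolve(v, conditions) for k, v in value.items()}
        return {k: v for k, v in resolved.items() if v is not REMOVED}
    if isinstance(value, list):
        resolved = [resolve(v, conditions) for v in value]
        return [v for v in resolved if v is not REMOVED]  # item is dropped
    return value

def check_role(name, resource, conditions):
    """Return 'required property' findings for a simplified AWS::IAM::Role."""
    props = resolve(resource.get("Properties", {}), conditions)
    if props is REMOVED:
        props = {}  # no properties at all: required checks still apply
    errors = []
    if "AssumeRolePolicyDocument" not in props:
        errors.append(f"{name}: 'AssumeRolePolicyDocument' is a required property")
    for tag in props.get("Tags", []):
        for key in ("Key", "Value"):
            if key not in tag:
                errors.append(f"{name}: '{key}' is a required property")
    return errors

COND_TAG = {"Fn::If": ["Condition1", {"Key": "Key1", "Value": "Value1"}, NO_VALUE]}
TEMPLATE = {  # constructed from the three resources in the comment above
    "Resource1": {"Properties": {"AssumeRolePolicyDocument": {},
        "Tags": [COND_TAG, {"Key": "Key2", "Value": "Value2"}, NO_VALUE]}},
    "Resource2": {"Properties": NO_VALUE},
    "Resource3": {"Properties": {"AssumeRolePolicyDocument": {},
        "Tags": {"Fn::If": ["Condition1", [{"Key": "Key1", "Value": "Value1"}], NO_VALUE]}}},
}

def lint(conditions):
    """Check every resource in TEMPLATE for one set of condition values."""
    return [e for n, r in TEMPLATE.items() for e in check_role(n, r, conditions)]
```

Calling `lint` with `Condition1` either true or false returns only the Resource2 finding, matching the single E3003 shown above.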
