Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

I3042 in PipelineConfigurationBody for AWS::OSIS::Pipeline when defining DynamoDB table_arn #3571

Closed
jburnham opened this issue Aug 5, 2024 · 3 comments · Fixed by #3572
Closed

I3042 in PipelineConfigurationBody for AWS::OSIS::Pipeline when defining DynamoDB table_arn #3571

jburnham opened this issue Aug 5, 2024 · 3 comments · Fixed by #3572

Comments

@jburnham
Copy link

jburnham commented Aug 5, 2024

CloudFormation Lint Version

cfn-lint 1.9.4

What operating system are you using?

macOS

Describe the bug

The template receives the following warning

[cfn-lint] I3042: ARN in Resource IngestionPipeline contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters

The regex for I3042 seems to be confused with the table_arn: part of the pipeline configuration as defined in Opensearch1. If I rename it to just table:, the warning goes away. This is regardless if the value of table_arn: is a full arn using ${AWS::Partition} or a variable reference as is the case in the reproduction template.

Expected behavior

I expect the template to be valid as there is no use of a hardcoded partition nor any use of a pseudo parameter afaict.

Reproduction template

---
AWSTemplateFormatVersion: 2010-09-09

Parameters:
  DynamoDBTableArn:
    Description: "DynamoDB Table ARN"
    Type: String
  EnvironmentName:
    Type: String
    AllowedValues:
      - staging
      - production
  PipelineName:
    Description: "Name of the ingestion pipeline"
    Type: String
  PipelineMinUnits:
    Description: Min Units for ingestion pipeline
    Type: Number
  PipelineMaxUnits:
    Description: Max Units for ingestion pipeline
    Type: Number
Resources:
  IngestionPipeline:
    Type: AWS::OSIS::Pipeline
    Properties:
      PipelineName: !Sub ${PipelineName}
      MaxUnits: !Ref PipelineMaxUnits
      MinUnits: !Ref PipelineMinUnits
      PipelineConfigurationBody: !Sub |
          version: "2"
          dynamodb-pipeline:
            source:
              dynamodb:
                acknowledgments: true
                tables:
                  - table_arn: ${DynamoDBTableArn}
                  - export:
                      s3_bucket: mybucket
                      s3_prefix: ${EnvironmentName}
                    stream:
                      start_position: "LATEST"
                aws:
                  region: us-east-1

Footnotes

  1. https://opensearch.org/docs/latest/data-prepper/pipelines/configuration/sources/dynamo-db/#usage

@kddejong
Copy link
Contributor

kddejong commented Aug 5, 2024

cfn-lint/src/cfnlint/rules/resources/HardCodedArnProperties.py

Line 28 in 39ca987

r"arn:(\$\{[^:]*::[^:]*}|[^:]*):[^:]+:(\$\{[^:]*::[^:]*}|[^:]*):(\$\{[^:]*::[^:]*}|[^:]*)"

I think the issue is [^:] which will match any character but: including newlines.

@kddejong kddejong mentioned this issue Aug 5, 2024
Merged
@kddejong
Copy link
Contributor

kddejong commented Aug 5, 2024

I think the new regex pattern in the PR will do better with handling newlines and spacing

@jburnham
Copy link
Author

jburnham commented Aug 5, 2024

@kddejong confirmed, testing the PR against our full template corrected the warning

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update regex pattern for rule I3042 kddejong/cfn-python-lint
2 participants
@jburnham @kddejong