CFN-Lint validation fails when Connector uses type instead of ID #3617

Closed
drumgoolej opened this issue Aug 23, 2024 · 0 comments · Fixed by #3628

drumgoolej commented Aug 23, 2024

CloudFormation Lint Version

1.10.3

What operating system are you using?

Mac & Ubuntu

Describe the bug

Originally reported in the SAM repo here: aws/aws-sam-cli#7397

After some digging, it appears that this is an issue specifically with cfn-lint, which is a dependency of SAM that was bumped in a recent SAM release.

I ran into the same issue reported in aws-sam-cli/issues/7397 when running the SAM linter in CI/CD:

[[E0001: Error found when transforming the template] (Error transforming template: Key None must be a string) matched 1]
Error: Linting failed. At least one linting rule was matched to the provided template.

Expected behavior

Defining a CFN connector with a type instead of an ID should pass linting validation.

Reproduction template

From the original ticket:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  ai-workflows-photo

Parameters:
  Environment:
    Type: String
    AllowedValues:
    - dev
    - staging
    - prod
    - dz

  LambdaRuntime:
    Type: String
    Default: provided.al2023
    AllowedValues:
    - provided.al2023
    - java21

  LambdaHandler:
    Type: String
    Default: not.used.in.provided.runtime
    AllowedValues:
    - not.used.in.provided.runtime
    - io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest

  LambdaArchitecture:
    Type: String
    Default: arm64
    AllowedValues:
    - arm64
    - x86_64

  SnsTopicSubscription:
    Type: String
    Default: "[email protected]"

Globals:
  Function:
    Runtime: !Sub "${LambdaRuntime}"
    Architectures:
    - !Sub "${LambdaArchitecture}"
    Timeout: 20
    # 128 is ok but to be fast
    MemorySize: 128
    Handler: !Sub "${LambdaHandler}"

Resources:
  #Source SQS
  SourceQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub ai-workflows-photo-queue-${Environment}

  #Result SQS
  ResultQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub ai-workflows-photo-result-queue-${Environment}

  AiWorkflowStabilisationFunctionLog:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: !Sub "/aws/lambda/ai-workflows-stabilisation-function-${Environment}"

  #Lambda Stabilisation
  AiWorkflowStabilisationFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ai-workflows-stabilisation-function-${Environment}
      CodeUri: ../../lambdas/stabilisation/build/function.zip
      MemorySize: 1536
      Policies:
      - RekognitionLabelsPolicy: { }
    Metadata:
      SkipBuild: True
    # noinspection YamlFormatViolation
    Connectors:
      AiWorkflowStabilisationFunctionS3Connector:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: !Sub arn:aws:s3:::qundo-legitimation-data-${Environment}
          Permissions:
          - Read
          - Write
      AiWorkflowStabilisationFunctionS3ConnectorDev:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: arn:aws:s3:::qundo-legitimation-data-dev
          Permissions:
          - Read
          - Write
      AiWorkflowStabilisationFunctionS3ConnectorTest:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: arn:aws:s3:::qundo-kyc-test-data
          Permissions:
          - Read
          - Write

  AiWorkflowExtractionFunctionLog:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: !Sub "/aws/lambda/ai-workflows-extraction-function-${Environment}"

  #Lambda Extraction
  AiWorkflowExtractionFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ai-workflows-extraction-function-${Environment}
      CodeUri: ../../lambdas/extraction/build/function.zip
      MemorySize: 192
      Policies:
      - TextractDetectAnalyzePolicy: { }
      - TextractGetResultPolicy: { }
    Metadata:
      SkipBuild: True
    # noinspection YamlFormatViolation
    Connectors:
      AiWorkflowExtractionFunctionS3Connector:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: !Sub arn:aws:s3:::qundo-legitimation-data-${Environment}
          Permissions:
          - Read
      AiWorkflowExtractionFunctionS3ConnectorDev:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: arn:aws:s3:::qundo-legitimation-data-dev
          Permissions:
          - Read
      AiWorkflowExtractionFunctionS3ConnectorTest:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: arn:aws:s3:::qundo-kyc-test-data
          Permissions:
          - Read

  AiWorkflowExtractionMergeFunctionLog:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: !Sub "/aws/lambda/ai-workflows-extraction-merge-function-${Environment}"

  #Lambda Merge
  AiWorkflowExtractionMergeFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ai-workflows-extraction-merge-function-${Environment}
      CodeUri: ../../lambdas/extraction-merge/build/function.zip
    Metadata:
      SkipBuild: True

  #Logs for StepFunctions
  AiWorkflowStateMachineLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: !Sub "/aws/snf/ai-workflows-${Environment}"

  AiWorkflowFaceComparisonFunctionLog:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: !Sub "/aws/lambda/ai-workflows-face-comparison-function-${Environment}"

  #Lambda Face Comparision
  AiWorkflowFaceComparisonFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ai-workflows-face-comparison-function-${Environment}
      CodeUri: ../../lambdas/face-comparison/build/function.zip
      Policies:
      - RekognitionFacesPolicy: { }
    Metadata:
      SkipBuild: True
    # noinspection YamlFormatViolation
    Connectors:
      AiWorkflowFaceComparisonFunctionS3Connector:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: !Sub arn:aws:s3:::qundo-legitimation-data-${Environment}
          Permissions:
          - Read
      AiWorkflowFaceComparisonFunctionS3ConnectorDev:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: arn:aws:s3:::qundo-legitimation-data-dev
          Permissions:
          - Read
      AiWorkflowFaceComparisonFunctionS3ConnectorTest:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: arn:aws:s3:::qundo-kyc-test-data
          Permissions:
          - Read

  AiWorkflowSnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub ai-workflows-error-${Environment}
      Subscription:
      - Endpoint: !Ref SnsTopicSubscription
        Protocol: "EMAIL"

  #Target StepFunction state machine
  AiWorkflowStateMachine:
    Type: AWS::Serverless::StateMachine
    Properties:
      Name: !Sub ai-workflow-photo-${Environment}
      DefinitionUri: workflow/ai-workflow-photo.asl.json
      DefinitionSubstitutions:
        AiWorkflowStabilisationFunctionArn: !GetAtt AiWorkflowStabilisationFunction.Arn
        AiWorkflowExtractionFunctionArn: !GetAtt AiWorkflowExtractionFunction.Arn
        AiWorkflowFaceComparisonFunctionArn: !GetAtt AiWorkflowFaceComparisonFunction.Arn
        AiWorkflowExtractionMergeFunctionArn: !GetAtt AiWorkflowExtractionMergeFunction.Arn
        AiWorkflowSnsTopicArn: !GetAtt AiWorkflowSnsTopic.TopicArn
      Logging:
        Destinations:
        - CloudWatchLogsLogGroup:
            LogGroupArn: !GetAtt AiWorkflowStateMachineLogGroup.Arn
        Level: ALL
        IncludeExecutionData: true
      Policies:
      - CloudWatchLogsFullAccess
      - Version: '2012-10-17' # Policy Document
        Statement:
        - Effect: Allow
          Action:
          - geo:SearchPlaceIndexForText
          Resource: 'arn:aws:geo:eu-central-1:001160930910:place-index/Qundo-Addresss-Check'
    # noinspection YamlFormatViolation
    Connectors:
      AiWorkflowStepFunctionStabilisationLambdaWriteConnector:
        Properties:
          Destination:
            Id: AiWorkflowStabilisationFunction
          Permissions:
          - Write
      AiWorkflowStepFunctionExtractionLambdaWriteConnector:
        Properties:
          Destination:
            Id: AiWorkflowExtractionFunction
          Permissions:
          - Write
      AiWorkflowStepFunctionFaceComparisonLambdaWriteConnector:
        Properties:
          Destination:
            Id: AiWorkflowFaceComparisonFunction
          Permissions:
          - Write
      AiWorkflowExtractionMergeLambdaWriteConnector:
        Properties:
          Destination:
            Id: AiWorkflowExtractionMergeFunction
          Permissions:
          - Write
      AiWorkflowStepFunctionResultQueueWriteConnector:
        Properties:
          Destination:
            Id: ResultQueue
          Permissions:
          - Write
      AiWorkflowStepFunctionResultQueueWriteConnectorDev:
        Properties:
          Destination:
            Type: AWS::SQS::Queue
            Arn: arn:aws:sqs:eu-central-1:001160930910:ai-workflows-photo-queue-dev
          Permissions:
          - Write
      AiWorkflowStepFunctionResultQueueWriteConnectorTest:
        Properties:
          Destination:
            Type: AWS::SQS::Queue
            Arn: arn:aws:sqs:eu-central-1:001160930910:ai-workflow-photo-result-for-test-*
          Permissions:
          - Write
      AiWorkflowStepFunctionSnsTopicWriteConnector:
        Properties:
          Destination:
            Id: AiWorkflowSnsTopic
          Permissions:
          - Write

  # Logs for EventBridge Pipe
  AiWorkflowSqsEventBridgePipeLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: !Sub "/aws/pipe/ai-workflows-${Environment}"

  # Role for EventBridge Pipes to read from SQS and launch SFN
  AiWorkflowSqsEventBridgePipeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ai-workflow-sqs-event-bridge-pipe-role-${Environment}
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - pipes.amazonaws.com
          Action:
          - sts:AssumeRole
      Policies:
      - PolicyName: CloudWatchLogs
        PolicyDocument:
          Version: 2012-10-17
          Statement:
          - Effect: Allow
            Action:
            - 'logs:CreateLogGroup'
            - 'logs:CreateLogStream'
            - 'logs:PutLogEvents'
            Resource: '*'
      - PolicyName: ReadSQS
        PolicyDocument:
          Version: 2012-10-17
          Statement:
          - Effect: Allow
            Action:
            - 'sqs:ReceiveMessage'
            - 'sqs:DeleteMessage'
            - 'sqs:GetQueueAttributes'
            Resource: !GetAtt SourceQueue.Arn
      - PolicyName: ExecuteSFN
        PolicyDocument:
          Version: 2012-10-17
          Statement:
          - Effect: Allow
            Action:
            - 'states:StartExecution'
            Resource: !Ref AiWorkflowStateMachine

  # EventBridge from SQS to StepFunction
  AiWorkflowSqsEventBridgePipe:
    Type: AWS::Pipes::Pipe
    Properties:
      Name: !Sub ai-workflow-photo-event-bridge-${Environment}
      RoleArn: !GetAtt AiWorkflowSqsEventBridgePipeRole.Arn
      DesiredState: RUNNING
      LogConfiguration:
        CloudwatchLogsLogDestination:
          LogGroupArn: !GetAtt AiWorkflowSqsEventBridgePipeLogGroup.Arn
        IncludeExecutionData:
        - ALL
        Level: TRACE
      Source: !GetAtt SourceQueue.Arn
      SourceParameters:
        SqsQueueParameters:
          BatchSize: 1
      Target: !Ref AiWorkflowStateMachine
      TargetParameters:
        StepFunctionStateMachineParameters:
          InvocationType: FIRE_AND_FORGET
        InputTemplate: |
          {
            "body": <$.body>
          }


Outputs:
  AiWorkflowSourceQueueUrl:
    Description: SourceQueue URL
    Value: !GetAtt SourceQueue.QueueUrl
  AiWorkflowResultQueueUrl:
    Description: ResultQueue URL
    Value: !GetAtt ResultQueue.QueueUrl
  AiWorkflowStateMachineLogGroup:
    Description: 'StepFunctions LogGroup Name'
    Value: !Ref AiWorkflowStateMachineLogGroup
  AiWorkflowStabilisationFunction:
    Description: "Stabilisation Lambda Function ARN"
    Value: !GetAtt AiWorkflowStabilisationFunction.Arn
  AiWorkflowExtractionFunction:
    Description: "Extraction Lambda Function ARN"
    Value: !GetAtt AiWorkflowExtractionFunction.Arn

Simplified

    Connectors:
      AiWorkflowStabilisationFunctionS3Connector:
        Properties:
          Destination:
            Type: AWS::S3::Bucket
            Arn: !Sub arn:aws:s3:::qundo-legitimation-data-${Environment}
          Permissions:
          - Read
          - Write