[cfn-lint] E3030 for config resources

[theksi]

cfn-lint version: (cfn-lint --version) cfn-lint 0.58.2 Description of issue. Error on an invalid value for Compliance resourceTypes that is in fact valid

Please provide as much information as possible:

• Template linting issues:*

  [{
  "resource": "XXXXX/dev_local/aws-config-library/account-quality/templates/cloudwatch.yaml",
  "owner": "_generated_diagnostic_collection_name_#4",
  "severity": 8,
  "message": "[cfn-lint] E3030: You must specify a valid value for ComplianceResourceTypes (AWS::Logs::LogGroup). Valid values are [\"AWS::ACM::Certificate\", \"AWS::ApiGateway::RestApi\", \"AWS::ApiGateway::Stage\", \"AWS::ApiGatewayV2::Api\", ...]
  "startLineNumber": 57,
  "startColumn": 15,
  "endLineNumber": 57,
  "endColumn": 34
  }]

  • Please provide a CloudFormation sample that generated the issue.

    QnACwLogRetentionRule:
    Type: AWS::Config::ConfigRule
    Properties:
    ConfigRuleName: !Sub ${RuleNamePrefix}-QnACwLogRetention-${AWS::Region}
    Description: "Every Cloudwatch log must have a set retention"
    Scope:
      ComplianceResourceTypes:
        - AWS::Logs::LogGroup
    Source:
      Owner: AWS
      SourceIdentifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK

  • If present, please add links to the (official) documentation for clarification.
  • https://docs.aws.amazon.com/config/latest/developerguide/cw-loggroup-retention-period-check.html
  • Validate if the issue still exists with the latest version of cfn-lint and/or the latest Spec files N/A using the latest version
• Feature request:
  • Please provide argumentation about the missing feature. Context is key! When designing cfn template for scheduled rules, any value for ComplianceResourceTypes can be used as long as it is a valid AWS resource type (and not only a supported resource type). When a scheduled rule is described in the template, cfn-lint should verify all AWS resources. Suggestion : Identifying an AWS scheduled rule is not easy as MaximumExecutionFrequency is not mandatory and cfn-lint evaluation could work this way: IF an invalid value for ComplianceResourceTypes AND MaximumFrequency is set AND ComplianceResourceType is a Valid AWS resource type, Then cfn-lint evaluation is positive

Cfn-lint uses the CloudFormation Resource Specifications as the base to do validation. These files are included as part of the application version. Please update to the latest version of cfn-lint or update the spec files manually (cfn-lint -u)

[PatMyron]

(Recommended workaround with resource-level ignores)

We're currently pulling that enum from Config's SDK model. That resource type hasn't be added there yet 😕

[kddejong]

More details

{
    "op": "add",
    "path": "/ValueTypes/AWS::Config::ConfigurationRecorder.ResourceTypes",
    "value": {
      "botocore": "config/2014-11-12/ResourceType"
    }
},

https://github.com/boto/botocore/blob/develop/botocore/data/config/2014-11-12/service-2.json#L6481

Also doesn't seem to exist in the API docs too https://docs.aws.amazon.com/config/latest/APIReference/API_ResourceIdentifier.html

This issue is also a reference https://github.com/boto/botocore/issues/2535

[kddejong]

I'm debating if we should remove the allowed values for this one @PatMyron Especially with capabilities that are described in this blog