aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

AWS::EC2::FlowLog incorrect check with ResourceType TransitGateway -> TrafficType should be ignored #2485

Closed AndreasAugustin closed 1 year ago

AndreasAugustin commented 1 year ago

CloudFormation Lint Version

cfn-lint 0.71.0

What operating system are you using?

Mac

Describe the bug

Hi dear AWS cfn-lint team,

thanks for the nice linter.

With the checks for AWS::EC2::FlowLogs it seems that there is an issue when the ResourceType is set to TransitGateway.

The docs state:

TrafficType
The type of traffic to monitor (accepted traffic, rejected traffic, or all traffic). This parameter is not supported for transit gateway resource types. It is required for the other resource types.

Required: No

Type: String

Allowed values: ACCEPT | ALL | REJECT

^flow-logs-traffic-type

With that setting the TrafficType property must not be added to the template but is checked in the cfn-linter.

Expected behavior

When the ResourceType: TransitGateway property is set, the expected behaviour is that you get an error if TrafficType is set, and not, as currently, if it is not set.

Reproduction template

MyFlowLog:
  Type: AWS::EC2::FlowLog
  Properties:
    DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn
    LogGroupName: FlowLogsGroup
    ResourceId: !Ref MyTransitGateway
    ResourceType: TransitGateway
    TrafficType: ALL

does not throw but

MyFlowLog:
  Type: AWS::EC2::FlowLog
  Properties:
    DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn
    LogGroupName: FlowLogsGroup
    ResourceId: !Ref MyTransitGateway
    ResourceType: TransitGateway

throws. This behavior must be switched.

Update: The same is true for ResourceType: TransitGatewayAttachment
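
The constraint from the documentation quoted in the report above, written as a standalone check. This is an added example, not part of the original post and not cfn-lint's own rule code; the function name `check_flow_logs`, the logical IDs and the sample template are constructed, and the template is assumed to be already parsed into dicts.

```python
# Added example: checks the documented TrafficType constraint on
# AWS::EC2::FlowLog resources in an already-parsed template (plain dicts).

# ResourceType values named in this issue for which TrafficType is unsupported.
TRANSIT_GATEWAY_TYPES = {"TransitGateway", "TransitGatewayAttachment"}


def check_flow_logs(template):
    """Return a sorted list of (logical_id, message) findings."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::EC2::FlowLog":
            continue
        props = resource.get("Properties") or {}
        resource_type = props.get("ResourceType")
        # An intrinsic function (e.g. {"Ref": ...}) or a missing value cannot
        # be resolved statically, so skip it instead of guessing.
        if not isinstance(resource_type, str):
            continue
        has_traffic_type = "TrafficType" in props
        if resource_type in TRANSIT_GATEWAY_TYPES:
            if has_traffic_type:
                findings.append((logical_id,
                                 f"TrafficType is not supported when ResourceType is {resource_type}"))
        elif not has_traffic_type:
            findings.append((logical_id,
                             f"TrafficType is required when ResourceType is {resource_type}"))
    return sorted(findings)


def _flow_log(resource_type, traffic_type=None):
    """Build a constructed FlowLog resource for the sample template."""
    props = {"LogGroupName": "FlowLogsGroup", "ResourceId": {"Ref": "Target"},
             "ResourceType": resource_type}
    if traffic_type is not None:
        props["TrafficType"] = traffic_type
    return {"Type": "AWS::EC2::FlowLog", "Properties": props}


# Constructed sample covering both directions of the rule.
SAMPLE = {"Resources": {
    "TgwWithTrafficType": _flow_log("TransitGateway", "ALL"),      # flagged
    "TgwWithoutTrafficType": _flow_log("TransitGateway"),          # clean
    "AttachmentWithTrafficType": _flow_log("TransitGatewayAttachment", "REJECT"),  # flagged
    "VpcWithTrafficType": _flow_log("VPC", "ALL"),                 # clean
    "VpcWithoutTrafficType": _flow_log("VPC"),                     # flagged
    "DynamicType": _flow_log({"Ref": "FlowLogTarget"}),            # skipped
}}

if __name__ == "__main__":
    for logical_id, message in check_flow_logs(SAMPLE):
        print(f"{logical_id}: {message}")
```
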

AndreasAugustin commented 1 year ago

Remark: The same is true for ResourceType: TransitGatewayAttachment

PatMyron commented 1 year ago

Unable to reproduce cfn-lint throwing for either TransitGateway or TransitGatewayAttachment with the current version with or without TrafficType