mew1033
commented
10 months ago This still isn't working for me. Here's a sample template:
AWSTemplateFormatVersion: '2010-09-09'
Transform:
- 'AWS::Serverless-2016-10-31'
Description: Test template
Resources:
GatewayCyclerStage1Function:
Type: AWS::Serverless::Function
Metadata:
cfn-lint:
config:
ignore_checks:
- E1019
Properties:
Architectures:
- arm64
Runtime: python3.12
CodeUri: src/
Handler: lambda_function.lambda_handler
MemorySize: 512
Timeout: 350
Policies:
- Version: '2012-10-17'
Statement:
- Sid: Sid1Test
Effect: Allow
Action:
- ec2:CreateTags
Resource:
- !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${ThisShouldBeIgnored}
Transformed Template:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Test template",
"Resources": {
"TestFunction": {
"Metadata": {
"cfn-lint": {
"config": {
"ignore_checks": [
"E1019"
]
}
}
},
"Properties": {
"Architectures": [
"arm64"
],
"Code": {
"S3Bucket": "bucket",
"S3Key": "value"
},
"Handler": "lambda_function.lambda_handler",
"MemorySize": 512,
"Role": {
"Fn::GetAtt": [
"TestFunctionRole",
"Arn"
]
},
"Runtime": "python3.12",
"Tags": [
{
"Key": "lambda:createdBy",
"Value": "SAM"
}
],
"Timeout": 350
},
"Type": "AWS::Lambda::Function"
},
"TestFunctionRole": {
"Metadata": {
"cfn-lint": {
"config": {
"ignore_checks": [
"E1019"
]
}
}
},
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
],
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:CreateTags"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${ThisShouldBeIgnored}"
}
],
"Sid": "Sid1Test"
}
],
"Version": "2012-10-17"
},
"PolicyName": "TestFunctionRolePolicy0"
}
],
"Tags": [
{
"Key": "lambda:createdBy",
"Value": "SAM"
}
]
},
"Type": "AWS::IAM::Role"
}
}
}The Metadata section is there in the role, but it's still not ignoring the check.
kddejong
Is this feature request related to a new rule or cfn-lint capabilities?
No response
Describe the feature you'd like to request
Based on this: https://github.com/aws/serverless-application-model/pull/2224, it looks like it should be possible to ask SAM to bring all the Metadata stored on the original AWS::Serverless::* resources through to the translated resources. Doing that should allow cfn-lint to check the Metadata section for resource level ignores.
I actually tried changing the parameter myself but couldn't get it working. I must be missing something....
Describe the solution you'd like
Enable
passthrough_metadataon the samtranslatetranslatecall to bring ALL the metadata through and properly support resource level ignores on serverless resources.Additional context
This is where I tried to add the parameter: https://github.com/aws-cloudformation/cfn-lint/blob/main/src/cfnlint/template/transforms/_sam.py#L155
Is this something that you'd be interested in working on?
Would this feature include a breaking change?