aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

E1150 '' is not a 'AWS::EC2::SecurityGroup.GroupId' when 'Ref' is resolved #3348

Closed kduvzc closed 3 months ago

kduvzc commented 3 months ago

CloudFormation Lint Version

1.3.0

What operating system are you using?

Mac

Describe the bug

In a CloudFormation template snippet like this:

Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups: !If [ HasSecurityGroups, !Ref SecurityGroups, !Ref "AWS::NoValue"]
      ...
      ...

cfn-lint is failing with E1150 '' is not a 'AWS::EC2::SecurityGroup.GroupId' when 'Ref' is resolved.

Expected behavior

Creating a LoadBalancer without necessarily attaching a security group should be allowed, as it is also allowed when creating such a resource from the AWS console. E1150 should not be raised when using AWS::NoValue.

Reproduction template

AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroups:
    Default: ""
    Type: CommaDelimitedList
  Scheme:
    Type: String
    Description: >
      Specifies if the load balancer will be internal or internet facing
    Default: internal
    AllowedValues:
      - internal
      - internet-facing
  AllocationIds:
    Type: String
    Default: ""
    Description: >
      Specifies the Comma separated list of existing allocation
      Ids of the Elastic IP address for an internet-facing load balancer.

Conditions:
  CreateSubnetMappings:
    !Not [ !Equals [ !Ref AllocationIds, ''] ]
  HasSecurityGroups: !And
    - !Not [ !Equals [ !Join [ '', !Ref SecurityGroups ], ''] ]
    - !Not [ !Condition CreateSubnetMappings ]

Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups: !If [ HasSecurityGroups, !Ref SecurityGroups, !Ref "AWS::NoValue"]
      Scheme: !Ref Scheme
      Subnets: !If [CreateSubnetMappings, !Ref "AWS::NoValue", !Ref SubnetIds]
      Type: network
      LoadBalancerAttributes:
        -
          Key: load_balancing.cross_zone.enabled
          Value: false

kddejong commented 3 months ago

Can you provide your condition logic for HasSecurityGroups? This is probably associated with #3325.

kduvzc commented 3 months ago

I've edited the template above.
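
An added illustration, not part of the issue thread and not cfn-lint's own code: a small Python evaluator for the intrinsic functions used in the reproduction template, showing which branch of the `SecurityGroups` `Fn::If` is actually selected for given parameter values. The names `resolve` and `security_groups_for` are hypothetical, the security group and allocation IDs used with it are constructed, and modelling a `CommaDelimitedList` as the comma-split string is an assumption.

```python
NO_VALUE = object()  # stands in for the AWS::NoValue pseudo parameter

# Conditions and SecurityGroups property from the reproduction template, long form.
CONDITIONS = {
    "CreateSubnetMappings": {"Fn::Not": [{"Fn::Equals": [{"Ref": "AllocationIds"}, ""]}]},
    "HasSecurityGroups": {"Fn::And": [
        {"Fn::Not": [{"Fn::Equals": [{"Fn::Join": ["", {"Ref": "SecurityGroups"}]}, ""]}]},
        {"Fn::Not": [{"Condition": "CreateSubnetMappings"}]},
    ]},
}
SECURITY_GROUPS = {"Fn::If": ["HasSecurityGroups", {"Ref": "SecurityGroups"}, {"Ref": "AWS::NoValue"}]}


def resolve(node, params):
    """Resolve a value or condition expression against concrete parameter values."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node  # literal string
    (fn, arg), = node.items()
    if fn == "Ref":
        return NO_VALUE if arg == "AWS::NoValue" else params[arg]
    if fn == "Condition":
        return resolve(CONDITIONS[arg], params)
    if fn == "Fn::If":  # only the selected branch is evaluated
        name, if_true, if_false = arg
        taken = if_true if resolve(CONDITIONS[name], params) else if_false
        return resolve(taken, params)
    args = resolve(arg, params)
    if fn == "Fn::Join":
        return args[0].join(args[1])
    if fn == "Fn::Equals":
        return args[0] == args[1]
    if fn == "Fn::Not":
        return not args[0]
    if fn == "Fn::And":
        return all(args)
    raise ValueError(f"unsupported intrinsic: {fn}")


def security_groups_for(security_groups, allocation_ids=""):
    """Return what the LoadBalancer SecurityGroups property resolves to."""
    # Assumption: a CommaDelimitedList parameter is modelled as the split string.
    params = {"SecurityGroups": security_groups.split(","), "AllocationIds": allocation_ids}
    return resolve(SECURITY_GROUPS, params)
```

With the default empty `SecurityGroups` value, `HasSecurityGroups` is false and the property resolves to `AWS::NoValue`, so the `''` that `Ref SecurityGroups` would produce sits on the branch that is not selected.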