aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

AWS::Lambda::EventSourceMapping defaulting to enforce StartingPosition when EventSourceArn is a reference/lookup #3441

Closed adamandrews closed 4 days ago

adamandrews commented 4 days ago

CloudFormation Lint Version

1.4.0, 1.4.2

What operating system are you using?

Mac, CentOS, RHEL

Describe the bug

When using a parameter lookup as the ARN for EventSourceArn in the resource type AWS::Lambda::EventSourceMapping, cfn-lint is throwing error E3633.

Expected behavior

This error should only show up when the ARN of EventSourceArn in the resource type AWS::Lambda::EventSourceMapping contains (kinesis|kafka|dynamodb).

If this ARN pattern is not present, enforcement of StartingPosition should not be enforced during linting.

Reproduction template

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  SES_EventSourceMapping:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      BatchSize: 10
      Enabled: true
      EventSourceArn: '{{resolve:ssm:/SQS_Queue/SQS_ARN}}'
      FunctionName: MyFunctionNameHere

kddejong commented 4 days ago

The basics here are that we extend the resource schemas here with additional schemas. In this case we look for kinesis|kafka|dynamodb and determine if other properties should exist. Additionally, we look for dynamic references and validate those, but we can no longer validate the pattern that includes kinesis|kafka|dynamodb, so we skip those tests, which results in the schema being true. What will be appropriate is that, when we are doing this validation, we skip the dynamic reference validation and force the pattern matching to occur.

I need to evaluate some of our custom schemas because, if this additional schema had an else, we may just flip the problem to the other side of the if/then/else statement. We are doing this already for functions but need to also do it for dynamic references.

PR incoming.
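
A simplified model of the behaviour discussed in this thread, added here as an example and not cfn-lint's own code: it shows why skipping pattern validation for a dynamic reference makes the if-condition vacuously true, and how forcing the pattern match changes the result. The function names, both regexes, and the literal ARNs are assumptions constructed for illustration.

```python
import re

# Assumed shapes, constructed for this example (not cfn-lint internals).
DYNAMIC_REF = re.compile(r"\{\{resolve:(ssm|ssm-secure|secretsmanager):[^}]+\}\}")
STREAM_ARN = re.compile(r"kinesis|kafka|dynamodb")


def pattern_ok(value, pattern, skip_dynamic_refs):
    """Evaluate a pattern check on a property value.

    A dynamic reference is only resolved at deploy time, so a lenient
    validator cannot check it and reports the pattern as satisfied.
    """
    if skip_dynamic_refs and DYNAMIC_REF.search(value):
        return True
    return bool(pattern.search(value))


def lint(props, strict_condition):
    """Model: if EventSourceArn matches the stream pattern, require StartingPosition.

    strict_condition=False models the reported behaviour: the dynamic-reference
    skip also applies inside the condition, so the condition passes.
    strict_condition=True models the change described in the thread: the real
    pattern match is forced while the condition is evaluated.
    """
    arn = props.get("EventSourceArn", "")
    condition = pattern_ok(arn, STREAM_ARN, skip_dynamic_refs=not strict_condition)
    if condition and "StartingPosition" not in props:
        return ["E3633"]
    return []


# Properties from the reproduction template on this page.
SSM_REF = {"BatchSize": 10, "Enabled": True,
           "EventSourceArn": "{{resolve:ssm:/SQS_Queue/SQS_ARN}}",
           "FunctionName": "MyFunctionNameHere"}
# Constructed literal ARNs for comparison.
KINESIS = {"EventSourceArn": "arn:aws:kinesis:us-east-1:123456789012:stream/example",
           "FunctionName": "MyFunctionNameHere"}
SQS = {"EventSourceArn": "arn:aws:sqs:us-east-1:123456789012:example-queue",
       "FunctionName": "MyFunctionNameHere"}

if __name__ == "__main__":
    for name, props in (("ssm ref", SSM_REF), ("kinesis", KINESIS), ("sqs", SQS)):
        print(name, lint(props, strict_condition=False), lint(props, strict_condition=True))
```

In this model the strict check runs the pattern against the raw reference string, so a parameter path that itself contains one of the three service names would still satisfy the condition.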