aws-cloudformation / cfn-lint

CloudFormation Linter
MIT No Attribution

ignore_checks order of precedence #3816

Open dishikang123 opened 1 week ago

dishikang123 commented 1 week ago

CloudFormation Lint Version

cfn-lint 1.18.4

What operating system are you using?

Windows 11

Describe the bug

Added ignore_checks metadata at the template root level. Running the CLI with "-i W" against the file, the error listed under ignore_checks still shows up even though template metadata has higher precedence over the CLI parameter. The error does get suppressed if I run it without the "-i W" parameter. Adding ignore_checks at the resource level works as intended.

Expected behavior

The ignore_checks metadata at the template root level should get suppressed even when running the CLI with "-i W".

Reproduction template


AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation Template to create a IAM Policies and Roles
Metadata:  
  cfn-lint:
    config:
      ignore_checks:
        - E3033

Parameters:
  AccountNameShort:
    Description: Abbreviated account name
    Type: AWS::SSM::Parameter::Value<String>

  ProjectTagValue:
    Default: project
    Description: Project the resources are for
    Type: String    

Resources:
  ReadPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: read-policy
      Description: read policy
      Path: /
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: 's3:ListAllMyBuckets'
            Resource: '*'
          - Effect: Allow
            Action: 
            - 's3:ListBucket'
            - 's3:GetBucketLocation'
            - 's3:ListBucketVersions'
            Resource: 
             - 'arn:aws:s3:::team-*'
             - !Sub "arn:aws:s3:::abcd-${AccountNameShort}-team-*"
          - Effect: Allow
            Action: 
            - 's3:GetObject'
            - 's3:GetObjectAcl'
            - 's3:GetObjectVersion'
            Resource: 
             - 'arn:aws:s3:::abcd-team-*/*'
             - !Sub "arn:aws:s3:::abcd-${AccountNameShort}-team-*/*"
          - Effect: Allow
            Action: 
            - 'ecr:BatchGetRepositoryScanningConfiguration'
            - 'ecr:DescribeImages'
            - 'ecr:DescribeImageScanFindings'
            - 'ecr:DescribeRepositories'
            - 'ecr:ListImages'
            - 'ecr:ListTagsForResource'
            Resource: !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*'
          - Effect: Allow
            Action: 
            - 'sns:ListTagsForResource'
            - 'sns:ListSubscriptionsByTopic'
            - 'sns:GetTopicAttributes'
            Resource: !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'states:Describe*'
            - 'states:Get*'
            - 'states:ListTag*'
            Resource: 
             - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:execution:abcd-team-*:*'
             - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:activity:*'
             - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'ssm:GetParametersByPath'
            - 'ssm:GetParameters'
            - 'ssm:GetParameter'
            Resource: 
             - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/abcd/team/team/*'
          - Effect: Allow
            Action: 
            - 'lambda:GetProvisionedConcurrencyConfig'
            - 'lambda:ListFunctionsByCodeSigningConfig'
            - 'lambda:GetLayerVersion'
            - 'lambda:GetEventSourceMapping'
            - 'lambda:GetCodeSigningConfig'
            - 'lambda:GetLayerVersionPolicy'
            Resource: 
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:code-signing-config:*'
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:*:*'
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:abcd-team-*:*'
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:event-source-mapping:*'
          - Effect: Allow
            Action: 
            - 'lambda:ListProvisionedConcurrencyConfigs'
            - 'lambda:ListFunctionEventInvokeConfigs'
            - 'lambda:ListVersionsByFunction'
            - 'lambda:GetFunctionConcurrency'
            - 'lambda:ListTags'
            - 'lambda:GetFunctionEventInvokeConfig'
            - 'lambda:GetFunction'
            - 'lambda:ListAliases'
            - 'lambda:GetFunctionConfiguration'
            - 'lambda:GetAlias'
            - 'lambda:GetFunctionCodeSigningConfig'
            - 'lambda:GetPolicy'
            Resource: 
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'cloudwatch:DescribeAlarmHistory'
            - 'cloudwatch:GetDashboard'
            - 'cloudwatch:GetInsightRuleReport'
            - 'cloudwatch:ListTagsForResource'
            - 'cloudwatch:DescribeAlarms'
            - 'cloudwatch:GetMetricStream'
            Resource: 
             - !Sub 'arn:aws:cloudwatch::${AWS::AccountId}:dashboard/abcd-team*'
             - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:insight-rule/abcd-team-*'
             - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:abcd-team-*'
             - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:metric-stream/abcd-team-*'
          - Effect: Allow
            Action: 
            -  'codebuild:BatchGetProjects'
            -  'codebuild:BatchGetBuildBatches'
            -  'codebuild:ListReportsForReportGroup'
            -  'codebuild:GetReportGroupTrend'
            -  'codebuild:BatchGetReports'
            -  'codebuild:DescribeTestCases'
            -  'codebuild:GetResourcePolicy'
            -  'codebuild:DescribeCodeCoverages'
            -  'codebuild:ListBuildBatchesForProject'
            -  'codebuild:ListBuildsForProject'
            -  'codebuild:BatchGetReportGroups'
            -  'codebuild:BatchGetBuilds'
            -  'codebuild:StartBuild*'
            -  'codebuild:StopBuild*'
            -  'codebuild:RetryBuild*'
            Resource: 
             - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/abcd-team-*'
             - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/abcd-team-*'
          - Effect: Allow
            Action: 
            - 'codepipeline:ListWebhooks'
            - 'codepipeline:ListPipelineExecutions'
            - 'codepipeline:ListActionExecutions'
            - 'codepipeline:GetPipeline'
            - 'codepipeline:ListTagsForResource'
            - 'codepipeline:GetPipelineState'
            - 'codepipeline:GetPipelineExecution'
            Resource: 
             - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:actiontype:*/*/*/*'
             - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
             - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:webhook:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'codedeploy:Get*'
            - 'codedeploy:BatchGet*'
            - 'codedeploy:List*'
            Resource: 
             - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:application:abcd-team-*'
             - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:instance:*'
             - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:abcd-team-*/abcd-team-*'
             - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentconfig:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'codecommit:Get*'
            - 'codecommit:List*'
            - 'codecommit:describe*'
            - 'codecommit:Batch*'
            - 'codecommit:GitPull'
            - 'codecommit:BatchGetRepositories'
            - 'codecommit:CancelUploadArchive'
            - 'codecommit:EvaluatePullRequestApprovalRules'
            Resource: 
             - !Sub 'arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'secretsmanager:GetSecretValue'
            - 'secretsmanager:DescribeSecret'
            - 'secretsmanager:ListSecretVersionIds'
            - 'secretsmanager:RestoreSecret'
            - 'secretsmanager:PutSecretValue'
            - 'secretsmanager:CreateSecret'
            - 'secretsmanager:UpdateSecretVersionStage'
            - 'secretsmanager:DeleteSecret'
            - 'secretsmanager:RotateSecret'
            - 'secretsmanager:CancelRotateSecret'
            - 'secretsmanager:UpdateSecret'
            Resource: 
             - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:abcd/team/team/*'
          - Effect: Allow
            Action: 
            - 'logs:DescribeLogGroups'
            - 'logs:GetLogEvents'
            - 'logs:DescribeLogStreams'
            - 'logs:FilterLogEvents'
            Resource: 
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/team'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/team:log-stream:*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/emissary'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/emissary:log-stream:*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/rds/instance/team-*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/rds/instance/team-*:log-stream:*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/abcd/team/opensearch/*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/abcd/team/opensearch/*:log-stream:*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/abcd-team*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/abcd-team*:log-stream:*'

kddejong commented 1 week ago

May have to update the docs for this one. I went back and reread it and I believe it's just wrong or misleading. The CLI takes precedence since that configuration is used for just that one run. We tried to go from broad to specific. So a cfnlintrc is considered more generic and will be overwritten by the CLI and the template metadata. Then the metadata is overwritten by the CLI since that configuration was supplied just for that run.

This logic seems to have held from v0 to v1 so I think this is a documentation issue.

Also there is an option called --merge-configs that can merge together lists across different levels of configuration. cfn-lint --merge-configs -i W -- local/issue/3816.yaml will result in 0 issues.
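The precedence described above (cfnlintrc, then template Metadata, then CLI, with --merge-configs concatenating list values instead of replacing them) modelled in Python as an added illustration. This is not cfn-lint's own code; the rule hits, the reduced template and the layer names are constructed stand-ins for the reporter's run.

```python
from typing import Any, Dict, List, Optional

# Broad to specific, as described in the thread: a later layer overrides an earlier one.
LAYER_ORDER = ("cfnlintrc", "template", "cli")


def template_config(template: Dict[str, Any]) -> Dict[str, Any]:
    """Pull cfn-lint config out of a parsed template's root Metadata block."""
    return template.get("Metadata", {}).get("cfn-lint", {}).get("config", {}) or {}


def resolve_config(layers: Dict[str, Dict[str, Any]], merge_configs: bool = False) -> Dict[str, Any]:
    """Combine config layers. Without merge_configs the most specific layer that
    sets a key replaces it outright; with it, list values are concatenated."""
    resolved: Dict[str, Any] = {}
    for name in LAYER_ORDER:
        for key, value in (layers.get(name) or {}).items():
            previous = resolved.get(key)
            if merge_configs and isinstance(value, list) and isinstance(previous, list):
                resolved[key] = previous + [v for v in value if v not in previous]
            else:
                resolved[key] = value
    return resolved


def is_ignored(rule_id: str, ignore_checks: List[str]) -> bool:
    """ignore_checks entries are rule IDs or prefixes ('W' covers every warning)."""
    return any(rule_id.startswith(prefix) for prefix in ignore_checks)


def remaining_findings(findings: List[str], template: Dict[str, Any], cli_args: Dict[str, Any],
                       rc: Optional[Dict[str, Any]] = None, merge_configs: bool = False) -> List[str]:
    """Apply the resolved ignore_checks list to a set of rule hits."""
    layers = {"cfnlintrc": rc or {}, "template": template_config(template), "cli": cli_args}
    ignore = resolve_config(layers, merge_configs).get("ignore_checks", [])
    return [f for f in findings if not is_ignored(f, ignore)]


# Constructed inputs: a reduced stand-in for the reporter's template and CLI run.
TEMPLATE = {"Metadata": {"cfn-lint": {"config": {"ignore_checks": ["E3033"]}}}}
CLI_IGNORE_W = {"ignore_checks": ["W"]}   # what "-i W" contributes
FINDINGS = ["E3033", "W2001"]             # constructed rule hits, W2001 is a stand-in warning


if __name__ == "__main__":
    print(remaining_findings(FINDINGS, TEMPLATE, {}))                                 # ['W2001']
    print(remaining_findings(FINDINGS, TEMPLATE, CLI_IGNORE_W))                       # ['E3033']
    print(remaining_findings(FINDINGS, TEMPLATE, CLI_IGNORE_W, merge_configs=True))   # []
```

The second call reproduces the reported behaviour: the CLI list replaces the template's, so E3033 reappears, while the merged run suppresses both. A CI gate that relies on a template's own Metadata to silence rules should therefore run with --merge-configs whenever it also passes -i on the command line.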

dishikang123 commented 1 week ago

@kddejong If the CLI has higher precedence, then why would putting metadata at the resource level suppress the error? I can work with --merge-configs in the meantime. Thanks!