aws-cloudformation / cloudformation-resource-schema

The CloudFormation Resource Schema defines the shape and semantic for resources provisioned by CloudFormation. It is used by provider developers using the CloudFormation RPDK.
Apache License 2.0

additionalProperties needs to be enforced to false #33

Open chgeorgeamzn opened 4 years ago

chgeorgeamzn commented 4 years ago

At several points in the schema, there are JSON schema blocks that force additionalProperties to be false:

https://github.com/aws-cloudformation/aws-cloudformation-resource-schema/blob/6db79a6253e65ee97c55aacfdb7c67f408d2d573/src/main/resources/schema/provider.definition.schema.v1.json#L167-L171

However, at no point in the schema is the field marked as required so that this validation applies. This poses a problem since the default value is true.

We need to make a change so this field has to be present. Adding it to the required arrays where necessary is one possible avenue.

aygold92 commented 4 years ago

Definitely agree, but this is difficult because additionalProperties does not play nicely with oneOf, anyOf, etc.

For example, if you wanted to express "you must specify property A or property B for this object", you could do:

{
  "SomeProperty": {
    "type": "object",
    "oneOf": [
      {
        "properties": {
          "PropertyA": {
            "type": "string"
          }
        },
        "additionalProperties": false
      },
      {
        "properties": {
          "PropertyB": {
            "type": "string"
          }
        },
        "additionalProperties": false
      }
    ]
  }
}

However, if we forced "additionalProperties": false on every subSchema, we would also have to put "additionalProperties": false on the SomeProperty schema, and since no properties are defined there it would break.
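
The two behaviours discussed in this thread, as an added example that is not part of the original comments or the project's code: the `true` default for additionalProperties lets unexpected properties through, while forcing `false` on the outer SomeProperty schema rejects every non-empty object. The `is_valid` evaluator, the `branch` helper and the schema constants are hypothetical names, and the evaluator covers only the keywords used here.

```python
# Added illustration: a minimal evaluator for only the keywords used in this
# thread (type, properties, boolean additionalProperties, oneOf). It is not a
# full JSON Schema validator and not the project's validation code.

def is_valid(schema, instance):
    expected = schema.get("type")
    if expected == "object" and not isinstance(instance, dict):
        return False
    if expected == "string" and not isinstance(instance, str):
        return False
    if isinstance(instance, dict):
        declared = schema.get("properties", {})
        for name, value in instance.items():
            if name in declared:
                if not is_valid(declared[name], value):
                    return False
            # additionalProperties defaults to true, and it only looks at
            # "properties" in the same schema object, never inside oneOf branches.
            elif schema.get("additionalProperties", True) is False:
                return False
    if "oneOf" in schema:
        # Exactly one branch must accept the instance.
        if sum(is_valid(sub, instance) for sub in schema["oneOf"]) != 1:
            return False
    return True

def branch(name):
    # One oneOf branch: a single string property, nothing else allowed.
    return {"properties": {name: {"type": "string"}}, "additionalProperties": False}

# Constructed schemas modelled on the snippets in the thread.
DEFAULT_OPEN = {"type": "object", "properties": {"PropertyA": {"type": "string"}}}
SOME_PROPERTY = {"type": "object", "oneOf": [branch("PropertyA"), branch("PropertyB")]}
STRICT_OUTER = dict(SOME_PROPERTY, additionalProperties=False)

def results():
    extra = {"PropertyA": "x", "Unexpected": "y"}  # constructed sample instance
    return {
        "default_accepts_unexpected": is_valid(DEFAULT_OPEN, extra),
        "branches_accept_a": is_valid(SOME_PROPERTY, {"PropertyA": "x"}),
        "branches_reject_extra": is_valid(SOME_PROPERTY, extra),
        "strict_outer_accepts_a": is_valid(STRICT_OUTER, {"PropertyA": "x"}),
        "strict_outer_accepts_b": is_valid(STRICT_OUTER, {"PropertyB": "x"}),
    }

if __name__ == "__main__":
    for name, value in results().items():
        print(f"{name}: {value}")
```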