benkehoe / aws-sso-util

Smooth out the rough edges of AWS SSO (temporarily, until AWS makes it better).
Apache License 2.0

How do I use cfn-lint-spec.json? #102

Open iainelder opened 1 year ago

iainelder commented 1 year ago

I want cfn-lint to validate my SSOUtil::SSO::AssignmentGroup resources instead of just breaking on them.

Here's my test template:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS-SSO-Util-2020-11-08

Parameters:
  InstanceArn:
    Type: String
    Default: arn:aws:sso:::instance/ssoins-ffffffffffffffff

Resources:
  ReadOnly:
    Type: AWS::SSO::PermissionSet
    Properties:
      Name: ReadOnly
      InstanceArn: !Ref InstanceArn
      ManagedPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  AssignmentGroup:
    Type: SSOUtil::SSO::AssignmentGroup
    Properties:
      Name: ReadOnly
      InstanceArn: !Ref InstanceArn
      Principal:
        - Type: USER
          Id: ffffffff-ffff-ffff-ffff-ffffffffffffffff
      PermissionSet:
        - !GetAtt ReadOnly.PermissionSetArn
      Target:
        - Type: AWS_OU
          Id: ou-zzzz-zzzzzzzz

By default cfn-lint of course fails to recognize the custom type.

$ cfn-lint --template Macro-Test.yaml --region eu-central-1
E3001 Invalid or unsupported Type SSOUtil::SSO::AssignmentGroup for resource AssignmentGroup in eu-central-1
Macro-Test.yaml:19:5

When I found cfn-lint-spec.json I supposed that it would solve the problem, but I can't figure out how to use it.

cfn-lint fails in the same way when I pass the file via --spec-override.

$ cfn-lint --template Macro-Test.yaml --region eu-central-1 --spec-override cfn-lint-spec.json
E3001 Invalid or unsupported Type SSOUtil::SSO::AssignmentGroup for resource AssignmentGroup in eu-central-1
Macro-Test.yaml:19:5

What am I missing?

iainelder commented 1 year ago

I got slightly further by writing a custom schema. With it cfn-lint validates the type name but seems to ignore the properties. See https://github.com/aws-cloudformation/cfn-lint/issues/2794 for details.

iainelder commented 1 year ago

For now I just ignore the warning on each assignment group with resource-level metadata. It fits on one extra line so it's not too ugly.

Resources:
  AssignmentGroup:
    Type: SSOUtil::SSO::AssignmentGroup
    Metadata: {cfn-lint: {config: {ignore_checks: [E3001]}}}

benkehoe commented 1 year ago

Just checking, the parameter according to the docs is --override-spec, in your example you've got --spec-override?

iainelder commented 1 year ago

Well spotted! Thanks for your help. Awesome as always.

The complete working command is:

cfn-lint --template Macro-Test.yaml --region eu-central-1 --override-spec cfn-lint-spec.json

benkehoe commented 1 year ago

Re-opening this as I should update the docs with this info.