cloudcomponents / cdk-constructs

A collection of higher-level reusable cdk constructs
MIT License
623 stars 101 forks

Time To Live Stack and linting generated templates with cfn-lint #185

Open kaidobit opened 1 year ago

kaidobit commented 1 year ago

Hi,

Basically, I have to ignore check I1022 (https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/rules.md) when using a Time To Live stack, because the stack is generated with "Fn::Join", which is not best practice according to cfn-lint. Cfn-lint has only defaults configured.

CDK:

    new TimeToLive(this, 'TimeToLive', {
      ttl: Duration.minutes(
        Number(process.env.BS_CM_STACK_TIME_TO_LIVE_MINUTES)
      ),
    })

Generated CloudFormation template:

 "Resources": {
  "TimeToLiveDeleteStackServiceRole5597A6E0": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "lambda.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
       ]
      ]
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "InfrastructureStack/TimeToLive/DeleteStack/ServiceRole/Resource"
   }
  },

Cfn-lint error message:

  I1022 Prefer using Fn::Sub over Fn::Join with an empty delimiter
packages/infrastructure/cdk.out/InfrastructureStack.template.json

W3005 Obsolete DependsOn on resource (TimeToLiveDeleteStackServiceRole5597A6E0), dependency already enforced by a "Fn:GetAtt" at Resources/TimeToLiveDeleteStack08274E9B/Properties/Role/Fn::GetAtt
packages/infrastructure/cdk.out/InfrastructureStack.template.json
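
What I1022 asks for, shown on the `ManagedPolicyArns` entry from the template above. This is an added example, not part of the original issue or the cloudcomponents code base: a post-processing function (the names `joinToSub` and `partToSub` are hypothetical) that rewrites an empty-delimiter `Fn::Join` into the equivalent `Fn::Sub` and leaves joins containing other intrinsics untouched.

```typescript
// Added example: rewrite Fn::Join with an empty delimiter (what I1022 flags) as Fn::Sub.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

function isObject(v: Json): v is { [key: string]: Json } {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Convert one Fn::Join part to Fn::Sub text; undefined means "not expressible inline".
function partToSub(part: Json): string | undefined {
  if (typeof part === 'string') return part.replace(/\$\{/g, '${!'); // escape a literal ${
  if (!isObject(part) || Object.keys(part).length !== 1) return undefined;
  const ref = part['Ref'];
  if (typeof ref === 'string') return '${' + ref + '}';
  const att = part['Fn::GetAtt'];
  if (Array.isArray(att) && att.length === 2 && att.every((a) => typeof a === 'string')) {
    return '${' + att.join('.') + '}';
  }
  return undefined; // other intrinsic (Fn::Select, ...): keep the original Join
}

// Walk a template (or fragment) and return a copy with convertible joins rewritten.
function joinToSub(node: Json): Json {
  if (Array.isArray(node)) return node.map(joinToSub);
  if (!isObject(node)) return node;
  const join = node['Fn::Join'];
  if (Object.keys(node).length === 1 && Array.isArray(join)) {
    const [delimiter, items] = join;
    if (delimiter === '' && Array.isArray(items)) {
      const parts = items.map(partToSub);
      if (parts.every((p) => p !== undefined)) return { 'Fn::Sub': parts.join('') };
    }
  }
  const out: { [key: string]: Json } = {};
  for (const [k, v] of Object.entries(node)) out[k] = joinToSub(v);
  return out;
}

// Constructed sample: the ManagedPolicyArns entry from the template in the issue.
const sample: Json = {
  ManagedPolicyArns: [
    { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' },
      ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']] },
  ],
};
console.log(JSON.stringify(joinToSub(sample), null, 2));
```

Both forms resolve to the same ARN at deploy time, so the finding concerns template style rather than the permissions the role receives.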