martysweet / cfn-lint

A CloudFormation JSON and YAML Validator
MIT License

False alert for *Arn parameters that Ref other resources #212

Closed vivus-ignis closed 5 years ago

vivus-ignis commented 5 years ago

Hi!

I've just upgraded to 1.9.2 and now I'm having errors on otherwise valid templates. Example:

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internal
<...>

  DevNullTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Port: 80
      Protocol: HTTP
<...>

  LoadBalancerHTTPListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref DevNullTargetGroup
          Type: forward
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP

And here's what cfn-lint outputs:

Resource: Resources > LoadBalancerHTTPListener > Properties > DefaultActions > 0 > TargetGroupArn
Message: Expecting an ARN, got 'mock-ref-DevNullTargetGroup'
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html

Resource: Resources > LoadBalancerHTTPListener > Properties > LoadBalancerArn
Message: Expecting an ARN, got 'mock-ref-LoadBalancer'
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html

For ELBv2 load balancer & target group resources !Ref returns an Arn.

Maybe there's a way to check when a !Ref for a given resource would return an Arn and then properly mock a string?

Thank you.

simlevesque commented 5 years ago

I have the same problem.

A temporary fix would be to send fake params, here's an example:

If I get this error:

Resource: Resources > cf_front_prod > Properties > DistributionConfig > ViewerCertificate > AcmCertificateArn
Message: Expecting an ARN, got 'string_input_CertificateARN'
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html

I change the command from this:

cfn-lint validate --verbose ./cloudformation.yaml

To this:

cfn-lint validate --parameters CertificateARN=arn:aws:acm:test --verbose ./cloudformation.yaml

If I find the time I'll make a PR.

edit: I just realized that my problem is slightly different from vivus-ignis's problem. My problem is related to referencing an ARN from a parameter, his problem is when he references a resource's ARN.

My "fix" does not work in vivus-ignis's case.

simlevesque commented 5 years ago

This problem is caused by Resource Attribute Mocking. From the README: "A resource will always have a Ref of mock-ref-RESOURCENAME". This should not be the case. Some resource types return a reference id, such as AWS::IAM::AccessKey. Those currently work. Other resource types return an ARN. Those that return an ARN should not have a ref of mock-ref-RESOURCENAME.
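
An added example, not code from cfn-lint or from any commenter: type-aware Ref mocking as suggested in the comments above, run against a constructed copy of the listener from the first post. All type, function and constant names, and the mock ARN's region and account id, are assumptions.

```typescript
// Added illustration, not cfn-lint code; every name below is hypothetical.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type MockRef = (name: string, type: string) => string;
// Types whose Ref returns an ARN: only the two named in the thread are listed.
const REF_RETURNS_ARN = new Set<string>([
  "AWS::ElasticLoadBalancingV2::LoadBalancer",
  "AWS::ElasticLoadBalancingV2::TargetGroup",
]);

// Behaviour quoted from the README: every Ref becomes mock-ref-NAME.
const legacyMockRef: MockRef = (name) => `mock-ref-${name}`;

// Type-aware mock; region and account id are constructed placeholders.
const typedMockRef: MockRef = (name, type) =>
  REF_RETURNS_ARN.has(type)
    ? `arn:aws:mock:us-east-1:123456789012:${name}`
    : `mock-ref-${name}`;

// Resolve each { Ref: name } under a property named *Arn and report values
// that are not ARN-shaped, using the message format shown in the thread.
function lintArnRefs(tpl: Template, mock: MockRef): string[] {
  const findings: string[] = [];
  const visit = (node: unknown, path: string[]): void => {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node as Record<string, unknown>)) {
      const ref = (value as { Ref?: unknown } | null)?.Ref;
      const target = typeof ref === "string" ? tpl.Resources[ref] : undefined;
      if (typeof ref === "string" && target && key.endsWith("Arn")) {
        const resolved = mock(ref, target.Type);
        if (!resolved.startsWith("arn:"))
          findings.push(`${[...path, key].join(" > ")}: Expecting an ARN, got '${resolved}'`);
      } else visit(value, [...path, key]);
    }
  };
  for (const [name, res] of Object.entries(tpl.Resources))
    visit(res.Properties ?? {}, ["Resources", name, "Properties"]);
  return findings;
}

// Constructed sample mirroring the listener from the first post.
const sample: Template = { Resources: {
  LoadBalancer: { Type: "AWS::ElasticLoadBalancingV2::LoadBalancer" },
  DevNullTargetGroup: { Type: "AWS::ElasticLoadBalancingV2::TargetGroup" },
  LoadBalancerHTTPListener: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: {
    DefaultActions: [{ TargetGroupArn: { Ref: "DevNullTargetGroup" }, Type: "forward" }],
    LoadBalancerArn: { Ref: "LoadBalancer" }, Port: 80, Protocol: "HTTP" } },
} };
console.log(lintArnRefs(sample, legacyMockRef), lintArnRefs(sample, typedMockRef));
```

A Ref to a type outside the table (for example AWS::IAM::AccessKey) placed in an *Arn property is still reported under the type-aware mock, so genuine mistakes are not silenced.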

ronkorving commented 5 years ago

I have the same issue on:

  rLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref rPublicLoadBalancer  # here
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref rDefaultTargetGroup  # here

and

  rEcsService:
    Type: AWS::ECS::Service
    Properties:
      LoadBalancers:
        - TargetGroupArn: !Ref rDefaultTargetGroup  # here

bbraunstein commented 5 years ago

+1

I've also been running into the same problems when calling the !Ref intrinsic function for ARNs.

marcodatola commented 5 years ago

+1 having the same problem when Ref(erencing) resources. Tried adding a DependsOn attribute which didn't solve anything.

ronkorving commented 5 years ago

Don't get me wrong, I appreciate the nature of Open Source very, very well. I can't demand anything. But I'm a bit confused how this is not a priority? For me, cfn-lint has become pretty unusable :-/

ARMAAN7139 commented 4 years ago

I am still getting the same issue with API GW arn.