martysweet / cfn-lint

A CloudFormation JSON and YAML Validator
MIT License

ImportValue failing for EventSourceMapping type #231

Closed ImperviousPanda closed 5 years ago

ImperviousPanda commented 5 years ago

I just added an EventSourceMapping type to our CloudFormation template:

    "ResolverEventSourceMappingDynamodbDhsfaapiestest2databaseSFATableStreamARN": {
      "Type": "AWS::Lambda::EventSourceMapping",
      "DependsOn": "IamRoleLambdaExecution",
      "Properties": {
        "BatchSize": 10,
        "EventSourceArn": {
          "Fn::ImportValue": "dh--sfa-api--estest2--database:SFATableStreamARN"
        },
        "FunctionName": {
          "Fn::GetAtt": [
            "ResolverLambdaFunction",
            "Arn"
          ]
        },
        "StartingPosition": "TRIM_HORIZON",
        "Enabled": "True"
      }
    },

Which is causing the error:

Resource: Resources > ResolverEventSourceMappingDynamodbDhsfaapistagingdatabaseSFATableStreamARN > Properties > EventSourceArn
Message: Expecting an ARN, got 'IMPORTEDVALUEdh--sfa-api--staging--database:SFATableStreamARN'
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html

in cfn-lint. We use this ImportValue in other places in our code without utilizing the --import-values CLI option, but in this particular case it fails. Example in our code where it does not fail:

    {
      "Effect": "Allow",
      "Action": [
        "es:ESHttpGet"
      ],
      "Resource": [
        {
          "Fn::Join": [
            "",
            [
              {
                "Fn::ImportValue": "dh--sfa-api--yamltest--elasticsearch:ElasticSearchArn"
              },
              "/*"
            ]
          ]
        }
      ]
    },
martysweet commented 5 years ago

Any single property which ends in Arn has a check which expects an ARN to be present. This is what is generating the error. This check does not extend to other properties which do not have Arn explicitly in their name, like in your IAM policy example (where a resolved ARN would be expected, but cfn-lint does not check for it). What you are observing is expected, but not ideal behaviour.

cfn-python-lint has a rules engine that I imagine handles this better. https://github.com/aws-cloudformation/cfn-python-lint

Hope this helps, Marty
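To make the explanation above concrete, here is an added example, my own code rather than cfn-lint's implementation, modelling the two behaviours discussed in this thread: an `Fn::ImportValue` that has no supplied value becomes an `IMPORTEDVALUE<export name>` placeholder, every property whose name ends in `Arn` is then checked against an ARN pattern, and the same placeholder inside an IAM `Resource` list is never inspected because the key is not named `*Arn`. The ARN regex, the stand-in value used for `Fn::GetAtt`, the function names and the sample template (constructed here, loosely modelled on the snippets in the issue) are all assumptions of this example.

```javascript
// Added example, not cfn-lint's own code: a minimal model of the behaviour
// described in this thread. The ARN pattern, the GetAtt stand-in, the function
// names and the sample template are assumptions made for illustration.

// Loose ARN shape: partition, service, region, account, resource part.
const ARN_RE = /^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$/;

// Resolve Fn::ImportValue, Fn::GetAtt and Fn::Join inside a template value.
// importValues maps export names to real values; an export missing from the
// map is replaced by the 'IMPORTEDVALUE' + name placeholder seen in the issue.
function resolve(value, importValues) {
  if (Array.isArray(value)) return value.map((v) => resolve(v, importValues));
  if (value === null || typeof value !== 'object') return value;
  const keys = Object.keys(value);
  if (keys.length === 1 && keys[0].startsWith('Fn::')) {
    const fn = keys[0];
    const arg = resolve(value[fn], importValues);
    if (fn === 'Fn::ImportValue') {
      return Object.prototype.hasOwnProperty.call(importValues, arg)
        ? importValues[arg]
        : 'IMPORTEDVALUE' + arg;
    }
    if (fn === 'Fn::GetAtt') {
      // Stand-in for an attribute of another resource in the same template.
      const [logicalId, attr] = Array.isArray(arg) ? arg : String(arg).split('.');
      return 'mock-' + logicalId + '-' + attr;
    }
    if (fn === 'Fn::Join') return arg[1].join(arg[0]);
    // Other intrinsics are left untouched by this model.
  }
  const out = {};
  for (const k of keys) out[k] = resolve(value[k], importValues);
  return out;
}

// Depth-first visit of every leaf value together with the key path to it.
function walk(node, path, visit) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => walk(v, path.concat(i), visit));
  } else if (node !== null && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) walk(v, path.concat(k), visit);
  } else {
    visit(path, node);
  }
}

// The check described in the thread: only properties whose *name* ends in
// "Arn" are validated, so a placeholder inside an IAM "Resource" list is missed.
function lintArnProperties(template, importValues = {}) {
  const findings = [];
  for (const [logicalId, resource] of Object.entries(template.Resources || {})) {
    const props = resolve(resource.Properties || {}, importValues);
    walk(props, [], (path, value) => {
      const key = path[path.length - 1];
      if (typeof key !== 'string' || !key.endsWith('Arn')) return;
      if (typeof value === 'string' && ARN_RE.test(value)) return;
      findings.push({
        resource: ['Resources', logicalId, 'Properties', ...path].join(' > '),
        message: `Expecting an ARN, got '${value}'`,
      });
    });
  }
  return findings;
}

// Constructed sample template, modelled on the two snippets in the issue.
const TEMPLATE = {
  Resources: {
    SFATableStreamMapping: {
      Type: 'AWS::Lambda::EventSourceMapping',
      Properties: {
        BatchSize: 10,
        EventSourceArn: { 'Fn::ImportValue': 'dh--sfa-api--staging--database:SFATableStreamARN' },
        FunctionName: { 'Fn::GetAtt': ['ResolverLambdaFunction', 'Arn'] },
        StartingPosition: 'TRIM_HORIZON',
        Enabled: true,
      },
    },
    ResolverRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        Policies: [{
          PolicyName: 'es-read',
          PolicyDocument: {
            Version: '2012-10-17',
            Statement: [{
              Effect: 'Allow',
              Action: ['es:ESHttpGet'],
              Resource: [{ 'Fn::Join': ['', [
                { 'Fn::ImportValue': 'dh--sfa-api--yamltest--elasticsearch:ElasticSearchArn' },
                '/*',
              ]] }],
            }],
          },
        }],
      },
    },
  },
};

// Stand-alone run: one finding on EventSourceArn, none on the IAM role.
console.log(JSON.stringify(lintArnProperties(TEMPLATE), null, 2));
```

Run without an import map, the only finding is on `EventSourceArn`, and its message has the same shape as the one in the issue; the joined `IMPORTEDVALUE...ElasticSearchArn/*` value in the IAM statement is produced but never examined, which is the "expected, but not ideal" gap described above. Passing the export's real stream ARN as the second argument, the role the `--import-values` option plays on the CLI, clears the finding.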