stelligent / cfn_nag

Linting tool for CloudFormation templates
MIT License

Incorrectly Throwing W28 Warning for Resource Type #559

Open emilyrohrbough opened 3 years ago

emilyrohrbough commented 3 years ago

Running the linter on my CF template, I am receiving a W28 warning that is resolving to my resource type. Initially I thought it was reporting the incorrect line number, but when I removed the type, I received a missing type error (as I should), and when I moved it to a different line, I received the same error with the updated line number.

Error

➜ cfn_nag_scan --input-path ./aws/cloudformation/template.yaml

------------------------------------------------------------
./aws/cloudformation/template.yaml
------------------------------------------------------------------------------------------------------------------------
| WARN W28
|
| Resources: [2343]
| Line Numbers: [33]
|
| Resource found with an explicit name, this disallows updates that require replacement of this resource

Failures count: 0
Warnings count: 1

Template

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31

Parameters:
  Environment:
    Description: The environment.
    Type: String
  SupportNotifierARN:
    Description: Support Team AWS::SNS::Topic ARN.
    Type: String

Conditions:
  IsProd:
    !Equals [ !Ref Environment, 'prod' ]

Resources:
  TesterDLQ:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub tester-dlq-${Environment}
      MessageRetentionPeriod: 1209600 # 14 days

  TesterDLQAlarm:
    Type: AWS::CloudWatch::Alarm
    # ^ line 33 (above) that is throwing the error
    Properties:
      AlarmName: !GetAtt TesterDLQ.QueueName
      AlarmDescription: !Sub The Tester Service was unable to process one or more messages.
      Dimensions:
      - Name: QueueName
        Value: !GetAtt TesterDLQ.QueueName
      ComparisonOperator: GreaterThanThreshold
      EvaluationPeriods: 1
      MetricName: ApproximateNumberOfMessagesVisible
      Namespace: AWS/SQS
      Period: 60 # seconds
      Statistic: Sum
      Threshold: 0
      TreatMissingData: notBreaching
      Unit: Count
      AlarmActions:
      - !If [ IsProd, !Ref SupportNotifierARN, !Ref 'AWS::NoValue' ]
      OKActions:
      - !If [ IsProd, !Ref SupportNotifierARN, !Ref 'AWS::NoValue' ]

jebbens commented 2 years ago

I am experiencing the same error with v0.8.8 for Type: AWS::IAM::Role

lindsaywuau commented 2 years ago

I am experiencing the same issue and it is pointing to "Type: AWS::CloudWatch::Alarm". Any update on this?

maghirardelli commented 2 years ago

I don't think it is incorrectly throwing the error. The rule is outlined here.

poladinesh commented 1 year ago

@emilyrohrbough Although the error complains about the type, it's actually the name of the resource which is causing cfn_nag to complain. In your case it's this line -> AlarmName: !GetAtt TesterDLQ.QueueName. If you remove this line, the warning goes away. As @maghirardelli mentioned, cfn_nag only checks particular resources (check the link shared above).
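As an added illustration of the point made in this thread (example code, not part of the issue or of cfn_nag itself): a minimal W28-style check over the posted template that attributes the finding to the name property and its own line, rather than to the Type line. The type-to-property map is an assumption covering only the two types mentioned above; cfn_nag's real W28 list is longer.

```python
import re

# Resource types and their explicit physical-name property. Only the two types
# named in this thread are listed; cfn_nag's real W28 list is longer (assumption).
NAME_PROPERTIES = {
    "AWS::CloudWatch::Alarm": "AlarmName",
    "AWS::IAM::Role": "RoleName",
}

# Abridged copy of the template posted above (constructed sample input).
TEMPLATE = """\
AWSTemplateFormatVersion: 2010-09-09
Resources:
  TesterDLQ:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub tester-dlq-${Environment}
  TesterDLQAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !GetAtt TesterDLQ.QueueName
      Dimensions:
      - Name: QueueName
        Value: !GetAtt TesterDLQ.QueueName
"""

def find_explicit_names(template_text):
    """Return (logical_id, type, property, line_no) for each resource that sets
    its name property. Indentation-based scan (2/4/6 spaces, as in the issue)."""
    findings, in_resources = [], False
    logical_id = rtype = None
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        if line.rstrip() == "Resources:":
            in_resources = True
            continue
        if not in_resources or not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):        # reached the next top-level section
            break
        if m := re.match(r"^  (\w+):\s*$", line):       # new logical resource id
            logical_id, rtype = m.group(1), None
        elif m := re.match(r"^    Type:\s*(\S+)", line):
            rtype = m.group(1)
        elif m := re.match(r"^      (\w+):", line):     # top-level property
            if NAME_PROPERTIES.get(rtype) == m.group(1):
                findings.append((logical_id, rtype, m.group(1), line_no))
    return findings

for lid, rtype, prop, ln in find_explicit_names(TEMPLATE):
    print(f"W28-style: {lid} ({rtype}) sets {prop} on line {ln}")  # AlarmName, line 10
```

Deleting the AlarmName line, as suggested above, makes the finding disappear; the alarm then gets a CloudFormation-generated physical name and can be replaced during updates.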