How do I use cfn-lint-spec.json? #102

Open
iainelder opened this issue Jul 13, 2023 · 5 comments

@iainelder

I want cfn-lint to validate my SSOUtil::SSO::AssignmentGroup resources instead of just breaking on them.

Here's my test template:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS-SSO-Util-2020-11-08

Parameters:
  InstanceArn:
    Type: String
    Default: arn:aws:sso:::instance/ssoins-ffffffffffffffff

Resources:
  ReadOnly:
    Type: AWS::SSO::PermissionSet
    Properties:
      Name: ReadOnly
      InstanceArn: !Ref InstanceArn
      ManagedPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  AssignmentGroup:
    Type: SSOUtil::SSO::AssignmentGroup
    Properties:
      Name: ReadOnly
      InstanceArn: !Ref InstanceArn
      Principal:
        - Type: USER
          Id: ffffffff-ffff-ffff-ffff-ffffffffffffffff
      PermissionSet:
        - !GetAtt ReadOnly.PermissionSetArn
      Target:
        - Type: AWS_OU
          Id: ou-zzzz-zzzzzzzz

By default cfn-lint of course fails to recognize the custom type.

$ cfn-lint --template Macro-Test.yaml --region eu-central-1
E3001 Invalid or unsupported Type SSOUtil::SSO::AssignmentGroup for resource AssignmentGroup in eu-central-1
Macro-Test.yaml:19:5

When I found cfn-lint-spec.json I supposed that it would solve the problem, but I can't figure out how to use it.

cfn-lint fails in the same way when I pass the file via --spec-override.

$ cfn-lint --template Macro-Test.yaml --region eu-central-1 --spec-override cfn-lint-spec.json
E3001 Invalid or unsupported Type SSOUtil::SSO::AssignmentGroup for resource AssignmentGroup in eu-central-1
Macro-Test.yaml:19:5

What am I missing?

@iainelder
Author

I got slightly further by writing a custom schema. With it cfn-lint validates the type name but seems to ignore the properties. See aws-cloudformation/cfn-lint#2794 for details.

@iainelder
Author

For now I just ignore the warning on each assignment group with resource-level metadata. It fits on one extra line so it's not too ugly.

Resources:
  AssignmentGroup:
    Type: SSOUtil::SSO::AssignmentGroup
    Metadata: {cfn-lint: {config: {ignore_checks: [E3001]}}}

@benkehoe
Owner

benkehoe commented Jul 13, 2023

Just checking, the parameter according to the docs is --override-spec, in your example you've got --spec-override?

@iainelder
Author

Well spotted! Thanks for your help. Awesome as always.

The complete working command is:

cfn-lint --template Macro-Test.yaml --region eu-central-1 --override-spec cfn-lint-spec.json

@benkehoe
Owner

Re-opening this as I should update the docs with this info.

@benkehoe benkehoe reopened this Jul 13, 2023