Call cfn-lint for module fragments

[miparnisari]

Issue #, if available: N/A

Description of changes: when calling cfn validate on a module, run cfn-lint on the fragment for extra validations.

(Future improvement: support cfn validate --region so that we can pass the region value to cfn-lint. Related: aws-cloudformation/cfn-lint#607)

Sample output:

MacBook@ ~/Desktop/modules/cfnlint $ cat fragments/sample.json
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "S3Bucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Something",
            "UpdateReplacePolicy": "Retain"
        }
    }
}
MacBook@ ~/Desktop/modules/cfnlint $ cfn validate
Module fragment is probably valid, but there are warnings/errors from cfn-lint (https://github.com/aws-cloudformation/cfn-python-lint):
	DeletionPolicy should be only one of Delete, Retain, Snapshot at Resources/S3Bucket/DeletionPolicy (from rule E3035: Check DeletionPolicy values for Resources)
MacBook@ ~/Desktop/modules/cfnlint $ cat fragments/sample.json
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "S3Bucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Retain"
        }
    }
}
MacBook@ ~/Desktop/modules/cfnlint $ cfn validate
Module fragment is valid.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[PatMyron]

1. We don't really know the module fragment is valid yet, right?

2. Worth distinguishing terminology from one of cfn-lints rule levels?

Suggested change

	"Module fragment is valid, but there are warnings from cfn-lint "
	"Module fragment might be valid, but there are warnings from cfn-lint "

[johnttompkins]

will this only appear if the user running validate specifies increased verbosity?

[miparnisari]

@PatMyron right. I'll edit both.

@jotompki no, for modules this runs all the time.

[PatMyron]

Future improvement: support cfn validate --region so that we can pass the region value to cfn-lint

Other options like --registry-schemas and --include-checks I come to mind as well

[johnttompkins]

will this only appear if the user running validate specifies increased verbosity?

[johnttompkins]

Can we just use the yaml loads() so we don't have to write to a temporary file: https://github.com/aws-cloudformation/cfn-python-lint/blob/master/src/cfnlint/decode/cfn_yaml.py#L183?

[miparnisari]

The problem is that cfnlint.core.run_checks needs a filename to run. I haven't seen an api that validates a template in memory.

[johnttompkins]

is filename being used anywhere?

if it's really necessary recommend: https://docs.python.org/3/library/tempfile.html

[miparnisari]

@jotompki yep, it's used by cfnlint.core.run_checks. I tried using NamedTemporaryFile, I don't see the benefit, I have to write the file, then read it back, and then manually remove it?

[kddejong]

This is great to see. One of the things that may be worth adding as a rule (Warning level) is using parameters in conditions inside your module. Not sure if you would want to add custom rules but I got tripped up on this.

[miparnisari]

This is great to see. One of the things that may be worth adding as a rule (Warning level) is using parameters in conditions inside your module. Not sure if you would want to add custom rules but I got tripped up on this.

@kddejong this can be added as an extra validation in RPDK, right? @MalikAtalla-AWS has context on all the validations were are currently doing.