Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

catch common resource schema issues in cfn validate #663

Merged
merged 4 commits into from
Jan 20, 2021

Conversation

PatMyron
Copy link
Contributor

@PatMyron PatMyron commented Jan 8, 2021

resource types with LIST API options like MaxResults, NextToken, Filters, etc as properties of the resource itself:
aws-cloudformation/aws-cloudformation-resource-providers-licensemanager#3
aws-cloudformation/aws-cloudformation-resource-providers-iotwireless#3
aws-cloudformation/aws-cloudformation-resource-providers-ssm#75

botocore $ grep -h 'input_token' botocore/data/*/*/paginators-1.json | tr '[:upper:]' '[:lower:]' | sort | uniq -ic | sort -nr | head
1147       "input_token": "nexttoken",
 328       "input_token": "marker",
  40       "input_token": "pagetoken",
  18       "input_token": "position",
  16       "input_token": "nextmarker",
   7       "input_token": "nextpagetoken",
   5       "input_token": "paginationtoken",

botocore $ grep -h 'output_token' botocore/data/*/*/paginators-1.json | tr '[:upper:]' '[:lower:]' | sort | uniq -ic | sort -nr | head
1147       "output_token": "nexttoken",
 199       "output_token": "marker",
  57       "output_token": "nextmarker",
  45       "output_token": "nextpagetoken",

botocore $ grep -h 'limit_key' botocore/data/*/*/paginators-1.json | tr '[:upper:]' '[:lower:]' | sort | uniq -ic | sort -nr | head
 931       "limit_key": "maxresults",
 159       "limit_key": "maxrecords",
 144       "limit_key": "limit",
 129       "limit_key": "maxitems",
  42       "limit_key": "pagesize",

readOnlyProperties overlapping with writeOnlyProperties or createOnlyProperties or required:
aws-cloudformation/aws-cloudformation-resource-providers-auditmanager#2
aws-cloudformation/aws-cloudformation-resource-providers-codeartifact#38
AWS::Events::Archive.ArchiveName
#668


wildcards in handler permissions:
CloudformationSchemas $ grep 'permissions.*\*' *
aws-cloudformation/aws-cloudformation-resource-providers-greengrassv2#4
aws-cloudformation/aws-cloudformation-resource-providers-imagebuilder@55fa9bf#r46035310
AWS::ApiGateway::DomainName
AWS::ServiceCatalog::CloudFormationProvisionedProduct


TODO in future PRs:


how to run new validations on all existing resource provider schemas


Inspired by https://github.com/hashicorp/terraform-provider-aws/tree/main/providerlint

@PatMyron PatMyron force-pushed the catch-schema-issues branch 2 times, most recently from c2c7cbb to 4d1e326 Compare January 8, 2021 06:24
"maxresults" in map(str.lower, resource_spec.get("properties", []))
or "nexttoken" in map(str.lower, resource_spec.get("properties", []))
or "nextmarker" in map(str.lower, resource_spec.get("properties", []))
):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've also seen Marker, ClientToken and StatusReason all as problematic properties that are clearly not assignable.

Copy link
Contributor Author

@PatMyron PatMyron Jan 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

@PatMyron PatMyron Jan 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

was easy to track down LIST API option synonyms using paginators, but left those open while we try to find a way to track down all their synonyms too

@PatMyron PatMyron force-pushed the catch-schema-issues branch 3 times, most recently from 394a0d4 to 3828495 Compare January 13, 2021 23:00
@PatMyron PatMyron added the schema Related to the provider meta schema label Jan 14, 2021
@PatMyron PatMyron force-pushed the catch-schema-issues branch 2 times, most recently from 01b3066 to 4d9bf63 Compare January 14, 2021 02:25
@PatMyron PatMyron force-pushed the catch-schema-issues branch from 4d9bf63 to 32c9c0a Compare January 14, 2021 02:42
@PatMyron PatMyron marked this pull request as ready for review January 14, 2021 02:51
@PatMyron PatMyron force-pushed the catch-schema-issues branch from dbfdb72 to 452021b Compare January 17, 2021 04:22
@PatMyron PatMyron force-pushed the catch-schema-issues branch from 452021b to 893bd03 Compare January 17, 2021 04:26
):
LOG.warning(
"readOnlyProperties cannot be specified by customers and should not overlap with writeOnlyProperties or createOnlyProperties"
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible for users to successfully submit their resources when these warning are logged? If yes, should we throw an exception and stop them from submitting?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible for users to successfully submit their resources when these warning are logged?

As it's currently written, yes

If yes, should we throw an exception and stop them from submitting?

I've also been debating this. We should have enforced some of these from the start, but it's trickier now to suddenly introduce backwards incompatible breaking changes

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should do it, maybe with a major version bump and a release announcement that the changes are backward incompatible. Users can stick with a specific version until they are ready to upgrade.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think this is something we can introduce in the future, but i think these warnings are still valuable for customers to see before upgrading. usually with some backwards incompatible change there's a period of warning about an upcoming change in behavior, then a flip of some kind. we can use this as an opportunity to introduce the warnings then remove the functionality at a later date

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree NOT to introduce backward incompatible change as because there are some resources have it's special cases which it will break them.

Warning is good at this point to alert.

Copy link
Contributor

@johnttompkins johnttompkins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any unit tests for these checks? i see the example schemas was curious if they are used by our test suite

@PatMyron
Copy link
Contributor Author

any unit tests for these checks? i see the example schemas was curious if they are used by our test suite

Yup, these new code branches hit by adding those schemas:

fail_under = 100

Copy link
Contributor

@johnttompkins johnttompkins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would like to see some additional logging to aid customers in finding issues in schema rather than catch all log messages. Would be good to log which properties trip the checks

):
LOG.warning(
"readOnlyProperties cannot be specified by customers and should not overlap with writeOnlyProperties or createOnlyProperties"
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree NOT to introduce backward incompatible change as because there are some resources have it's special cases which it will break them.

Warning is good at this point to alert.

@PatMyron PatMyron merged commit 197b3b1 into master Jan 20, 2021
@PatMyron PatMyron deleted the catch-schema-issues branch January 20, 2021 01:45
PatMyron added a commit that referenced this pull request Jan 20, 2021
continuing #663

readOnlyProperties overlapping with required:
AWS::CodeArtifact::Repository.DomainName
AWS::MWAA::Environment.Name
PatMyron added a commit that referenced this pull request Jan 21, 2021
continuing #663

readOnlyProperties overlapping with required:
AWS::CodeArtifact::Repository.DomainName
AWS::MWAA::Environment.Name
@iann0036
Copy link
Contributor

iann0036 commented Jan 23, 2021

Saw CallerReference recently, which could be good for the list

@PatMyron PatMyron changed the title catch common resource schema issues catch common resource schema issues in cfn validate Jan 27, 2021
kddejong pushed a commit to kddejong/cloudformation-cli that referenced this pull request Oct 24, 2022
continuing aws-cloudformation#663

readOnlyProperties overlapping with required:
AWS::CodeArtifact::Repository.DomainName
AWS::MWAA::Environment.Name
kddejong pushed a commit to kddejong/cloudformation-cli that referenced this pull request Oct 24, 2022
continuing aws-cloudformation#663

readOnlyProperties overlapping with required:
AWS::CodeArtifact::Repository.DomainName
AWS::MWAA::Environment.Name
awesomedevchris pushed a commit to awesomedevchris/awesome_app that referenced this pull request Apr 10, 2023
continuing aws-cloudformation/cloudformation-cli#663

readOnlyProperties overlapping with required:
AWS::CodeArtifact::Repository.DomainName
AWS::MWAA::Environment.Name
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
schema processing schema Related to the provider meta schema
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants