catch common resource schema issues in cfn validate #663
src/rpdk/core/data_loaders.py
"maxresults" in map(str.lower, resource_spec.get("properties", [])) | ||
or "nexttoken" in map(str.lower, resource_spec.get("properties", [])) | ||
or "nextmarker" in map(str.lower, resource_spec.get("properties", [])) | ||
): |
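Review bot: the condition on these lines rebuilds `map(str.lower, resource_spec.get("properties", []))` once per synonym and only yields a boolean, so the warning that follows cannot say which property matched. Lower the property names once into a set, intersect it with the synonym list, and pass the matching names into the log message; a single named set also makes adding the further synonyms raised in this thread (Marker, ClientToken, StatusReason) a one-line change. Minor: `properties` is an object in a resource schema, so `{}` is the honest default rather than `[]`, even though both iterate.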
I've also seen Marker, ClientToken and StatusReason all as problematic properties that are clearly not assignable.
@iann0036 thanks for the heads up, I'll look into these tomorrow:
AWS::EFS::AccessPoint.ClientToken
AWS::LicenseManager::License.ClientToken
AWS::LicenseManager::Grant.ClientToken
AWS::LicenseManager::Grant.StatusReason
AWS::XRay::SamplingRule.SamplingRuleRecord.CreatedAt/ModifiedAt
was easy to track down LIST API option synonyms using paginators, but left those open while we try to find a way to track down all their synonyms too
): | ||
LOG.warning( | ||
"readOnlyProperties cannot be specified by customers and should not overlap with writeOnlyProperties or createOnlyProperties" | ||
) |
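Review bot: the warning string on these lines is constant and does not name the overlapping entries, so a schema author who sees it still has to diff readOnlyProperties against writeOnlyProperties and createOnlyProperties by hand. Compute the intersections before the `if` and format them into the message, for example `LOG.warning("readOnlyProperties %s overlap with %s", sorted(overlap), keyword)`. Because this is a warning and not an exception, `cfn validate` still succeeds on such a schema, which is the behaviour debated in this thread.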
Is it possible for users to successfully submit their resources when these warnings are logged? If yes, should we throw an exception and stop them from submitting?
> Is it possible for users to successfully submit their resources when these warnings are logged?

As it's currently written, yes.

> If yes, should we throw an exception and stop them from submitting?

I've also been debating this. We should have enforced some of these from the start, but it's trickier now to suddenly introduce backwards incompatible breaking changes.
I think we should do it, maybe with a major version bump and a release announcement that the changes are backward incompatible. Users can stick with a specific version until they are ready to upgrade.
I think this is something we can introduce in the future, but I think these warnings are still valuable for customers to see before upgrading. Usually with some backwards incompatible change there's a period of warning about an upcoming change in behavior, then a flip of some kind. We can use this as an opportunity to introduce the warnings, then remove the functionality at a later date.
I agree NOT to introduce a backward incompatible change, because there are some resources that have special cases which it would break.
A warning is good at this point to alert.
Any unit tests for these checks? I see the example schemas; was curious if they are used by our test suite.
Yup, these new code branches are hit by adding those schemas: cloudformation-cli/.coveragerc Line 6 in c542ea9
Would like to see some additional logging to aid customers in finding issues in the schema rather than catch-all log messages. Would be good to log which properties trip the checks.
continuing #663 readOnlyProperties overlapping with required: AWS::CodeArtifact::Repository.DomainName AWS::MWAA::Environment.Name
resource types with LIST API options like MaxResults, NextToken, Filters, etc. as properties of the resource itself:
- aws-cloudformation/aws-cloudformation-resource-providers-licensemanager#3
- aws-cloudformation/aws-cloudformation-resource-providers-iotwireless#3
- aws-cloudformation/aws-cloudformation-resource-providers-ssm#75

readOnlyProperties overlapping with writeOnlyProperties or createOnlyProperties or required:
- aws-cloudformation/aws-cloudformation-resource-providers-auditmanager#2
- aws-cloudformation/aws-cloudformation-resource-providers-codeartifact#38
- AWS::Events::Archive.ArchiveName #668

wildcards in handler permissions (CloudformationSchemas $ grep 'permissions.*\*' *):
- aws-cloudformation/aws-cloudformation-resource-providers-greengrassv2#4
- aws-cloudformation/aws-cloudformation-resource-providers-imagebuilder@55fa9bf#r46035310
- AWS::ApiGateway::DomainName
- AWS::ServiceCatalog::CloudFormationProvisionedProduct

TODO in future PRs:
- invalid regular expression patterns
- non-ASCII resource schema characters
- hardcoded aws partition
- incorrect min/max constraints
- inconsistent property casing
- hardcoding constantly evolving enums like instance types, lambda runtimes, partitions, regions, availability zones, etc. that get outdated quickly
- insertionOrder not specified correctly for array (default value for insertionOrder is true, cloudformation-resource-schema#47 (comment))
- taggable not specified correctly (Adding taggable support in schema, cloudformation-resource-schema#105 (comment))
- type of properties (CloudformationSchemas $ grep -C 1 '$ref' * | grep '"type"')
- definitions / empty lists
- cfn-lint --include-experimental
- how to run new validations on all existing resource provider schemas

Inspired by https://github.com/hashicorp/terraform-provider-aws/tree/main/providerlint
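The three checks this PR describes (LIST API option names as resource properties, readOnlyProperties overlapping with writeOnlyProperties/createOnlyProperties/required, and wildcards in handler permissions), as an added Python example that is not code from cloudformation-cli or from this PR. It differs from the reviewed diff in that every finding names the offending property or permission, which the review thread asks for. The synonym set, the pointer-to-name helper, the `validate` function and the sample schema are assumptions constructed for this example.

```python
"""Added example: the schema checks discussed in PR #663, run over a constructed
resource schema. Not cloudformation-cli code; names and sample data are assumptions."""
import logging

LOG = logging.getLogger(__name__)

# Names that belong to LIST request/response shapes, never to a resource.
# Lower-cased for case-insensitive matching; built from the names raised in the thread.
LIST_API_OPTION_NAMES = frozenset(
    {"maxresults", "nexttoken", "nextmarker", "marker", "filters", "clienttoken", "statusreason"}
)


def _top_level_property(pointer):
    """'/properties/Name' -> 'Name'; nested or unrelated pointers -> None (assumption)."""
    parts = pointer.split("/")
    if len(parts) == 3 and parts[1] == "properties":
        return parts[2]
    return None


def check_list_api_options(schema):
    """Return resource property names that look like LIST API options (sorted)."""
    props = schema.get("properties", {})
    return sorted(name for name in props if name.lower() in LIST_API_OPTION_NAMES)


def check_read_only_overlap(schema):
    """Return {keyword: sorted overlapping pointers} for readOnlyProperties."""
    read_only = set(schema.get("readOnlyProperties", []))
    overlaps = {}
    for keyword in ("writeOnlyProperties", "createOnlyProperties"):
        common = read_only & set(schema.get(keyword, []))
        if common:
            overlaps[keyword] = sorted(common)
    # `required` lists bare property names rather than JSON pointers.
    required = set(schema.get("required", []))
    common = {p for p in read_only if _top_level_property(p) in required}
    if common:
        overlaps["required"] = sorted(common)
    return overlaps


def check_wildcard_permissions(schema):
    """Return {handler: [permissions containing '*']}."""
    findings = {}
    for handler, spec in schema.get("handlers", {}).items():
        wild = [perm for perm in spec.get("permissions", []) if "*" in perm]
        if wild:
            findings[handler] = wild
    return findings


def validate(schema):
    """Run all checks, log each finding with the offending names, return the findings."""
    findings = {
        "listApiOptions": check_list_api_options(schema),
        "readOnlyOverlap": check_read_only_overlap(schema),
        "wildcardPermissions": check_wildcard_permissions(schema),
    }
    if findings["listApiOptions"]:
        LOG.warning("LIST API options as resource properties: %s", findings["listApiOptions"])
    for keyword, pointers in findings["readOnlyOverlap"].items():
        LOG.warning("readOnlyProperties %s overlap with %s", pointers, keyword)
    for handler, perms in findings["wildcardPermissions"].items():
        LOG.warning("%s handler permissions contain wildcards: %s", handler, perms)
    return findings


# Constructed sample schema exhibiting all three problems (not a real AWS schema).
SAMPLE_SCHEMA = {
    "typeName": "Example::Sample::Thing",
    "properties": {
        "Name": {"type": "string"},
        "Arn": {"type": "string"},
        "Secret": {"type": "string"},
        "MaxResults": {"type": "integer"},
        "NextToken": {"type": "string"},
    },
    "required": ["Name"],
    "readOnlyProperties": ["/properties/Arn", "/properties/Name", "/properties/Secret"],
    "writeOnlyProperties": ["/properties/Secret"],
    "createOnlyProperties": ["/properties/Name"],
    "handlers": {
        "create": {"permissions": ["example:CreateThing"]},
        "read": {"permissions": ["example:*"]},
    },
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    validate(SAMPLE_SCHEMA)
```

Running the module logs one warning per finding, each naming the property pointers or permission strings involved, so a schema author can go straight to the offending entry instead of diffing the lists by hand.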