Failing validation of Parameter Store type parameters #3870

Closed
scolebrook opened this issue Dec 11, 2024 · 5 comments · Fixed by #3874

@scolebrook

### CloudFormation Lint Version

1.22.0

### What operating system are you using?

Mac

### Describe the bug

A template with Parameter Store type parameters fails validation when the default value is a parameter name (as it should be) not a value of the type that will eventually be read from Parameter Store.

Eg,

```yaml
Parameters:
  vpcId:
    Description: "VPC for Lambdas"
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::VPC::Id>"
    Default: "/network/vpc/primary/id"
  subnets:
    Description: "Subnets for Lambdas"
    Type: "AWS::SSM::Parameter::Value<List<AWS::EC2::Subnet::Id>>"
    Default: "/network/vpc/primary/subnets"
```

The first gets a `E1151 '/network/vpc/primary/id' is not a 'AWS::EC2::VPC.Id'`.
The second gets a `E3012 '/network/vpc/primary/subnets' is not of type 'array'`.

The error messages reference the lines where the parameters are referenced, not where the parameters are defined.

The values in parameter store are correct.

This issue is not present in 1.21.0 or earlier.

### Expected behavior

These parameters pass validation as in previous versions.

### Reproduction template

```yaml
Parameters:
  vpcId:
    Description: "VPC for Lambdas"
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::VPC::Id>"
    Default: "/network/vpc/primary/id"
  subnets:
    Description: "Subnets for Lambdas"
    Type: "AWS::SSM::Parameter::Value<List<AWS::EC2::Subnet::Id>>"
    Default: "/network/vpc/primary/subnets"
```

@kddejong
Contributor

Can you share how you are using the values? Are you using the language extension? Is this in a FindInMap? Looking at possible PRs with that release that could have caused this.

@scolebrook
Author

The stack where I first found the problem after bumping the ver of cfn-lint the pipeline uses is a SAM template.

```yaml
Transform:
  - AWS::LanguageExtensions
  - AWS::Serverless-2016-10-31
```

The subnets param is used in the VpcConfig:

```yaml
Globals:
  Function:
    Architectures:
      - x86_64
    Runtime: python3.12
    Tracing: Disabled
    VpcConfig:
      SecurityGroupIds:
        - !Ref sg
      SubnetIds: !Ref subnets
```

The security group referenced above is where the vpcId param is used.

```yaml
  sg:
   Type: "AWS::EC2::SecurityGroup"
   Properties:
     GroupDescription: "mySG"
     GroupName: "mySG"
     VpcId: !Ref vpcId
     ...
```

The language extensions transform is used elsewhere in the template.

@kddejong
Contributor

Okay, yea, I know what the issue is then. I'm on it.

@kddejong
Contributor

Some people are using LanguageExtension into SAM to help with parameter resolution before running SAM. This is part of aws/serverless-application-model#2533. We did this in #3861 but we shouldn't be doing this for SSM parameters. Fix is incoming.
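
A sketch of the behaviour described in the comment above, added here as an example and not cfn-lint's own code: when parameter defaults are substituted for `Ref` before validation, SSM-typed parameters are skipped because their `Default` is a Parameter Store name, not the value. The function names and the `sgName` parameter are hypothetical, and the template is given as already-parsed dicts.

```python
import copy

SSM_PREFIX = "AWS::SSM::Parameter::"  # covers ::Name and ::Value<...> types

def is_ssm_type(param_type):
    """True when the parameter's Default is a Parameter Store key, not a value."""
    return isinstance(param_type, str) and param_type.startswith(SSM_PREFIX)

def substitutable_defaults(parameters):
    """Defaults that are safe to inline for a Ref before further validation."""
    out = {}
    for name, spec in parameters.items():
        ptype = str(spec.get("Type", ""))
        if "Default" not in spec or is_ssm_type(ptype):
            continue  # SSM default is a lookup key; the real value lives in SSM
        default = spec["Default"]
        if ptype == "CommaDelimitedList" or ptype.startswith("List<"):
            default = [v.strip() for v in str(default).split(",")]
        out[name] = default
    return out

def resolve_refs(node, defaults):
    """Copy of node with {"Ref": p} replaced where p has a usable default."""
    if isinstance(node, dict):
        ref = node.get("Ref")
        if len(node) == 1 and isinstance(ref, str) and ref in defaults:
            return copy.deepcopy(defaults[ref])
        return {k: resolve_refs(v, defaults) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, defaults) for v in node]
    return node

# Constructed sample based on the template fragments in this issue, plus one
# hypothetical plain String parameter ("sgName") for contrast.
TEMPLATE = {
    "Parameters": {
        "vpcId": {"Type": "AWS::SSM::Parameter::Value<AWS::EC2::VPC::Id>",
                  "Default": "/network/vpc/primary/id"},
        "subnets": {"Type": "AWS::SSM::Parameter::Value<List<AWS::EC2::Subnet::Id>>",
                    "Default": "/network/vpc/primary/subnets"},
        "sgName": {"Type": "String", "Default": "mySG"},
    },
    "Resources": {"sg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "mySG", "GroupName": {"Ref": "sgName"},
        "VpcId": {"Ref": "vpcId"}}}},
}
RESOLVED = resolve_refs(TEMPLATE["Resources"],
                        substitutable_defaults(TEMPLATE["Parameters"]))
```

With the SSM types skipped, `VpcId` keeps its `Ref`, so a type check downstream never sees `/network/vpc/primary/id` where a VPC ID is expected.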

@scolebrook
Author

@kddejong You're a champion. Thanks for the quick turnaround.
