FN::GetAtt can return an array

[tomdionysus]

First: Great tool, it really removes some of the pain of dealing with CloudFormation.

I have a situation where I'm creating a subdomain in Route 53 for an environment as a hosted zone, and then creating a NS delegation in another preexisting hosted zone to point to it. The JSON template for the delegation RecordSet comes out as follows:

    "DNSVPCDomain": {
      "Type": "AWS::Route53::HostedZone",
      "Properties": {
        "Name": "staging.DOMAIN.COM",
        "HostedZoneConfig": { "Comment": "ENVIRONMENT staging Public DNS" },
        "HostedZoneTags": [ { "Key": "Name", "Value": "ENVIRONMENT-staging-hosted-zone" } ]
      }
    },

    "DNSVPCDelegation": {
      "Type": "AWS::Route53::RecordSet",
      "DependsOn": [ "DNSVPCDomain" ],
      "Properties": {
        "Name": "staging.DOMAIN.COM",
        "Comment": "ENVIRONMENT staging Subdomain Delegation",
        "HostedZoneId": "Z3**************",
        "ResourceRecords": { "Fn::GetAtt": [ "DNSVPCDomain", "NameServers" ] },
        "TTL": "300",
        "Type": "NS"
      }
    },

Although the template is valid and will create successfully, cfn-lint reports 1 critical:

Resource: Resources > DNSVPCDelegation > Properties > ResourceRecords
Message: Expecting a list, got 'mockAttr_DNSVPCDomain'
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html

In this case, ResourceRecords is expecting an array of strings, which is what the Fn:GetAtt returns for NameServers. Obviously cfn-lint can't be expected to know what type the intrinsic function returns, making validation difficult if not impossible: should there be a mechanism to 'ignore' certain errors, or can I help come up with a better way to handle this?

[martysweet]

It may be possible to implement this.
The GetAtt already does checks against the CloudFormation spec to ensure the Attribute given is valid.

Example from spec.

"AWS::Route53::HostedZone": {
  "Attributes": {
    "NameServers": {
    "PrimitiveItemType": "String",
    "Type": "List"
  }
},

This has a type which can then be parsed, so we can say if list of string, lets output a couple of elements of type string. Should solve the majority of issues surrounding this.

Code which would require changing:

cfn-lint/src/validator.ts

Lines 1056 to 1067 in 78c82a5

	export function fnGetAtt(reference: string, attribute: string){
	if(workingInput['Resources'].hasOwnProperty(reference)){
	const resource = workingInput['Resources'][reference];
	if (resource['Attributes'].hasOwnProperty(attribute)){
	return resource['Attributes'][attribute];
	} else if (resource['Type'].indexOf('Custom::') === 0 || resource['Type'] === 'AWS::CloudFormation::CustomResource') {
	return `mockAttr_${reference}_${attribute}`;
	}
	}
	// Return null if not found
	return null;
	}

[RazzM13]

If I'm not mistaken, this is the root cause of #95.

[martysweet]

@RazzM13 Yes and no. Indeed GetAtt should be capable of returning an array when required, however, with a Custom:: resource we have no idea if the GetAtt should be a string or array, as it's decided at runtime by the invoked Lambda function.

[tomdionysus]

PR: #139

I left attributes on Custom:: resources doing what they did before in the original code, but maybe this is on the road to a more complete solution.