Resources created through serverless transforms use hardcoded partitions #1522
Comments
Actually been meaning to write a similar rule. Think the Linter's just running the AWS::Serverless transform itself though; do you not also experience these hardcoded partitions being generated outside of the Linter? I'd also check which version: `pip3 show aws-sam-translator`
`pip3 install aws-sam-translator --upgrade`
I upgraded. I have generally worked with CloudFormation templates with the SAM Transform directly instead of using the SAM CLI.
I upgraded my version of the aws-sam-translator, but unfortunately that did not solve the issue. I have generally worked with CloudFormation templates with SAM resources specified directly in those templates, packaging and deploying them using the CloudFormation package and deploy CLI. I do know that the SAM spec does work across partitions, so perhaps CFn does the correct resource selection behind the scenes. Is there a way to run linting before the linter runs the transform? Specifically for checks for hardcoded partitions (or perhaps ARN checks in general)?
Console's template tab has a
If processed templates contain generated hardcoded partitions, the AWS::Serverless transform itself should fix that
I checked the processed template and you are correct, this needs to be fixed in the transform itself. Is it possible to create a rule that Warns normally, but Errors if the
@PatMyron Why does cfn-lint run on the transformed template? Shouldn't this only be run on the source template? I ask because SAM is partition aware but we (in some cases) explicitly set the partition, which will create false positives. Not sure I understand why cfn-lint does this validation on the transformed template? Does cfn-lint do this for all transforms?
Currently just the AWS::Serverless Transform; the Linter doesn't require networking or credentials to run, which other transforms require
Hmm.. So SAM is the only one that is validated based on the transformed template. How do we address that? I really don't think you guys should be validating on what we do under the hood for customers, that will lead to confusion on how a customer can fix some 'issue' with the generated template.
Running the AWS::Serverless Transform has some value, but definitely agree that customers shouldn't feel blocked on generated code they can't control |
My ideal solution @jfuss would be to have a SAM CloudFormation spec file we could use to validate the templates. We need to transform for SAM since the transformed template is the only thing that would make sense to the spec files that exist. I agree it does cause some confusion. The other option would be to disable linting on SAM templates (or just lint them as is... which could cause a lot more false positives).
+1 to @kddejong's preference for SAM to provide a spec cfn-lint can use rather than running the SAM translator library on the template before processing with cfn-lint. There's a SAM issue for this: aws/serverless-application-model#1133
Yup. I know this has come up in (many) discussions and I think we had something small done in this space but I don't think it ever got completed. This will help many tools out (cfn lint, cdk, sam cli, etc), so there is value to trying to get this prioritized from our side. |
cfn-lint version: v0.30.1
Resources (such as Lambda Roles and Permissions) created by resources using AWS::Serverless use hardcoded Partitions
Example Resource
Hardcoded partition in resulting managed policy arn
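The check asked for above (flagging hardcoded partitions in a processed template, and what a portable rewrite looks like) as an added example; this is not cfn-lint's or SAM's own code, and the template below is constructed to mirror the reported managed-policy ARN case.

```python
import re

# Partition names that appear hardcoded in generated ARNs (constructed list);
# a portable ARN uses ${AWS::Partition} in that position instead.
HARDCODED_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):")

# Constructed sample of a processed (post-transform) template: one managed
# policy ARN and one Fn::Join fragment pin the partition, one Fn::Sub does not.
PROCESSED_TEMPLATE = {
    "Resources": {
        "FunctionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
                    {"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"},
                ]
            },
        },
        "Permission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "SourceArn": {"Fn::Join": ["", [
                    "arn:aws:execute-api:", {"Ref": "AWS::Region"}, ":*"]]}
            },
        },
    }
}

def find_hardcoded_partitions(node, path):
    """Walk template nodes; return paths of literal strings whose ARN prefix pins a partition."""
    findings = []
    if isinstance(node, str):
        if HARDCODED_ARN.match(node):
            findings.append(path)
    elif isinstance(node, dict):
        for key, value in node.items():
            findings.extend(find_hardcoded_partitions(value, f"{path}/{key}"))
    elif isinstance(node, list):  # Fn::Join fragments are visited with their index
        for index, value in enumerate(node):
            findings.extend(find_hardcoded_partitions(value, f"{path}/{index}"))
    return findings

def lint_template(template):
    """Report every hardcoded partition under Resources as a slash-separated path."""
    return find_hardcoded_partitions(template.get("Resources", {}), "Resources")

def make_portable(arn):
    """Rewrite one literal ARN so the partition is resolved at deploy time."""
    return {"Fn::Sub": HARDCODED_ARN.sub("arn:${AWS::Partition}:", arn)}
```

Running `lint_template` on a template produced by the transform (rather than on the source) is what surfaces generated ARNs the author cannot edit, which is the confusion the thread describes.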