Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How do I validate properties with a custom schema? #2794

Open
iainelder opened this issue Jul 13, 2023 · 0 comments
Open

How do I validate properties with a custom schema? #2794

iainelder opened this issue Jul 13, 2023 · 0 comments
Labels
question Further information is requested

Comments

@iainelder
Copy link

cfn-lint Version

cfn-lint 0.78.1

Provide additional details e.g. code snippets. Be sure to remove any sensitive data.

I want to use aws-sso-util and cfn-lint together. aws-sso-util provides a macro which fakes a custom type called SSOUtil::SSO::AssignmentGroup.

My template looks like this:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS-SSO-Util-2020-11-08

Parameters:
  InstanceArn:
    Type: String
    Default: arn:aws:sso:::instance/ssoins-ffffffffffffffff

Resources:
  ReadOnly:
    Type: AWS::SSO::PermissionSet
    Properties:
      Name: ReadOnly
      InstanceArn: !Ref InstanceArn
      ManagedPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  AssignmentGroup:
    Type: SSOUtil::SSO::AssignmentGroup
    Properties:
      Name: ReadOnly
      InstanceArn: !Ref InstanceArn
      Principal:
        - Type: USER
          Id: ffffffff-ffff-ffff-ffff-ffffffffffffffff
      PermissionSet:
        - !GetAtt ReadOnly.PermissionSetArn
      Target:
        - Type: AWS_OU
          Id: ou-zzzz-zzzzzzzz

By default cfn-lint of course fails to recognize the custom type.

$ cfn-lint --template Macro-Test.yaml --region eu-central-1
E3001 Invalid or unsupported Type SSOUtil::SSO::AssignmentGroup for resource AssignmentGroup in eu-central-1
Macro-Test.yaml:19:5

I think I'm supposed to use --registry-schemas to solve this, but I've had limited success because of the missing documentation.

#2321 says that to lint Datadog::Monitors::Monitor you need to pass a directory of third-party resource schemas and points to #1732 for a partial solution.

SSOUtil::SSO::AssignmentGroup is not a real registered type, but is faked by macro preprocessing, so there is no schema to download. As far as I know, no one ever wrote that schema.

I created a file called custom-schema/AssignmentGroup.json with this content:

{
    "typeName": "SSOUtil::SSO::AssignmentGroup"
}

cfn-lint produces no output when I pass the the folder name, which I think means it now at least accepts the type name.

$ cfn-lint --template Macro-Test.yaml --region eu-central-1 --registry-schemas custom-schema/

I also want to validate the properties, and this is where I get lost.

I extend the custom schema to look like this:

{
    "typeName": "SSOUtil::SSO::AssignmentGroup",
    "properties": {
        "Color": {
            "Type": "String"
        }
    },
    "required": ["Color"]
}

My intention is to declare a required Color property. This should make cfn-lint fail again because my template doesn't have a Color property anywhere.

But cfn-lint still gives no output in this case.

There might be something wrong with the schema, but I'm unsure how to validate it.

What am I missing?
@iainelder iainelder added the question Further information is requested label Jul 13, 2023
@iainelder iainelder mentioned this issue Jul 13, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@iainelder