Linter unable to support resource transforms #597

Closed
zetas opened this issue Aug 18, 2020 · 3 comments

Comments


zetas commented Aug 18, 2020

Describe the bug
Due to the fact that DeletionPolicy cannot be made dynamic due to a stupid CF limitation that's existed since 2014, I've had to use a workaround to allow for different deletion policies for different environments (i.e. DeletionPolicy: Delete for an RDS instance in dev, but in Prod it should be Retain or at least Snapshot). I've verified that this approach is supported and works; however, Taskcat's linter throws an error: [ERROR ] : line 64 [3001] [Basic CloudFormation Resource Check] Invalid resource attribute Fn::Transform for resource Instance

To Reproduce
Steps to reproduce the behavior:

Here is the relevant template snippet:

Resources:
  Instance:
    Type: 'AWS::RDS::DBInstance'
    Fn::Transform:
      Name: AWS::Include
      Parameters:
        Location: !Sub 's3://${S3SourceBucketName}/${CPVersion}/templates/customer/rds-instance-${StackType}-policy.yaml'
    Properties:
      Engine: MySQL
      EngineVersion: '5.7'
...

And here's the entirety of the included file (the dev version for example):

DeletionPolicy: Delete
UpdateReplacePolicy: Delete

Expected behavior
I expect it to acknowledge its use case as being valid. Perhaps because CloudFormation does not support the shorthand !Transform for YAML? Maybe that's why it's triggering this: it doesn't like the 'Fn::Transform' in the upper scope of a resource?

Version

  • Taskcat Version 0.9.19 installed via pip3

Note: Python Version 3.7

Additional context
I tried putting single quotes around the Fn::Transform as well as around AWS::Include; it doesn't make a difference. I've also tried putting the transform block at the bottom of the resource definition under the parameters; that too has no effect, it still triggers an error in the linter.

Also, here is the processed template snippet from the CloudFormation GUI, where you can clearly see the DeletionPolicy and UpdateReplacePolicy are being included in the template correctly, so the transform is working as far as CF is concerned:

    "Instance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "Engine": "MySQL",
        "EngineVersion": "5.7",
        "MultiAZ": {
          "Ref": "MultiAZ"
        },
        "MasterUsername": {
          "Fn::Join": [
            "",
            [
              "{{resolve:secretsmanager:",
              {
                "Ref": "InstanceMasterCredentials"
              },
              ":SecretString:username}}"
            ]
          ]
        },
        "MasterUserPassword": {
          "Fn::Join": [
            "",
            [
              "{{resolve:secretsmanager:",
              {
                "Ref": "InstanceMasterCredentials"
              },
              ":SecretString:password}}"
            ]
          ]
        },
        "DBInstanceClass": {
          "Ref": "InstanceType"
        },
        "StorageType": "gp2",
        "AllocatedStorage": {
          "Ref": "InitialAllocatedStorage"
        },
        "MaxAllocatedStorage": {
          "Ref": "MaxAllocatedStorage"
        },
        "DBSubnetGroupName": {
          "Ref": "SubnetGroup"
        },
        "VPCSecurityGroups": {
          "Fn::Split": [
            ",",
            {
              "Ref": "VPCSecurityGroupIds"
            }
          ]
        },
        "StorageEncrypted": true,
        "KmsKeyId": {
          "Ref": "EncryptionKeyId"
        },
        "BackupRetentionPeriod": {
          "Ref": "BackupRetentionPeriod"
        }
      },
      "DeletionPolicy": "Delete",
      "UpdateReplacePolicy": "Delete"
    }

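As an added example (not code from the issue, taskcat or cfn-lint), the Python below models what the resource-level AWS::Include does to a template and runs the two checks a reviewer wants here: the E3001-style "unknown resource attribute" check that fires on the source template, and a check on the processed output that a prod RDS instance actually ends up with a policy that prevents data loss. The template, fragments and bucket name are constructed, and the merge behaviour is an assumption modelled on the processed output shown above.

```python
import copy

# Constructed source template, modelled on the snippet in the issue
SOURCE_TEMPLATE = {"Resources": {"Instance": {
    "Type": "AWS::RDS::DBInstance",
    "Fn::Transform": {"Name": "AWS::Include", "Parameters": {
        "Location": "s3://BUCKET/templates/rds-instance-${StackType}-policy.yaml"}},
    "Properties": {"Engine": "MySQL", "EngineVersion": "5.7"},
}}}
# Constructed stand-ins for the per-environment included files
FRAGMENTS = {
    "dev": {"DeletionPolicy": "Delete", "UpdateReplacePolicy": "Delete"},
    "prod": {"DeletionPolicy": "Snapshot", "UpdateReplacePolicy": "Snapshot"},
}
# Resource-level keys CloudFormation accepts. Fn::Transform is not one of them:
# it is a pre-processing directive, which is why cfn-lint raises E3001 on the source.
RESOURCE_ATTRIBUTES = {"Type", "Properties", "DeletionPolicy", "UpdateReplacePolicy",
                       "DependsOn", "Condition", "Metadata", "CreationPolicy", "UpdatePolicy"}
SAFE_POLICIES = {"Retain", "Snapshot"}

def apply_include(resource, fragments, stack_type):
    """Assumed model of AWS::Include at resource level: drop Fn::Transform, merge the fragment."""
    out = copy.deepcopy(resource)
    transform = out.pop("Fn::Transform", None)
    if transform is not None:
        if transform.get("Name") != "AWS::Include":
            raise ValueError("only AWS::Include is modelled here")
        out.update(fragments[stack_type])  # real CFN fetches Parameters.Location from S3
    return out

def process_template(template, fragments, stack_type):
    """Expand every resource-level include, as CloudFormation does before deployment."""
    return {**template, "Resources": {n: apply_include(r, fragments, stack_type)
                                      for n, r in template["Resources"].items()}}

def lint_resources(template, stack_type):
    """Findings: E3001-style unknown attributes, plus prod RDS policies that allow data loss."""
    findings = []
    for name, res in template["Resources"].items():
        for attr in sorted(set(res) - RESOURCE_ATTRIBUTES):
            findings.append(f"{name}: invalid resource attribute {attr}")
        if res.get("Type") == "AWS::RDS::DBInstance" and stack_type == "prod":
            for attr in ("DeletionPolicy", "UpdateReplacePolicy"):
                if res.get(attr) not in SAFE_POLICIES:
                    findings.append(f"{name}: {attr}={res.get(attr)!r} permits data loss in prod")
    return findings
```

Running the lint on the source reproduces the E3001 complaint; running it on the processed output for each stack type is the check that matters before deploying to prod.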
@andrew-glenn
Collaborator

@zetas thanks for the report. Are you able to replicate this via cfn-init? That's what we use under the hood, and I'm looking to narrow down a cfn-lint issue versus how we interface with it.


zetas commented Aug 19, 2020

@andrew-glenn I'm not sure how to test with cfn-init, but I installed and tested cfn-lint and got the same error, so it looks like it's an issue with the CloudFormation helper scripts maybe?

The cfn-lint output:
E3001 Invalid resource attribute Fn::Transform for resource Instance rds.yaml:64:5


zetas commented Aug 20, 2020

@andrew-glenn I'm going to close this ticket, as I got a response from someone on the AWS issue I posted to their roadmap repo with an explanation and a workaround that totally fixes this: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/162#issuecomment-676880085

zetas closed this as completed Aug 20, 2020