diff --git a/.cfnlintrc b/.cfnlintrc
new file mode 100644
index 000000000..01cc17f2c
--- /dev/null
+++ b/.cfnlintrc
@@ -0,0 +1,16 @@
+templates:
+ - ./**/template.yml
+ - ./**/account_processing.yml
+ - ./resources/*.yaml
+ - ./**/example-global-iam.yml
+ - ./**/global.yml
+ - ./**/regional.yml
+ignore_templates:
+ - ./**/appspec.yml
+ - ./**/appspec.yaml
+ - ./**/buildspec.yml
+ - ./**/buildspec.yaml
+ - ./**/params/*.yml
+ - ./**/params/*.yaml
+include_checks:
+ - I
\ No newline at end of file
diff --git a/Makefile b/Makefile
index dcdec0962..467c37f08 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,7 @@ test:
 lint: # Linter performs static analysis to catch latent bugs
 find src/ -iname "*.py" -not -path "src/.aws-sam/*" | xargs pylint --rcfile .pylintrc
+ cfn-lint
 build:
 sam build -u
diff --git a/requirements.txt b/requirements.txt
index 1364abc90..3da561c6a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,3 +8,4 @@ pytest~=6.2.5
 pyyaml>=5.4.1
 schema~=0.7.5
 tox==3.24.4
+cfn-lint~=0.60.1
\ No newline at end of file
diff --git a/samples/sample-ec2-with-codedeploy/template.yml b/samples/sample-ec2-with-codedeploy/template.yml
index 77e09bfd1..6c5131bf7 100644
--- a/samples/sample-ec2-with-codedeploy/template.yml
+++ b/samples/sample-ec2-with-codedeploy/template.yml
@@ -249,6 +249,6 @@ Resources:
 Outputs:
 LoadBalancerExternalUrl:
 Description: The url of the external load balancer
- Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]
+ Value: !Sub http://${PublicLoadBalancer.DNSName}
 Export:
 Name: 'LoadBalancerExternalUrl'
diff --git a/samples/sample-ecs-cluster/template.yml b/samples/sample-ecs-cluster/template.yml
index 14e1c2c0f..b157f3913 100644
--- a/samples/sample-ecs-cluster/template.yml
+++ b/samples/sample-ecs-cluster/template.yml
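Review bot: The new `.cfnlintrc` ends without a trailing newline (`\ No newline at end of file`), and the `requirements.txt` hunk in this same commit has the same problem; both files should end with exactly one newline. The file also carries no comment explaining the two glob lists, so a header such as `# templates: CloudFormation/SAM files to lint; ignore_templates: YAML that is not a template (CodeDeploy appspec, CodeBuild buildspec, pipeline params)` would help whoever extends them next. Note that `include_checks: - I` turns on the informational rules, and cfn-lint returns a non-zero exit status for informational findings as well, so once the Makefile `lint` target runs `cfn-lint` any such finding blocks the target — which is presumably why the serverless sample gains an `ignore_checks` entry in this commit.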
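Review bot: The new `Value: !Sub http://${PublicLoadBalancer.DNSName}` is a plain unquoted scalar, while every other `!Sub` string in this commit is quoted (`!Sub "arn:${AWS::Partition}..."` in account_processing.yml and src/template.yml) and the neighbouring `Name: 'LoadBalancerExternalUrl'` is quoted too; writing `Value: !Sub 'http://${PublicLoadBalancer.DNSName}'` keeps the style uniform and protects the value if a later edit appends characters YAML treats specially in plain scalars (`: ` or ` #`). The identical line in samples/sample-ecs-cluster/template.yml should get the same treatment. The exported URL remains plain `http://`, exactly as before the change; if the sample's listener is meant to be HTTPS-only the export should follow, but that is outside this hunk.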
@@ -155,7 +155,7 @@ Outputs:
 Name: 'ClusterName'
 ExternalUrl:
 Description: The url of the external load balancer
- Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]
+ Value: !Sub http://${PublicLoadBalancer.DNSName}
 Export:
 Name: 'ExternalUrl'
 ECSRole:
diff --git a/samples/sample-serverless-app/template.yml b/samples/sample-serverless-app/template.yml
index 1ea4c5498..0b7065f7c 100644
--- a/samples/sample-serverless-app/template.yml
+++ b/samples/sample-serverless-app/template.yml
@@ -6,6 +6,11 @@ Transform: AWS::Serverless-2016-10-31
 Description: ADF CloudFormation Sample Template (Serverless Application)
 Metadata:
 License: Apache-2.0
+ cfn-lint:
+ config:
+ ignore_checks:
+ # https://github.com/aws/serverless-application-model/issues/1590
+ - I3042
 Resources:
 ExampleServerlessApp:
 Type: 'AWS::Serverless::Function'
diff --git a/src/account_processing.yml b/src/account_processing.yml
index 21e928629..474579894 100644
--- a/src/account_processing.yml
+++ b/src/account_processing.yml
@@ -84,7 +84,7 @@ Resources:
 - Effect: Allow
 Action:
 - "sts:AssumeRole"
- Resource: !Sub "arn:aws:iam::*:role/${CrossAccountAccessRoleName}"
+ Resource: !Sub "arn:${AWS::Partition}:iam::*:role/${CrossAccountAccessRoleName}"
 Roles:
 - !Ref AccountProcessingLambdaRole
 - !Ref GetAccountRegionsFunctionRole
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
index a1d8b0646..417d26dc2 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -135,6 +135,7 @@ Resources:
 PipelineBucket:
 Type: AWS::S3::Bucket
 DeletionPolicy: Retain
+ UpdateReplacePolicy: Retain
 Properties:
 AccessControl: BucketOwnerFullControl
 OwnershipControls:
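Review bot: The new template-level `ignore_checks` entry for `I3042` is documented only by a URL, and because it sits under the template's `Metadata` it silences that rule for every resource in the file, not just the construct the linked SAM issue concerns. The comment should name what triggers the finding and when the ignore can be dropped, e.g. `# I3042 (hard-coded ARN partition) is reported for <resource/property — TODO confirm>, a SAM expansion we cannot change here; remove once the issue below is fixed`, with the URL kept on the next line. Without that, a genuine hard-coded `arn:aws:` added to this sample later would pass the linter unnoticed.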
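Review bot: The rewritten `Resource` still permits `sts:AssumeRole` on `role/${CrossAccountAccessRoleName}` in any account (`iam::*:`), so the three roles listed under `Roles` may assume a same-named role in an account outside the organisation as well; the commit only swaps the hard-coded partition for `${AWS::Partition}`. The src/template.yml hunk in this diff passes an `OrganizationID` parameter into a nested application, presumably this one; if that value is a parameter here, the statement can keep the account wildcard but be bounded to the organisation with `Condition: {StringEquals: {aws:ResourceOrgID: !Ref OrganizationID}}` on this statement. The statement's `Effect` and `Action` lines are in the hunk, but the enclosing policy document starts above it.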
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
index a39a0fc12..163375040 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
@@ -11,6 +11,7 @@ Resources:
 DeploymentFrameworkRegionalS3Bucket:
 Type: AWS::S3::Bucket
 DeletionPolicy: Retain
+ UpdateReplacePolicy: Retain
 Properties:
 BucketEncryption:
 ServerSideEncryptionConfiguration:
diff --git a/src/template.yml b/src/template.yml
index bdedecb62..52ed51bcd 100644
--- a/src/template.yml
+++ b/src/template.yml
@@ -145,6 +145,8 @@ Resources:
 ADFVersion: !FindInMap ['Metadata', 'ADF', 'Version']
 OrganizationID: !GetAtt Organization.OrganizationId
 CrossAccountAccessRoleName: !Ref CrossAccountAccessRoleName
+ UpdateReplacePolicy: Delete
+ DeletionPolicy: Delete
 LambdaLayerVersion:
 Type: "AWS::Serverless::LayerVersion"
 Properties:
@@ -471,12 +473,12 @@ Resources:
 Resource:
 - !GetAtt "BootstrapTemplatesBucket.Arn"
 - !Sub "${BootstrapTemplatesBucket.Arn}/*"
- - !GetAtt BootstrapArtifactStorageBucket.Arn
+ - !GetAtt "BootstrapArtifactStorageBucket.Arn"
 - !Sub "${BootstrapArtifactStorageBucket.Arn}/*"
 - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}"
 - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}/*"
- - !Sub "arn:aws:s3:::${AccountProcessingApplication.Outputs.Bucket}"
- - !Sub "arn:aws:s3:::${AccountProcessingApplication.Outputs.Bucket}/*"
+ - !Sub "arn:${AWS::Partition}:s3:::${AccountProcessingApplication.Outputs.Bucket}"
+ - !Sub "arn:${AWS::Partition}:s3:::${AccountProcessingApplication.Outputs.Bucket}/*"
 - Effect: "Allow"
 Action:
 - "codebuild:*"
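Review bot: `UpdateReplacePolicy: Delete` and `DeletionPolicy: Delete` in the first src/template.yml hunk restate CloudFormation's default behaviour, so their only effect is to satisfy a linter check, and nothing in the hunk says so; the resource's `Type` line is above the hunk, and from the parameters it looks like the AccountProcessingApplication nested application. A one-line comment above the pair, e.g. `# Explicit Delete (the default): set to satisfy cfn-lint's stateful-resource policy check; this nested application is meant to be removed together with the parent stack`, records the intent so a later reader does not mistake it for a deliberate downgrade from Retain. Because the second hunk shows that application exporting a bucket (`AccountProcessingApplication.Outputs.Bucket`), it is worth confirming that the bucket carries its own Retain policies inside the nested template, as the two S3 buckets in global.yml and regional.yml now do.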