awslabs · sbkok · Aug 10, 2022 · Apr 3, 2022 · Apr 3, 2022 · Apr 3, 2022
diff --git a/.cfnlintrc b/.cfnlintrc
@@ -0,0 +1,16 @@
+templates:
+  - ./**/template.yml
+  - ./**/account_processing.yml
+  - ./resources/*.yaml
+  - ./**/example-global-iam.yml
+  - ./**/global.yml
+  - ./**/regional.yml
+ignore_templates:
+  - ./**/appspec.yml
+  - ./**/appspec.yaml
+  - ./**/buildspec.yml
+  - ./**/buildspec.yaml
+  - ./**/params/*.yml
+  - ./**/params/*.yaml
+include_checks:
+  - I
diff --git a/Makefile b/Makefile
@@ -13,6 +13,7 @@ test:
 lint:
 	# Linter performs static analysis to catch latent bugs
 	find src/ -iname "*.py" -not -path "src/.aws-sam/*" | xargs pylint --rcfile .pylintrc
+	cfn-lint
 
 build:
 	sam build -u

diff --git a/requirements.txt b/requirements.txt
@@ -8,3 +8,4 @@ pytest~=6.2.5
 pyyaml>=5.4.1
 schema~=0.7.5
 tox==3.24.4
+cfn-lint~=0.60.1
diff --git a/samples/sample-ec2-with-codedeploy/template.yml b/samples/sample-ec2-with-codedeploy/template.yml
@@ -249,6 +249,6 @@ Resources:
 Outputs:
   LoadBalancerExternalUrl:
     Description: The url of the external load balancer
-    Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]
+    Value: !Sub http://${PublicLoadBalancer.DNSName}
     Export:
       Name: 'LoadBalancerExternalUrl'
diff --git a/samples/sample-ecs-cluster/template.yml b/samples/sample-ecs-cluster/template.yml
@@ -155,7 +155,7 @@ Outputs:
       Name:  'ClusterName'
   ExternalUrl:
     Description: The url of the external load balancer
-    Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]
+    Value: !Sub http://${PublicLoadBalancer.DNSName}
     Export:
       Name: 'ExternalUrl'
   ECSRole:

diff --git a/samples/sample-serverless-app/template.yml b/samples/sample-serverless-app/template.yml
@@ -6,6 +6,11 @@ Transform: AWS::Serverless-2016-10-31
 Description: ADF CloudFormation Sample Template (Serverless Application)
 Metadata:
   License: Apache-2.0
+  cfn-lint:
+    config:
+      ignore_checks:
+        # https://github.com/aws/serverless-application-model/issues/1590
+        - I3042 
 Resources:
   ExampleServerlessApp:
     Type: 'AWS::Serverless::Function'

diff --git a/src/account_processing.yml b/src/account_processing.yml
@@ -84,7 +84,7 @@ Resources:
           - Effect: Allow
             Action:
               - "sts:AssumeRole"
-            Resource: !Sub "arn:aws:iam::*:role/${CrossAccountAccessRoleName}"
+            Resource: !Sub "arn:${AWS::Partition}:iam::*:role/${CrossAccountAccessRoleName}"
       Roles:
         - !Ref AccountProcessingLambdaRole
         - !Ref GetAccountRegionsFunctionRole

diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -135,6 +135,7 @@ Resources:
   PipelineBucket:
     Type: AWS::S3::Bucket
     DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Properties:
       AccessControl: BucketOwnerFullControl
       OwnershipControls:

diff --git a/...lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml b/...lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
@@ -11,6 +11,7 @@ Resources:
   DeploymentFrameworkRegionalS3Bucket:
     Type: AWS::S3::Bucket
     DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Properties:
       BucketEncryption:
         ServerSideEncryptionConfiguration:

diff --git a/src/template.yml b/src/template.yml
@@ -145,6 +145,8 @@ Resources:
         ADFVersion: !FindInMap ['Metadata', 'ADF', 'Version']
         OrganizationID: !GetAtt Organization.OrganizationId
         CrossAccountAccessRoleName: !Ref CrossAccountAccessRoleName
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
   LambdaLayerVersion:
     Type: "AWS::Serverless::LayerVersion"
     Properties:
@@ -471,12 +473,12 @@ Resources:
             Resource:
               - !GetAtt "BootstrapTemplatesBucket.Arn"
               - !Sub "${BootstrapTemplatesBucket.Arn}/*"
-              - !GetAtt BootstrapArtifactStorageBucket.Arn
+              - !GetAtt "BootstrapArtifactStorageBucket.Arn"
               - !Sub "${BootstrapArtifactStorageBucket.Arn}/*"
               - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}"
               - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}/*"
-              - !Sub "arn:aws:s3:::${AccountProcessingApplication.Outputs.Bucket}"
-              - !Sub "arn:aws:s3:::${AccountProcessingApplication.Outputs.Bucket}/*"
+              - !Sub "arn:${AWS::Partition}:s3:::${AccountProcessingApplication.Outputs.Bucket}"
+              - !Sub "arn:${AWS::Partition}:s3:::${AccountProcessingApplication.Outputs.Bucket}/*"
           - Effect: "Allow"
             Action:
               - "codebuild:*"