
Cloudfront DistribConfig - ARN validation failure on intrinsic functions

Open willgarcia opened this issue 6 years ago • 4 comments

First of all, thanks for this tool 👍

The following template:

Description: TEST
Parameters:
  ACMCertificateARN:
    Description: ARN for certificate to be used by CloudFront
    Type: String

Resources:
  DistributionConfig:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        ViewerCertificate:
          AcmCertificateArn: !Ref ACMCertificateARN

fails to validate:

0 warn
1 crit
Resource: Resources > DistributionConfig > Properties > DistributionConfig > ViewerCertificate > AcmCertificateArn
Message: Expecting an ARN, got 'string_input_ACMCertificateARN'
Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html

Template invalid!

And replacing the Ref function that references a template parameter (AcmCertificateArn: !Ref ACMCertificateARN) with a string works.

At this stage, I'm unsure of the cause of this validation failure. I suspect that the validator.isArn function is expecting a string starting with arn:aws as per https://github.com/martysweet/cfn-lint/blob/2e2a767d31b2b5bb7a529c43d6c32878f57443f1/src/validator.ts#L1436.

willgarcia avatar Apr 20 '18 09:04 willgarcia

Hi @willgarcia,

Thanks! You should be able to define a simple ARN on the CLI with --parameters ACMCertificateARN="arn:aws:something:something:something".

As cfn-lint attempts to find all errors, if a parameter isn't given, the system will guess. In the case of empty parameters, it will be type_input_ParameterName as you have seen.

If a parameter default is given, cfn-lint will use this value by default.

Hope this helps!

martysweet avatar Apr 21 '18 17:04 martysweet

I ran into this too. Please consider changing the error message so that it's more clear what the appropriate response is (either use --params or --no-guess-params)

alexjurkiewicz avatar Jun 04 '18 06:06 alexjurkiewicz
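The two comments above describe the mechanism (an unset parameter is replaced by a guessed placeholder, which then fails the ARN check) and ask for a message that says so. The sketch below is an example added to this page, not cfn-lint's code or anything posted in the thread. Every function name, the prefix-only ARN test and the `guess` switch are assumptions made for illustration.

```typescript
// Added illustration; not cfn-lint's source. All names below are hypothetical.
interface ParamDef { Type: string; Default?: string }
interface Resolved { value: string | null; source: "cli" | "default" | "guessed" | "missing" }
interface Finding { param: string; guessed: boolean; message: string }

// Precedence described in the thread: a value given on the CLI, then the
// template Default, then a guessed placeholder. The placeholder shape follows the
// page's 'string_input_ACMCertificateARN'; other types are assumed to follow suit.
function resolveParam(name: string, def: ParamDef, cli: { [k: string]: string }, guess: boolean): Resolved {
  const fromCli = cli[name];
  if (fromCli !== undefined) return { value: fromCli, source: "cli" };
  if (def.Default !== undefined) return { value: def.Default, source: "default" };
  if (guess) return { value: def.Type.toLowerCase() + "_input_" + name, source: "guessed" };
  return { value: null, source: "missing" };
}

// Assumption: the ARN check is a prefix test, as the issue author suspects.
function looksLikeArn(v: string): boolean {
  return /^arn:aws/.test(v);
}

// Check an ARN-typed property fed by `!Ref <name>` and report where the value came from.
function checkArnRef(name: string, def: ParamDef, cli: { [k: string]: string }, guess: boolean): Finding | null {
  const r = resolveParam(name, def, cli, guess);
  if (r.value === null) {
    return { param: name, guessed: false, message: "Parameter " + name + " has no value and no Default; supply one" };
  }
  if (looksLikeArn(r.value)) return null;
  if (r.source === "guessed") {
    return { param: name, guessed: true,
      message: "Expecting an ARN, got '" + r.value + "', a placeholder guessed for unset parameter " + name };
  }
  return { param: name, guessed: false, message: "Expecting an ARN, got '" + r.value + "' (from " + r.source + ")" };
}

// Constructed sample mirroring the template in the issue.
const acmParam: ParamDef = { Type: "String" };
const sampleArn = "arn:aws:something:something:something"; // value quoted in the maintainer's reply
console.log(checkArnRef("ACMCertificateARN", acmParam, {}, true));
console.log(checkArnRef("ACMCertificateARN", acmParam, { ACMCertificateARN: sampleArn }, true));
```

Keeping the `guessed` flag on the finding lets a CI job tell a placeholder artefact apart from a genuinely malformed ARN supplied by a Default or on the command line.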

I tried some variations, but I wasn't able to apply the workaround with the API (where's the --no-guess-params option in ValidationOptions?). Reverted to pre-guessing version :(

fhewitt avatar Nov 16 '18 21:11 fhewitt

@fhewitt, can you confirm cfn-lint works properly using the CLI, just the API does not allow the no guessing option to be set?

https://github.com/martysweet/cfn-lint/blob/master/src/api.ts#L3-L16

martysweet avatar Nov 20 '18 07:11 martysweet