catch common resource schema issues in cfn validate

[PatMyron]

resource types with LIST API options like MaxResults, NextToken, Filters, etc as properties of the resource itself:
aws-cloudformation/aws-cloudformation-resource-providers-licensemanager#3
aws-cloudformation/aws-cloudformation-resource-providers-iotwireless#3
aws-cloudformation/aws-cloudformation-resource-providers-ssm#75

botocore $ grep -h 'input_token' botocore/data/*/*/paginators-1.json | tr '[:upper:]' '[:lower:]' | sort | uniq -ic | sort -nr | head
1147       "input_token": "nexttoken",
 328       "input_token": "marker",
  40       "input_token": "pagetoken",
  18       "input_token": "position",
  16       "input_token": "nextmarker",
   7       "input_token": "nextpagetoken",
   5       "input_token": "paginationtoken",

botocore $ grep -h 'output_token' botocore/data/*/*/paginators-1.json | tr '[:upper:]' '[:lower:]' | sort | uniq -ic | sort -nr | head
1147       "output_token": "nexttoken",
 199       "output_token": "marker",
  57       "output_token": "nextmarker",
  45       "output_token": "nextpagetoken",

botocore $ grep -h 'limit_key' botocore/data/*/*/paginators-1.json | tr '[:upper:]' '[:lower:]' | sort | uniq -ic | sort -nr | head
 931       "limit_key": "maxresults",
 159       "limit_key": "maxrecords",
 144       "limit_key": "limit",
 129       "limit_key": "maxitems",
  42       "limit_key": "pagesize",

---

readOnlyProperties overlapping with writeOnlyProperties or createOnlyProperties or required:
aws-cloudformation/aws-cloudformation-resource-providers-auditmanager#2
aws-cloudformation/aws-cloudformation-resource-providers-codeartifact#38
AWS::Events::Archive.ArchiveName
#668

---

wildcards in handler permissions:
CloudformationSchemas $ grep 'permissions.*\*' *
aws-cloudformation/aws-cloudformation-resource-providers-greengrassv2#4
aws-cloudformation/aws-cloudformation-resource-providers-imagebuilder@55fa9bf#r46035310
AWS::ApiGateway::DomainName
AWS::ServiceCatalog::CloudFormationProvisionedProduct

---

TODO in future PRs:

• invalid regular expression patterns
• non-ASCII resource schema characters
• hardcoded aws partition
• incorrect min/max constraints
• inconsistent property casing
• hardcoding constantly evolving enums like instance types, lambda runtimes, partitions, regions, availability zones, etc. that get outdated quickly
• insertionOrder not specified correctly for array (default value for insertionOrder is true cloudformation-resource-schema#47 (comment))
• taggable not specified correctly (Adding taggable support in schema cloudformation-resource-schema#105 (comment))
• Add runtime schema validation for things that can't be checked by JSONSchema cloudformation-resource-schema#17
• missing type of properties
• both inline and referenced definitions: CloudformationSchemas $ grep -C 1 '$ref' * | grep '"type"'
• nested property definitions that can't be properly backported to the Resource Specification yet
• resource semantic syntax for nested property lists / definitions / empty lists
• unrecognized IAM actions according to cfn-lint --include-experimental

  • Resources:
    ManagedPolicy:
      Type: AWS::IAM::ManagedPolicy
      Properties:
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Resource: '*'
              Action:

  • Add Stackset Resource aws-cloudformation-resource-providers-cloudformation#6 (comment)
  • https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-gamelift/pull/4#discussion_r408507305
  • https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-gamelift/pull/4#discussion_r408502268
  • https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-gamelift/pull/6#discussion_r416136301
  • Add KmsKeyId to LogGroup aws-cloudformation-resource-providers-logs#27 (comment)
  • https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudwatch/pull/2#discussion_r564125756
  • Add Redshift parameter group handlers aws-cloudformation-resource-providers-redshift#10 (comment)
  • Add APIs to schema and Exception Handling aws-cloudformation-resource-providers-redshift#20 (comment)
  • Support Athena DataCatalog aws-cloudformation-resource-providers-athena#16
  • Onboard AWS Glue DataBrew Resources to CloudFormation. aws-cloudformation-resource-providers-databrew#2 (comment)
  • Implemented CREATE,READ,LIST,DELETE cloudformation actions. Added bas… aws-cloudformation-resource-providers-synthetics#2
  • add sagemaker resource types aws-cloudformation-resource-providers-sagemaker#2 (comment)
  • https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-servicecatalog-appregistry/pull/3/#discussion_r571499802
  • aws-cloudformation/aws-cloudformation-resource-providers-imagebuilder@55fa9bf#r46832819

---

how to run new validations on all existing resource provider schemas

---

Inspired by https://github.com/hashicorp/terraform-provider-aws/tree/main/providerlint

[iann0036]

I've also seen Marker, ClientToken and StatusReason all as problematic properties that are clearly not assignable.

[PatMyron]

@iann0036 thanks for the heads up, I'll look into these tomorrow:
AWS::EFS::AccessPoint.ClientToken
AWS::LicenseManager::License.ClientToken
AWS::LicenseManager::Grant.ClientToken
AWS::LicenseManager::Grant.StatusReason

AWS::XRay::SamplingRule.SamplingRuleRecord.CreatedAt/ModifiedAt

[PatMyron]

was easy to track down LIST API option synonyms using paginators, but left those open while we try to find a way to track down all their synonyms too

[omkhegde]

Is it possible for users to successfully submit their resources when these warning are logged? If yes, should we throw an exception and stop them from submitting?

[PatMyron]

Is it possible for users to successfully submit their resources when these warning are logged?

As it's currently written, yes

If yes, should we throw an exception and stop them from submitting?

I've also been debating this. We should have enforced some of these from the start, but it's trickier now to suddenly introduce backwards incompatible breaking changes

[omkhegde]

I think we should do it, maybe with a major version bump and a release announcement that the changes are backward incompatible. Users can stick with a specific version until they are ready to upgrade.

[johnttompkins]

i think this is something we can introduce in the future, but i think these warnings are still valuable for customers to see before upgrading. usually with some backwards incompatible change there's a period of warning about an upcoming change in behavior, then a flip of some kind. we can use this as an opportunity to introduce the warnings then remove the functionality at a later date

[wbingli]

I agree NOT to introduce backward incompatible change as because there are some resources have it's special cases which it will break them.

Warning is good at this point to alert.

[johnttompkins]

any unit tests for these checks? i see the example schemas was curious if they are used by our test suite

[PatMyron]

any unit tests for these checks? i see the example schemas was curious if they are used by our test suite

Yup, these new code branches hit by adding those schemas:

cloudformation-cli/.coveragerc

Line 6 in c542ea9

fail_under = 100

[johnttompkins]

Would like to see some additional logging to aid customers in finding issues in schema rather than catch all log messages. Would be good to log which properties trip the checks

[wbingli]

I agree NOT to introduce backward incompatible change as because there are some resources have it's special cases which it will break them.

Warning is good at this point to alert.

[iann0036]

Saw CallerReference recently, which could be good for the list