-
Notifications
You must be signed in to change notification settings - Fork 16
/
cfn-lint.aws.txt
366 lines (288 loc) · 19.9 KB
/
cfn-lint.aws.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
CFN-LINT
ALTERNATIVES ==> #See cfn-guard
VERSION ==> #0.83.5
/=+===============================+=\
/ : : \
)==: MAIN :==(
\ :_______________________________: /
\=+===============================+=/
cfn-lint #Lint AWS CloudFormation TEMPLATE file
#CLI. Python, installed with pip|docker
cfn-lint-visual-studio-code #VSCode plugin linting CloudFormation TEMPLATEs
#Must install cfn-lint. For graphs, must also install pydot
#Plugins for other IDEs also available
#Version 0.25.1
cscottbrenner/fn-lint-action@v2 #GitHub action downloading cfn-lint
#Version 2.3.7
INPUTS.version #STR. cfn-lint's version (def: latest)
INPUTS.python #STR. Python version (def: 'python' on Windows, 'python3' on Unix)
INPUTS.command #STR. Shell command to run, typically `cfn-lint ...`
CONF #One of (in priority order):
# - CLI flags
# - TEMPLATE|RESOURCE.Metadata.cfn-lint.config
# - ./.cfnlintrc[.y[a]ml]
# - ~/.cfnlintrc
#Same syntax as CLI flags, but snake_case, and some properties pluralized (templates|configure_rules|...)
/=+===============================+=\
/ : : \
)==: CONFIG :==(
\ :_______________________________: /
\=+===============================+=/
--template|-t TEMPLATE... #Can be - (stdin)
--ignore-templates TEMPLATE... #Exclude those
--include-checks|-c STR... #Include rules which RULE_ID that start with STR
--ignore-checks|-i STR... #Def: W* and E* but not I*
--mandatory-checks|-m #Ignore TEMPLATE|RESOURCE.Metadata.cfn-lint.config.ignore_checks
--include-experimental|-e #Include experimental rules
--configure-rule|-x
RULE_ID:RVAR=VAL... #Pass configuration to rules
--list-rules|-l #List all rules
--append-rules|-a DIR... #Add advanced custom rules
#Must be written in Python, i.e. not documented yet
--custom-rules|-z PATH.txt... #Add simple custom rules
#Each line has space-separated fields:
# - RESTYPE
# - RESPROP_VARR (dot-delimited)
# - one of:
# - [NOT_]EQUALS (or ==|!=)
# - [NOT_]IN
# - IS: VAL is "[NOT_]DEFINED", i.e. [not] undefined
# - >= > < <=
# - REGEX_MATCH
# - VAL
# - INFO|WARN|ERROR (def: ERROR)
# - "ERROR_MESSAGE" (def: none)
#Can "-quote spaces
#Can use #COMMENT
#RULE_ID is I9xxx|W9xxx|E9xxx where xxx is line number
--ignore-bad-template|-b #Ignore syntax errors in TEMPLATE
--update-specs|-u #Autofix TEMPLATE
EXIT CODE ==> #Or'd flag: 2 (error, E* rules), 4 (warning, W* rules), 8 (info, I* rules)
--non-zero-exit-code STR #One of:
# - informational (def): 0 for success
# - warning: 0 for success|info
# - error: 0 for success|info|warning
# - none: always 0, except syntax error
--format|-f #Output format among: quiet, parseable, json, junit, pretty (def), sarif
--info|-i #Debug logging
--debug|-D #Verbose debug logging
--build-graph|-g PATH #Output RESOURCE dependencies in DOT format
--regions|-r REGION... #Use TEMPLATE CloudFormation SPEC for those specific REGIONs
--override-spec|-o FILE #Merged to TEMPLATE CloudFormation SPEC. Can also specify:
# - SPEC.Include|ExcludeResourceTypes 'RESTYPE'_ARR (can use *)
--registry-schemas|-s DIR... #DIR with SCHEMA.json of resource ETYPEs
/=+===============================+=\
/ : : \
)==: RULES SYNTAX :==(
\ :_______________________________: /
\=+===============================+=/
E0000 #JSON|YAML syntax error
E0001 #Macro syntax error
E0002 #Linting rule bug
E1001 #Only known TEMPLATE.PROP (can add custom RPROP sections 'PROP')
#Required TEMPLATE.Resources
#Valid TEMPLATE.AWSTemplateFormatVersion|Transform
E1002 #Max 1MB TEMPLATE
I1002 #Max 900KB TEMPLATE
E1003 #Max 1KB TEMPLATE.Description
I1003 #Max 900b TEMPLATE.Description
E1004 #TEMPLATE.Description is STR
E1012 #!Ref target exist
E1020 #!Ref argument is STR
E1026 #No !Ref inside TEMPLATE.Conditions
E1010 #Valid !GetAtt arguments
W1001 #!Ref and !GetAtt target exist, when using CONDs
E1011 #Valid !FindInMap arguments
W1011 #!FindInMap keys exist
E1015 #Valid !GetAz arguments
E1016 #Valid !ImportValue arguments
E1017 #Valid !Select arguments
E1018 #Valid !Split arguments
E1019 #Valid !Sub arguments
W1019 #Required !Sub arguments
W1020 #!Sub arguments are not only static STRs
E1029 #!Sub is used if STR contains ${VAR}
#Can ignore RPROP custom_excludes 'REGEXP'
E1022 #Valid !Join arguments
I1022 #Prefer !Sub over !Join with '' delimiter
E1021 #Valid !Base64 arguments
E1023 #!Not argument is ARR
E1024 #Valid !Cidr arguments
E1028 #Valid !If arguments
E1030 #Valid !Length arguments
E1031 #Valid !ToJsonString arguments
E1032 #Valid !ForEach arguments
E1027 #{{resolve:...}} only used in supported places
E2001 #PARAM syntax error
W2001 #PARAMs that are defined are used
E2002 #Used PARAMs have correct type
E2003 #Valid PARAM names
E2010 #Max 200 PARAMs
I2010 #Max 180 PARAMs
E2011 #PARAM name max 255 chars
I2011 #PARAM name max 230 chars
E2012 #PARAM value max 1KB
I2012 #PARAM value max 900b
E2014 #PARAM default value does not use !Ref
E2015 #PARAM default value satisfies constraints
W2030 #PARAM value satisfies AllowedValues
W2031 #PARAM value satisfies AllowedPattern
W2501 #PARAM 'Password' should use NoEcho and {{resolve:...}}
E3001 #Valid RESOURCE usage
E3010 #Max 500 RESOURCEs
I3010 #Max 450 RESOURCEs
E3006 #Valid RESOURCE name
E3007 #No duplicate RESOURCE|PARAM name
E3011 #RESOURCE name max 255 chars
I3012 #RESOURCE name max 230 chars
E3005 #Valid RESOURCE.DependsOn
W3005 #Redundant RESOURCE.DependsOn due to using { Ref|GetAtt }
E3016 #Valid RESOURCE.UpdatePolicy
E3035 #Valid RESOURCE.DeletionPolicy
E3036 #Valid RESOURCE.UpdateReplacePolicy
W3011 #When using RESOURCE.DeletionPolicy, use UpdateReplacePolicy too
I3011 #Requires RESOURCE.UpdateReplacePolicy|DeletionPolicy for stateful RESOURCEs
E3502 #JSON value too large
I3042 #Built-in PARAMs (AWS::*) should be correctly placed inside ARNs
#Can set RPROP partition BOOL (def: true), region BOOL (def: false), accountId BOOL (def: false)
E3043 #Valid PARAMs in a nested STACK
E3038 #AWS::Serverless TRANSFORM declared when using AWS::Serverless::* RESTYPEs
E3000 #Valid resource ETYPE's ESCHEMA
E3004 #No !RFUNC cycles in RESPROPs
E3008 #Valid !Ref|!GetAtt target when it is a RESPROP
W3010 #Use !GetAZs when needed
W3002 #If RESPROPs is S3 URL, should use `aws cloudformation package`
E4001 #Valid TEMPLATE.Metadata['AWS::CloudFormation::Interface']
W4001 #Required TEMPLATE.Metadata['AWS::CloudFormation::Interface']
E4002 #TEMPLATE.Metadata is OBJ and no null values
W4002 #TEMPLATE.Metadata does not contain PARAMs which have NoEcho true
E5001 #Valid MODULEs
E6001 #Valid TEMPLATE.Outputs
W6001 #Valid !ImportValue
E6002 #Required OUTPUT.Value
E6003 #OUTPUT.Value is STR
E6004 #Valid OUTPUT name
E6011 #OUTPUT name max 255 chars
I6011 #OUTPUT name max 230 chars
E6005 #OUTPUT.Description is STR
E6012 #OUTPUT.Description max 1KB
I6012 #OUTPUT.Description max 900b
E6010 #Max 200 OUTPUTs
I6010 #Max 180 OUTPUTs
E7001 #Valid TEMPLATE.Mappings
W7001 #No unused TEMPLATE.Mappings.FILTER
E7002 #Valid TEMPLATE.Mappings FILTER names
E7003 #Valid TEMPLATE.Mappings VAR names
E7010 #Max 200 FILTERs per TEMPLATE
I7010 #Max 180 FILTERs per TEMPLATE
E7011 #FILTER name max 255 chars
I7011 #FILTER name max 230 chars
E7012 #Max 200 VARs per FILTER
I7012 #Max 180 VARs per FILTER
E8001 #Valid TEMPLATE.Conditions
W8001 #No unused TEMPLATE.Conditions.COND
E8002 #No { Condition: COND } without TEMPLATE.Conditions.COND
E8003 #Valid !Equals
W8003 #!Equals returns BOOL
E8004 #Valid !And
E8005 #Valid !Not
E8006 #Valid !Or
/=+===============================+=\
/ : : \
)==: RULES SPECIFICATION :==(
\ :_______________________________: /
\=+===============================+=/
E2520 #Mutually exclusive RESPROPs not used together
E2521 #Mutually required RESPROPs used together
E2522 #RESPROPs that require at least one of multiple other RESPROPs
E2523 #RESPROPs that require exactly one of multiple other RESPROPs
E3002 #Valid RESPROPs
E3003 #Required RESPROPs
E3012 #Valid RESPROPs types, if primitive
#Warning unless RPROP strict true
E3030 #Valid RESPROP according to its AllowedValue constraint
E3031 #Valid RESPROP according to its REGEXP constraint
#Can set RPROP exceptions 'REGEXP'_ARR
E3032 #Valid RESPROP according to its min|max ARR length
E3033 #Valid RESPROP according to its min|max STR length
E3034 #Valid RESPROP according to its min|max NUM
E3037 #No duplicate ARR items, in RESPROPs that do not allow them
I3037 #No duplicate ARR items, in RESPROPs that do allow them
E3017 #Required RESPROP due to another RESPROP having a specific value
E3018 #Redundant RESPROP due to another RESPROP having a specific value
/=+===============================+=\
/ : : \
)==: RULES SERVICES :==(
\ :_______________________________: /
\=+===============================+=/
SERVICE-SPECIFIC RULES ==> #Are documented in their own SERVICEs
EC2 ==> #
W2506 #EC2 Image.Id RESTYPE is AWS::EC2::Image::Id or AWS::SSM::Parameter::ValueAWS::EC2::Image::Id
E2506 #Valid EC2 SecurityGroup.Ingress
I3100 #No deprecated EC2|RDS|ElasticCache|ElasticSearch instance types
EBS ==> #
E2504 #Valid EBS
ELB ==> #
E2503 #Valid ELB
VPC ==> #
E3022 #Max 1 SubnetRouteTableAssociation per Subnet
ECS ==> #
E3042 #Require >=1 essential ECS container
FARGATE ==> #
E3044 #Fargate scheduling strategy must be 'REPLICA'
CLOUDFRONT ==> #
E3013 #Valid domain names with CloudFront Alias
ROUTE53 ==> #
E3020 #Valid Route53 RecordSets
E3041 #Route53 RecordSet.HostedZoneName is a superdomain of RecordSet.Name
SQS ==> #
I3013 #Requires setting retention period for RESOURCEs that have one (e.g. SQS Queue.MessageRetentionPeriod)
STEP FUNCTIONS ==> #
E2532 #Valid Step Functions StateMachine
CLOUDWATCH EVENTS ==> #
E3021 #Max 5 CloudWatch Events Rule Targets
EVENTBRIDGE ==> #
E3027 #Valid EventBridge Rule.ScheduleExpression
RDS ==> #
E3025 #Valid RDS instance type for a given engine
ELASTICACHE ==> #
E3026 #ElastiCache uses automatic failover if cluster mode enabled
DYNAMODB ==> #
E3039 #DynamoDB AttributeDefinitions match the KeySchemas
CODEBUILD ==> #
E3050 #When CodeBuild Project uses !Ref to a STS ServiceRole, path must be /
CODEPIPELINE ==> #
E2540 #Valid CodePipeline Stages
E2541 #Valid CodePipeline Stage Actions
BACKUP ==> #
E3504 #AWS Backup Plan LifecycleRule period between cold and delete is >= 90d
ACM ==> #
E3503 #Certificate manager ValidationDomain is superdomain of DomainName
/=+===============================+=\
/ : : \
)==: SERVERLESS-RULES :==(
\ :_______________________________: /
\=+===============================+=/
cfn-lint-serverless #Additional rules, added with --append-rules. Must be installed with pip
#Also called "serverless-rules"
#Can also be used with tflint, i.e. to check Terraform files
# - the longer names below are for tflint
SNS ==> #
aws_sns_
topic_subscription_redrive_policy
ES7000 #SUBSCRIPTION.RedrivePolicy must be set
SQS ==> #
aws_sqs_queue_redrive_policy
ES6000 #QUEUE.RedrivePolicy must be set
STEP FUNCTIONS ==> #
aws_sfn_state_machine_tracing
WS5000 #STATE_MACHINE.TracingConfiguration.Enabled must be true
EVENTBRIDGE ==> #
aws_cloudwatch_event_target_no_dlq
ES4000 #RULE.Targets[*].DeadLetterConfig must be set
APPSYNC ==> #
aws_appsync_
graphql_api_tracing_rule
WS3000 #GRAPHQL_API.XrayEnabled must be true