Skip to content

Commit 56e6be1

Browse files
kddejongkddejong
committed
Tighten SAM Ref/GetAtt validation using CFN schema primaryIdentifier and readOnlyProperties
Remove blanket permissive GetAtt for all AWS::Serverless:: types. SAM types with CFN mappings now use the mapped type's readOnlyProperties for GetAtt validation and primaryIdentifier for Ref validation. Connector correctly errors on GetAtt since it has no primary resource.
1 parent bd34b32 commit 56e6be1

59 files changed

Lines changed: 556 additions & 473 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

docs/sam-schema-gaps.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,4 +54,5 @@ These SAM types don't have a clear 1:1 primary CFN resource mapping:
5454

5555
- `AWS::Serverless::Connector` — Generates IAM policies, no primary resource
5656

57-
GetAtt for these types remains permissive (accepts any attribute).
57+
GetAtt/Ref for Connector will error since it has no `readOnlyProperties` or
58+
`primaryIdentifier`. This is correct — you'd never `!Ref` or `!GetAtt` a Connector.

scripts/update_sam_schemas.py

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -276,7 +276,7 @@ def build_resource_schema(
276276
"properties": properties_schema.get("properties", {}),
277277
}
278278

279-
# Copy readOnlyProperties from the underlying CFN type
279+
# Copy readOnlyProperties and primaryIdentifier from the underlying CFN type
280280
cfn_type = SAM_TO_CFN_TYPE.get(module_name)
281281
if cfn_type:
282282
try:
@@ -285,6 +285,9 @@ def build_resource_schema(
285285
cfn_schema = PROVIDER_SCHEMA_MANAGER.get_resource_schema(
286286
"us-east-1", cfn_type
287287
)
288+
pi = cfn_schema.schema.get("primaryIdentifier", [])
289+
if pi:
290+
schema["primaryIdentifier"] = pi
288291
ro_props = cfn_schema.schema.get("readOnlyProperties", [])
289292
if ro_props:
290293
schema["readOnlyProperties"] = ro_props

src/cfnlint/data/schemas/providers/af_south_1.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -926,17 +926,17 @@
926926
"AWS::SecurityHub::ProductSubscription": "a6a7b09a786ba544",
927927
"AWS::SecurityHub::SecurityControl": "062ab72de4bbcd1d",
928928
"AWS::SecurityHub::Standard": "a9a57a7527f5aff5",
929-
"AWS::Serverless::Api": "234f60c06f473450",
930-
"AWS::Serverless::Application": "7d1c95a8b2f01e07",
931-
"AWS::Serverless::CapacityProvider": "d3e92d066f69a0ff",
929+
"AWS::Serverless::Api": "e6affacebe8b0c55",
930+
"AWS::Serverless::Application": "f7ac4b0ebba84f8b",
931+
"AWS::Serverless::CapacityProvider": "9642a84515d09fb5",
932932
"AWS::Serverless::Connector": "4bdbe0eeeeb859e5",
933-
"AWS::Serverless::Function": "b6d9353bf9544213",
934-
"AWS::Serverless::GraphQLApi": "dc4b31b5ee945bbc",
935-
"AWS::Serverless::HttpApi": "db28952063f3fb37",
936-
"AWS::Serverless::LayerVersion": "54a05d5150f92d6f",
937-
"AWS::Serverless::SimpleTable": "274556bcca91c9c4",
938-
"AWS::Serverless::StateMachine": "30679ac19f760f8c",
939-
"AWS::Serverless::WebSocketApi": "8ef912f4a2e5f4b1",
933+
"AWS::Serverless::Function": "554cec6192159770",
934+
"AWS::Serverless::GraphQLApi": "2d654013ac11af44",
935+
"AWS::Serverless::HttpApi": "9aebe136ff9b8f6d",
936+
"AWS::Serverless::LayerVersion": "e6e17ee142ff4fb5",
937+
"AWS::Serverless::SimpleTable": "318018ba3be5fbfc",
938+
"AWS::Serverless::StateMachine": "cbe043b60e78821e",
939+
"AWS::Serverless::WebSocketApi": "81e13008dbf1beb7",
940940
"AWS::ServiceCatalog::AcceptedPortfolioShare": "77373a56c0c4bd28",
941941
"AWS::ServiceCatalog::CloudFormationProduct": "662186534ff8e643",
942942
"AWS::ServiceCatalog::CloudFormationProvisionedProduct": "448a377417beb2e5",

src/cfnlint/data/schemas/providers/ap_east_1.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -885,17 +885,17 @@
885885
"AWS::SecurityHub::ProductSubscription": "a6a7b09a786ba544",
886886
"AWS::SecurityHub::SecurityControl": "062ab72de4bbcd1d",
887887
"AWS::SecurityHub::Standard": "a9a57a7527f5aff5",
888-
"AWS::Serverless::Api": "234f60c06f473450",
889-
"AWS::Serverless::Application": "7d1c95a8b2f01e07",
890-
"AWS::Serverless::CapacityProvider": "d3e92d066f69a0ff",
888+
"AWS::Serverless::Api": "e6affacebe8b0c55",
889+
"AWS::Serverless::Application": "f7ac4b0ebba84f8b",
890+
"AWS::Serverless::CapacityProvider": "9642a84515d09fb5",
891891
"AWS::Serverless::Connector": "4bdbe0eeeeb859e5",
892-
"AWS::Serverless::Function": "b6d9353bf9544213",
893-
"AWS::Serverless::GraphQLApi": "dc4b31b5ee945bbc",
894-
"AWS::Serverless::HttpApi": "db28952063f3fb37",
895-
"AWS::Serverless::LayerVersion": "54a05d5150f92d6f",
896-
"AWS::Serverless::SimpleTable": "274556bcca91c9c4",
897-
"AWS::Serverless::StateMachine": "30679ac19f760f8c",
898-
"AWS::Serverless::WebSocketApi": "8ef912f4a2e5f4b1",
892+
"AWS::Serverless::Function": "554cec6192159770",
893+
"AWS::Serverless::GraphQLApi": "2d654013ac11af44",
894+
"AWS::Serverless::HttpApi": "9aebe136ff9b8f6d",
895+
"AWS::Serverless::LayerVersion": "e6e17ee142ff4fb5",
896+
"AWS::Serverless::SimpleTable": "318018ba3be5fbfc",
897+
"AWS::Serverless::StateMachine": "cbe043b60e78821e",
898+
"AWS::Serverless::WebSocketApi": "81e13008dbf1beb7",
899899
"AWS::ServiceCatalog::AcceptedPortfolioShare": "77373a56c0c4bd28",
900900
"AWS::ServiceCatalog::CloudFormationProduct": "662186534ff8e643",
901901
"AWS::ServiceCatalog::CloudFormationProvisionedProduct": "448a377417beb2e5",

src/cfnlint/data/schemas/providers/ap_east_2.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -630,17 +630,17 @@
630630
"AWS::SecurityHub::ProductSubscription": "a6a7b09a786ba544",
631631
"AWS::SecurityHub::SecurityControl": "062ab72de4bbcd1d",
632632
"AWS::SecurityHub::Standard": "a9a57a7527f5aff5",
633-
"AWS::Serverless::Api": "234f60c06f473450",
634-
"AWS::Serverless::Application": "7d1c95a8b2f01e07",
635-
"AWS::Serverless::CapacityProvider": "d3e92d066f69a0ff",
633+
"AWS::Serverless::Api": "e6affacebe8b0c55",
634+
"AWS::Serverless::Application": "f7ac4b0ebba84f8b",
635+
"AWS::Serverless::CapacityProvider": "9642a84515d09fb5",
636636
"AWS::Serverless::Connector": "4bdbe0eeeeb859e5",
637-
"AWS::Serverless::Function": "b6d9353bf9544213",
638-
"AWS::Serverless::GraphQLApi": "dc4b31b5ee945bbc",
639-
"AWS::Serverless::HttpApi": "db28952063f3fb37",
640-
"AWS::Serverless::LayerVersion": "54a05d5150f92d6f",
641-
"AWS::Serverless::SimpleTable": "274556bcca91c9c4",
642-
"AWS::Serverless::StateMachine": "30679ac19f760f8c",
643-
"AWS::Serverless::WebSocketApi": "8ef912f4a2e5f4b1",
637+
"AWS::Serverless::Function": "554cec6192159770",
638+
"AWS::Serverless::GraphQLApi": "2d654013ac11af44",
639+
"AWS::Serverless::HttpApi": "9aebe136ff9b8f6d",
640+
"AWS::Serverless::LayerVersion": "e6e17ee142ff4fb5",
641+
"AWS::Serverless::SimpleTable": "318018ba3be5fbfc",
642+
"AWS::Serverless::StateMachine": "cbe043b60e78821e",
643+
"AWS::Serverless::WebSocketApi": "81e13008dbf1beb7",
644644
"AWS::ServiceDiscovery::HttpNamespace": "986cb51cac464fe8",
645645
"AWS::ServiceDiscovery::Instance": "b4227e1dfa14a394",
646646
"AWS::ServiceDiscovery::PrivateDnsNamespace": "d78a2213969ef282",

src/cfnlint/data/schemas/providers/ap_northeast_1.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1360,17 +1360,17 @@
13601360
"AWS::SecurityLake::DataLake": "3b4f02ea01647d04",
13611361
"AWS::SecurityLake::Subscriber": "d19c32e17f36619f",
13621362
"AWS::SecurityLake::SubscriberNotification": "ef5a3a84d2557a3e",
1363-
"AWS::Serverless::Api": "234f60c06f473450",
1364-
"AWS::Serverless::Application": "7d1c95a8b2f01e07",
1365-
"AWS::Serverless::CapacityProvider": "d3e92d066f69a0ff",
1363+
"AWS::Serverless::Api": "e6affacebe8b0c55",
1364+
"AWS::Serverless::Application": "f7ac4b0ebba84f8b",
1365+
"AWS::Serverless::CapacityProvider": "9642a84515d09fb5",
13661366
"AWS::Serverless::Connector": "4bdbe0eeeeb859e5",
1367-
"AWS::Serverless::Function": "b6d9353bf9544213",
1368-
"AWS::Serverless::GraphQLApi": "dc4b31b5ee945bbc",
1369-
"AWS::Serverless::HttpApi": "db28952063f3fb37",
1370-
"AWS::Serverless::LayerVersion": "54a05d5150f92d6f",
1371-
"AWS::Serverless::SimpleTable": "274556bcca91c9c4",
1372-
"AWS::Serverless::StateMachine": "30679ac19f760f8c",
1373-
"AWS::Serverless::WebSocketApi": "8ef912f4a2e5f4b1",
1367+
"AWS::Serverless::Function": "554cec6192159770",
1368+
"AWS::Serverless::GraphQLApi": "2d654013ac11af44",
1369+
"AWS::Serverless::HttpApi": "9aebe136ff9b8f6d",
1370+
"AWS::Serverless::LayerVersion": "e6e17ee142ff4fb5",
1371+
"AWS::Serverless::SimpleTable": "318018ba3be5fbfc",
1372+
"AWS::Serverless::StateMachine": "cbe043b60e78821e",
1373+
"AWS::Serverless::WebSocketApi": "81e13008dbf1beb7",
13741374
"AWS::ServiceCatalog::AcceptedPortfolioShare": "aabf5162cee03316",
13751375
"AWS::ServiceCatalog::CloudFormationProduct": "662186534ff8e643",
13761376
"AWS::ServiceCatalog::CloudFormationProvisionedProduct": "448a377417beb2e5",

src/cfnlint/data/schemas/providers/ap_northeast_2.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1280,17 +1280,17 @@
12801280
"AWS::SecurityLake::DataLake": "3b4f02ea01647d04",
12811281
"AWS::SecurityLake::Subscriber": "d19c32e17f36619f",
12821282
"AWS::SecurityLake::SubscriberNotification": "ef5a3a84d2557a3e",
1283-
"AWS::Serverless::Api": "234f60c06f473450",
1284-
"AWS::Serverless::Application": "7d1c95a8b2f01e07",
1285-
"AWS::Serverless::CapacityProvider": "d3e92d066f69a0ff",
1283+
"AWS::Serverless::Api": "e6affacebe8b0c55",
1284+
"AWS::Serverless::Application": "f7ac4b0ebba84f8b",
1285+
"AWS::Serverless::CapacityProvider": "9642a84515d09fb5",
12861286
"AWS::Serverless::Connector": "4bdbe0eeeeb859e5",
1287-
"AWS::Serverless::Function": "b6d9353bf9544213",
1288-
"AWS::Serverless::GraphQLApi": "dc4b31b5ee945bbc",
1289-
"AWS::Serverless::HttpApi": "db28952063f3fb37",
1290-
"AWS::Serverless::LayerVersion": "54a05d5150f92d6f",
1291-
"AWS::Serverless::SimpleTable": "274556bcca91c9c4",
1292-
"AWS::Serverless::StateMachine": "30679ac19f760f8c",
1293-
"AWS::Serverless::WebSocketApi": "8ef912f4a2e5f4b1",
1287+
"AWS::Serverless::Function": "554cec6192159770",
1288+
"AWS::Serverless::GraphQLApi": "2d654013ac11af44",
1289+
"AWS::Serverless::HttpApi": "9aebe136ff9b8f6d",
1290+
"AWS::Serverless::LayerVersion": "e6e17ee142ff4fb5",
1291+
"AWS::Serverless::SimpleTable": "318018ba3be5fbfc",
1292+
"AWS::Serverless::StateMachine": "cbe043b60e78821e",
1293+
"AWS::Serverless::WebSocketApi": "81e13008dbf1beb7",
12941294
"AWS::ServiceCatalog::AcceptedPortfolioShare": "aabf5162cee03316",
12951295
"AWS::ServiceCatalog::CloudFormationProduct": "662186534ff8e643",
12961296
"AWS::ServiceCatalog::CloudFormationProvisionedProduct": "448a377417beb2e5",

src/cfnlint/data/schemas/providers/ap_northeast_3.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -952,17 +952,17 @@
952952
"AWS::SecurityLake::DataLake": "3b4f02ea01647d04",
953953
"AWS::SecurityLake::Subscriber": "d19c32e17f36619f",
954954
"AWS::SecurityLake::SubscriberNotification": "ef5a3a84d2557a3e",
955-
"AWS::Serverless::Api": "234f60c06f473450",
956-
"AWS::Serverless::Application": "7d1c95a8b2f01e07",
957-
"AWS::Serverless::CapacityProvider": "d3e92d066f69a0ff",
955+
"AWS::Serverless::Api": "e6affacebe8b0c55",
956+
"AWS::Serverless::Application": "f7ac4b0ebba84f8b",
957+
"AWS::Serverless::CapacityProvider": "9642a84515d09fb5",
958958
"AWS::Serverless::Connector": "4bdbe0eeeeb859e5",
959-
"AWS::Serverless::Function": "b6d9353bf9544213",
960-
"AWS::Serverless::GraphQLApi": "dc4b31b5ee945bbc",
961-
"AWS::Serverless::HttpApi": "db28952063f3fb37",
962-
"AWS::Serverless::LayerVersion": "54a05d5150f92d6f",
963-
"AWS::Serverless::SimpleTable": "274556bcca91c9c4",
964-
"AWS::Serverless::StateMachine": "30679ac19f760f8c",
965-
"AWS::Serverless::WebSocketApi": "8ef912f4a2e5f4b1",
959+
"AWS::Serverless::Function": "554cec6192159770",
960+
"AWS::Serverless::GraphQLApi": "2d654013ac11af44",
961+
"AWS::Serverless::HttpApi": "9aebe136ff9b8f6d",
962+
"AWS::Serverless::LayerVersion": "e6e17ee142ff4fb5",
963+
"AWS::Serverless::SimpleTable": "318018ba3be5fbfc",
964+
"AWS::Serverless::StateMachine": "cbe043b60e78821e",
965+
"AWS::Serverless::WebSocketApi": "81e13008dbf1beb7",
966966
"AWS::ServiceCatalog::AcceptedPortfolioShare": "77373a56c0c4bd28",
967967
"AWS::ServiceCatalog::CloudFormationProduct": "662186534ff8e643",
968968
"AWS::ServiceCatalog::CloudFormationProvisionedProduct": "448a377417beb2e5",

src/cfnlint/data/schemas/providers/ap_south_1.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1275,17 +1275,17 @@
12751275
"AWS::SecurityLake::DataLake": "3b4f02ea01647d04",
12761276
"AWS::SecurityLake::Subscriber": "d19c32e17f36619f",
12771277
"AWS::SecurityLake::SubscriberNotification": "ef5a3a84d2557a3e",
1278-
"AWS::Serverless::Api": "234f60c06f473450",
1279-
"AWS::Serverless::Application": "7d1c95a8b2f01e07",
1280-
"AWS::Serverless::CapacityProvider": "d3e92d066f69a0ff",
1278+
"AWS::Serverless::Api": "e6affacebe8b0c55",
1279+
"AWS::Serverless::Application": "f7ac4b0ebba84f8b",
1280+
"AWS::Serverless::CapacityProvider": "9642a84515d09fb5",
12811281
"AWS::Serverless::Connector": "4bdbe0eeeeb859e5",
1282-
"AWS::Serverless::Function": "b6d9353bf9544213",
1283-
"AWS::Serverless::GraphQLApi": "dc4b31b5ee945bbc",
1284-
"AWS::Serverless::HttpApi": "db28952063f3fb37",
1285-
"AWS::Serverless::LayerVersion": "54a05d5150f92d6f",
1286-
"AWS::Serverless::SimpleTable": "274556bcca91c9c4",
1287-
"AWS::Serverless::StateMachine": "30679ac19f760f8c",
1288-
"AWS::Serverless::WebSocketApi": "8ef912f4a2e5f4b1",
1282+
"AWS::Serverless::Function": "554cec6192159770",
1283+
"AWS::Serverless::GraphQLApi": "2d654013ac11af44",
1284+
"AWS::Serverless::HttpApi": "9aebe136ff9b8f6d",
1285+
"AWS::Serverless::LayerVersion": "e6e17ee142ff4fb5",
1286+
"AWS::Serverless::SimpleTable": "318018ba3be5fbfc",
1287+
"AWS::Serverless::StateMachine": "cbe043b60e78821e",
1288+
"AWS::Serverless::WebSocketApi": "81e13008dbf1beb7",
12891289
"AWS::ServiceCatalog::AcceptedPortfolioShare": "aabf5162cee03316",
12901290
"AWS::ServiceCatalog::CloudFormationProduct": "662186534ff8e643",
12911291
"AWS::ServiceCatalog::CloudFormationProvisionedProduct": "448a377417beb2e5",

src/cfnlint/data/schemas/providers/ap_south_2.py

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -795,17 +795,17 @@
795795
"AWS::SecurityHub::ProductSubscription": "a6a7b09a786ba544",
796796
"AWS::SecurityHub::SecurityControl": "062ab72de4bbcd1d",
797797
"AWS::SecurityHub::Standard": "a9a57a7527f5aff5",
798-
"AWS::Serverless::Api": "234f60c06f473450",
799-
"AWS::Serverless::Application": "7d1c95a8b2f01e07",
800-
"AWS::Serverless::CapacityProvider": "d3e92d066f69a0ff",
798+
"AWS::Serverless::Api": "e6affacebe8b0c55",
799+
"AWS::Serverless::Application": "f7ac4b0ebba84f8b",
800+
"AWS::Serverless::CapacityProvider": "9642a84515d09fb5",
801801
"AWS::Serverless::Connector": "4bdbe0eeeeb859e5",
802-
"AWS::Serverless::Function": "b6d9353bf9544213",
803-
"AWS::Serverless::GraphQLApi": "dc4b31b5ee945bbc",
804-
"AWS::Serverless::HttpApi": "db28952063f3fb37",
805-
"AWS::Serverless::LayerVersion": "54a05d5150f92d6f",
806-
"AWS::Serverless::SimpleTable": "274556bcca91c9c4",
807-
"AWS::Serverless::StateMachine": "30679ac19f760f8c",
808-
"AWS::Serverless::WebSocketApi": "8ef912f4a2e5f4b1",
802+
"AWS::Serverless::Function": "554cec6192159770",
803+
"AWS::Serverless::GraphQLApi": "2d654013ac11af44",
804+
"AWS::Serverless::HttpApi": "9aebe136ff9b8f6d",
805+
"AWS::Serverless::LayerVersion": "e6e17ee142ff4fb5",
806+
"AWS::Serverless::SimpleTable": "318018ba3be5fbfc",
807+
"AWS::Serverless::StateMachine": "cbe043b60e78821e",
808+
"AWS::Serverless::WebSocketApi": "81e13008dbf1beb7",
809809
"AWS::ServiceCatalog::AcceptedPortfolioShare": "77373a56c0c4bd28",
810810
"AWS::ServiceCatalog::CloudFormationProduct": "662186534ff8e643",
811811
"AWS::ServiceCatalog::CloudFormationProvisionedProduct": "448a377417beb2e5",

0 commit comments

Comments
 (0)