Remove SAM translator dependency, validate SAM templates via schemas

.github/workflows/maintenance-v1.yaml

@@ -20,18 +20,15 @@ jobs:
           python-version: 3.13
       - id: maintenance
         run: |
-          latest_sam_cli=`curl -s https://api.github.com/repos/aws/aws-sam-cli/releases/latest | jq -r .tag_name | cut -c 2-`
-          latest=`curl "https://pypi.org/pypi/aws-sam-cli/$latest_sam_cli/json" -s | jq -r '.info.requires_dist[] | select(contains("aws-sam-translator"))' | cut -c 21-`
-          sed -i -E "s/aws-sam-translator>=[0-9.]+/aws-sam-translator>=$latest/" requirements/base.txt
           pip install -e .
           pip install requests
           rm -rf src/cfnlint/data/DownloadsMetadata/*
           cfn-lint --update-iam-policies
           cfn-lint --update-documentation
           scripts/update_specs_from_pricing.py
-          scripts/update_serverless_aws_policies.py
           scripts/smithy/update_schemas_from_smithy.py
           scripts/update_schemas_from_aws_api.py
+          scripts/update_sam_schemas.py
           cfn-lint --update-specs
           echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
         env:

docs/sam-schema-gaps.md

@@ -0,0 +1,58 @@
+# SAM Schema Migration — Known Gaps
+
+## Generated Resources (Ref/GetAtt targets)
+
+The SAM transform generates additional CFN resources with predictable logical ID
+suffixes. These resources can be targets of `!Ref` and `!GetAtt` in templates.
+Without the transform, cfn-lint won't know these resources exist.
+
+### Resource Generation Patterns
+
+| SAM Type | Suffix | Generated CFN Type | Conditional |
+|----------|--------|--------------------|-------------|
+| `AWS::Serverless::Function` | *(same)* | `AWS::Lambda::Function` | No |
+| | `Role` | `AWS::IAM::Role` | When no `Role` property |
+| | `Version*` | `AWS::Lambda::Version` | When `AutoPublishAlias` |
+| | `Alias*` | `AWS::Lambda::Alias` | When `AutoPublishAlias` |
+| | `Url` | `AWS::Lambda::Url` | When `FunctionUrlConfig` |
+| | `{EventName}Permission` | `AWS::Lambda::Permission` | Per event source |
+| `AWS::Serverless::Api` | *(same)* | `AWS::ApiGateway::RestApi` | No |
+| | `Deployment*` | `AWS::ApiGateway::Deployment` | No |
+| | `Stage` | `AWS::ApiGateway::Stage` | No |
+| | `DomainName` | `AWS::ApiGateway::DomainName` | When `Domain` |
+| | `UsagePlan` | `AWS::ApiGateway::UsagePlan` | When `Auth` |
+| `AWS::Serverless::HttpApi` | *(same)* | `AWS::ApiGatewayV2::Api` | No |
+| | `Stage` | `AWS::ApiGatewayV2::Stage` | No |
+| `AWS::Serverless::StateMachine` | *(same)* | `AWS::StepFunctions::StateMachine` | No |
+| | `Role` | `AWS::IAM::Role` | When no `Role` property |
+| `AWS::Serverless::SimpleTable` | *(same)* | `AWS::DynamoDB::Table` | No |
+| `AWS::Serverless::LayerVersion` | *(same)* | `AWS::Lambda::LayerVersion` | No |
+| `AWS::Serverless::Application` | *(same)* | `AWS::CloudFormation::Stack` | No |
+
+`*` = Suffix includes a hash or version identifier (e.g., `MyFunctionDeploymentabc123`)
+
+### Impact
+
+- `!Ref MyFunctionRole` — Won't resolve because `MyFunctionRole` isn't in the template
+- `!GetAtt MyApi.Stage` — Won't resolve for the same reason
+- Cross-resource relationship rules (e.g., API Gateway Method → RestApi) won't see
+  SAM-generated resources
+
+### Mitigation Options
+
+1. **Accept the gap** — Most users reference SAM resources by their declared logical ID,
+   not the generated suffixed resources. The primary resource (same logical ID) works.
+2. **Context-aware resource injection** — During context creation, inspect SAM resources
+   and inject synthetic resource entries for known generated resources. This would let
+   Ref/GetAtt resolve without running the transform.
+3. **Custom rule** — A SAM-specific rule could validate references to known generated
+   resource patterns.
+
+### Types Without CFN Mapping
+
+These SAM types don't have a clear 1:1 primary CFN resource mapping:
+
+- `AWS::Serverless::Connector` — Generates IAM policies, no primary resource
+
+GetAtt/Ref for Connector will error since it has no `readOnlyProperties` or
+`primaryIdentifier`. This is correct — you'd never `!Ref` or `!GetAtt` a Connector.

pyproject.toml

@@ -183,10 +183,6 @@ ignore_missing_imports = true
 module = "importlib_resources.*"
 ignore_missing_imports = true
 
-[[tool.mypy.overrides]]
-module = "samtranslator.*"
-ignore_missing_imports = true
-
 [[tool.mypy.overrides]]
 module = "sarif_om.*"
 ignore_missing_imports = true

requirements/base.txt

@@ -1,5 +1,4 @@
 pyyaml>5.4
-aws-sam-translator>=1.109.0
 jsonpatch
 networkx>=2.4,<4
 sympy>=1.14.0