
ignore_checks order of precedence #3816

Open
dishikang123 opened this issue Nov 8, 2024 · 2 comments

Comments

@dishikang123

CloudFormation Lint Version

cfn-lint 1.18.4

What operating system are you using?

Windows 11

Describe the bug

Added ignore_checks metadata at the template root level. Running the CLI with "-i W" against the file, the error listed under ignore_checks still shows up, even though template metadata has higher precedence over the CLI parameter. The error does get suppressed if I run it without the "-i W" parameter. Adding ignore_checks at the resource level works as intended.

Expected behavior

The ignore_checks metadata at the template root level should get suppressed even when running CLI with "-i W"

Reproduction template

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation Template to create a IAM Policies and Roles
Metadata:  
  cfn-lint:
    config:
      ignore_checks:
        - E3033

Parameters:
  AccountNameShort:
    Description: Abbreviated account name
    Type: AWS::SSM::Parameter::Value<String>

  ProjectTagValue:
    Default: project
    Description: Project the resources are for
    Type: String    

Resources:
  ReadPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: read-policy
      Description: read policy
      Path: /
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: 's3:ListAllMyBuckets'
            Resource: '*'
          - Effect: Allow
            Action: 
            - 's3:ListBucket'
            - 's3:GetBucketLocation'
            - 's3:ListBucketVersions'
            Resource: 
             - 'arn:aws:s3:::team-*'
             - !Sub "arn:aws:s3:::abcd-${AccountNameShort}-team-*"
          - Effect: Allow
            Action: 
            - 's3:GetObject'
            - 's3:GetObjectAcl'
            - 's3:GetObjectVersion'
            Resource: 
             - 'arn:aws:s3:::abcd-team-*/*'
             - !Sub "arn:aws:s3:::abcd-${AccountNameShort}-team-*/*"
          - Effect: Allow
            Action: 
            - 'ecr:BatchGetRepositoryScanningConfiguration'
            - 'ecr:DescribeImages'
            - 'ecr:DescribeImageScanFindings'
            - 'ecr:DescribeRepositories'
            - 'ecr:ListImages'
            - 'ecr:ListTagsForResource'
            Resource: !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*'
          - Effect: Allow
            Action: 
            - 'sns:ListTagsForResource'
            - 'sns:ListSubscriptionsByTopic'
            - 'sns:GetTopicAttributes'
            Resource: !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'states:Describe*'
            - 'states:Get*'
            - 'states:ListTag*'
            Resource: 
             - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:execution:abcd-team-*:*'
             - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:activity:*'
             - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'ssm:GetParametersByPath'
            - 'ssm:GetParameters'
            - 'ssm:GetParameter'
            Resource: 
             - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/abcd/team/team/*'
          - Effect: Allow
            Action: 
            - 'lambda:GetProvisionedConcurrencyConfig'
            - 'lambda:ListFunctionsByCodeSigningConfig'
            - 'lambda:GetLayerVersion'
            - 'lambda:GetEventSourceMapping'
            - 'lambda:GetCodeSigningConfig'
            - 'lambda:GetLayerVersionPolicy'
            Resource: 
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:code-signing-config:*'
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:*:*'
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:abcd-team-*:*'
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:event-source-mapping:*'
          - Effect: Allow
            Action: 
            - 'lambda:ListProvisionedConcurrencyConfigs'
            - 'lambda:ListFunctionEventInvokeConfigs'
            - 'lambda:ListVersionsByFunction'
            - 'lambda:GetFunctionConcurrency'
            - 'lambda:ListTags'
            - 'lambda:GetFunctionEventInvokeConfig'
            - 'lambda:GetFunction'
            - 'lambda:ListAliases'
            - 'lambda:GetFunctionConfiguration'
            - 'lambda:GetAlias'
            - 'lambda:GetFunctionCodeSigningConfig'
            - 'lambda:GetPolicy'
            Resource: 
             - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'cloudwatch:DescribeAlarmHistory'
            - 'cloudwatch:GetDashboard'
            - 'cloudwatch:GetInsightRuleReport'
            - 'cloudwatch:ListTagsForResource'
            - 'cloudwatch:DescribeAlarms'
            - 'cloudwatch:GetMetricStream'
            Resource: 
             - !Sub 'arn:aws:cloudwatch::${AWS::AccountId}:dashboard/abcd-team*'
             - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:insight-rule/abcd-team-*'
             - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:abcd-team-*'
             - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:metric-stream/abcd-team-*'
          - Effect: Allow
            Action: 
            -  'codebuild:BatchGetProjects'
            -  'codebuild:BatchGetBuildBatches'
            -  'codebuild:ListReportsForReportGroup'
            -  'codebuild:GetReportGroupTrend'
            -  'codebuild:BatchGetReports'
            -  'codebuild:DescribeTestCases'
            -  'codebuild:GetResourcePolicy'
            -  'codebuild:DescribeCodeCoverages'
            -  'codebuild:ListBuildBatchesForProject'
            -  'codebuild:ListBuildsForProject'
            -  'codebuild:BatchGetReportGroups'
            -  'codebuild:BatchGetBuilds'
            -  'codebuild:StartBuild*'
            -  'codebuild:StopBuild*'
            -  'codebuild:RetryBuild*'
            Resource: 
             - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/abcd-team-*'
             - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/abcd-team-*'
          - Effect: Allow
            Action: 
            - 'codepipeline:ListWebhooks'
            - 'codepipeline:ListPipelineExecutions'
            - 'codepipeline:ListActionExecutions'
            - 'codepipeline:GetPipeline'
            - 'codepipeline:ListTagsForResource'
            - 'codepipeline:GetPipelineState'
            - 'codepipeline:GetPipelineExecution'
            Resource: 
             - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:actiontype:*/*/*/*'
             - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
             - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:webhook:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'codedeploy:Get*'
            - 'codedeploy:BatchGet*'
            - 'codedeploy:List*'
            Resource: 
             - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:application:abcd-team-*'
             - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:instance:*'
             - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:abcd-team-*/abcd-team-*'
             - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentconfig:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'codecommit:Get*'
            - 'codecommit:List*'
            - 'codecommit:describe*'
            - 'codecommit:Batch*'
            - 'codecommit:GitPull'
            - 'codecommit:BatchGetRepositories'
            - 'codecommit:CancelUploadArchive'
            - 'codecommit:EvaluatePullRequestApprovalRules'
            Resource: 
             - !Sub 'arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
          - Effect: Allow
            Action: 
            - 'secretsmanager:GetSecretValue'
            - 'secretsmanager:DescribeSecret'
            - 'secretsmanager:ListSecretVersionIds'
            - 'secretsmanager:RestoreSecret'
            - 'secretsmanager:PutSecretValue'
            - 'secretsmanager:CreateSecret'
            - 'secretsmanager:UpdateSecretVersionStage'
            - 'secretsmanager:DeleteSecret'
            - 'secretsmanager:RotateSecret'
            - 'secretsmanager:CancelRotateSecret'
            - 'secretsmanager:UpdateSecret'
            Resource: 
             - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:abcd/team/team/*'
          - Effect: Allow
            Action: 
            - 'logs:DescribeLogGroups'
            - 'logs:GetLogEvents'
            - 'logs:DescribeLogStreams'
            - 'logs:FilterLogEvents'
            Resource: 
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/team'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/team:log-stream:*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/emissary'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/emissary:log-stream:*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/rds/instance/team-*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/rds/instance/team-*:log-stream:*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/abcd/team/opensearch/*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/abcd/team/opensearch/*:log-stream:*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/abcd-team*'
             - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/abcd-team*:log-stream:*'   

@kddejong
Contributor

kddejong commented Nov 8, 2024

May have to update the docs for this one. I went back and reread it and I believe it's just wrong or misleading. The CLI takes precedence since that configuration is used for just that one run. We tried to go from broad to specific. So a cfnlintrc is considered more generic and will be overwritten by the CLI and the template metadata. Then the metadata is overwritten by the CLI since that configuration was supplied just for that run.

This logic seems to have held from v0 to v1 so I think this is a documentation issue.

Also there is an option called --merge-configs that can merge together lists across different levels of configuration. cfn-lint --merge-configs -i W -- local/issue/3816.yaml will result in 0 issues.
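
The following is an added illustration of the precedence described in the comment above (cfnlintrc, then template Metadata, then CLI, with the most specific layer winning unless lists are merged). It is a model written for this thread, not cfn-lint's own code; the `Layer` class, the function names and the cfnlintrc entry `W2001` are assumptions, and rule matching by ID prefix (so `W` covers every warning) follows the reporter's `-i W` usage.

```python
# Model of the three cfn-lint configuration layers: cfnlintrc < template Metadata < CLI.
# Illustration only; this is not cfn-lint's implementation.
from dataclasses import dataclass, field


@dataclass
class Layer:
    name: str
    ignore_checks: list[str] = field(default_factory=list)


def resolve_ignore_checks(layers, merge_configs=False):
    """Combine ignore_checks from layers ordered broad -> specific.

    Default: the most specific layer that sets ignore_checks overwrites the
    earlier ones outright, so `-i W` on the CLI replaces the Metadata list.
    merge_configs=True (the --merge-configs option): lists are concatenated.
    """
    result: list[str] = []
    for layer in layers:
        if not layer.ignore_checks:
            continue  # a layer that sets nothing leaves the earlier value in place
        if merge_configs:
            result.extend(r for r in layer.ignore_checks if r not in result)
        else:
            result = list(layer.ignore_checks)
    return result


def is_suppressed(rule_id, ignore_checks):
    """A rule is ignored when its ID starts with any entry, e.g. 'W' matches 'W2001'."""
    return any(rule_id.startswith(prefix) for prefix in ignore_checks)


# Constructed sample: the reporter's setup (Metadata ignores E3033, CLI passes -i W),
# plus a hypothetical cfnlintrc entry to show the lowest layer.
LAYERS = [
    Layer("cfnlintrc", ["W2001"]),
    Layer("template-metadata", ["E3033"]),
    Layer("cli", ["W"]),
]


def findings_shown(rule_ids, layers=LAYERS, merge_configs=False):
    """Return the rule IDs that would still be reported after suppression."""
    ignored = resolve_ignore_checks(layers, merge_configs)
    return [r for r in rule_ids if not is_suppressed(r, ignored)]


if __name__ == "__main__":
    found = ["E3033", "W2001", "W3010"]
    print("override:", findings_shown(found))  # ['E3033'] still reported
    print("merged:", findings_shown(found, merge_configs=True))  # []
```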

@dishikang123
Author

@kddejong If the CLI has higher precedence, then why would putting metadata at the resource level suppress the error? I can work with --merge-configs in the meantime. Thanks!
