
[cfn-lint] E3030 for config resources #2228

Closed
theksi opened this issue Mar 4, 2022 · 3 comments

theksi commented Mar 4, 2022

cfn-lint version: (cfn-lint --version)
cfn-lint 0.58.2
Description of issue.
Error on an invalid value for Compliance resourceTypes that is in fact valid

Please provide as much information as possible:

  • Template linting issues:
```json
[{
	"resource": "XXXXX/dev_local/aws-config-library/account-quality/templates/cloudwatch.yaml",
	"owner": "_generated_diagnostic_collection_name_#4",
	"severity": 8,
	"message": "[cfn-lint] E3030: You must specify a valid value for ComplianceResourceTypes (AWS::Logs::LogGroup). Valid values are [\"AWS::ACM::Certificate\", \"AWS::ApiGateway::RestApi\", \"AWS::ApiGateway::Stage\", \"AWS::ApiGatewayV2::Api\", ...]",
	"startLineNumber": 57,
	"startColumn": 15,
	"endLineNumber": 57,
	"endColumn": 34
}]
```
  • Please provide a CloudFormation sample that generated the issue.
```yaml
QnACwLogRetentionRule:
  Type: AWS::Config::ConfigRule
  Properties:
    ConfigRuleName: !Sub ${RuleNamePrefix}-QnACwLogRetention-${AWS::Region}
    Description: "Every Cloudwatch log must have a set retention"
    Scope:
      ComplianceResourceTypes:
        - AWS::Logs::LogGroup
    Source:
      Owner: AWS
      SourceIdentifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
```
  • If present, please add links to the (official) documentation for clarification.
  • Validate if the issue still exists with the latest version of cfn-lint and/or the latest Spec files
    N/A, using the latest version
  • Feature request:
    • Please provide argumentation about the missing feature. Context is key!
      When designing a CFN template for scheduled rules, any value for ComplianceResourceTypes can be used as long as it is a valid AWS resource type (and not only a supported resource type).
      When a scheduled rule is described in the template, cfn-lint should verify all AWS resources.
      Suggestion:
      Identifying an AWS scheduled rule is not easy, as MaximumExecutionFrequency is not mandatory, and cfn-lint evaluation could work this way:
      IF an invalid value for ComplianceResourceTypes AND MaximumFrequency is set AND ComplianceResourceType is a valid AWS resource type, THEN cfn-lint evaluation is positive

Cfn-lint uses the CloudFormation Resource Specifications as the base to do validation. These files are included as part of the application version. Please update to the latest version of cfn-lint or update the spec files manually (cfn-lint -u)
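The evaluation order proposed in the issue above, written out as an added example that is not part of the issue or of cfn-lint's own rule code; the two type sets are constructed, abbreviated samples standing in for the botocore Config enum and the CloudFormation resource spec, and the template is passed as an already-parsed dict. Such a check lets a scheduled rule that targets a real resource type pass without a resource-level ignore, which keeps E3030 active for genuinely mistyped values.

```python
# Added example, not cfn-lint's own code: the evaluation order proposed in the
# issue. Both type sets are constructed samples, not the real botocore/spec data.
CONFIG_SUPPORTED_TYPES = {  # constructed sample of Config's ResourceType enum
    "AWS::ACM::Certificate",
    "AWS::ApiGateway::RestApi",
    "AWS::ApiGateway::Stage",
    "AWS::ApiGatewayV2::Api",
}
# Constructed sample of resource types known to the CloudFormation resource spec.
CFN_RESOURCE_TYPES = CONFIG_SUPPORTED_TYPES | {"AWS::Logs::LogGroup", "AWS::Config::ConfigRule"}


def check_config_rule(logical_id, resource):
    """Return E3030-style findings for one resource (empty for other types).

    A value outside the Config enum passes only when the rule is scheduled
    (MaximumExecutionFrequency set) AND the value is a valid CloudFormation type.
    """
    findings = []
    if resource.get("Type") != "AWS::Config::ConfigRule":
        return findings
    props = resource.get("Properties", {})
    scheduled = "MaximumExecutionFrequency" in props
    for rtype in props.get("Scope", {}).get("ComplianceResourceTypes", []):
        if rtype in CONFIG_SUPPORTED_TYPES:
            continue
        if scheduled and rtype in CFN_RESOURCE_TYPES:
            continue  # scheduled rule targeting a real resource type: no error
        findings.append(f"E3030 {logical_id}: invalid ComplianceResourceTypes value {rtype}")
    return findings


def lint_template(template):
    """Apply check_config_rule to every resource of a parsed template dict."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        findings.extend(check_config_rule(logical_id, resource))
    return findings


# The issue's rule as posted (no MaximumExecutionFrequency) and a scheduled variant.
RULE = {"Type": "AWS::Config::ConfigRule", "Properties": {
    "Scope": {"ComplianceResourceTypes": ["AWS::Logs::LogGroup"]},
    "Source": {"Owner": "AWS", "SourceIdentifier": "CW_LOGGROUP_RETENTION_PERIOD_CHECK"}}}
SCHEDULED_RULE = {"Type": RULE["Type"], "Properties": {
    **RULE["Properties"], "MaximumExecutionFrequency": "TwentyFour_Hours"}}

if __name__ == "__main__":
    print(lint_template({"Resources": {"QnACwLogRetentionRule": RULE}}))  # one finding
    print(lint_template({"Resources": {"QnACwLogRetentionRule": SCHEDULED_RULE}}))  # []
```

Note that the rule exactly as posted still fails under this heuristic, which is the point the issue makes about MaximumExecutionFrequency being optional.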

PatMyron commented Mar 4, 2022

(Recommended workaround with resource-level ignores)

We're currently pulling that enum from Config's SDK model. That resource type hasn't been added there yet 😕

kddejong commented Mar 4, 2022

More details

```json
{
    "op": "add",
    "path": "/ValueTypes/AWS::Config::ConfigurationRecorder.ResourceTypes",
    "value": {
      "botocore": "config/2014-11-12/ResourceType"
    }
},
```

https://github.com/boto/botocore/blob/develop/botocore/data/config/2014-11-12/service-2.json#L6481

Also doesn't seem to exist in the API docs either: https://docs.aws.amazon.com/config/latest/APIReference/API_ResourceIdentifier.html

This issue is also a reference boto/botocore#2535

kddejong commented Mar 7, 2022

I'm debating if we should remove the allowed values for this one @PatMyron. Especially with capabilities that are described in this blog.
