Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Rules support Condition, which is not a rule-specific intrinsic function #3710

Closed
alnoki opened this issue Sep 24, 2024 · 2 comments · Fixed by #3714
Closed

[Bug] Rules support Condition, which is not a rule-specific intrinsic function #3710

alnoki opened this issue Sep 24, 2024 · 2 comments · Fixed by #3714

Comments

@alnoki
Copy link

alnoki commented Sep 24, 2024
edited
Loading

CloudFormation Lint Version

1.15.0

What operating system are you using?

Mac pre-commit

Background

Note that I described similar behavior in #3630, which #3634 and #3703 attempted to address. Unfortunately it appears that these changes resulted in cfn-lint allowing the Condition function inside of rules, which is not an allowed rule-specific intrinsic function.

In particular, templates of the form described at #3630 (comment) will throw:

Changeset creation failed. The reason was Template format error: Following functions are not supported in the Rules block of the template: [Condition].

Describe the bug

The reproduction template throws:

W1001 Ref to resource 'InternetGateway' that may not be available when condition 'DeployGateway' is False and when condition 'DeployVpc' is True at Resources/InternetGatewayAttachment/Properties/InternetGatewayId
src/cloud-formation/indexer.cfn.yaml:32:7

Specifically, the purported hypothetical situation

when condition 'DeployGateway' is False and when condition 'DeployVpc' is True

is impossible per the DeployVpc rule.

Expected behavior

The lint should pass without template modification.

Reproduction template

---
Conditions:
  DeployGateway: !Equals
  - !Ref 'DeployGateway'
  - 'true'
  DeployVpc: !Equals
  - !Ref 'DeployVpc'
  - 'true'
Parameters:
  DeployAnything:
    AllowedValues:
    - 'false'
    - 'true'
    Type: 'String'
  DeployGateway:
    AllowedValues:
    - 'false'
    - 'true'
    Type: 'String'
  DeployVpc:
    AllowedValues:
    - 'false'
    - 'true'
    Type: 'String'
Resources:
  InternetGateway:
    Condition: 'DeployGateway'
    Type: 'AWS::EC2::InternetGateway'
  InternetGatewayAttachment:
    Condition: 'DeployVpc'
    Properties:
      InternetGatewayId: !Ref 'InternetGateway'
      VpcId: !Ref 'Vpc'
    Type: 'AWS::EC2::VPCGatewayAttachment'
  Vpc:
    Condition: 'DeployVpc'
    Properties:
      CidrBlock: '0.0.0.0/16'
    Type: 'AWS::EC2::VPC'
Rules:
  DeployGateway:
    Assertions:
    - Assert: !Or
      - !Equals
        - !Ref 'DeployAnything'
        - 'true'
      - !Equals
        - !Ref 'DeployGateway'
        - 'false'
  DeployVpc:
    Assertions:
    - Assert: !Or
      - !Equals
        - !Ref 'DeployGateway'
        - 'true'
      - !Equals
        - !Ref 'DeployVpc'
        - 'false'
...
@alnoki alnoki mentioned this issue Sep 24, 2024
Closed
@alnoki alnoki changed the title [Bug] Inaccurate condition evaluation when using rules [Bug] Rules support Condition, which is not a rule-specific intrinsic function Sep 24, 2024
@kddejong
Copy link
Contributor

#3712 will fix the Condition issue. Looking into the scenario you described above

@kddejong kddejong mentioned this issue Sep 24, 2024
Merged
@alnoki
Copy link
Author

alnoki commented Sep 24, 2024
edited
Loading

@kddejong thanks for the quick fix!

This resolved the issues with the reproduction template, and for the template I've been working on

This was referenced Sep 26, 2024
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add equal vars for Rules to cnf building kddejong/cfn-python-lint
2 participants
@kddejong @alnoki