"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
from cfnlint.rules import CloudFormationLintRule, RuleMatch
class Modules(CloudFormationLintRule):
"""Check that Modules do not contain invalid data"""
id = "E5001"
shortdesc = "Check that Modules resources are valid"
description = "Check that Modules resources are valid"
source_url = "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/"
tags = ["resources", "modules"]
def match(self, cfn):
matches = []
resource_properties = cfn.get_resources()
resource_dict = {
key: resource_properties[key]
for key in resource_properties
if isinstance(resource_properties[key], dict)
}
for resource_name, resource_values in resource_dict.items():
module = {
"Type": v
for (k, v) in resource_values.items()
if str(v).endswith("::MODULE") is True
}
if module:
matches.extend(self.check_metadata_keys(cfn))
matches.extend(self.check_tags(resource_name, resource_values))
matches.extend(
self.check_policy("CreationPolicy", resource_name, resource_values)
)
matches.extend(
self.check_policy("UpdatePolicy", resource_name, resource_values)
)
return matches
def check_policy(self, policy, resource_name, resource_values):
"""Ensure invalid policies are not used"""
matches = []
if resource_values.get(policy, {}):
path = ["Resources", resource_name, policy]
matches.append(RuleMatch(path, f"{policy} is not permitted within Modules"))
return matches
def check_tags(self, resource_name, resource_values):
"""Ensure invalid policies are not used"""
matches = []
properties = resource_values.get("Properties", {})
if properties.get("Tags"):
path = ["Resources", resource_name, "Properties", "Tags"]
matches.append(RuleMatch(path, "Tags is not permitted within Modules"))
return matches
def check_metadata_keys(self, cfn):
"""Ensure reserved metadata key AWS::CloudFormation::Module is not used"""
modules = cfn.get_modules().keys()
matches = []
reserved_key = "AWS::CloudFormation::Module"
refs = cfn.search_deep_keys(reserved_key)
for ref in refs:
if (ref[1] in modules) and (len(ref) > 3):
if ref[0] == "Resources" and ref[2] == "Metadata":
matches.append(
RuleMatch(ref, f"The Metadata key {reserved_key} is reserved")
)
return matches
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| __pycache__ | Folder | 0755 |
|
|
| backup | Folder | 0755 |
|
|
| certificatemanager | Folder | 0755 |
|
|
| cloudformation | Folder | 0755 |
|
|
| cloudfront | Folder | 0755 |
|
|
| codepipeline | Folder | 0755 |
|
|
| dynamodb | Folder | 0755 |
|
|
| ecs | Folder | 0755 |
|
|
| ectwo | Folder | 0755 |
|
|
| elasticache | Folder | 0755 |
|
|
| elb | Folder | 0755 |
|
|
| events | Folder | 0755 |
|
|
| iam | Folder | 0755 |
|
|
| lmbd | Folder | 0755 |
|
|
| properties | Folder | 0755 |
|
|
| rds | Folder | 0755 |
|
|
| route53 | Folder | 0755 |
|
|
| stepfunctions | Folder | 0755 |
|
|
| updatepolicy | Folder | 0755 |
|
|
| ApproachingLimitName.py | File | 686 B | 0644 |
|
| ApproachingLimitNumber.py | File | 690 B | 0644 |
|
| BothUpdateReplacePolicyDeletionPolicyNeeded.py | File | 1.74 KB | 0644 |
|
| CircularDependency.py | File | 1.18 KB | 0644 |
|
| Configuration.py | File | 6.97 KB | 0644 |
|
| DeletionPolicy.py | File | 3.91 KB | 0644 |
|
| DependsOn.py | File | 2.7 KB | 0644 |
|
| DependsOnObsolete.py | File | 3.01 KB | 0644 |
|
| HardCodedArnProperties.py | File | 4.71 KB | 0644 |
|
| LimitName.py | File | 704 B | 0644 |
|
| LimitNumber.py | File | 692 B | 0644 |
|
| Modules.py | File | 2.8 KB | 0644 |
|
| Name.py | File | 688 B | 0644 |
|
| NoEcho.py | File | 3.2 KB | 0644 |
|
| PreviousGenerationInstanceType.py | File | 4.2 KB | 0644 |
|
| ResourceSchema.py | File | 1.74 KB | 0644 |
|
| RetentionPeriodOnResourceTypesWithAutoExpiringContent.py | File | 6.42 KB | 0644 |
|
| ServerlessTransform.py | File | 1.59 KB | 0644 |
|
| UniqueNames.py | File | 924 B | 0644 |
|
| UpdateReplacePolicy.py | File | 4.07 KB | 0644 |
|
| UpdateReplacePolicyDeletionPolicyOnStatefulResourceTypes.py | File | 2.09 KB | 0644 |
|
| __init__.py | File | 106 B | 0644 |
|