cfn-lint

Features

• Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released
• Add new rule W3037 to validate IAM resource policies. Status: Experimental
• Add new parameter -e/--include-experimental to allow for new rules in that aren't ready to be fully released

CloudFormation Specifications

• Update Spec files to 2.28.0
• Add all the allowed values of the AWS::Redshift::* Resources
• Add all the allowed values of the AWS::Neptune::* Resources
• Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required
• Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required

Fixes

• Remove extra blank lines when there is no errors in the output
• Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition
• Update rule E1029 to allow for literals in a Sub
• Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check
• Correct typos for errors in rule W1001
• Switch from parsing a template as Yaml to Json when finding an escape character
• Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers
• Fix an issue with rule E2541 when non strings were used for Stage Names

Features

• Add rule E3031 to look for regex patterns based on the patched spec file
• Remove regex checks from rule E2509
• Add parameter ignore-templates to allow the ignoring of templates when doing bulk linting

CloudFormation Specifications

• Update Spec files to 2.26.0
• Add all the allowed values of the AWS::DirectoryService::* Resources
• Add all the allowed values of the AWS::DynamoDB::* Resources
• Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2
• Patch the spec file with regex patterns
• Add all the allowed values of the AWS::DocDb::* Resources

Fixes

• Update rule E2504 to have '20000' as the max value
• Update rule E1016 to not allow ImportValue inside of Conditions
• Update rule E2508 to check conditions when providing limit checks on managed policies
• Convert unicode to strings when in Py 3.4/3.5 and updating specs
• Convert from awslabs to aws-cloudformation organization
• Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with
  samtranslator 1.10.0

Features

• Add scaffolding for arbitrary Match attributes, adding attributes for Type checks
• Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST

CloudFormation Specifications

• Update Spec files to 2.24.0
• Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName
• Add all the allowed values of the AWS::CloudFront::* Resources
• Add all the allowed values of the AWS::DAX::* Resources

Fixes

• Update config parsing to use the builtin Yaml decoder
• Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules
• Update rule E1029 to better check Resource strings inside IAM Policies
• Improve the line/column information of a Match with array support

CloudFormation Specifications

• Update CloudFormation Specs to version 2.23.0
• Add allowed values for AWS::Config::* resources
• Add allowed values for AWS::ServiceDiscovery::* resources
• Fix allowed values for Apache MQ

Fixes

• Update rule E3008 to not error when using a list from a custom resource
• Support simple types in the CloudFormation spec
• Add tests for the formatters

Features

• Add rule E3035 to check the values of DeletionPolicy
• Add rule E3036 to check the values of UpdateReplacePolicy
• Add rule E2014 to check that there are no REFs in the Parameter section
• Update rule E2503 to support TLS on NLBs

CloudFormation Specifications

• Update CloudFormation spec to version 2.22.0
• Add allowed values for AWS::Cognito::* resources

Fixes

• Update rule E3002 to allow GetAtts to Custom Resources under a Condition

Features

• Introducing the cfn-lint logo!
• Update SAM dependency version

Fixes

• Fix CloudWatchAlarmComparisonOperator allowed values.
• Fix typo resoruce_type_spec in several files
• Better support for nested And, Or, and Not when processing Conditions

CloudFormation Specifications

• Add allowed values for AWS::CloudTrail::Trail resources
• Patch spec to have AWS::CodePipeline::CustomActionType Version included

Fixes

• Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified

Features

• New rule W1011 to check if a FindInMap is using the correct map name and keys
• New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used
• Removed logic in E1011 and moved it to W1011 for validating keys
• Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne
• Update rule E2505 to check the netmask bit
• Include the ability to update the CloudFormation Specs using the Pricing API

CloudFormation Specifications

• Update to version 2.21.0
• Add allowed values for AWS::Budgets::Budget
• Add allowed values for AWS::CertificateManager resources
• Add allowed values for AWS::CodePipeline resources
• Add allowed values for AWS::CodeCommit resources
• Add allowed values for EC2 InstanceTypes from pricing API
• Add allowed values for RedShift InstanceTypes from pricing API
• Add allowed values for MQ InstanceTypes from pricing API
• Add allowed values for RDS InstanceTypes from pricing API

Fixes

• Fixed README indentation issue with .pre-commit-config.yaml
• Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task
• Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record
• Update rule E3001 to support UpdateReplacePolicy
• Fix a cli issue where --template wouldn't be used when a .cfnlintrc was in the same folder
• Update rule E3002 and W3002 to support packaging of AWS::Lambda::LayerVersion content

CloudFormation Specifications

• Add AWS::WorkSpaces::Workspace.WorkspaceProperties ComputeTypeName, RunningMode allowed values
• Fix AWS::CloudWatch::Alarm to point Metrics at AWS::CloudWatch::Alarm.MetricDataQuery

Fixes

• Update rule E1024 to support Fn::Sub inside Fn::Cidr

Features

• Update rule E1019 to not allow for lists directly when doing a Ref or GetAtt to a list
• Move parameter checks from rule E3030 to a new rule W2030

CloudFormation Specifications

• Updated to version 2.19.0
• Add S3 Bucket Allowed Values
• Add Route53 Allowed Values
• Add CodeDeploy Allowed Values
• Add AWS::SecretsManager::SecretTargetAttachment TargetType Allowed Values
• Add AWS::SES::ReceiptRule.Rule TlsPolicy Allowed Values
• Add AWS::AutoScaling::AutoScalingGroup, AWS::Route53::RecordSetGroup, and AWS::AutoScaling::AutoScalingGroup to OnlyOne

Fixes

• Improve W7001 error message

CloudFormation Specifications

• Support Ref to IAM::Role or IAM::InstanceProfile with values looking for an ARN
• AWS::Batch::ComputeEnvironment InstanceRole is an InstanceProfile not Role

Fixes

• Add debug options to print a stack trace for rule E0002
• Update rule E2015 to include a try/catch around AllowedPattern testing to catch errors caused by non Python supported regex

Features

• Add rule E3030 to use the newly patched spec to check resource properties values. Update the following rules replaced by E3030.
  • Delete rule W2512
  • Delete rule E2531
  • Move allowed values check in rule E2505
• Add rule E3008 to use the newly patched spec to check a resource properties Ref and GetAtt. Update the following rules replaced by E3008.
  • Delete rule E2502
  • Delete rule W2505
• Improve rule E3020 to check MX records

CloudFormation Specifications

• Update CloudFormation specs to 2.18.1
• Append the CloudFormation spec to include:
  • AllowedValues for resource properties
  • Allowed Ref/GetAtts for resource properties
• Add specs for regions eu-north-1, us-gov-east-1, us-gov-west-1
• Add AWS::StepFunctions::StateMachine in all supported regions
• Add AWS::CloudWatch::Alarm.Metric, AWS::CloudWatch::Alarm.MetricDataQuery and AWS::CloudWatch::Alarm.MetricStat in all supported regions
• Add AWS::Lambda::LayerVersion, AWS::Lambda::LayerVersion.Content, and AWS::Lambda::LayerVersionPermission in all supported regions

Fixes

• Fix description on rule W2501 to be more informative
• Update rule E2532 to allow Parameters in a Task in a Step Function
• Fix rule E1010 to allow Refs in the GetAtt attribute section
• Add AWS::CloudFormation::Init as an exception for rule E1029
• Add Informational error messages to JSON outputs
• Fix file searching **/* to recursively search in Python 3.5 and greater
• Update CopyRight from 2018 to 2019

Features

• Code coverage testing integrated into the CI process
• Update CloudFormation specs to 2.18.0

Fixes

• Fix rule E2505 to allow for SSM parameters when checking Cidr and Tenancy parameters
• Fix rule E1029 to not error on API Gateway stageVariables

Features

• Support stdin for reading and testing templates

Fixes

• Remove dependency on regex package as it requires gcc
• Remove rule E3507 because it depends on regex package

Features

• Update specs to version 2.16.0

Fixes

• Require pathlib2 in Python versions earlier than 3.4.0
• Update aws-sam-translator to v1.8.0
• Update requests dependency to be at least version 2.15.0
• Add Python 3.7 support for Lambda
• Provide valid Python runtimes in rule E2531 error message
• Allow Fn::Sub inside a Fn::Sub for rule E1019
• Add hardcoded list check as invalid in rule E6003
• Fix home expansion with when looking for .cfnlintrc in Python 3.4
• Add testing in Travis for Py34, Py35, Py37
• Prevent spaces after the comma in spec file
• Update allowed Lambda Runtimes to include provided and ruby

Features

• Update specs to version 2.15.0

Fixes

• Fix rule E3020 to allow multiple text records of up to 255 characters
• Fix rule E3016 to handle conditions in Update Policies
• Fix rule E2532 to not fail when using a Fn::Sub and a number for a param

Features

• Add support for eu-west-3 and ap-northeast-3
• Add Resource Type AWS::CloudFormation::Macro to CloudFormation Spec

Fixes

• Fix the error message for YAML null being off by 1 line and 1 column number
• Add Custom Error for when trying to access an attribute in the classes that make up the template
• Fix an issue with deepcopy not creating copies with start and end marks
• Fix 4 rules that would fail when trying to create the path of the error and running into an integer
• Fix rule E2015 to force parameter default values to be a string when testing against the AllowedPattern regex pattern
• Fix a bug in the config engine in which append rules would have gone to override spec
• Remove exit calls from functions that are used in integrations preventing pre-mature failures
• Fix rule E3002 E3003 to support functions that may be able to support objects

Features

• Add rule E8002 to validate if resource Conditions or Fn::If conditions are defined
• Improve rule E3002 to validate custom resources when custom specs are addended to the resource spec using override-spec
• Allow for configuration of cfn-lint using configuration files in the project and home folder called .cfnlintrc
• Updated specs to versions release 2.12.0

Fixes

• Fix rule E3002 to not fail when looking for lists of objects and using a FindInMap or GetAtt to a custom resource as both could suppliy a list of objects
• Remove rule E1025 which was duplicative to the more extensive rule E8002
• Fix rule E3020 to allow for quotes when checking the length
• Add generic exception handling to SAM transforming functions
• Complete redo how we handle arguments to fix issues created when linting multiple files with cfn-lint configurations in the file
• New CloudFormation spec patch to not require CidrBlock on resource type AWS::EC2::NetworkAclEntry
• New updates to AtLeastOne.json definition to require CidrBlock or Ipv6CidrBlock on resource type AWS::EC2::NetworkAclEntry
• A few documentation improvements

Features

• Add rule E3022 to validate that there is only one SubnetRouteTableAssociation per subnet

Fixes

• Fix rule E2502 to check Arn and Name for AWS::EC2::LaunchTemplate resources
• Fix rule E3016 to remove use of Path which may not be defined in certain scenarios
• Fix base rule Class so that resource_property_types and resource_sub_property_types is initialized from on every new rule and not copied from previous rules that were initialized
• Fix conversions of transformed templates in which keys stayed as str(s) instead of str_node(s)

Fixes

• Update rule E2502 to allow GetAtt against a nested stack or custom resource
• Update rules E2541 and E2540 to support conditions inside the CodePipeline
• Fix types in rule E2532 to now include InputPath and OutputPath
• Update rule E1029 to skip missing sub when looking at parameters in IAM policies
• Update rule E2507 to allow for strings in the IAM policy
• Update rule E2507 to allow the policy statement to be an object along with a list