Validate if a map is actually a map (#2669)

Author: kddejong

src/cfnlint/rules/resources/properties/ValuePrimitiveType.py

@@ -192,6 +192,28 @@ def check_value(self, value, path, **kwargs):
 
         return matches
 
+    def _check_map(self, m, path):
+        matches = []
+        if isinstance(m, dict):
+            if len(m) == 1:
+                for k, v in m.items():
+                    if k == "Fn::If":
+                        if isinstance(v, list) and len(v) == 3:
+                            matches.extend(
+                                self._check_map(v[1], path[:] + ["Fn::If", 1])
+                            )
+                            matches.extend(
+                                self._check_map(v[2], path[:] + ["Fn::If", 2])
+                            )
+        else:
+            matches.append(
+                RuleMatch(
+                    path,
+                    "Map must be an object of key-value pairs",
+                )
+            )
+        return matches
+
     def check(self, cfn, properties, specs, spec_type, path):
         """Check itself"""
         matches = []
@@ -201,6 +223,10 @@ def check(self, cfn, properties, specs, spec_type, path):
                 primitive_type = specs.get(prop).get("PrimitiveType")
                 if not primitive_type:
                     primitive_type = specs.get(prop).get("PrimitiveItemType")
+                if specs.get(prop).get("Type") == "Map":
+                    matches.extend(
+                        self._check_map(properties.get(prop), path[:] + [prop])
+                    )
                 if specs.get(prop).get("Type") in ["List", "Map"]:
                     item_type = specs.get(prop).get("Type")
                 else:

test/fixtures/templates/bad/resources/properties/primitive_types_map.yaml

@@ -0,0 +1,41 @@
+AWSTemplateFormatVersion: 2010-09-09
+Conditions:
+  IsUsEast1: !Equals [!Ref AWS::Region, "us-east-1"]
+Resources:
+  ExampleLambda:
+    Properties:
+      Code:
+        ZipFile: |
+          exports.handler = async (event) => {
+            console.log('Hello World');
+            return 'Hello World';
+          };
+      Environment:
+        Variables:
+          - Key: A
+            Value: B
+          - C: d
+      Handler: src/index.handler
+      Runtime: nodejs18.x
+      Role: arn:aws:iam::123456789012:role/MyRole
+    Type: AWS::Lambda::Function
+  ExampleLambda1:
+    Properties:
+      Code:
+        ZipFile: |
+          exports.handler = async (event) => {
+            console.log('Hello World');
+            return 'Hello World';
+          };
+      Environment:
+        Variables:
+          Fn::If:
+          - IsUsEast1
+          - - Key: A
+              Value: B
+            - C: d
+          - !Ref AWS::NoValue
+      Handler: src/index.handler
+      Runtime: nodejs18.x
+      Role: arn:aws:iam::123456789012:role/MyRole
+    Type: AWS::Lambda::Function

test/unit/rules/resources/properties/test_value_primitive_type.py

@@ -46,6 +46,13 @@ def test_template_config(self):
             4,
         )
 
+    def test_bad_map_values(self):
+        """Test strict false"""
+        self.helper_file_negative(
+            "test/fixtures/templates/bad/resources/properties/primitive_types_map.yaml",
+            2,
+        )
+
     def test_file_negative_nist_high_main(self):
         """Generic Test failure"""
         self.helper_file_rule_config(