Update W3663 to skip validation when Sub (#3548)

* Update W3663 to skip validation when Sub
* Make sure to return rule E3673

Author: kddejong

src/cfnlint/rules/resources/ectwo/InstanceImageId.py

@@ -70,11 +70,20 @@ def validate(
             launch_templates = list(
                 self._get_related_launch_template(instance_image_id_validator, instance)
             )
+            path: deque[str | int] = deque([])
+            if "ImageId" != instance_image_id_validator.context.path.path[-1]:
+                path = deque(
+                    list(instance_image_id_validator.context.path.path)[
+                        len(validator.context.path.path) :
+                    ]
+                )
 
             if not launch_templates:
                 yield ValidationError(
                     "'ImageId' is a required property",
-                    path_override=instance_image_id_validator.context.path.path,
+                    validator="required",
+                    path=path,
+                    rule=self,
                 )
                 continue
 
@@ -123,5 +132,7 @@ def validate(
                     if launch_template_image_id is None and instance_image_id is None:
                         yield ValidationError(
                             "'ImageId' is a required property",
-                            path_override=instance_image_id_validator.context.path.path,
+                            validator="required",
+                            path=path,
+                            rule=self,
                         )

src/cfnlint/rules/resources/lmbd/PermissionSourceAccount.py

@@ -32,16 +32,6 @@ def __init__(self):
             keywords=["Resources/AWS::Lambda::Permission/Properties"],
         )
 
-    def _validate_sub_has_account_id(self, validator: Validator, value: Any) -> bool:
-        value = ensure_list(value)
-
-        if isinstance(value[0], str):
-            if re.search(r":(\d{12}|\${AWS::AccountId}):", value[0]):
-                return True
-
-            return False
-        return True
-
     def _validate_is_gettatt_to_bucket(self, validator: Validator, value: Any) -> bool:
         value = ensure_list(value)[0].split(".")[0]
 
@@ -81,10 +71,7 @@ def validate(
 
             fn_k, fn_v = is_function(source_arn)
             if fn_k is not None:
-                if fn_k == "Fn::Sub":
-                    if self._validate_sub_has_account_id(scenario_validator, fn_v):
-                        continue
-                elif fn_k == "Fn::GetAtt":
+                if fn_k == "Fn::GetAtt":
                     if not self._validate_is_gettatt_to_bucket(
                         scenario_validator, fn_v
                     ):
@@ -96,4 +83,5 @@ def validate(
                 yield ValidationError(
                     "'SourceAccount' is a required property",
                     validator="required",
+                    rule=self,
                 )

test/unit/rules/resources/ec2/test_instance_image_id.py

@@ -184,9 +184,9 @@ def rule():
             [
                 ValidationError(
                     "'ImageId' is a required property",
-                    path_override=deque(
-                        ["Resources", "Instance", "Properties", "ImageId"]
-                    ),
+                    validator="required",
+                    rule=InstanceImageId(),
+                    path=deque([]),
                 )
             ],
         ),
@@ -221,9 +221,9 @@ def rule():
             [
                 ValidationError(
                     "'ImageId' is a required property",
-                    path_override=deque(
-                        ["Resources", "Instance", "Properties", "ImageId"]
-                    ),
+                    validator="required",
+                    rule=InstanceImageId(),
+                    path=deque([]),
                 )
             ],
         ),
@@ -268,17 +268,9 @@ def rule():
             [
                 ValidationError(
                     "'ImageId' is a required property",
-                    path_override=deque(
-                        [
-                            "Resources",
-                            "Instance",
-                            "Properties",
-                            "ImageId",
-                            "Fn::If",
-                            2,
-                            "Ref",
-                        ]
-                    ),
+                    validator="required",
+                    rule=InstanceImageId(),
+                    path=deque(["ImageId", "Fn::If", 2, "Ref"]),
                 )
             ],
         ),
@@ -288,6 +280,10 @@ def rule():
 def test_validate(name, instance, expected, rule, validator):
     errs = list(rule.validate(validator, "", instance, {}))
 
+    for err in errs:
+        print(err.path)
+        print(err.validator)
+        print(err.rule)
     assert (
         errs == expected
     ), f"Expected test {name!r} to have {expected!r} but got {errs!r}"

test/unit/rules/resources/lmbd/test_permission_source_account.py

@@ -61,6 +61,7 @@ def template():
                 ValidationError(
                     "'SourceAccount' is a required property",
                     validator="required",
+                    rule=PermissionSourceAccount(),
                 )
             ],
         ),
@@ -85,24 +86,6 @@ def template():
             {
                 "SourceArn": {"Fn::Sub": "arn:${AWS::Partition}:s3:::bucket"},
             },
-            [
-                ValidationError(
-                    "'SourceAccount' is a required property",
-                    validator="required",
-                )
-            ],
-        ),
-        (
-            {
-                "SourceArn": {"Fn::Sub": [[], {}]},
-            },
-            [],
-        ),
-        (
-            {
-                "SourceArn": {"Fn::Sub": "arn:${AWS::Partition}:s3:::bucket"},
-                "SourceAccount": {"Ref": "AWS::AccountId"},
-            },
             [],
         ),
         (
@@ -120,6 +103,7 @@ def template():
                 ValidationError(
                     "'SourceAccount' is a required property",
                     validator="required",
+                    rule=PermissionSourceAccount(),
                 )
             ],
         ),
@@ -182,6 +166,7 @@ def template():
                 ValidationError(
                     "'SourceAccount' is a required property",
                     validator="required",
+                    rule=PermissionSourceAccount(),
                 )
             ],
         ),