Add rule to validate mixing API body definitions (#3989)

kddejong · web-flow · commit 7fee6bdab935 · 2025-03-05T09:20:59.000-08:00
* Add rule W3660 to validate mixing API body definitions
diff --git a/src/cfnlint/rules/resources/apigateway/RestApiMixingDefinitions.py b/src/cfnlint/rules/resources/apigateway/RestApiMixingDefinitions.py
@@ -0,0 +1,68 @@
+"""
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from cfnlint.jsonschema import ValidationError, ValidationResult, Validator
+from cfnlint.rules.jsonschema.CfnLintKeyword import CfnLintKeyword
+
+
+class RestApiMixingDefinitions(CfnLintKeyword):
+    id = "W3660"
+    shortdesc = "Validate if multiple resources are modifying a Rest API definition"
+    description = (
+        "When using AWS::ApiGateway::RestApi with 'Body' or 'BodyS3Location' "
+        "the resource handler will use PutRestApi with mode overwrite. "
+        "Depending on how resources are updated the IaC template will "
+        "drift and create orphaned resources."
+    )
+    tags = ["resources", "apigateway"]
+
+    def __init__(self) -> None:
+        super().__init__(
+            keywords=[
+                "Resources/AWS::ApiGateway::RestApi/Properties/Body",
+                "Resources/AWS::ApiGateway::RestApi/Properties/BodyS3Location",
+            ],
+        )
+        self._mix_types = [
+            "AWS::ApiGateway::Method",
+            "AWS::ApiGateway::Model",
+            "AWS::ApiGateway::Resource",
+            "AWS::ApiGateway::GatewayResponse",
+            "AWS::ApiGateway::RequestValidator",
+            "AWS::ApiGateway::Authorizer",
+        ]
+
+    def validate(
+        self, validator: Validator, keywords: Any, instance: Any, schema: dict[str, Any]
+    ) -> ValidationResult:
+
+        if validator.cfn.graph is None:  # pragma: no cover
+            return  # pragma: no cover
+
+        if not len(validator.context.path.path) > 3:
+            return
+
+        resource_name = validator.context.path.path[1]
+        key = validator.context.path.path[3]
+
+        unique_sources: set[str] = set()
+        for source, _ in validator.cfn.graph.graph.in_edges(resource_name):
+            if source not in validator.context.resources:
+                continue
+            if validator.context.resources[source].type in self._mix_types:
+                if source not in unique_sources:
+                    yield ValidationError(
+                        message=(
+                            f"Defining {key!r} with a relation to resource {source!r} "
+                            f"of type {validator.context.resources[source].type!r} "
+                            "may result in drift and orphaned resources"
+                        ),
+                        rule=self,
+                    )
+                    unique_sources.add(source)
diff --git a/test/unit/rules/resources/apigateway/test_rest_api_mixing_definition.py b/test/unit/rules/resources/apigateway/test_rest_api_mixing_definition.py
@@ -0,0 +1,169 @@
+"""
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+
+from collections import deque
+
+import pytest
+
+from cfnlint.jsonschema import ValidationError
+from cfnlint.rules.resources.apigateway.RestApiMixingDefinitions import (
+    RestApiMixingDefinitions,
+)
+
+
+@pytest.fixture(scope="module")
+def rule():
+    rule = RestApiMixingDefinitions()
+    yield rule
+
+
+_rest_api = {
+    "Type": "AWS::ApiGateway::RestApi",
+    "Properties": {},
+}
+
+_api_resource = {
+    "Type": "AWS::ApiGateway::Resource",
+    "Properties": {
+        "RestApiId": {"Ref": "RestApi"},
+        "ParentId": {"Fn::GetAtt": "RestApi.RootResourceId"},
+        "PathPart": "test",
+    },
+}
+
+_api_model = {
+    "Type": "AWS::ApiGateway::Model",
+    "Properties": {
+        "RestApiId": {"Ref": "RestApi"},
+        "ContentType": "application/json",
+        "Description": "Schema for Pets example",
+        "Name": "PetsModelNoFlatten",
+        "Schema": {
+            "$schema": "http://json-schema.org/draft-04/schema#",
+            "title": "PetsModelNoFlatten",
+            "type": "array",
+            "items": {
+                "type": "object",
+                "properties": {
+                    "number": {"type": "integer"},
+                    "class": {"type": "string"},
+                    "salesPrice": {"type": "number"},
+                },
+            },
+        },
+    },
+}
+
+_api_stage = {
+    "Type": "AWS::ApiGateway::Stage",
+    "Properties": {
+        "StageName": "Prod",
+        "Description": "Prod Stage",
+        "RestApiId": {"Ref": "RestApi"},
+    },
+}
+
+
+@pytest.mark.parametrize(
+    "template,path,expected",
+    [
+        (
+            {
+                "Resources": {
+                    "RestApi": _rest_api,
+                }
+            },
+            {
+                "path": deque(["Resources", "RestApi", "Properties", "Body"]),
+            },
+            [],
+        ),
+        (
+            {
+                "Resources": {
+                    "RestApi": _rest_api,
+                    "ProdStage": _api_stage,
+                },
+                "Outputs": {"RestApiId": {"Value": {"Ref": "RestApi"}}},
+            },
+            {
+                "path": deque(["Resources", "RestApi", "Properties", "Body"]),
+            },
+            [],
+        ),
+        (
+            {
+                "Resources": {
+                    "RestApi": _rest_api,
+                    "RootResource": _api_resource,
+                }
+            },
+            {
+                "path": deque(["Resources", "RestApi", "Properties", "Body"]),
+            },
+            [
+                ValidationError(
+                    (
+                        "Defining 'Body' with a relation to "
+                        "resource 'RootResource' of type "
+                        "'AWS::ApiGateway::Resource' may result "
+                        "in drift and orphaned resources"
+                    ),
+                    rule=RestApiMixingDefinitions(),
+                    path=deque([]),
+                )
+            ],
+        ),
+        (
+            {
+                "Resources": {
+                    "RestApi": _rest_api,
+                    "RootResource": _api_resource,
+                }
+            },
+            {
+                "path": deque(["Resources", "RestApi"]),
+            },
+            [],
+        ),
+        (
+            {
+                "Resources": {
+                    "RestApi": _rest_api,
+                    "RootResource": _api_resource,
+                    "Model": _api_model,
+                }
+            },
+            {
+                "path": deque(["Resources", "RestApi", "Properties", "Body"]),
+            },
+            [
+                ValidationError(
+                    (
+                        "Defining 'Body' with a relation to "
+                        "resource 'RootResource' of type "
+                        "'AWS::ApiGateway::Resource' may result "
+                        "in drift and orphaned resources"
+                    ),
+                    rule=RestApiMixingDefinitions(),
+                ),
+                ValidationError(
+                    (
+                        "Defining 'Body' with a relation to "
+                        "resource 'Model' of type "
+                        "'AWS::ApiGateway::Model' may result "
+                        "in drift and orphaned resources"
+                    ),
+                    rule=RestApiMixingDefinitions(),
+                ),
+            ],
+        ),
+    ],
+    indirect=["template", "path"],
+)
+def test_validate(template, path, expected, rule, validator):
+    errs = list(rule.validate(validator, "", "", {}))
+
+    assert errs == expected, f"Expected {expected} got {errs}"
