Update I3510 to only validate one resource is matched (#4032)

Author: kddejong

src/cfnlint/rules/resources/iam/StatementResources.py

@@ -158,15 +158,17 @@ def validate(
                         ].get("ARNFormats")
                         for arn_format in arn_formats:
                             arn = _Arn(arn_format)
-                            if arn not in all_resource_arns:
-                                yield ValidationError(
-                                    (
-                                        f"action {action!r} requires "
-                                        f"a resource of {arn_formats!r}"
-                                    ),
-                                    path=deque(["Resource"]),
-                                    rule=self,
-                                )
+                        if arn in all_resource_arns:
+                            break
+                    else:
+                        yield ValidationError(
+                            (
+                                f"action {action!r} requires "
+                                f"a resource of {arn_formats!r}"
+                            ),
+                            path=deque(["Resource"]),
+                            rule=self,
+                        )
                 else:
                     LOGGER.debug(f"action {action!r} requires a resource of '*'")
                     # yield ValidationError(

test/unit/rules/resources/iam/test_statement_resources.py

@@ -112,6 +112,13 @@ def template():
             },
             [],
         ),
+        (
+            {
+                "Action": "ec2:CreateTags",
+                "Resource": ["arn:aws:ec2:*::snapshot/*"],
+            },
+            [],
+        ),
         (
             {
                 "Action": "cloudformation:CreateStackSet",