Disable and configure certain rules when template is from CDK (#2971)

* Disable certain rules when doing CDK

Author: kddejong

src/cfnlint/rules/resources/HardCodedArnProperties.py

@@ -74,6 +74,10 @@ def match_values(self, cfn):
     def match(self, cfn):
         matches = []
 
+        # Skip rule if CDK
+        if cfn.is_cdk_template():
+            return matches
+
         transforms = cfn.transform_pre["Transform"]
         transforms = transforms if isinstance(transforms, list) else [transforms]
         if "AWS::Serverless-2016-10-31" in cfn.transform_pre["Transform"]:

src/cfnlint/rules/resources/properties/AvailabilityZone.py

@@ -63,6 +63,10 @@ def check(self, properties, resource_type, path, cfn):
         """Check itself"""
         matches = []
 
+        # Skip rule if CDK
+        if cfn.is_cdk_template():
+            return matches
+
         matches.extend(
             cfn.check_value(
                 properties,

src/cfnlint/template/template.py

@@ -202,6 +202,23 @@ def has_serverless_transform(self):
         )
         return bool(lang_extensions_transform in transform_type)
 
+    def is_cdk_template(self) -> bool:
+        """Check if the template was created by CDK"""
+        resources = self.template.get("Resources")
+        if not isinstance(resources, dict):
+            return False
+
+        for _, properties in resources.items():
+            if not isinstance(properties, dict):
+                continue
+            resource_type = properties.get("Type")
+            if not isinstance(resource_type, str):
+                continue
+            if resource_type == "AWS::CDK::Metadata":
+                return True
+
+        return False
+
     def get_resources(self, resource_type=[]):
         """
         Get Resources

test/fixtures/templates/good/resources/properties/az_cdk.yaml

@@ -0,0 +1,8 @@
+Resources:
+  CdkMetadata:
+    Type: AWS::CDK::Metadata
+  Instance:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: vpc-1234567
+      AvailabilityZone: us-east-1a

test/fixtures/templates/good/resources/properties/hard_coded_arn_properties_cdk.yaml

@@ -0,0 +1,82 @@
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  CdkMetadata:
+    Type: AWS::CDK::Metadata
+
+  S3BadBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      AccessControl: Private
+      NotificationConfiguration:
+        TopicConfigurations:
+        - Topic: !Sub arn:aws:sns:us-east-1:123456789012:TestTopic
+          Event: s3:ReducedRedundancyLostObject
+
+  SampleBadBucketPolicy: 
+    Type: AWS::S3::BucketPolicy
+    Properties: 
+      Bucket: !Ref S3BadBucket
+      PolicyDocument: 
+        Statement: 
+          - Action: 
+              - s3:GetObject
+            Effect: Allow
+            Resource: !Sub arn:aws:s3:::${S3BadBucket}
+            Principal: "*"
+
+  SampleRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+              - ec2.amazonaws.com
+            Action:
+              - 'sts:AssumeRole'
+      Path: /
+
+
+  SampleBadIAMPolicy1:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - sns:Publish
+            Resource: !Sub arn:${AWS::Partition}:sns:us-east-1:${AWS::AccountId}:TestTopic
+      Roles:
+        - !Ref SampleRole
+
+  SampleBadIAMPolicy2:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - sns:Publish
+            Resource: 
+              - !Sub arn:${AWS::Partition}:sns:us-east-1:${AWS::AccountId}:TestTopic
+              - !Sub arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:TestTopic
+      Roles:
+        - !Ref SampleRole
+
+  SampleBadIAMPolicy3:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - sns:Publish
+            Resource: 
+              - !Sub arn:${AWS::Partition}:sns:${AWS::Partition}:${AWS::AccountId}:TestTopic
+      Roles:
+        - !Ref SampleRole

test/unit/module/test_template.py

@@ -1254,3 +1254,58 @@ def test_schemas(self):
                 },
                 self.template.get_valid_getatts(),
             )
+
+    def test_is_cdk_bad_type(self):
+        template = {
+            "Resources": {
+                "CDK": {
+                    "Type": ["AWS::CDK::Metadata"],
+                    "Properties": {
+                        "AssumeRolePolicyDocument": {
+                            "Version": "2012-10-17",
+                        }
+                    },
+                }
+            },
+        }
+
+        template = Template("test.yaml", template)
+        self.assertFalse(template.is_cdk_template())
+
+    def test_is_cdk_bad_resources(self):
+        template = {
+            "Resources": [
+                {
+                    "CDK": {
+                        "Type": ["AWS::CDK::Metadata"],
+                        "Properties": {
+                            "AssumeRolePolicyDocument": {
+                                "Version": "2012-10-17",
+                            }
+                        },
+                    }
+                }
+            ],
+        }
+
+        template = Template("test.yaml", template)
+        self.assertFalse(template.is_cdk_template())
+
+    def test_is_cdk_bad_resource_props(self):
+        template = {
+            "Resources": {
+                "CDK": [
+                    {
+                        "Type": ["AWS::CDK::Metadata"],
+                        "Properties": {
+                            "AssumeRolePolicyDocument": {
+                                "Version": "2012-10-17",
+                            }
+                        },
+                    }
+                ]
+            },
+        }
+
+        template = Template("test.yaml", template)
+        self.assertFalse(template.is_cdk_template())

test/unit/rules/resources/properties/test_availability_zone.py

@@ -18,7 +18,8 @@ def setUp(self):
         super(TestPropertyAvailabilityZone, self).setUp()
         self.collection.register(AvailabilityZone())
         self.success_templates = [
-            "test/fixtures/templates/good/resources/properties/az.yaml"
+            "test/fixtures/templates/good/resources/properties/az.yaml",
+            "test/fixtures/templates/good/resources/properties/az_cdk.yaml",
         ]
 
     def test_file_positive(self):

test/unit/rules/resources/test_hardcodedarnproperties.py

@@ -19,6 +19,7 @@ def setUp(self):
         self.collection.register(HardCodedArnProperties())
         self.success_templates = [
             "test/fixtures/templates/good/resources/properties/hard_coded_arn_properties_sam.yaml",
+            "test/fixtures/templates/good/resources/properties/hard_coded_arn_properties_cdk.yaml",
         ]
 
     def test_file_positive(self):