Support GetAtts for nested stacks and outputs (#4011)

kddejong · web-flow · commit e3b60eccd7d1 · 2025-03-12T09:25:13.000-07:00
* Support GetAtts for nested stacks and outputs
diff --git a/src/cfnlint/context/__init__.py b/src/cfnlint/context/__init__.py
@@ -1,3 +1,3 @@
 __all__ = ["Context", "create_context_for_template"]
 
-from cfnlint.context.context import Context, Path, create_context_for_template
+from cfnlint.context.context import Context, Path, Resource, create_context_for_template
diff --git a/src/cfnlint/context/context.py b/src/cfnlint/context/context.py
@@ -5,11 +5,12 @@
 
 from __future__ import annotations
 
+import os
 from abc import ABC, abstractmethod
 from collections import deque
 from dataclasses import InitVar, dataclass, field, fields
 from functools import lru_cache
-from typing import Any, Deque, Iterator, Sequence, Set, Tuple
+from typing import TYPE_CHECKING, Any, Deque, Iterator, Sequence, Set, Tuple
 
 from cfnlint.context._mappings import Mappings
 from cfnlint.context.conditions._conditions import Conditions
@@ -22,6 +23,9 @@
 )
 from cfnlint.schema import PROVIDER_SCHEMA_MANAGER, AttributeDict
 
+if TYPE_CHECKING:
+    from cfnlint.template import Template
+
 _PSEUDOPARAMS_NON_REGION = ["AWS::AccountId", "AWS::NoValue", "AWS::StackName"]
 
 
@@ -384,6 +388,37 @@ def is_ssm_parameter(self) -> bool:
         return self.type.startswith("AWS::SSM::Parameter::")
 
 
+def _nested_stack_get_atts(filename, template_url):
+    if (
+        template_url.startswith("http://")
+        or template_url.startswith("https://")
+        or template_url.startswith("s3://")
+    ):
+        return None
+
+    base_dir = os.path.dirname(os.path.abspath(filename))
+    template_path = os.path.normpath(os.path.join(base_dir, template_url))
+
+    try:
+        from cfnlint.decode import decode
+
+        (tmp, matches) = decode(template_path)
+    except Exception:  # noqa: E722
+        return None
+    if matches:
+        return None
+
+    outputs = AttributeDict()
+
+    tmp_outputs = tmp.get("Outputs")
+    if not isinstance(tmp_outputs, dict):
+        return outputs
+
+    for name, _ in tmp_outputs.items():
+        outputs[f"Outputs.{name}"] = "/properties/CfnLintStringType"
+    return outputs
+
+
 @dataclass
 class Resource(_Ref):
     """
@@ -393,8 +428,10 @@ class Resource(_Ref):
     type: str = field(init=False)
     condition: str | None = field(init=False, default=None)
     resource: InitVar[Any]
+    filename: InitVar[str | None] = field(default=None)
+    _nested_stack_get_atts: AttributeDict | None = field(init=False, default=None)
 
-    def __post_init__(self, resource) -> None:
+    def __post_init__(self, resource: Any, filename: str | None) -> None:
         if not isinstance(resource, dict):
             raise ValueError("Resource must be a object")
         t = resource.get("Type")
@@ -409,7 +446,18 @@ def __post_init__(self, resource) -> None:
             raise ValueError("Condition must be a string")
         self.condition = c
 
+        if self.type == "AWS::CloudFormation::Stack":
+            properties = resource.get("Properties")
+            if isinstance(properties, dict):
+                template_url = properties.get("TemplateURL")
+                if isinstance(template_url, str):
+                    self._nested_stack_get_atts = _nested_stack_get_atts(
+                        filename, template_url
+                    )
+
     def get_atts(self, region: str = REGION_PRIMARY) -> AttributeDict:
+        if self._nested_stack_get_atts is not None:
+            return self._nested_stack_get_atts
         return PROVIDER_SCHEMA_MANAGER.get_type_getatts(self.type, region)
 
     def ref(self, region: str = REGION_PRIMARY) -> dict[str, Any]:
@@ -433,13 +481,13 @@ def _init_parameters(parameters: Any) -> dict[str, Parameter]:
     return obj
 
 
-def _init_resources(resources: Any) -> dict[str, Resource]:
+def _init_resources(resources: Any, filename: str | None = None) -> dict[str, Resource]:
     obj = {}
     if not isinstance(resources, dict):
         raise ValueError("Resource must be a object")
     for k, v in resources.items():
         try:
-            obj[k] = Resource(v)
+            obj[k] = Resource(v, filename)
         except ValueError:
             pass
     return obj
@@ -451,7 +499,7 @@ def _init_transforms(transforms: Any) -> Transforms:
     return Transforms([])
 
 
-def create_context_for_template(cfn):
+def create_context_for_template(cfn: Template) -> "Context":
     parameters = {}
     try:
         parameters = _init_parameters(cfn.template.get("Parameters", {}))
@@ -460,7 +508,7 @@ def create_context_for_template(cfn):
 
     resources = {}
     try:
-        resources = _init_resources(cfn.template.get("Resources", {}))
+        resources = _init_resources(cfn.template.get("Resources", {}), cfn.filename)
     except (ValueError, AttributeError):
         pass
 
diff --git a/src/cfnlint/schema/_getatts.py b/src/cfnlint/schema/_getatts.py
@@ -213,10 +213,9 @@
 )
 
 
-class AttributeDict(UserDict):
-    def __init__(self, __dict: None = None) -> None:
+class AttributeDict(UserDict[str, str]):
+    def __init__(self, __dict: dict[str, str] | None = None) -> None:
         super().__init__(__dict)
-        self.data: dict[str, str] = {}
 
     def __getitem__(self, key: str) -> str:
         possible_items = {}
diff --git a/src/cfnlint/template/getatts.py b/src/cfnlint/template/getatts.py
@@ -3,6 +3,7 @@
 from collections import UserDict
 from typing import Any
 
+from cfnlint.context import Resource
 from cfnlint.schema import PROVIDER_SCHEMA_MANAGER, AttributeDict, ResourceNotFoundError
 
 
@@ -51,21 +52,19 @@ def __init__(self, regions: list[str]) -> None:
         for region in self._regions:
             self._getatts[region] = _ResourceDict()
 
-    def add(self, resource_name: str, resource_type: str) -> None:
+    def add(self, resource_name: str, resource: Resource) -> None:
         for region in self._regions:
             if resource_name not in self._getatts[region]:
-                if resource_type.endswith("::MODULE"):
+                if resource.type.endswith("::MODULE"):
                     self._getatts[region][f"{resource_name}.*"] = (
                         PROVIDER_SCHEMA_MANAGER.get_type_getatts(
-                            resource_type=resource_type, region=region
+                            resource_type=resource.type, region=region
                         )
                     )
 
                 try:
-                    self._getatts[region][resource_name] = (
-                        PROVIDER_SCHEMA_MANAGER.get_type_getatts(
-                            resource_type=resource_type, region=region
-                        )
+                    self._getatts[region][resource_name] = resource.get_atts(
+                        region=region
                     )
                 except ResourceNotFoundError:
                     self._getatts[region][resource_name] = AttributeDict()
diff --git a/src/cfnlint/template/template.py b/src/cfnlint/template/template.py
@@ -327,7 +327,7 @@ def get_valid_getatts(self) -> GetAtts:
         results = GetAtts(self.regions)
 
         for name, value in self.context.resources.items():
-            results.add(name, value.type)
+            results.add(name, value)
 
         return results
 
diff --git a/test/unit/module/context/test_resource.py b/test/unit/module/context/test_resource.py
@@ -3,9 +3,14 @@
 SPDX-License-Identifier: MIT-0
 """
 
+from unittest.mock import patch
+
 import pytest
 
 from cfnlint.context.context import Resource, _init_resources
+from cfnlint.match import Match
+from cfnlint.rules.errors.parse import ParseError
+from cfnlint.schema import AttributeDict
 
 
 @pytest.mark.parametrize(
@@ -41,3 +46,65 @@ def test_errors(name, instance):
 def test_resources():
     with pytest.raises(ValueError):
         _init_resources([])
+
+
+@pytest.mark.parametrize(
+    "name,instance,decode_results,expected_getatts",
+    [
+        (
+            "Nested stack with no Properties",
+            {"Type": "AWS::CloudFormation::Stack"},
+            None,
+            AttributeDict({"Outputs\\..*": "/properties/CfnLintStringType"}),
+        ),
+        (
+            "Nested stack with template URL",
+            {
+                "Type": "AWS::CloudFormation::Stack",
+                "Properties": {"TemplateURL": "https://bucket/path.yaml"},
+            },
+            None,
+            AttributeDict({"Outputs\\..*": "/properties/CfnLintStringType"}),
+        ),
+        (
+            "Nested stack with a local file",
+            {
+                "Type": "AWS::CloudFormation::Stack",
+                "Properties": {"TemplateURL": "./bar.yaml"},
+            },
+            ({"Outputs": {"MyValue": {"Type": "String"}}}, None),
+            AttributeDict({"Outputs.MyValue": "/properties/CfnLintStringType"}),
+        ),
+        (
+            "Nested stack with a local file and no outputs",
+            {
+                "Type": "AWS::CloudFormation::Stack",
+                "Properties": {"TemplateURL": "./bar.yaml"},
+            },
+            ({}, None),
+            AttributeDict({}),
+        ),
+        (
+            "Nested stack with a local file but match error",
+            {
+                "Type": "AWS::CloudFormation::Stack",
+                "Properties": {"TemplateURL": "./bar.yaml"},
+            },
+            (None, Match("test", rule=ParseError())),
+            AttributeDict({"Outputs\\..*": "/properties/CfnLintStringType"}),
+        ),
+    ],
+)
+def test_nested_stacks(name, instance, decode_results, expected_getatts):
+    region = "us-east-1"
+    filename = "foo/bar.yaml"
+
+    with patch("cfnlint.decode.decode") as mock_decode:
+        if decode_results is not None:
+            mock_decode.return_value = decode_results
+
+        resource = Resource(instance, filename)
+
+        assert expected_getatts == resource.get_atts(
+            region
+        ), f"{name!r} test got {resource.get_atts(region)}"
diff --git a/test/unit/module/template/test_getatts.py b/test/unit/module/template/test_getatts.py
@@ -5,6 +5,7 @@
 
 from test.testlib.testcase import BaseTestCase
 
+from cfnlint.context import Resource
 from cfnlint.template.getatts import GetAtts
 
 
@@ -13,14 +14,20 @@ class TestGetAtts(BaseTestCase):
 
     def test_getatt(self):
         getatts = GetAtts(["us-east-1", "us-west-2"])
-        getatts.add("Module", "Organization::Resource::Type::MODULE")
+        getatts.add(
+            "Module", Resource({"Type": "Organization::Resource::Type::MODULE"})
+        )
         results = getatts.match("us-east-1", "ModuleResource.Module")
         self.assertEqual(results, "/properties/CfnLintAllTypes")
 
     def test_many_modules(self):
         getatts = GetAtts(["us-east-1", "us-west-2"])
-        getatts.add("Module", "Organization::Resource::Type::MODULE")
-        getatts.add("Module1", "Organization::Resource::Type::MODULE")
+        getatts.add(
+            "Module", Resource({"Type": "Organization::Resource::Type::MODULE"})
+        )
+        getatts.add(
+            "Module1", Resource({"Type": "Organization::Resource::Type::MODULE"})
+        )
         results = getatts.match("us-east-1", "ModuleResource.Module")
         self.assertEqual(results, "/properties/CfnLintAllTypes")
 
@@ -29,8 +36,10 @@ def test_many_modules(self):
 
     def test_getatt_resource_and_modules(self):
         getatts = GetAtts(["us-east-1", "us-west-2"])
-        getatts.add("Resource", "Organization::Resource::Type::MODULE")
-        getatts.add("Resource1", "Organization::Resource::Type")
+        getatts.add(
+            "Resource", Resource({"Type": "Organization::Resource::Type::MODULE"})
+        )
+        getatts.add("Resource1", Resource({"Type": "Organization::Resource::Type"}))
         results = getatts.match("us-east-1", "ResourceOne.Module")
         self.assertEqual(results, "/properties/CfnLintAllTypes")
 
@@ -48,7 +57,7 @@ def test_getatt_type_errors(self):
 
     def test_getatt_resource_with_list(self):
         getatts = GetAtts(["us-east-1"])
-        getatts.add("Resource", "AWS::NetworkFirewall::Firewall")
+        getatts.add("Resource", Resource({"Type": "AWS::NetworkFirewall::Firewall"}))
         results = getatts.match("us-east-1", "Resource.EndpointIds")
         self.assertEqual(results, "/properties/EndpointIds")
         self.assertDictEqual(
diff --git a/test/unit/module/template/test_template.py b/test/unit/module/template/test_template.py
diff --git a/test/unit/rules/resources/route53/test_recordsets.py b/test/unit/rules/resources/route53/test_recordsets.py

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`__all__ = ["Context", "create_context_for_template"]`
`2`	`2`
`3`		`-from cfnlint.context.context import Context, Path, create_context_for_template`
	`3`	`+from cfnlint.context.context import Context, Path, Resource, create_context_for_template`