Redo codepipeline rules (#3993)

* Deprecate E2540 for new v1 version rules
* Deprecate E2541 for new v1 version rules
* Add rule E3700 to validate that Source actions are only in the first stage
* Add rule E3701 to validate artifact names shared between InputArtifacts and OutputArtifacts
* Add rule E3702 to validate the InputArtifacts, OutputArtifacts counts for the action type
* Add rule E3703 to validate the configuration of an action. Start with a TemplatePath on CloudFormation based actions have a Source that matches an InputArtifact name

Author: kddejong

scripts/update_schemas_manually.py

@@ -584,6 +584,18 @@
                     values={"requiredXor": ["ArtifactStore", "ArtifactStores"]},
                     path="/",
                 ),
+                Patch(
+                    values={"minItems": 2, "uniqueKeys": ["Name"]},
+                    path="/properties/Stages",
+                ),
+                Patch(
+                    values={"minItems": 1, "uniqueKeys": ["Name"]},
+                    path="/definitions/StageDeclaration/properties/Actions",
+                ),
+                Patch(
+                    values={"pattern": "^[0-9A-Za-z_-]{1,9}$"},
+                    path="/definitions/ActionTypeId/properties/Version",
+                ),
             ],
         ),
         ResourcePatch(

src/cfnlint/data/schemas/extensions/aws_codepipeline_pipeline/__init__.py

@@ -6,5 +6,34 @@
    "ArtifactStore",
    "ArtifactStores"
   ]
+ },
+ {
+  "op": "add",
+  "path": "/definitions/ActionTypeId/properties/Version/pattern",
+  "value": "^[0-9A-Za-z_-]{1,9}$"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/StageDeclaration/properties/Actions/minItems",
+  "value": 1
+ },
+ {
+  "op": "add",
+  "path": "/definitions/StageDeclaration/properties/Actions/uniqueKeys",
+  "value": [
+   "Name"
+  ]
+ },
+ {
+  "op": "add",
+  "path": "/properties/Stages/minItems",
+  "value": 2
+ },
+ {
+  "op": "add",
+  "path": "/properties/Stages/uniqueKeys",
+  "value": [
+   "Name"
+  ]
  }
 ]

src/cfnlint/data/schemas/patches/extensions/all/aws_codepipeline_pipeline/manual.json

@@ -74,6 +74,7 @@
      "type": "string"
     },
     "Version": {
+     "pattern": "^[0-9A-Za-z_-]{1,9}$",
      "type": "string"
     }
    },
@@ -426,8 +427,12 @@
      "items": {
       "$ref": "#/definitions/ActionDeclaration"
      },
+     "minItems": 1,
      "type": "array",
-     "uniqueItems": true
+     "uniqueItems": true,
+     "uniqueKeys": [
+      "Name"
+     ]
     },
     "BeforeEntry": {
      "$ref": "#/definitions/BeforeEntryConditions"
@@ -568,8 +573,12 @@
    "items": {
     "$ref": "#/definitions/StageDeclaration"
    },
+   "minItems": 2,
    "type": "array",
-   "uniqueItems": true
+   "uniqueItems": true,
+   "uniqueKeys": [
+    "Name"
+   ]
   },
   "Tags": {
    "items": {

src/cfnlint/data/schemas/providers/ap_southeast_5/aws-codepipeline-pipeline.json

@@ -74,6 +74,7 @@
      "type": "string"
     },
     "Version": {
+     "pattern": "^[0-9A-Za-z_-]{1,9}$",
      "type": "string"
     }
    },
@@ -426,8 +427,12 @@
      "items": {
       "$ref": "#/definitions/ActionDeclaration"
      },
+     "minItems": 1,
      "type": "array",
-     "uniqueItems": true
+     "uniqueItems": true,
+     "uniqueKeys": [
+      "Name"
+     ]
     },
     "BeforeEntry": {
      "$ref": "#/definitions/BeforeEntryConditions"
@@ -568,8 +573,12 @@
    "items": {
     "$ref": "#/definitions/StageDeclaration"
    },
+   "minItems": 2,
    "type": "array",
-   "uniqueItems": true
+   "uniqueItems": true,
+   "uniqueKeys": [
+    "Name"
+   ]
   },
   "Tags": {
    "items": {

src/cfnlint/data/schemas/providers/ap_southeast_7/aws-codepipeline-pipeline.json

@@ -74,6 +74,7 @@
      "type": "string"
     },
     "Version": {
+     "pattern": "^[0-9A-Za-z_-]{1,9}$",
      "type": "string"
     }
    },
@@ -426,8 +427,12 @@
      "items": {
       "$ref": "#/definitions/ActionDeclaration"
      },
+     "minItems": 1,
      "type": "array",
-     "uniqueItems": true
+     "uniqueItems": true,
+     "uniqueKeys": [
+      "Name"
+     ]
     },
     "BeforeEntry": {
      "$ref": "#/definitions/BeforeEntryConditions"
@@ -568,8 +573,12 @@
    "items": {
     "$ref": "#/definitions/StageDeclaration"
    },
+   "minItems": 2,
    "type": "array",
-   "uniqueItems": true
+   "uniqueItems": true,
+   "uniqueKeys": [
+    "Name"
+   ]
   },
   "Tags": {
    "items": {

src/cfnlint/data/schemas/providers/ca_west_1/aws-codepipeline-pipeline.json

@@ -98,6 +98,7 @@
      "type": "string"
     },
     "Version": {
+     "pattern": "^[0-9A-Za-z_-]{1,9}$",
      "type": "string"
     }
    },
@@ -474,8 +475,12 @@
      "items": {
       "$ref": "#/definitions/ActionDeclaration"
      },
+     "minItems": 1,
      "type": "array",
-     "uniqueItems": true
+     "uniqueItems": true,
+     "uniqueKeys": [
+      "Name"
+     ]
     },
     "BeforeEntry": {
      "$ref": "#/definitions/BeforeEntryConditions",
@@ -624,8 +629,12 @@
    "items": {
     "$ref": "#/definitions/StageDeclaration"
    },
+   "minItems": 2,
    "type": "array",
-   "uniqueItems": true
+   "uniqueItems": true,
+   "uniqueKeys": [
+    "Name"
+   ]
   },
   "Tags": {
    "items": {

src/cfnlint/data/schemas/providers/us_east_1/aws-codepipeline-pipeline.json

@@ -137,12 +137,36 @@ def contains(
     if not validator.is_type(instance, "array"):
         return
 
-    if not any(
-        validator.evolve(schema=contains).is_valid(element) for element in instance
-    ):
-        yield ValidationError(
-            f"{instance!r} does not contain items matching the given schema",
-        )
+    matches = 0
+    min_contains = schema.get("minContains", 1)
+    max_contains = schema.get("maxContains", len(instance))
+
+    contains_validator = validator.evolve(schema=contains)
+
+    for each in instance:
+        if contains_validator.is_valid(each):
+            matches += 1
+            if matches > max_contains:
+                yield ValidationError(
+                    "Too many items match the given schema "
+                    f"(expected at most {max_contains})",
+                    validator="maxContains",
+                    validator_value=max_contains,
+                )
+                return
+
+    if matches < min_contains:
+        if not matches:
+            yield ValidationError(
+                f"{instance!r} does not contain items matching the given schema",
+            )
+        else:
+            yield ValidationError(
+                "Too few items match the given schema (expected at least "
+                f"{min_contains} but only {matches} matched)",
+                validator="minContains",
+                validator_value=min_contains,
+            )
 
 
 def dependencies(
@@ -305,18 +329,26 @@ def items(
     if not validator.is_type(instance, "array"):
         return
 
-    if validator.is_type(items, "array"):
-        for (index, item), subschema in zip(enumerate(instance), items):
+    prefix = len(schema.get("prefixItems", []))
+    total = len(instance)
+    extra = total - prefix
+    if extra <= 0:
+        return
+
+    if items is False:
+        rest = instance[prefix:] if extra != 1 else instance[prefix]
+        item = "items" if prefix != 1 else "item"
+        yield ValidationError(
+            f"Expected at most {prefix} {item} but found {extra} " f"extra: {rest!r}",
+        )
+    else:
+        for index in range(prefix, total):
             yield from validator.descend(
-                item,
-                subschema,
+                instance=instance[index],
+                schema=items,
                 path=index,
-                schema_path=index,
                 property_path="*",
             )
-    else:
-        for index, item in enumerate(instance):
-            yield from validator.descend(item, items, path=index, property_path="*")
 
 
 def maxItems(

src/cfnlint/jsonschema/_keywords.py

@@ -11,15 +11,15 @@
 from cfnlint.rules.functions._BaseFn import BaseFn
 
 _all = {
-    "items": [
+    "prefixItems": [
         {"type": "string", "const": "resolve"},
         {"type": "string", "enum": ["ssm", "ssm-secure", "secretsmanager"]},
     ],
     "minItems": 3,
 }
 
 _ssm = {
-    "items": [
+    "prefixItems": [
         {"type": "string", "const": "resolve"},
         {"type": "string", "enum": ["ssm", "ssm-secure"]},
         {"type": "string", "pattern": "[a-zA-Z0-9_.-/]+"},
@@ -30,7 +30,7 @@
 }
 
 _secrets_manager = {
-    "items": [
+    "prefixItems": [
         {"type": "string", "const": "resolve"},
         {"type": "string", "const": "secretsmanager"},
         {"type": "string", "pattern": "[ -~]*"},  # secret-id
@@ -45,7 +45,7 @@
 }
 
 _secrets_manager_arn = {
-    "items": [
+    "prefixItems": [
         {"type": "string", "const": "resolve"},
         {"type": "string", "const": "secretsmanager"},
         {"type": "string", "const": "arn"},  # arn