Update rule E3703 to validate RoleArns (#3998)

* Create rule E1156 to validate IAM Role Arns
* Update rule E3703 to validate RoleArns

Author: kddejong

docs/format_keyword.md

@@ -32,6 +32,10 @@ This format validates that the value is a valid list of security group names, wh
 
 This format validates that the value is a valid Amazon Machine Image (AMI), which is a string of the pattern `ami-[0-9a-f]{8}` or `ami-[0-9a-f]{17}`.  More info in [docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resource-ids.html)
 
+### AWS::IAM::Role.Arn
+
+This format validates that the value is a valid IAM Role ARN, which is a string of the pattern `^arn:(aws|aws-cn|aws-iso|aws-iso-[a-z]{1}|aws-us-gov):iam::\d{12}:role/.*$`.  More info in [docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
+
 ### AWS::Logs::LogGroup.Name
 
 This format validates that the value is a valid log group name, which is a string of the pattern `^[\.\-_\/#A-Za-z0-9]{1,512}\Z`.  More info in [docs](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LogGroup.html)

scripts/update_schemas_format.py

@@ -178,7 +178,13 @@ def _create_security_group_name(type_name: str, ref: str, resolver: RefResolver)
 def _create_patch(value: dict[str, str], ref: str, resolver: RefResolver):
     _, resolved = resolver.resolve(ref)
     if "$ref" in resolved:
-        return _create_patch(value, resolved["$ref"], resolver)
+        patch = _create_patch(value, resolved["$ref"], resolver)
+        if patch is not None:
+            return patch
+
+    if ref == "#/definitions/Arn":
+        # way too generic general item
+        return None
 
     if "items" in resolved:
         return Patch(
@@ -270,6 +276,12 @@ def _create_patch(value: dict[str, str], ref: str, resolver: RefResolver):
             path="/definitions/NetworkInterface/properties/GroupSet/items",
         ),
     ],
+    "AWS::IAM::Role": [
+        Patch(
+            values={"format": "AWS::IAM::Role.Arn"},
+            path="/properties/Arn",
+        ),
+    ],
 }
 
 
@@ -377,6 +389,18 @@ def main():
                         )
                     )
 
+            for path in _descend(
+                obj, ["RoleArn", "RoleARN", "IAMRoleARN", "IamRoleArn"]
+            ):
+                if path[-2] == "properties":
+                    resource_patches.append(
+                        _create_patch(
+                            value={"format": "AWS::IAM::Role.Arn"},
+                            ref="#/" + "/".join(path),
+                            resolver=resolver,
+                        )
+                    )
+
             for path in _descend(
                 obj,
                 [

src/cfnlint/data/schemas/patches/extensions/all/aws_appconfig_extension/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/Action/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_appflow_connectorprofile/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_appflow_flow/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/GlueDataCatalog/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_applicationautoscaling_scalabletarget/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleARN/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_appstream_appblockbuilder/format.json

@@ -8,5 +8,10 @@
   "op": "add",
   "path": "/definitions/VpcConfig/properties/SecurityGroupIds/items/format",
   "value": "AWS::EC2::SecurityGroup.Id"
+ },
+ {
+  "op": "add",
+  "path": "/properties/IamRoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
  }
 ]

src/cfnlint/data/schemas/patches/extensions/all/aws_appstream_fleet/format.json

@@ -8,5 +8,10 @@
   "op": "add",
   "path": "/definitions/VpcConfig/properties/SecurityGroupIds/items/format",
   "value": "AWS::EC2::SecurityGroup.Id"
+ },
+ {
+  "op": "add",
+  "path": "/properties/IamRoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
  }
 ]

src/cfnlint/data/schemas/patches/extensions/all/aws_appstream_imagebuilder/format.json

@@ -8,5 +8,10 @@
   "op": "add",
   "path": "/definitions/VpcConfig/properties/SecurityGroupIds/items/format",
   "value": "AWS::EC2::SecurityGroup.Id"
+ },
+ {
+  "op": "add",
+  "path": "/properties/IamRoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
  }
 ]

src/cfnlint/data/schemas/patches/extensions/all/aws_aps_scraper/format.json

@@ -8,5 +8,10 @@
   "op": "add",
   "path": "/definitions/Source/properties/EksConfiguration/properties/SecurityGroupIds/format",
   "value": "AWS::EC2::SecurityGroup.Ids"
+ },
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
  }
 ]

src/cfnlint/data/schemas/patches/extensions/all/aws_auditmanager_assessment/format.json

@@ -0,0 +1,12 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/IamArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/IamArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_autoscaling_autoscalinggroup/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/LifecycleHookSpecification/properties/RoleARN/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_autoscaling_lifecyclehook/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleARN/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_backup_backupselection/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/BackupSelectionResourceType/properties/IamRoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_backup_restoretestingselection/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/IamRoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_bedrock_knowledgebase/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_chatbot_microsoftteamschannelconfiguration/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/IamRoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_chatbot_slackchannelconfiguration/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/IamRoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cleanrooms_configuredtableassociation/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cleanrooms_membership/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/MembershipProtectedQueryResultConfiguration/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cleanroomsml_trainingdataset/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cloudfront_realtimelogconfig/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/KinesisStreamConfig/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cloudwatch_metricstream/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_codepipeline_pipeline/format.json

@@ -0,0 +1,17 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/ActionDeclaration/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/RuleDeclaration/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ },
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_codestarconnections_syncconfiguration/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cognito_identitypool/format.json

@@ -0,0 +1,12 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/CognitoStreams/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/PushSync/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cognito_identitypoolroleattachment/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/MappingRule/properties/RoleARN/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cognito_userpoolclient/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/AnalyticsConfiguration/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_cognito_userpoolgroup/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_config_configurationaggregator/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/OrganizationAggregationSource/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_config_configurationrecorder/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleARN/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_databrew_job/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_databrew_project/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_dax_cluster/format.json

@@ -1,4 +1,9 @@
 [
+ {
+  "op": "add",
+  "path": "/properties/IAMRoleARN/format",
+  "value": "AWS::IAM::Role.Arn"
+ },
  {
   "op": "add",
   "path": "/properties/SecurityGroupIds/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_deadline_fleet/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_deadline_monitor/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_deadline_queue/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_enclavecertificateiamroleassociation/__init__.py

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/RoleArn/format",
+  "value": "AWS::IAM::Role.Arn"
+ }
+]