Skip to content

fix: add cfn-lint ignore rules for new format validation checks#3915

Merged
roger-zhangg merged 1 commit intoaws:developfrom
roger-zhangg:fix/cfn-lint-ignore-format-rules
Apr 21, 2026
Merged

fix: add cfn-lint ignore rules for new format validation checks#3915
roger-zhangg merged 1 commit intoaws:developfrom
roger-zhangg:fix/cfn-lint-ignore-format-rules

Conversation

@roger-zhangg
Copy link
Copy Markdown
Member

@roger-zhangg roger-zhangg commented Apr 21, 2026

Summary

cfn-lint v1.49.0 (aws-cloudformation/cfn-lint#4442) expanded format keyword coverage, adding validation for several new AWS resource property formats. This causes 97 new lint errors on test fixture files that use placeholder/fake ARN values.

New rules added to .cfnlintrc.yaml ignore list

Rule Description
E1041 Ref/GetAtt format mismatch — test fixtures use refs that resolve correctly at deploy time
E1156 Invalid IAM Role ARN format — test fixtures use placeholder values like some-arn
E1157 Invalid KMS Key ARN format — test fixtures use placeholder values like thisIsaKey
E1159 Invalid ACM Certificate ARN format — test fixtures use placeholder values like arn::cert::abc
W1031 Fn::Sub resolved value format mismatch — test fixtures use simplified ARN patterns

Context

These errors are not caused by any code change — they are triggered by the upstream cfn-lint release. The develop branch will also fail once CI re-runs with cfn-lint >= 1.49.0. This also unblocks #3913.

The test fixture files under tests/translator/output/ intentionally use simplified placeholder values for ARNs, which is consistent with how other checks (E3001, E3006, W3037) are already suppressed in .cfnlintrc.yaml.

Testing

Verified locally that cfn-lint 1.49.1 --format parseable produces 0 errors with this change.

@roger-zhangg
fix: add cfn-lint ignore rules for new format validation checks
bc98561 
cfn-lint 1.49.0 expanded format keyword coverage (aws-cloudformation/cfn-lint#4442),
adding validation for ACM Certificate ARNs (E1159), IAM Role ARNs (E1156),
KMS Key ARNs (E1157), Ref/GetAtt format matching (E1041), and Fn::Sub
resolved value checking (W1031).

These new rules flag placeholder/fake ARN values in test fixture files
under tests/translator/output/. Since these are intentionally simplified
test values (not real templates), suppress the checks in .cfnlintrc.yaml.
@roger-zhangg roger-zhangg requested a review from a team as a code owner April 21, 2026 21:29
@roger-zhangg
Copy link
Copy Markdown
Member Author

roger-zhangg commented Apr 21, 2026
edited
Loading

aws-cloudformation/cfn-lint#4468
Issue created on cfn-lint side for E1041 false positive

valerena
valerena approved these changes Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@valerena valerena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading only the description I thought that it didn't make sense to ignore E1041, but then I saw the other comment and the linked issue in their repo. Sounds good.

@roger-zhangg roger-zhangg merged commit ea9b220 into aws:develop Apr 21, 2026
7 checks passed
@roger-zhangg roger-zhangg mentioned this pull request Apr 22, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@valerena valerena valerena approved these changes

@seshubaws seshubaws seshubaws approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@roger-zhangg @valerena @seshubaws