martysweet/cfn-lint

Lint on Fn::If gives false alarm on Array value of S3 Bucket CorsRule

exoego opened this issue · 0 comments

The AllowedOrigins property of an Amazon S3 Bucket CorsRule accepts an Array value.
My CF template uses Fn::If to switch AllowedOrigins depending on the environment, like below:

    "MyBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "CorsConfiguration": {
          "CorsRules": [
            {
              "AllowedOrigins": {
                "Fn::If": [
                  "IsDev",
                  [
                    "https://dev1.example.com"
                  ],
                  [
                    "https://foo.prod1.example.com",
                    "https://bar.prod2.example.com"
                  ]
                ]
              },

This template is valid and works fine in CloudFormation.

However, cfn-lint gives a critical error on this, like:

    1 crit
    Resource: Resources > S3Annotation > Properties > CorsConfiguration > CorsRules > 0 > AllowedOrigins
    Message: Fn::If does not allow 0 as a nested function within an array
    Documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-if

I think this is a false alarm.
The suspect code is:

cfn-lint/src/validator.ts

Lines 1528 to 1537 in 7975480

    if(value instanceof Array){
        // Go through each element in the array, resolving if needed.
        let resolvedValue = [];
        for(let i=0; i < value.length; i++) {
            let keys = Object.keys(value[i]);
            if (awsIntrinsicFunctions['Fn::If']['supportedFunctions'].indexOf(keys[0]) !== -1) {
                resolvedValue.push(resolveIntrinsicFunction(value[i], keys[0]));
            }else{
                addError('crit', `Fn::If does not allow ${keys[0]} as a nested function within an array`, placeInTemplate, 'Fn::If');
            }
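
Why the message names `0`: a reduction of the quoted check, added here as an example and not taken from cfn-lint or from any fix the project shipped. The `SUPPORTED` list, the function names and the literal-aware variant are assumptions made for illustration.

```typescript
// Added example, not cfn-lint source. SUPPORTED is a constructed stand-in for
// awsIntrinsicFunctions['Fn::If']['supportedFunctions'].
const SUPPORTED: string[] = ["Fn::GetAtt", "Fn::If", "Fn::Join", "Ref"];

// Constructed input: the prod branch of the Fn::If from the issue.
const PROD_BRANCH: unknown[] = [
  "https://foo.prod1.example.com",
  "https://bar.prod2.example.com",
];

// Same test as the quoted loop: each element is assumed to be an object whose
// first key names an intrinsic function.
function checkAsQuoted(branch: unknown[]): string[] {
  const errors: string[] = [];
  for (const element of branch) {
    // For a string, Object.keys returns its character indices: "0", "1", ...
    const key: string | undefined = Object.keys(element as object)[0];
    if (key === undefined || SUPPORTED.indexOf(key) === -1) {
      errors.push(`Fn::If does not allow ${key} as a nested function within an array`);
    }
  }
  return errors;
}

// Hypothetical alternative: literal values pass through, and only a
// single-key object that looks like an intrinsic call is checked.
function checkLiteralAware(branch: unknown[]): string[] {
  const errors: string[] = [];
  for (const element of branch) {
    if (element === null || typeof element !== "object" || Array.isArray(element)) {
      continue; // string, number, boolean, null or nested list
    }
    const keys = Object.keys(element);
    if (keys.length !== 1) {
      continue; // empty or multi-key map: treated as a plain literal
    }
    const key = keys[0] as string;
    const looksIntrinsic = key === "Ref" || key.indexOf("Fn::") === 0;
    if (looksIntrinsic && SUPPORTED.indexOf(key) === -1) {
      errors.push(`Fn::If does not allow ${key} as a nested function within an array`);
    }
  }
  return errors;
}
```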