cfn-lint enforces awslogs-group to be an ARN but CloudFormation does not consider it as valid #3911

Open
gautaz opened this issue Jan 14, 2025 · 3 comments

Comments

@gautaz

gautaz commented Jan 14, 2025

CloudFormation Lint Version

cfn-lint 1.22.4

What operating system are you using?

alpine3.20 (cfn-lint in docker)

Describe the bug

While specifying a LogConfiguration, the AWS documentation is quite evasive on what the awslogs-group option is supposed to be.

Looking deeper in their documentation, I found myself redirected to this Docker documentation which seems to imply that this option should be set with the LogGroupName.

When linting a template with awslogs-group set to the LogGroupName, cfn-lint fails with this error:

E1010 'LogGroupName' is not one of ['Arn'] in ['eu-west-3']

So I tried replacing the LogGroupName with the Arn.
This time no error from cfn-lint but when deploying the template with CloudFormation, it fails with:

Resource handler returned message:
"Invalid request provided: Create TaskDefinition:
Log driver awslogs option 'awslogs-group' contains invalid characters.
(Service: AmazonECS; Status Code: 400; Error Code: ClientException;
Request ID: 64a7caf9-9a9b-40a1-bd51-4c40f91706b6; Proxy: null)"
(RequestToken: 05873d0f-b9f1-768e-f0cf-04af2a0d7a4a, HandlerErrorCode: InvalidRequest)

So I guess an ARN is not valid when specifying the awslogs-group option.

Has anyone any insight on this matter?

Expected behavior

I expect cfn-lint to enforce an awslogs-group that complies with what CloudFormation considers to be valid.

Reproduction template

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestCluster:
    Type: AWS::ECS::Cluster
  TestFargateExecutionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
    Type: AWS::IAM::Role
  TestFargateTaskRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
    Type: AWS::IAM::Role
  TestLogGroup:
    Type: AWS::Logs::LogGroup
  TestTaskDefinition:
    Properties:
      ContainerDefinitions:
        - Image: nginx:1.27.3-alpine3.20
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !GetAtt 'TestLogGroup.LogGroupName'
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: test-service
          Name: TestContainerDefinition
          PortMappings:
            - ContainerPort: 80
      Cpu: '256'
      ExecutionRoleArn: !GetAtt 'TestFargateExecutionRole.Arn'
      Memory: '512'
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn: !GetAtt 'TestFargateTaskRole.Arn'
    Type: AWS::ECS::TaskDefinition
@gautaz
Author

gautaz commented Jan 14, 2025

So I did replace awslogs-group: !GetAtt 'TestLogGroup.LogGroupName' or awslogs-group: !GetAtt 'TestLogGroup.Arn' with awslogs-group: !Ref 'TestLogGroup' which seems to be the right way to pass the log group to the option.

What bothers me is the error message from cfn-lint which seems misleading.
Is this intended?

@kddejong
Contributor

kddejong commented Jan 14, 2025

Looking into this. Early indications are because the Arn is the only documented return value. This also seems to be the only defined GetAtt property in the schema as well.

What that error is pointing to is the idea that the Arn is the only attribute you can do a GetAtt to for this resource type. The work to add knowledge about the correct relationships (Ref/GetAtt with the attribute) is ongoing and isn't complete. So in this case we are just making sure the GetAtt is correct but we don't know if a GetAtt or Ref was the correct way to associate.

@kddejong
Contributor

Added some logic to make this possible going forward but we have to continue to build out the logic to support more use cases.

E1040 {'Fn::GetAtt': ['TestLogGroup', 'Arn']} does not match destination format of 'AWS::Logs::LogGroup.Name'
i3911.yaml:36:15
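As an added illustration of the Ref/GetAtt "destination format" check discussed in this thread (this is not cfn-lint's own code), a small Python model that flags an awslogs-group value resolving to a log group ARN instead of a log group name. The format names mirror the E1040 message above, the literal-name character set is an assumption based on CloudWatch Logs naming rules, and sample_template builds a constructed, minimal version of the reproduction template.

```python
import re

# What Ref / GetAtt yield for a log group, modelled on cfn-lint's format names.
RESOLVED_FORMAT = {"AWS::Logs::LogGroup": {"Ref": "AWS::Logs::LogGroup.Name",
                                           "Arn": "AWS::Logs::LogGroup.Arn"}}
EXPECTED_FORMAT = "AWS::Logs::LogGroup.Name"  # awslogs-group wants a name, not an ARN
# Assumed literal-name character set; an ARN fails it because of the colons.
NAME_RE = re.compile(r"^[A-Za-z0-9_./#-]{1,512}$")

def resolve_format(value, resources):
    """Format a literal or {Ref}/{Fn::GetAtt} value resolves to, or None if unknown."""
    if isinstance(value, str):
        return EXPECTED_FORMAT if NAME_RE.match(value) else "InvalidCharacters"
    if isinstance(value, dict) and len(value) == 1:
        (fn, arg), = value.items()
        if fn == "Ref":
            rtype = resources.get(arg, {}).get("Type")
            return RESOLVED_FORMAT.get(rtype, {}).get("Ref")
        if fn == "Fn::GetAtt":
            logical_id, attr = arg if isinstance(arg, list) else arg.split(".", 1)
            rtype = resources.get(logical_id, {}).get("Type")
            return RESOLVED_FORMAT.get(rtype, {}).get(attr)  # LogGroupName -> None
    return None

def check_awslogs_group(template):
    """Return one E1040-style finding per awslogs-group value that is not a name."""
    resources = template.get("Resources", {})
    findings = []
    for rid, res in resources.items():
        if res.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        for cdef in res.get("Properties", {}).get("ContainerDefinitions", []):
            opts = cdef.get("LogConfiguration", {}).get("Options", {})
            if "awslogs-group" in opts:
                got = resolve_format(opts["awslogs-group"], resources)
                if got != EXPECTED_FORMAT:
                    findings.append(f"E1040 {opts['awslogs-group']!r} in {rid} does not "
                                    f"match destination format of '{EXPECTED_FORMAT}' ({got})")
    return findings

def sample_template(group_value):
    """Constructed minimal template mirroring the issue's reproduction case."""
    return {"Resources": {
        "TestLogGroup": {"Type": "AWS::Logs::LogGroup"},
        "TestTaskDefinition": {"Type": "AWS::ECS::TaskDefinition", "Properties": {
            "ContainerDefinitions": [{"Name": "TestContainerDefinition",
                "LogConfiguration": {"LogDriver": "awslogs",
                                     "Options": {"awslogs-group": group_value}}}]}}}}
```

Running check_awslogs_group on sample_template with {"Ref": "TestLogGroup"} yields no findings, while the GetAtt Arn form from the original template is flagged.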
