Description
CloudFormation Lint Version
cfn-lint 1.18.4
What operating system are you using?
Windows 11
Describe the bug
Added an `ignore_checks` entry under the template-root `Metadata`. When I run the CLI with `-i W` against the file, the error listed under `ignore_checks` (E3033) is still reported, even though, as I understand it, template metadata has higher precedence than CLI parameters. The error is suppressed if I run without the `-i W` parameter. Adding `ignore_checks` at the resource level works as intended.
Expected behavior
The check listed in the template-root `ignore_checks` metadata (E3033 here) should still be suppressed when the CLI is run with `-i W`.
Reproduction template
# Reproduction template from the report above. The template-root
# Metadata/cfn-lint/config/ignore_checks entry is the one the reporter says
# is not honoured when the CLI is run with "-i W".
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation Template to create a IAM Policies and Roles
Metadata:
  cfn-lint:
    config:
      # Template-wide suppression of E3033. NOTE(review): a root-level ignore
      # hides the finding for every resource in the file; the report says a
      # resource-level Metadata ignore works, and that is also the narrower
      # suppression - prefer it where the finding is resource-specific.
      ignore_checks:
        - E3033
Parameters:
  AccountNameShort:
    Description: Abbreviated account name
    # Resolved from SSM Parameter Store at deploy time; interpolated into the
    # S3 ARNs below via !Sub.
    Type: AWS::SSM::Parameter::Value<String>
  ProjectTagValue:
    Default: project
    Description: Project the resources are for
    # NOTE(review): not referenced anywhere in this template. An
    # unused-parameter warning is presumably what "-i W" is silencing;
    # removing the parameter would avoid the blanket "-i W" altogether.
    Type: String
Resources:
  # NOTE(review): despite the name, this policy is not read-only - see the
  # Secrets Manager and CodeBuild statements flagged below.
  ReadPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: read-policy
      Description: read policy
      Path: /
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # s3:ListAllMyBuckets is an account-level action that is not scoped
          # to a bucket ARN, hence the bare '*'.
          - Effect: Allow
            Action: 's3:ListAllMyBuckets'
            Resource: '*'
          # Bucket-level reads. NOTE(review): S3 bucket names are global, so
          # 'arn:aws:s3:::team-*' matches any bucket whose name starts with
          # "team-" in any account, not just this one - confirm the prefix is
          # reserved for this team.
          - Effect: Allow
            Action:
              - 's3:ListBucket'
              - 's3:GetBucketLocation'
              - 's3:ListBucketVersions'
            Resource:
              - 'arn:aws:s3:::team-*'
              - !Sub "arn:aws:s3:::abcd-${AccountNameShort}-team-*"
          # Object-level reads on the abcd-*team-* bucket families (note the
          # trailing '/*' object key wildcard).
          - Effect: Allow
            Action:
              - 's3:GetObject'
              - 's3:GetObjectAcl'
              - 's3:GetObjectVersion'
            Resource:
              - 'arn:aws:s3:::abcd-team-*/*'
              - !Sub "arn:aws:s3:::abcd-${AccountNameShort}-team-*/*"
          # ECR read-only. NOTE(review): 'repository/*' covers every
          # repository in the account/region, not just team-prefixed ones.
          - Effect: Allow
            Action:
              - 'ecr:BatchGetRepositoryScanningConfiguration'
              - 'ecr:DescribeImages'
              - 'ecr:DescribeImageScanFindings'
              - 'ecr:DescribeRepositories'
              - 'ecr:ListImages'
              - 'ecr:ListTagsForResource'
            Resource: !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*'
          # SNS read-only, scoped to team-prefixed topics.
          - Effect: Allow
            Action:
              - 'sns:ListTagsForResource'
              - 'sns:ListSubscriptionsByTopic'
              - 'sns:GetTopicAttributes'
            Resource: !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
          # Step Functions read-only. NOTE(review): 'activity:*' is not
          # team-scoped, unlike the execution and stateMachine ARNs.
          - Effect: Allow
            Action:
              - 'states:Describe*'
              - 'states:Get*'
              - 'states:ListTag*'
            Resource:
              - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:execution:abcd-team-*:*'
              - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:activity:*'
              - !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:abcd-team-*'
          # SSM Parameter Store reads under the team's parameter path.
          - Effect: Allow
            Action:
              - 'ssm:GetParametersByPath'
              - 'ssm:GetParameters'
              - 'ssm:GetParameter'
            Resource:
              - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/abcd/team/team/*'
          # Lambda reads, first of two statements. NOTE(review):
          # 'code-signing-config:*', 'layer:*:*' and 'event-source-mapping:*'
          # are account-wide; only the function ARN carries the team prefix.
          - Effect: Allow
            Action:
              - 'lambda:GetProvisionedConcurrencyConfig'
              - 'lambda:ListFunctionsByCodeSigningConfig'
              - 'lambda:GetLayerVersion'
              - 'lambda:GetEventSourceMapping'
              - 'lambda:GetCodeSigningConfig'
              - 'lambda:GetLayerVersionPolicy'
            Resource:
              - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:code-signing-config:*'
              - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:*:*'
              - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:abcd-team-*:*'
              - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:event-source-mapping:*'
          # Lambda reads on the team's functions (unqualified function ARN,
          # no version/alias suffix).
          - Effect: Allow
            Action:
              - 'lambda:ListProvisionedConcurrencyConfigs'
              - 'lambda:ListFunctionEventInvokeConfigs'
              - 'lambda:ListVersionsByFunction'
              - 'lambda:GetFunctionConcurrency'
              - 'lambda:ListTags'
              - 'lambda:GetFunctionEventInvokeConfig'
              - 'lambda:GetFunction'
              - 'lambda:ListAliases'
              - 'lambda:GetFunctionConfiguration'
              - 'lambda:GetAlias'
              - 'lambda:GetFunctionCodeSigningConfig'
              - 'lambda:GetPolicy'
            Resource:
              - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:abcd-team-*'
          # CloudWatch read-only on team-prefixed resources. The dashboard ARN
          # has an empty region field because dashboards are account-global.
          - Effect: Allow
            Action:
              - 'cloudwatch:DescribeAlarmHistory'
              - 'cloudwatch:GetDashboard'
              - 'cloudwatch:GetInsightRuleReport'
              - 'cloudwatch:ListTagsForResource'
              - 'cloudwatch:DescribeAlarms'
              - 'cloudwatch:GetMetricStream'
            Resource:
              - !Sub 'arn:aws:cloudwatch::${AWS::AccountId}:dashboard/abcd-team*'
              - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:insight-rule/abcd-team-*'
              - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:abcd-team-*'
              - !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:metric-stream/abcd-team-*'
          # CodeBuild. NOTE(review): StartBuild*, StopBuild* and RetryBuild*
          # change build state and do not belong in a read policy; the
          # remaining actions are reads.
          - Effect: Allow
            Action:
              - 'codebuild:BatchGetProjects'
              - 'codebuild:BatchGetBuildBatches'
              - 'codebuild:ListReportsForReportGroup'
              - 'codebuild:GetReportGroupTrend'
              - 'codebuild:BatchGetReports'
              - 'codebuild:DescribeTestCases'
              - 'codebuild:GetResourcePolicy'
              - 'codebuild:DescribeCodeCoverages'
              - 'codebuild:ListBuildBatchesForProject'
              - 'codebuild:ListBuildsForProject'
              - 'codebuild:BatchGetReportGroups'
              - 'codebuild:BatchGetBuilds'
              - 'codebuild:StartBuild*'
              - 'codebuild:StopBuild*'
              - 'codebuild:RetryBuild*'
            Resource:
              - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/abcd-team-*'
              - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/abcd-team-*'
          # CodePipeline reads. NOTE(review): the actiontype ARN is unscoped;
          # only the pipeline and webhook ARNs carry the team prefix.
          - Effect: Allow
            Action:
              - 'codepipeline:ListWebhooks'
              - 'codepipeline:ListPipelineExecutions'
              - 'codepipeline:ListActionExecutions'
              - 'codepipeline:GetPipeline'
              - 'codepipeline:ListTagsForResource'
              - 'codepipeline:GetPipelineState'
              - 'codepipeline:GetPipelineExecution'
            Resource:
              - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:actiontype:*/*/*/*'
              - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
              - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:webhook:abcd-team-*'
          # CodeDeploy reads. NOTE(review): 'instance:*' is account-wide.
          - Effect: Allow
            Action:
              - 'codedeploy:Get*'
              - 'codedeploy:BatchGet*'
              - 'codedeploy:List*'
            Resource:
              - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:application:abcd-team-*'
              - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:instance:*'
              - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:abcd-team-*/abcd-team-*'
              - !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentconfig:abcd-team-*'
          # CodeCommit. 'Batch*' and 'Get*' already cover
          # BatchGetRepositories, so that entry is redundant. 'describe*' is
          # lowercase while the rest are CamelCase; IAM matches action names
          # case-insensitively so it works, but keep the casing consistent.
          # NOTE(review): CancelUploadArchive is not a read action.
          - Effect: Allow
            Action:
              - 'codecommit:Get*'
              - 'codecommit:List*'
              - 'codecommit:describe*'
              - 'codecommit:Batch*'
              - 'codecommit:GitPull'
              - 'codecommit:BatchGetRepositories'
              - 'codecommit:CancelUploadArchive'
              - 'codecommit:EvaluatePullRequestApprovalRules'
            Resource:
              - !Sub 'arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:abcd-team-*'
          # NOTE(review): this statement grants create, write, rotate and
          # delete on every secret under abcd/team/team/ (PutSecretValue,
          # CreateSecret, UpdateSecret, DeleteSecret, RotateSecret, ...) in a
          # policy named "read-policy". Move these into a separate write
          # policy, or rename this policy so its scope is honest.
          - Effect: Allow
            Action:
              - 'secretsmanager:GetSecretValue'
              - 'secretsmanager:DescribeSecret'
              - 'secretsmanager:ListSecretVersionIds'
              - 'secretsmanager:RestoreSecret'
              - 'secretsmanager:PutSecretValue'
              - 'secretsmanager:CreateSecret'
              - 'secretsmanager:UpdateSecretVersionStage'
              - 'secretsmanager:DeleteSecret'
              - 'secretsmanager:RotateSecret'
              - 'secretsmanager:CancelRotateSecret'
              - 'secretsmanager:UpdateSecret'
            Resource:
              - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:abcd/team/team/*'
          # CloudWatch Logs reads. Each log-group ARN is paired with a
          # ':log-stream:*' ARN for the actions whose resource is the stream
          # rather than the group.
          - Effect: Allow
            Action:
              - 'logs:DescribeLogGroups'
              - 'logs:GetLogEvents'
              - 'logs:DescribeLogStreams'
              - 'logs:FilterLogEvents'
            Resource:
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/team'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/team:log-stream:*'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/emissary'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/*/emissary:log-stream:*'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/rds/instance/team-*'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/rds/instance/team-*:log-stream:*'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/abcd/team/opensearch/*'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/abcd/team/opensearch/*:log-stream:*'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/abcd-team*'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/abcd-team*:log-stream:*'