AWS::ApiGateway.AccessLogSetting.DestinationArn AllowedPatternRegex

[jlhood]

Description of issue.

Amazon API Gateway just announced support for writing Access Logs directly to Kinesis Data Firehose instead of CloudWatch Logs.

Buried in the CloudFormation documentation is this constraint:

DestinationArn
The Amazon Resource Name (ARN) of the CloudWatch Logs log group or Kinesis Data Firehose delivery stream to receive access logs. If you specify a Kinesis Data Firehose delivery stream, the stream name must begin with amazon-apigateway-.

The stream name prefix constraint is likely going to trip up customers who are letting CloudFormation name their Kinesis Data Firehose delivery stream since it won't have the required prefix unless their stack name begins with amazon-apigateway-.

Opening this issue to see if cfn-lint could help users by detecting this scenario and issuing a warning/error.

[PatMyron]

As described here, this needs AllowedPatternRegex to enforce:

cfn-lint/src/cfnlint/data/ExtendedSpecs/all/03_value_types.json

Lines 33 to 36 in a46773c

	"CidrIp": {
	"AllowedPattern": "x.x.x.x/y",
	"AllowedPatternRegex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[1-2][0-9]|3[0-2]))$"
	},

---

This AllowedPatternRegex seems usable for a couple properties at least:

AWS::ApiGateway::Deployment.AccessLogSetting.DestinationArn

AWS::ApiGateway::Stage.AccessLogSetting.DestinationArn