Get value constraints from AWS registry types #1867
Conversation
kddejong
force-pushed
the
feature/valuecontraintsfromregistry
branch
from
d453491
to
22a86e1
Compare
scripts/update_from_registry.py
Outdated
| """ main function """ | ||
| configure_logging() | ||
|
|
||
| types = client.list_types( |
There was a problem hiding this comment.
comment to remember pagination if calling list_types() (+1 to boto/botocore#2177)
There was a problem hiding this comment.
These hosted resource provider schemas might be even better to avoid credential requirements and pagination
scripts/update_from_registry.py
Outdated
| @@ -0,0 +1,180 @@ | |||
| #!/usr/bin/env python | |||
There was a problem hiding this comment.
let's make sure this is run in #1792 as well
There was a problem hiding this comment.
thoughts on just putting this in cfn-lint --update-specs like #1682 if we use the hosted resource provider schemas to avoid new credential requirements? Would be great if updates could be easily picked up without us needing to release
There was a problem hiding this comment.
yea good question. Any thoughts on how this would scale and the speed of it? We could download the zips and read them instead of using the APIs (honestly didn't know that existed). Plus it would help with my rate limiting issues.
| @@ -0,0 +1,1883 @@ | |||
| [ | |||
There was a problem hiding this comment.
thoughts on ditching these files + writing directly to CloudSpecs if we make this part of cfn-lint --update-specs?
think it's confusing that ExtendedSpecs/all is partially manually maintained and partially autogenerated
might be useful to include some metadata that the information is coming from the Registry though
There was a problem hiding this comment.
agreed. The automation portions can get confusing. Let me see what I can do.
There was a problem hiding this comment.
Current values that would need to get corrected in AWS::DataBrew::Job.DatasetName
DatasetName" : {
"description" : "Dataset name",
"type" : "string",
"pattern" : "[ --�𐀀-\t]*",
"minLength" : 1,
"maxLength" : 255
},
There was a problem hiding this comment.
found all non-ASCII characters in resource schemas (only pattern ones related to this PR):
$ brew install coreutils
$ ggrep --color='auto' -P -n "[^\x00-\x7F]" *
aws-appflow-connectorprofile.json:158: "description" : "A unique alphanumeric identifier used to authenticate a user, developer, or calling program to your API.",
aws-appflow-connectorprofile.json:171: "description" : "A unique alphanumeric identifier used to authenticate a user, developer, or calling program to your API.",
aws-appflow-connectorprofile.json:175: "description" : "Application keys, in conjunction with your API key, give you full access to Datadog’s programmatic API. Application keys are associated with the user account that created them. The application key is used to log all requests made to the API.",
aws-appflow-connectorprofile.json:215: "description" : "The identifier for the desired client.",
aws-appflow-connectorprofile.json:245: "description" : "The identifier for the user.",
aws-appflow-connectorprofile.json:273: "description" : "The identifier for the desired client.",
aws-appflow-connectorprofile.json:327: "description" : "The object key for the destination bucket in which Amazon AppFlow will place the files.",
aws-appflow-connectorprofile.json:398: "description" : "A unique alphanumeric identifier used to authenticate a user, developer, or calling program to your API.",
aws-appflow-connectorprofile.json:408: "description" : "The identifier for the desired client.",
aws-appflow-connectorprofile.json:454: "description" : "The name of the Snowflake warehouse.",
aws-appflow-connectorprofile.json:458: "description" : "The name of the Amazon S3 stage that was created while setting up an Amazon S3 stage in the\nSnowflake account. This is written in the following format: < Database>< Schema><Stage Name>.",
aws-appflow-connectorprofile.json:462: "description" : "The name of the Amazon S3 bucket associated with Snowflake.",
aws-appflow-connectorprofile.json:466: "description" : "The bucket prefix that refers to the Amazon S3 bucket associated with Snowflake.",
aws-appflow-connectorprofile.json:470: "description" : "The Snowflake Private Link service name to be used for private data transfers.",
aws-appflow-connectorprofile.json:478: "description" : "The region of the Snowflake account.",
aws-appflow-connectorprofile.json:522: "description" : "The identifier for the desired client.",
aws-databrew-job.json:9: "pattern" : "[ --�𐀀-�\t]*",
aws-databrew-job.json:27: "pattern" : "[ --�𐀀-�\t]*",
aws-databrew-job.json:72: "pattern" : "[ --�𐀀-�\t]*",
aws-databrew-recipe.json:8: "pattern" : "[ --�𐀀-�\t]*",
aws-databrew-recipe.json:16: "pattern" : "^[ -.0-^`--�]*$",
aws-databrew-schedule.json:37: "pattern" : "[ --�𐀀-�\t]*",
aws-gamelift-gameservergroup.json:244: "pattern" : "[ --�𐀀-�\r\n\t]*",
aws-kinesis-stream.json:26: "description" : "An arbitrary set of tags (key–value pairs) to associate with the Kinesis stream.",
aws-kinesis-stream.json:73: "description" : "An arbitrary set of tags (key–value pairs) to associate with the Kinesis stream.",
aws-mediapackage-packagingconfiguration.json:100: "description" : "This setting controls how ad markers are included in the packaged OriginEndpoint. “NONE” will omit all SCTE-35 ad markers from the output. “PASSTHROUGH” causes the manifest to contain a copy of the SCTE-35 ad markers (comments) taken directly from the input HTTP Live Streaming (HLS) manifest. “SCTE35_ENHANCED” generates ad markers and blackout tags based on SCTE-35 messages in the input source.",
aws-mediapackage-packagingconfiguration.json:141: "description" : "The Dynamic Adaptive Streaming over HTTP (DASH) profile type. When set to “HBBTV_1_5”, HbbTV 1.5 compliant output is enabled.",
aws-mediapackage-packagingconfiguration.json:217: "description" : "A list of triggers that controls when the outgoing Dynamic Adaptive Streaming over HTTP (DASH) Media Presentation Description (MPD) will be partitioned into multiple periods. If empty, the content will not be partitioned into more than one period. If the list contains “ADS”, new periods will be created where the Asset contains SCTE-35 ad markers.",https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-appflow/pull/6#discussion_r562217193
aws-cloudformation/aws-cloudformation-resource-providers-databrew#2 (comment)
https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-gamelift/pull/13#discussion_r562220060
https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-kinesis/pull/6#discussion_r562226794
https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-mediapackage/pull/3#discussion_r562228692
(in TODO list in aws-cloudformation/cloudformation-cli#663 / aws-cloudformation/cloudformation-cli#459)
|
Noting constraints applied last overwrite any already existing constraints (seems okay, just noteworthy) |
|
Do you know how this handles combined JSON schemas? Fine to not handle them yet since there are so few resource provider schemas using them so far, just want to make sure they're at least not handled incorrectly: grep -l -E -i '(oneOf|anyOf|allOf)' *
aws-applicationinsights-application.json
aws-cloudformation-moduledefaultversion.json
aws-cloudformation-stackset.json
aws-cloudwatch-metricstream.json
aws-databrew-dataset.json
aws-databrew-recipe.json
aws-gamelift-alias.json
aws-iotwireless-wirelessdevice.json
aws-kendra-datasource.json
aws-rds-globalcluster.json
aws-s3-storagelens.json
aws-sagemaker-pipeline.json
aws-synthetics-canary.json |
kddejong
force-pushed
the
feature/valuecontraintsfromregistry
branch
from
22a86e1
to
86a6cf0
Compare
|
This is awesome btw, this alone is pulling in significantly more constraints: |
| "op": "add", | ||
| "path": "/ValueTypes/AWS::SageMaker::ModelBiasJobDefinition.EndpointInput.EndTimeOffset", | ||
| "value": { | ||
| "Allowed |
There was a problem hiding this comment.
Similar to aws-cloudformation/cloudformation-cli#459, we need to think about how to verify regular expressions are valid in Java and Python
(some don't seem to be valid in either though 🤔)
There was a problem hiding this comment.
Switched to the regex package that supports unicode. That helps bring Python closer to Java but there are still some expressions that are not compliant. Example: ^[a-zA-Z0-9-]+{1,255}$
There was a problem hiding this comment.
PatMyron
changed the title
kddejong
force-pushed
the
feature/valuecontraintsfromregistry
branch
2 times, most recently
from
1d8726a
to
265a207
Compare
kddejong
force-pushed
the
feature/valuecontraintsfromregistry
branch
4 times, most recently
from
2c70c72
to
30dd5c2
Compare
kddejong
force-pushed
the
feature/valuecontraintsfromregistry
branch
9 times, most recently
from
80a511f
to
d4fd6f8
Compare
kddejong
force-pushed
the
feature/valuecontraintsfromregistry
branch
from
fe4d594
to
1a3e7f3
Compare
|
This is going to add a little time to build |
I like this idea. Separating this from the python codebase would help me with |
kddejong
force-pushed
the
feature/valuecontraintsfromregistry
branch
from
1a3e7f3
to
776f7fb
Compare
* Get value constraints from registry types * Eliminate unicode strings from being allowed for patterns
There was a problem hiding this comment.
minItems/maxItems could be translated to ListMin/ListMax as well
currently 468 usages of those 2 keywords in AWS resource schemas:
CloudformationSchema $ grep -Eho '"m\w\wItems"' * | sort | uniq -c | sort -nr
257 "maxItems"
211 "minItems"| results['.'.join(names + [propname])] = {} | ||
| if propdetails.get('pattern'): | ||
| p = propdetails.get('pattern') | ||
| if '.'.join(names + [propname]) == 'AWS::OpsWorksCM::Server.CustomPrivateKey': |
There was a problem hiding this comment.
| if propdetails.get('enum'): | ||
| results['.'.join(names + [propname])].update({ | ||
| 'AllowedValues': propdetails.get('enum') | ||
| }) |
There was a problem hiding this comment.
Could grab enums for types other than string as well
Especially since we seem to already be handling more types in the rule itself:
https://github.com/aws-cloudformation/cfn-python-lint/blob/853522ff0e4c977331ac677a47059cf96b6f3189/src/cfnlint/rules/resources/properties/AllowedValue.py#L38
| 'NumberMin': propdetails.get('minimum'), | ||
| 'NumberMax': propdetails.get('maximum'), |
There was a problem hiding this comment.
Could use exclusiveMinimum/exclusiveMaximum as well
Although no AWS resource schemas use these keywords yet anyway
Could even just set NumberMin/NumberMax for these for now even though those are inclusive since that'd still be better than not supporting it at all
Issue #, if available: #1277
Description of changes:
(in addition to already existing AWS constraints manually maintained and pulled from
botoand 3rd party constraints from Registry)By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.