chore(tests): use valid ARN formats in test fixtures to comply with cfn-lint#3916
Merged
roger-zhangg merged 1 commit intoaws:developfrom Apr 22, 2026
Merged
Conversation
…fn-lint
cfn-lint 1.49.x added stricter format validation for AWS resource ARN
properties (E1156/E1157/E1159, E1041, W1031). Update test fixtures to
use ARNs that conform to the expected patterns, so cfn-lint runs cleanly
without needing to suppress these rules.
Changes:
- Replace placeholder values with valid-format ARN strings in test inputs:
- ACM certificates: 'my-api-cert-arn', 'cert-arn-in-us-east-1',
'another-api-arn', 'arn::cert::abc' -> arn:aws:acm:us-east-1:123456789012:certificate/...
- IAM roles: 'some-arn', 'some-role-arn', 'SomeRoleArn', 'my-ddb-role',
'my-lambda-role' -> arn:aws:iam::123456789012:role/...
- KMS keys: 'thisIsaKey', 'some-kms-arn' -> arn:aws:kms:us-east-1:123456789012:key/...
- Fn::Sub: 'arn:${AWS::Partition}:key:key' -> arn:${AWS::Partition}:kms:us-east-1:123456789012:key/my-key
- In function_with_kmskeyarn.yaml, change KmsKeyArn value from Ref: myKey
(returns Key ID) to Fn::GetAtt: [myKey, Arn] (correct ARN reference)
- Regenerate corresponding output JSON fixtures
- Remove the E1041/E1156/E1157/E1159/W1031 rules from .cfnlintrc.yaml
ignore list (added temporarily in aws#3915)
valerena
approved these changes
Apr 22, 2026
vicheey
approved these changes
Apr 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #3915. Fix the underlying cause instead of suppressing the checks: update test fixture inputs to use valid AWS ARN formats, regenerate outputs, then remove the temporary ignore rules from
.cfnlintrc.yaml.Background
cfn-lint 1.49.0 (aws-cloudformation/cfn-lint#4442) expanded format coverage, adding ARN pattern validation for ACM certificates, IAM roles, KMS keys, and cross-resource Ref/GetAtt checking. The fix rules originally added in #3915 blanket-ignored these checks across all test fixtures, which also hides any future real issues. This PR fixes the fixtures properly.
Changes
Input YAML updates — replace placeholder values with valid-format ARNs:
my-api-cert-arnarn:aws:acm:us-east-1:123456789012:certificate/my-api-certcert-arn-in-us-east-1arn:aws:acm:us-east-1:123456789012:certificate/abc123another-api-arnarn:aws:acm:us-east-1:123456789012:certificate/another-api-certarn::cert::abcarn:aws:acm:us-east-1:123456789012:certificate/abcsome-arn,some-role-arn,SomeRoleArnarn:aws:iam::123456789012:role/...my-ddb-role,my-lambda-rolearn:aws:iam::123456789012:role/my-ddb-role,.../my-lambda-rolethisIsaKey,some-kms-arnarn:aws:kms:us-east-1:123456789012:key/...arn:${AWS::Partition}:key:keyarn:${AWS::Partition}:kms:us-east-1:123456789012:key/my-keyE1041 fix in
function_with_kmskeyarn.yaml: changedKmsKeyArn: !Ref myKeytoKmsKeyArn: !GetAtt myKey.Arn.Refon anAWS::KMS::Keyreturns a Key ID (UUID), not an ARN — per the Lambda CreateFunction API,KMSKeyArnrequires an ARN. This change makes the template actually correct.Output JSON regeneration: 12 testcases with content-hashed logical IDs (API Gateway deployments, KMS ARN-dependent outputs) were regenerated by replaying the transformer. All 2117 transform tests pass.
.cfnlintrc.yaml: removed E1041, E1156, E1157, E1159, W1031 fromignore_checks(added in #3915).Testing
cfn-lint 1.49.3 --format parseableproduces 0 errors against the generated templates