Checking for Lint in your CloudFormation Templates
If you are like me, you want your templates to pass muster and therefore usually pass them through some type of verification tool beyond the human eye, which is a poor verification tool by the way. Especially without caffiene.
As much as I love hunting config files for missing comas and quotation marks, or an out of alignment issue. I would rather spend the time thinking about the content of the template, rather the formatting.
So have I ventured to find a few solutions to make the hunt easier.
Install cfn-lint
Installing cfn-lint is usually a few keystrokes away using your favourite package manager.
Linux
If you are on a Debian-based Linux
apt install cfn-lint
or if you run a Red Hat based system
yum install cfn-lint
or Arch Linux (umm, okay, I can see it)
sudo pacman -S python-cfn-lint
or Gentoo Linux (what the hell? why?)
ebuild dev-python/cfn-python-lint
macOS
brew install cfn-lint
FreeBSD
pkg install cfn-lint
This should get cfn-lint installed to your system. Verify.
$ cfn-lint -v
cfn-lint 0.48.2
Command line
Using this script you can check your CloudFormation templates until the cows come home. But, that is going to get old real quick. And you will want to either add an extension to your editor or at the very least add the pre-commit hooks to prevent commits with templates that don’t pass.
Issues can be output in different formats. There are parseable, json, junit, and pretty formats. For example, if you just want parse output in a script or command.
$ cfn-lint --format parseable template.yml -f parseable
template.yml:115:3:115:15:W3011:Both UpdateReplacePolicy and DeletionPolicy are needed to protect Resources/ConfigBucket from deletion
Or if you want JSON output
$ cfn-lint -t template.yml -f json
[
{
"Filename": "templates.yml",
"Level": "Warning",
"Location": {
"End": {
"ColumnNumber": 15,
"LineNumber": 115
},
"Path": [
"Resources",
"ConfigBucket"
],
"Start": {
"ColumnNumber": 3,
"LineNumber": 115
}
},
"Message": "Both UpdateReplacePolicy and DeletionPolicy are needed to protect Resources/ConfigBucket from deletion",
"Rule": {
"Description": "Both UpdateReplacePolicy and DeletionPolicy are needed to protect resources from deletion",
"Id": "W3011",
"ShortDescription": "Check resources with UpdateReplacePolicy/DeletionPolicy have both",
"Source": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html"
}
}
]
Visual Studio Code & Codium
For the people that like to do things away from the command line, CloudFormation Linter is an extension that can add CodeLens details about template issues to VSC.
I couldn’t find it in the Codium marketplace, so I had to download the VISX file and install manually. VS Code should be a straight click Install of the extension from the Microsoft Visual Studio Code marketplace.
Git Pre Commit Hooks
Install
brew install pre-commit
Or from Python
pip install pre-commit
Repository Config
You can setup git repository pre-commit hooks to run cfn-lint against the file(s) in the commit. Of course, this requires that pre-commit be installed to the system.
# .pre-commit-config.yaml
repos:
# cfn-python-lint
- repo: https://github.com/aws-cloudformation/cfn-python-lint
rev: v0.48.2
hooks:
- id: cfn-python-lint
files: templates/.*\.(json|yml|yaml)$
The files entry uses regexp to math path and file names.
When you commit the pre-hook will run the templates through cfn-lint, preventing any templates that don’t pass cfn-lint.
$ git commit -m "Extremely nice commit message!"
AWS CloudFormation Linter................................................Passed
Happy Linting!