Use region when looking for a resolver being satisfied (#3490)

* Use region when looking for a resolver being satisfied * Update github workflows
aws-cloudformation · Jul 11, 2024 · 93b27c2 · 93b27c2
1 parent afcf307
commit 93b27c2
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 14 deletions.
diff --git a/.github/workflows/ci-branch.yaml b/.github/workflows/ci-branch.yaml
@@ -74,3 +74,4 @@ jobs:
           ignore-vulns: |
             GHSA-r9hx-vwmv-q579
             PYSEC-2022-43012
+            PYSEC-2024-60
diff --git a/.github/workflows/ci-pr.yaml b/.github/workflows/ci-pr.yaml
@@ -94,3 +94,4 @@ jobs:
           ignore-vulns: |
             GHSA-r9hx-vwmv-q579
             PYSEC-2022-43012
+            PYSEC-2024-60
diff --git a/src/cfnlint/conditions/conditions.py b/src/cfnlint/conditions/conditions.py
@@ -8,6 +8,7 @@
 import itertools
 import logging
 import traceback
+from functools import lru_cache
 from typing import Any, Iterator, Set, Tuple
 
 from sympy import And, Implies, Not, Symbol
@@ -294,6 +295,7 @@ def check_implies(self, scenarios: dict[str, bool], implies: str) -> bool:
             #  formatting or just the wrong condition name
             return True
 
+    @lru_cache()
     def build_scenerios_on_region(
         self, condition_name: str, region: str
     ) -> Iterator[bool]:

diff --git a/src/cfnlint/jsonschema/_resolvers_cfn.py b/src/cfnlint/jsonschema/_resolvers_cfn.py
@@ -25,11 +25,11 @@ def ref(validator: Validator, instance: Any) -> ResolutionResult:
     if not isinstance(instance, (str, dict)):
         return
 
-    for instance, _, _ in validator.resolve_value(instance):
+    for instance, instance_validator, _ in validator.resolve_value(instance):
         if validator.is_type(instance, "string"):
             # if the ref is to pseudo-parameter or parameter we can validate the values
-            for v, c in validator.context.ref_value(instance):
-                yield v, validator.evolve(context=c), None
+            for v, c in instance_validator.context.ref_value(instance):
+                yield v, instance_validator.evolve(context=c), None
             return
 
 

diff --git a/src/cfnlint/jsonschema/validators.py b/src/cfnlint/jsonschema/validators.py
@@ -172,21 +172,23 @@ def resolve_value(self, instance: Any) -> ResolutionResult:
                 for r_value, r_validator, r_errs in self._resolve_fn(key, value):  # type: ignore
                     if not r_errs:
                         try:
-                            if self.cfn.conditions.satisfiable(
-                                r_validator.context.conditions.status,
-                                r_validator.context.ref_values,
+                            for _, region_context in r_validator.context.ref_value(
+                                "AWS::Region"
                             ):
-                                r_validator = r_validator.evolve(
-                                    context=r_validator.context.evolve(
-                                        is_resolved_value=True,
-                                    )
-                                )
-                                yield r_value, r_validator, r_errs
+                                if self.cfn.conditions.satisfiable(
+                                    region_context.conditions.status,
+                                    region_context.ref_values,
+                                ):
+                                    yield r_value, r_validator.evolve(
+                                        context=region_context.evolve(
+                                            is_resolved_value=True,
+                                        )
+                                    ), r_errs
                         except UnknownSatisfisfaction as err:
                             LOGGER.debug(err)
                             return
                     else:
-                        yield None, self, r_errs  # type: ignore
+                        yield None, r_validator, r_errs  # type: ignore
                 return
 
             # The return type is a Protocol and we are returning an instance

diff --git a/test/unit/module/conditions/test_conditions.py b/test/unit/module/conditions/test_conditions.py
@@ -254,7 +254,7 @@ def test_check_condition_region(self):
             ],
         )
         self.assertListEqual(
-            list(cfn.conditions.build_scenerios_on_region({"Ref": "Foo"}, "us-east-1")),
+            list(cfn.conditions.build_scenerios_on_region(1, "us-east-1")),
             [],
         )
-Original file line number
+Diff line change
@@ Expand Up / @@ -254,7 +254,7 @@ def test_check_condition_region(self): @@
                 ],
             )
             self.assertListEqual(
-                list(cfn.conditions.build_scenerios_on_region({"Ref": "Foo"}, "us-east-1")),
+                list(cfn.conditions.build_scenerios_on_region(1, "us-east-1")),
                 [],
             )
@@ Expand Down @@