Move KMS validation for SSESpecification on Tables (#3700)

* Remove rule E3640 and move to standard schemas

scripts/update_schemas_manually.py

@@ -641,6 +641,14 @@
                     },
                     path="/",
                 ),
+                Patch(
+                    values={"enum": ["KMS"]},
+                    path="/definitions/SSESpecification/properties/SSEType",
+                ),
+                Patch(
+                    values={"dependentRequired": {"KMSMasterKeyId": ["SSEType"]}},
+                    path="/definitions/SSESpecification",
+                ),
             ],
         ),
         ResourcePatch(
@@ -670,6 +678,10 @@
                     },
                     path="/",
                 ),
+                Patch(
+                    values={"enum": ["AES256", "KMS"]},
+                    path="/definitions/SSESpecification/properties/SSEType",
+                ),
             ],
         ),
         ResourcePatch(

scripts/update_snapshot_results.sh

@@ -8,6 +8,7 @@ cfn-lint test/fixtures/templates/integration/availability-zones.yaml -e -c I --f
 cfn-lint test/fixtures/templates/integration/aws-ec2-networkinterface.yaml -e -c I --format json > test/fixtures/results/integration/aws-ec2-networkinterface.json
 cfn-lint test/fixtures/templates/integration/aws-ec2-instance.yaml -e -c I --format json > test/fixtures/results/integration/aws-ec2-instance.json
 cfn-lint test/fixtures/templates/integration/aws-ec2-launchtemplate.yaml -e -c I --format json > test/fixtures/results/integration/aws-ec2-launchtemplate.json
+cfn-lint test/fixtures/templates/integration/aws-dynamodb-table.yaml -e -c I --format json > test/fixtures/results/integration/aws-dynamodb-table.json
 
 # public/
 cfn-lint test/fixtures/templates/public/lambda-poller.yaml -e -c I --format json > test/fixtures/results/public/lambda-poller.json

src/cfnlint/data/schemas/patches/extensions/all/aws_dynamodb_globaltable/manual.json

@@ -23,5 +23,13 @@
     }
    }
   ]
+ },
+ {
+  "op": "add",
+  "path": "/definitions/SSESpecification/properties/SSEType/enum",
+  "value": [
+   "AES256",
+   "KMS"
+  ]
  }
 ]

src/cfnlint/data/schemas/patches/extensions/all/aws_dynamodb_table/manual.json

@@ -29,5 +29,21 @@
     }
    }
   ]
+ },
+ {
+  "op": "add",
+  "path": "/definitions/SSESpecification/properties/SSEType/enum",
+  "value": [
+   "KMS"
+  ]
+ },
+ {
+  "op": "add",
+  "path": "/definitions/SSESpecification/dependentRequired",
+  "value": {
+   "KMSMasterKeyId": [
+    "SSEType"
+   ]
+  }
  }
 ]

src/cfnlint/data/schemas/providers/us_east_1/aws-dynamodb-globaltable.json

@@ -421,6 +421,10 @@
      "type": "boolean"
     },
     "SSEType": {
+     "enum": [
+      "AES256",
+      "KMS"
+     ],
      "type": "string"
     }
    },

src/cfnlint/data/schemas/providers/us_east_1/aws-dynamodb-table.json

@@ -360,6 +360,11 @@
   },
   "SSESpecification": {
    "additionalProperties": false,
+   "dependentRequired": {
+    "KMSMasterKeyId": [
+     "SSEType"
+    ]
+   },
    "properties": {
     "KMSMasterKeyId": {
      "anyOf": [
@@ -388,6 +393,9 @@
      "type": "boolean"
     },
     "SSEType": {
+     "enum": [
+      "KMS"
+     ],
      "type": "string"
     }
    },

test/fixtures/results/integration/aws-dynamodb-table.json

@@ -0,0 +1,61 @@
+[
+    {
+        "Filename": "test/fixtures/templates/integration/aws-dynamodb-table.yaml",
+        "Id": "9853e961-d150-10b3-4728-32a621c7fbf6",
+        "Level": "Error",
+        "Location": {
+            "End": {
+                "ColumnNumber": 23,
+                "LineNumber": 22
+            },
+            "Path": [
+                "Resources",
+                "Table1",
+                "Properties",
+                "SSESpecification"
+            ],
+            "Start": {
+                "ColumnNumber": 7,
+                "LineNumber": 22
+            }
+        },
+        "Message": "'SSEType' is a dependency of 'KMSMasterKeyId'",
+        "ParentId": null,
+        "Rule": {
+            "Description": "When certain properties are specified it results in other properties to be required",
+            "Id": "E3021",
+            "ShortDescription": "Validate that when a property is specified that other properties should be included",
+            "Source": "https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/cfn-schema-specification.md#dependentrequired"
+        }
+    },
+    {
+        "Filename": "test/fixtures/templates/integration/aws-dynamodb-table.yaml",
+        "Id": "ecae4565-1f41-0f11-949a-c27038ed5a02",
+        "Level": "Error",
+        "Location": {
+            "End": {
+                "ColumnNumber": 16,
+                "LineNumber": 44
+            },
+            "Path": [
+                "Resources",
+                "Table2",
+                "Properties",
+                "SSESpecification",
+                "SSEType"
+            ],
+            "Start": {
+                "ColumnNumber": 9,
+                "LineNumber": 44
+            }
+        },
+        "Message": "'AES256' is not one of ['KMS']",
+        "ParentId": null,
+        "Rule": {
+            "Description": "Check if properties have a valid value in case of an enumator",
+            "Id": "E3030",
+            "ShortDescription": "Check if properties have a valid value",
+            "Source": "https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/cfn-schema-specification.md#enum"
+        }
+    }
+]

test/fixtures/templates/integration/aws-dynamodb-table.yaml

@@ -0,0 +1,44 @@
+
+Resources:
+  KMS:
+    Type: AWS::KMS::Key
+    UpdateReplacePolicy: Retain
+    DeletionPolicy: Retain
+  Table1:
+    UpdateReplacePolicy: Retain
+    DeletionPolicy: Retain
+    Type: AWS::DynamoDB::Table
+    Properties:
+      TableName: table1
+      AttributeDefinitions:
+        - AttributeName: id
+          AttributeType: S
+      KeySchema:
+        - AttributeName: id
+          KeyType: HASH
+      ProvisionedThroughput:
+        ReadCapacityUnits: 1
+        WriteCapacityUnits: 1
+      SSESpecification:
+        KMSMasterKeyId: !GetAtt KMS.Arn
+        SSEEnabled: true
+        # SSEType: KMS # to provide an error
+  Table2:
+    UpdateReplacePolicy: Retain
+    DeletionPolicy: Retain
+    Type: AWS::DynamoDB::Table
+    Properties:
+      TableName: table2
+      AttributeDefinitions:
+        - AttributeName: id
+          AttributeType: S
+      KeySchema:
+        - AttributeName: id
+          KeyType: HASH
+      ProvisionedThroughput:
+        ReadCapacityUnits: 1
+        WriteCapacityUnits: 1
+      SSESpecification:
+        KMSMasterKeyId: !GetAtt KMS.Arn
+        SSEEnabled: true
+        SSEType: AES256

test/integration/test_integration_templates.py

@@ -72,6 +72,13 @@ class TestQuickStartTemplates(BaseCliTestCase):
             ),
             "exit_code": 2,
         },
+        {
+            "filename": ("test/fixtures/templates/integration/aws-dynamodb-table.yaml"),
+            "results_filename": (
+                "test/fixtures/results/integration/aws-dynamodb-table.json"
+            ),
+            "exit_code": 2,
+        },
     ]
 
     def test_templates(self):