Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect [E3002: Resource properties are invalid] message for AWS::SageMaker::Domain resoruce for the AppLifecycleManagement property #3921

Closed
rwmason opened this issue Jan 22, 2025 · 1 comment · Fixed by #3922
Closed

Incorrect [E3002: Resource properties are invalid] message for AWS::SageMaker::Domain resoruce for the AppLifecycleManagement property #3921

rwmason opened this issue Jan 22, 2025 · 1 comment · Fixed by #3922

Comments

@rwmason
Copy link

rwmason commented Jan 22, 2025

CloudFormation Lint Version

1.22.6

What operating system are you using?

Mac OS 15.1.1

Describe the bug

Running cfn-lint against a template that contains an AWS::SageMaker::Domain resource with the AppLifecycleManagement property defined results in the error:

E3002 Additional properties are not allowed ('AppLifecycleManagement' was unexpected)

This was being defined as follows (full replication template also included):

  Domain:
    Type: AWS::SageMaker::Domain
    Properties:
      DomainName: test-domain
      AuthMode: IAM
      DefaultUserSettings:
        ExecutionRole: !GetAtt ExecutionRole.Arn
        JupyterLabAppSettings:
          AppLifecycleManagement:
            IdleSettings:
              IdleTimeoutInMinutes: 60
              LifecycleManagement: ENABLED
              MaxIdleTimeoutInMinutes: 240
              MinIdleTimeoutInMinutes: 60
      DefaultSpaceSettings:
        ExecutionRole: !GetAtt ExecutionRole.Arn
        JupyterLabAppSettings:
          AppLifecycleManagement:
            IdleSettings:
              IdleTimeoutInMinutes: 60
              LifecycleManagement: ENABLED
              MaxIdleTimeoutInMinutes: 240
              MinIdleTimeoutInMinutes: 60
      SubnetIds: !Ref pSubnets
      VpcId: !Ref pVpc
      ...

According to the docs for this resource type, this is the correct way to specify these properties: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-domain-jupyterlabappsettings.html#cfn-sagemaker-domain-jupyterlabappsettings-applifecyclemanagement

This is also reflected in the resource schema:

        "JupyterLabAppSettings": {
            "type": "object",
            "description": "The JupyterLab app settings.",
            "additionalProperties": false,
            "properties": {
                "DefaultResourceSpec": {
                    "$ref": "#/definitions/ResourceSpec",
                    "description": "The default instance type and the Amazon Resource Name (ARN) of the default SageMaker image used by the JupyterLab app."
                },
                "LifecycleConfigArns": {
                    "type": "array",
                    "description": "A list of LifecycleConfigArns available for use with JupyterLab apps.",
                    "uniqueItems": false,
                    "minItems": 0,
                    "maxItems": 30,
                    "items": {
                        "$ref": "#/definitions/StudioLifecycleConfigArn"
                    }
                },
                "CodeRepositories": {
                    "type": "array",
                    "description": "A list of CodeRepositories available for use with JupyterLab apps.",
                    "uniqueItems": false,
                    "minItems": 0,
                    "maxItems": 30,
                    "items": {
                        "$ref": "#/definitions/CodeRepository"
                    }
                },
                "CustomImages": {
                    "type": "array",
                    "description": "A list of custom images for use for JupyterLab apps.",
                    "uniqueItems": false,
                    "minItems": 0,
                    "maxItems": 200,
                    "items": {
                        "$ref": "#/definitions/CustomImage"
                    }
                },
                "AppLifecycleManagement": {
                    "$ref": "#/definitions/AppLifecycleManagement"
                }
            }
        },
        "AppLifecycleManagement": {
            "type": "object",
            "properties": {
                "IdleSettings": {
                    "$ref": "#/definitions/IdleSettings"
                }
            },
            "additionalProperties": false
        },
        "IdleSettings": {
            "type": "object",
            "properties": {
                "LifecycleManagement": {
                    "$ref": "#/definitions/LifecycleManagement"
                },
                "IdleTimeoutInMinutes": {
                    "$ref": "#/definitions/IdleTimeoutInMinutes"
                },
                "MinIdleTimeoutInMinutes": {
                    "$ref": "#/definitions/MinIdleTimeoutInMinutes"
                },
                "MaxIdleTimeoutInMinutes": {
                    "$ref": "#/definitions/MaxIdleTimeoutInMinutes"
                }
            },
            "additionalProperties": false
        },

Creating the stack despite the error from cfn-lint results in the stack creating successfully, and the API call to CreateDomain is properly showing these values being based in the request parameters:

Therefore, it seems cfn-lint is incorrectly detecting this as an invalid property

Expected behavior

As this is a valid property, it would be expected that cfn-lint does not display the E3002 Additional properties are not allowed ('AppLifecycleManagement' was unexpected) message

Reproduction template

Parameters:
  pSubnets:
    Type: List<AWS::EC2::Subnet::Id>
  pVpc:
    Type: AWS::EC2::VPC::Id

Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - sagemaker.amazonaws.com
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'

  Domain:
    Type: AWS::SageMaker::Domain
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - E3002
    Properties:
      DomainName: test-domain
      AuthMode: IAM
      DefaultUserSettings:
        ExecutionRole: !GetAtt ExecutionRole.Arn
        JupyterLabAppSettings:
          AppLifecycleManagement:
            IdleSettings:
              IdleTimeoutInMinutes: 60
              LifecycleManagement: ENABLED
              MaxIdleTimeoutInMinutes: 240
              MinIdleTimeoutInMinutes: 60
      DefaultSpaceSettings:
        ExecutionRole: !GetAtt ExecutionRole.Arn
        JupyterLabAppSettings:
          AppLifecycleManagement:
            IdleSettings:
              IdleTimeoutInMinutes: 60
              LifecycleManagement: ENABLED
              MaxIdleTimeoutInMinutes: 240
              MinIdleTimeoutInMinutes: 60
      SubnetIds: !Ref pSubnets
      VpcId: !Ref pVpc
@kddejong
Copy link
Contributor

This was previously patched out because of schema issues which now seem to be resolved so clearing it up.

@kddejong kddejong mentioned this issue Jan 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove Sagemaker domain patch and run update specs kddejong/cfn-python-lint
2 participants
@kddejong @rwmason