.github/workflows/cd-pypi.yaml

@@ -7,6 +7,7 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    if: github.repository == 'aws-cloudformation/cfn-lint'
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python

.github/workflows/cd-release.yaml

@@ -7,6 +7,7 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.repository == 'aws-cloudformation/cfn-lint'
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/maintenance-v0.yaml

@@ -6,6 +6,7 @@ on:
 jobs:
   job:
     runs-on: ubuntu-latest
+    if: github.repository == 'aws-cloudformation/cfn-lint'
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/maintenance-v1.yaml

@@ -6,6 +6,7 @@ on:
 jobs:
   job:
     runs-on: ubuntu-latest
+    if: github.repository == 'aws-cloudformation/cfn-lint'
     steps:
       - uses: actions/checkout@v4
         with:

CHANGELOG.md

@@ -1,3 +1,15 @@
+### v1.30.0
+## What's Changed
+* Allow conditions in foreach by @kddejong in https://github.com/aws-cloudformation/cfn-lint/pull/4009
+* Allow `_` in condition names by @kddejong in https://github.com/aws-cloudformation/cfn-lint/pull/4008
+* Remove experimental from [W3037](https://github.com/aws-cloudformation/cfn-python-lint/blob/main/docs/rules.md#W3037) by @kddejong in https://github.com/aws-cloudformation/cfn-lint/pull/3680
+* Add in `pattern` for CodePipeline action names by @kddejong in https://github.com/aws-cloudformation/cfn-lint/pull/4012
+* Support GetAtts for nested stacks and outputs by @kddejong in https://github.com/aws-cloudformation/cfn-lint/pull/4011
+* Add rule [I2003](https://github.com/aws-cloudformation/cfn-python-lint/blob/main/docs/rules.md#I2003) to validate `AllowedPattern` by @kddejong in https://github.com/aws-cloudformation/cfn-lint/pull/4013
+* Validate identity base SIDs by @kddejong in https://github.com/aws-cloudformation/cfn-lint/pull/4016
+
+**Full Changelog**: https://github.com/aws-cloudformation/cfn-lint/compare/v1.29.1...v1.30.0
+
 ### v1.29.1
 ## What's Changed
 * Update CloudFormation schemas to `2025-03-10` by @github-actions in https://github.com/aws-cloudformation/cfn-lint/pull/3999

README.md

@@ -342,7 +342,7 @@ If you'd like cfn-lint to be run automatically when making changes to files in y
 ```yaml
 repos:
   - repo: https://github.com/aws-cloudformation/cfn-lint
-    rev: v1.29.1 # The version of cfn-lint to use
+    rev: v1.30.0 # The version of cfn-lint to use
     hooks:
       - id: cfn-lint
         files: path/to/cfn/dir/.*\.(json|yml|yaml)$
@@ -353,7 +353,7 @@ If you are using a `.cfnlintrc` and specifying the `templates` or `ignore_templa
 ```yaml
 repos:
   - repo: https://github.com/aws-cloudformation/cfn-lint
-    rev: v1.29.1 # The version of cfn-lint to use
+    rev: v1.30.0 # The version of cfn-lint to use
     hooks:
       - id: cfn-lint-rc
 ```

scripts/update_schemas_manually.py

@@ -593,9 +593,13 @@
                     path="/definitions/StageDeclaration/properties/Actions",
                 ),
                 Patch(
-                    values={"pattern": "^[0-9A-Za-z_-]{1,9}$"},
+                    values={"pattern": "^[0-9A-Za-z_\-]{1,9}$"},
                     path="/definitions/ActionTypeId/properties/Version",
                 ),
+                Patch(
+                    values={"pattern": "^[A-Za-z0-9.@\-_]{1,100}$"},
+                    path="/definitions/ActionDeclaration/properties/Name",
+                ),
             ],
         ),
         ResourcePatch(

src/cfnlint/context/__init__.py

@@ -1,3 +1,3 @@
 __all__ = ["Context", "create_context_for_template"]
 
-from cfnlint.context.context import Context, Path, create_context_for_template
+from cfnlint.context.context import Context, Path, Resource, create_context_for_template

src/cfnlint/context/context.py

@@ -5,11 +5,12 @@
 
 from __future__ import annotations
 
+import os
 from abc import ABC, abstractmethod
 from collections import deque
 from dataclasses import InitVar, dataclass, field, fields
 from functools import lru_cache
-from typing import Any, Deque, Iterator, Sequence, Set, Tuple
+from typing import TYPE_CHECKING, Any, Deque, Iterator, Sequence, Set, Tuple
 
 from cfnlint.context._mappings import Mappings
 from cfnlint.context.conditions._conditions import Conditions
@@ -22,6 +23,9 @@
 )
 from cfnlint.schema import PROVIDER_SCHEMA_MANAGER, AttributeDict
 
+if TYPE_CHECKING:
+    from cfnlint.template import Template
+
 _PSEUDOPARAMS_NON_REGION = ["AWS::AccountId", "AWS::NoValue", "AWS::StackName"]
 
 
@@ -384,6 +388,37 @@ def is_ssm_parameter(self) -> bool:
         return self.type.startswith("AWS::SSM::Parameter::")
 
 
+def _nested_stack_get_atts(filename, template_url):
+    if (
+        template_url.startswith("http://")
+        or template_url.startswith("https://")
+        or template_url.startswith("s3://")
+    ):
+        return None
+
+    base_dir = os.path.dirname(os.path.abspath(filename))
+    template_path = os.path.normpath(os.path.join(base_dir, template_url))
+
+    try:
+        from cfnlint.decode import decode
+
+        (tmp, matches) = decode(template_path)
+    except Exception:  # noqa: E722
+        return None
+    if matches:
+        return None
+
+    outputs = AttributeDict()
+
+    tmp_outputs = tmp.get("Outputs")
+    if not isinstance(tmp_outputs, dict):
+        return outputs
+
+    for name, _ in tmp_outputs.items():
+        outputs[f"Outputs.{name}"] = "/properties/CfnLintStringType"
+    return outputs
+
+
 @dataclass
 class Resource(_Ref):
     """
@@ -393,8 +428,10 @@ class Resource(_Ref):
     type: str = field(init=False)
     condition: str | None = field(init=False, default=None)
     resource: InitVar[Any]
+    filename: InitVar[str | None] = field(default=None)
+    _nested_stack_get_atts: AttributeDict | None = field(init=False, default=None)
 
-    def __post_init__(self, resource) -> None:
+    def __post_init__(self, resource: Any, filename: str | None) -> None:
         if not isinstance(resource, dict):
             raise ValueError("Resource must be a object")
         t = resource.get("Type")
@@ -409,7 +446,18 @@ def __post_init__(self, resource) -> None:
             raise ValueError("Condition must be a string")
         self.condition = c
 
+        if self.type == "AWS::CloudFormation::Stack":
+            properties = resource.get("Properties")
+            if isinstance(properties, dict):
+                template_url = properties.get("TemplateURL")
+                if isinstance(template_url, str):
+                    self._nested_stack_get_atts = _nested_stack_get_atts(
+                        filename, template_url
+                    )
+
     def get_atts(self, region: str = REGION_PRIMARY) -> AttributeDict:
+        if self._nested_stack_get_atts is not None:
+            return self._nested_stack_get_atts
         return PROVIDER_SCHEMA_MANAGER.get_type_getatts(self.type, region)
 
     def ref(self, region: str = REGION_PRIMARY) -> dict[str, Any]:
@@ -433,13 +481,13 @@ def _init_parameters(parameters: Any) -> dict[str, Parameter]:
     return obj
 
 
-def _init_resources(resources: Any) -> dict[str, Resource]:
+def _init_resources(resources: Any, filename: str | None = None) -> dict[str, Resource]:
     obj = {}
     if not isinstance(resources, dict):
         raise ValueError("Resource must be a object")
     for k, v in resources.items():
         try:
-            obj[k] = Resource(v)
+            obj[k] = Resource(v, filename)
         except ValueError:
             pass
     return obj
@@ -451,7 +499,7 @@ def _init_transforms(transforms: Any) -> Transforms:
     return Transforms([])
 
 
-def create_context_for_template(cfn):
+def create_context_for_template(cfn: Template) -> "Context":
     parameters = {}
     try:
         parameters = _init_parameters(cfn.template.get("Parameters", {}))
@@ -460,7 +508,7 @@ def create_context_for_template(cfn):
 
     resources = {}
     try:
-        resources = _init_resources(cfn.template.get("Resources", {}))
+        resources = _init_resources(cfn.template.get("Resources", {}), cfn.filename)
     except (ValueError, AttributeError):
         pass
 

src/cfnlint/data/schemas/other/conditions/conditions.json

@@ -1,7 +1,7 @@
 {
  "additionalProperties": false,
  "patternProperties": {
-  "^[a-zA-Z0-9&]{1,255}$": {
+  "^[a-zA-Z0-9&_]{1,255}$": {
    "type": "boolean"
   }
  },

src/cfnlint/data/schemas/other/iam/policy.json

@@ -9,6 +9,7 @@
    "items": {
     "type": "string"
    },
+   "minItems": 1,
    "type": [
     "string",
     "array"

src/cfnlint/data/schemas/other/iam/policy_identity.json

@@ -43,7 +43,8 @@
      "$ref": "policy#/definitions/Resource"
     },
     "Sid": {
-     "$ref": "policy#/definitions/Statement/properties/Sid"
+     "$ref": "policy#/definitions/Statement/properties/Sid",
+     "pattern": "^[A-Za-z0-9]+$"
     }
    }
   }

src/cfnlint/data/schemas/patches/extensions/all/aws_codepipeline_pipeline/manual.json

@@ -7,10 +7,15 @@
    "ArtifactStores"
   ]
  },
+ {
+  "op": "add",
+  "path": "/definitions/ActionDeclaration/properties/Name/pattern",
+  "value": "^[A-Za-z0-9.@\\-_]{1,100}$"
+ },
  {
   "op": "add",
   "path": "/definitions/ActionTypeId/properties/Version/pattern",
-  "value": "^[0-9A-Za-z_-]{1,9}$"
+  "value": "^[0-9A-Za-z_\\-]{1,9}$"
  },
  {
   "op": "add",

src/cfnlint/data/schemas/providers/ap_southeast_5/aws-codepipeline-pipeline.json

@@ -25,6 +25,7 @@
      "uniqueItems": true
     },
     "Name": {
+     "pattern": "^[A-Za-z0-9.@\\-_]{1,100}$",
      "type": "string"
     },
     "Namespace": {
@@ -75,7 +76,7 @@
      "type": "string"
     },
     "Version": {
-     "pattern": "^[0-9A-Za-z_-]{1,9}$",
+     "pattern": "^[0-9A-Za-z_\\-]{1,9}$",
      "type": "string"
     }
    },

src/cfnlint/data/schemas/providers/ap_southeast_7/aws-codepipeline-pipeline.json

@@ -25,6 +25,7 @@
      "uniqueItems": true
     },
     "Name": {
+     "pattern": "^[A-Za-z0-9.@\\-_]{1,100}$",
      "type": "string"
     },
     "Namespace": {
@@ -75,7 +76,7 @@
      "type": "string"
     },
     "Version": {
-     "pattern": "^[0-9A-Za-z_-]{1,9}$",
+     "pattern": "^[0-9A-Za-z_\\-]{1,9}$",
      "type": "string"
     }
    },

src/cfnlint/data/schemas/providers/ca_west_1/aws-codepipeline-pipeline.json

@@ -25,6 +25,7 @@
      "uniqueItems": true
     },
     "Name": {
+     "pattern": "^[A-Za-z0-9.@\\-_]{1,100}$",
      "type": "string"
     },
     "Namespace": {
@@ -75,7 +76,7 @@
      "type": "string"
     },
     "Version": {
-     "pattern": "^[0-9A-Za-z_-]{1,9}$",
+     "pattern": "^[0-9A-Za-z_\\-]{1,9}$",
      "type": "string"
     }
    },

src/cfnlint/data/schemas/providers/us_east_1/aws-codepipeline-pipeline.json

@@ -32,6 +32,7 @@
      "uniqueItems": true
     },
     "Name": {
+     "pattern": "^[A-Za-z0-9.@\\-_]{1,100}$",
      "type": "string"
     },
     "Namespace": {
@@ -99,7 +100,7 @@
      "type": "string"
     },
     "Version": {
-     "pattern": "^[0-9A-Za-z_-]{1,9}$",
+     "pattern": "^[0-9A-Za-z_\\-]{1,9}$",
      "type": "string"
     }
    },

src/cfnlint/rules/conditions/Used.py

@@ -24,7 +24,7 @@ def match(self, cfn: Template) -> RuleMatches:
         conditions = cfn.template.get("Conditions", {})
         if conditions:
             # Get all "If's" that reference a Condition
-            iftrees = cfn.search_deep_keys("Fn::If")
+            iftrees = cfn.transform_pre["Fn::If"]
 
             for iftree in iftrees:
                 if isinstance(iftree[-1], list):

src/cfnlint/rules/parameters/AllowedPattern.py

@@ -0,0 +1,45 @@
+"""
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+
+from typing import Any
+
+import regex as re
+
+from cfnlint.jsonschema import ValidationError, ValidationResult, Validator
+from cfnlint.rules.jsonschema.CfnLintKeyword import CfnLintKeyword
+
+
+class AllowedPattern(CfnLintKeyword):
+
+    id = "I2003"
+    shortdesc = "Validate AllowedPattern is a valid regexs"
+    description = (
+        "Validate the pattern defined in a AllowedPattern. "
+        "This is informational as the service side regex library is "
+        "different than the Python one"
+    )
+    source_url = "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html"
+    tags = ["parameters", "allowed pattern"]
+
+    def __init__(self) -> None:
+        super().__init__(
+            keywords=[
+                "Parameters/*/AllowedPattern",
+            ]
+        )
+
+    def validate(
+        self, validator: Validator, keywords: Any, instance: Any, schema: dict[str, Any]
+    ) -> ValidationResult:
+
+        if not validator.is_type(instance, "string"):
+            return
+
+        try:
+            re.compile(instance)
+        except Exception as e:
+            yield ValidationError(
+                f"{instance!r} could not be compiled ({str(e)})", rule=self
+            )

src/cfnlint/rules/parameters/Configuration.py

@@ -48,12 +48,10 @@ def __init__(self):
     def _pattern_properties(
         self, validator: Validator, aP: Any, instance: Any, schema: Any
     ):
-        # We have to rework pattern properties
-        # to re-add the keyword or we will have an
-        # infinite loop
+        # Flip back on add cfn-lint keyword
         validator = validator.evolve(
             function_filter=validator.function_filter.evolve(
-                add_cfn_lint_keyword=False,
+                add_cfn_lint_keyword=True,
             )
         )
         yield from patternProperties(validator, aP, instance, schema)