[Bug] Impossible, rules-unaware condition errors

[alnoki]

CloudFormation Lint Version

1.11.0

What operating system are you using?

Mac pre-commit

Describe the bug

The reproduction template throws:

W1001 Ref to resource 'InternetGateway' that may not be available when condition 'ProvisionStack' is False and when condition 'ProvisionVpc' is True at Resources/InternetGatewayAttachment/Properties/InternetGatewayId

Specifically, the purported hypothetical situation

when condition 'ProvisionStack' is False and when condition 'ProvisionVpc' is True

is impossible per the ProvisionVpc rule.

Expected behavior

The lint should pass, without having to duplicate ProvisionVpc rule logic in
the ProvisionVpc condition. E.g. while updating the condition to:

  ProvisionVpc: !And
  - !Condition 'ProvisionStack'
  - !Equals
    - !Ref 'ProvisionVpc'
    - 'true'

results in a successful lint, this situation requires duplicate definitions
just to satisfy the linter, thus reducing maintainability.

Moreover, since cfn-lint's static analysis is based off of conditions instead
of rules (presumably, based on the reproduction template), templates that pass
lints might not preserve the intended behavior if a cascaded condition is added
without an accompanying duplicate rule.

Reproduction template

---
Conditions:
  ProvisionStack: !Equals
  - !Ref 'ProvisionStack'
  - 'true'
  ProvisionVpc: !Equals
  - !Ref 'ProvisionVpc'
  - 'true'
Parameters:
  ProvisionStack:
    AllowedValues:
    - 'false'
    - 'true'
    Type: 'String'
  ProvisionVpc:
    AllowedValues:
    - 'false'
    - 'true'
    Type: 'String'
Resources:
  InternetGateway:
    Condition: 'ProvisionStack'
    Type: 'AWS::EC2::InternetGateway'
  InternetGatewayAttachment:
    Condition: 'ProvisionVpc'
    Properties:
      InternetGatewayId: !Ref 'InternetGateway'
      VpcId: !Ref 'Vpc'
    Type: 'AWS::EC2::VPCGatewayAttachment'
  Vpc:
    Condition: 'ProvisionVpc'
    Properties:
      CidrBlock: '0.0.0.0/16'
    Type: 'AWS::EC2::VPC'
Rules:
  ProvisionVpc:
    Assertions:
    - Assert: !Or
      - Fn::Not: !Condition 'ProvisionVpc'
      - !Condition 'ProvisionStack'
...

[kddejong]

Duplicate #1888. We would need to add support for Rules.

[alnoki]

@kddejong unfortunately with v1.14.2 the reproduction template still throws the same error described above, despite #3634's inclusion in v1.12.0. Did you verify #3634 against the reproduction template I provided above?

[kddejong]

Yea, but with the change of Fn::Not: !Condition 'ProvisionVpc' to Fn::Not: [!Condition 'ProvisionVpc']. I suppose it is possible the Rules version of the Fn::Not supports a none list but the docs say to use a list.

[kddejong]

Also as provided by the CloudFormation service Template error: Fn::Not requires a list argument with one element

[alnoki]

@kddejong thanks for the followup and for the docs references.

I updated a template I was actually using with the new list-based Fn::Not style and my lints passed, but then I was unable to deploy a changeset: it appears that !Condition is not a supported rule-specific intrinsic function, so I've filed #3710 accordingly

[kddejong]

Working on the Condition portion of this today.