SYSTEM Cited by 1 source

cfn-lint¶

Definition¶

cfn-lint (AWS CloudFormation Linter) is the AWS-maintained linter for CloudFormation templates (YAML and JSON). It validates a template against the CloudFormation resource provider schemas and a curated set of best-practice rules before the template is submitted to CloudFormation.

cfn-lint catches a wide class of mistakes that CloudFormation would otherwise only report at runtime — invalid property names, wrong property types, missing required properties, invalid intrinsic function arguments, cross-stack reference errors, region-specific resource availability, and many best-practice violations (e.g., DeletionPolicy missing on stateful resources).

Seen in¶

sources/2024-01-22-zalando-tale-of-metadpata-the-revenge-of-the-supertools — Zalando adds cfn-lint to the infrastructure-change-validation tier post-metadpata: "We've introduced a series of validation steps, for example stringent checks for the presence of mandatory keys and the preview of all stack templates using AWS CloudFormation Linter before they get deployed." Runs both locally (via pre-commit hooks) and server-side in the CI/CD pipeline — same commit-and-CI redundancy as patterns/jsonschema-validated-config-both-local-and-ci.

Relationship to adjacent tools¶

CloudFormation's native validation (ValidateTemplate API) — catches syntactic errors and a narrow class of structural problems. cfn-lint catches more, including runtime-type errors that would only surface at apply time.
JSON Schema validators — apply to arbitrary YAML/JSON configs. cfn-lint is CloudFormation-specific and understands the resource-provider schemas.
CloudFormation ChangeSet — shows the per-resource deltas of a submitted template. cfn-lint is pre-submission; ChangeSet is post-submission, pre-apply.
AWS CDK cdk synth + cdk diff — CDK's equivalents; synth produces a template that can then be linted by cfn-lint.

Typical integration¶

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/aws-cloudformation/cfn-lint
    rev: v0.83.0
    hooks:
      - id: cfn-lint
        files: templates/.*\.(json|yml|yaml)$

# CI (GitHub Actions example)
- name: lint CloudFormation templates
  run: cfn-lint templates/*.yaml

The same cfn-lint version at both points keeps enforcement consistent.

Caveats¶

cfn-lint is not a replacement for ChangeSet preview. cfn-lint validates the template; ChangeSet validates the delta against live state. Both are necessary.
Rule tuning matters. Default rules may be too permissive or too strict for a given team's conventions; most teams pin a rule set.
Custom resources render opaque to cfn-lint (same as to ChangeSet).