Create ipv4 and ipv6 network formats (#3981)

* Create ipv4 and ipv6 network formats

* Update format docs

Author: kddejong

docs/format_keyword.md

@@ -35,3 +35,11 @@ This format validates that the value is a valid Amazon Machine Image (AMI), whic
 ### AWS::Logs::LogGroup.Name
 
 This format validates that the value is a valid log group name, which is a string of the pattern `^[\.\-_\/#A-Za-z0-9]{1,512}\Z`.  More info in [docs](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LogGroup.html)
+
+### ipv4-network
+
+Validates the value against the python implementation of validating an [IPV4 network](https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Network)
+
+### ipv6-network
+
+Validates the value against the python implementation of validating an [IPV6 network](https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv6Network)

scripts/update_schemas_format.py

@@ -36,6 +36,33 @@ def _descend(instance: Any, keywords: Sequence[str]) -> Iterator[deque[str]]:
     return
 
 
+def _create_cidr_patch(type_name: str, ref: str, resolver: RefResolver, format: str):
+    if type_name in [
+        "AWS::SecurityHub::Insight",
+    ]:
+        return []
+
+    _, resolved = resolver.resolve(ref)
+    if "$ref" in resolved:
+        return _create_cidr_patch(type_name, resolved["$ref"], resolver, format)
+
+    if "items" in resolved:
+        return [
+            Patch(
+                values={"format": format},
+                path=f"{ref[1:]}/items",
+            )
+        ]
+
+    return [
+        _create_patch(
+            {"format": format},
+            ref,
+            resolver=resolver,
+        )
+    ]
+
+
 def _create_subnet_ids_patch(type_name: str, ref: str, resolver: RefResolver):
 
     _, resolved = resolver.resolve(ref)
@@ -148,11 +175,17 @@ def _create_security_group_name(type_name: str, ref: str, resolver: RefResolver)
     ]
 
 
-def _create_patch(value: dict[str, str], ref: Sequence[str], resolver: RefResolver):
+def _create_patch(value: dict[str, str], ref: str, resolver: RefResolver):
     _, resolved = resolver.resolve(ref)
     if "$ref" in resolved:
         return _create_patch(value, resolved["$ref"], resolver)
 
+    if "items" in resolved:
+        return Patch(
+            values=value,
+            path=f"{ref[1:]}/items",
+        )
+
     return Patch(
         values=value,
         path=ref[1:],
@@ -270,6 +303,42 @@ def main():
                         )
                     )
 
+            for path in _descend(
+                obj,
+                [
+                    "CidrIp",
+                    "CIDRIP",
+                    "Cidr",
+                    "Cidrs",
+                    "CidrBlock",
+                    "DestinationCidr",
+                    "DestinationCidrBlock",
+                    "SourceCidrBlock",
+                    "CidrList",
+                    "CidrAllowList",
+                ],
+            ):
+                if path[-2] == "properties":
+                    resource_patches.extend(
+                        _create_cidr_patch(
+                            resource_type,
+                            ref="#/" + "/".join(path),
+                            resolver=resolver,
+                            format="ipv4-network",
+                        )
+                    )
+
+            for path in _descend(obj, ["Ipv6CidrBlock", "Ipv6Cidrs", "CidrIpv6"]):
+                if path[-2] == "properties":
+                    resource_patches.extend(
+                        _create_cidr_patch(
+                            resource_type,
+                            ref="#/" + "/".join(path),
+                            resolver=resolver,
+                            format="ipv6-network",
+                        )
+                    )
+
             for path in _descend(obj, ["ImageId", "AmiId"]):
                 if path[-2] == "properties":
                     resource_patches.append(

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_clientvpnroute/__init__.py

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/DestinationCidrBlock/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_clientvpnroute/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/Cidr/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_ipamallocation/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/Cidr/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_ipampool/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/Cidr/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_ipampoolcidr/__init__.py

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/DestinationCidrBlock/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_ipampoolcidr/format.json

@@ -0,0 +1,12 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/CidrBlock/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/properties/Ipv6CidrBlock/format",
+  "value": "ipv6-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_localgatewayroute/format.json

@@ -0,0 +1,22 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/AnalysisAclRule/properties/Cidr/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/AnalysisSecurityGroupRule/properties/Cidr/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/Explanation/properties/Cidrs/items/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/TransitGatewayRouteTableRoute/properties/DestinationCidr/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_networkaclentry/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/Entry/properties/Cidr/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_networkinsightsanalysis/format.json

@@ -0,0 +1,12 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/CidrBlock/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/properties/DestinationCidrBlock/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_prefixlist/format.json

@@ -1,9 +1,29 @@
 [
+ {
+  "op": "add",
+  "path": "/definitions/Egress/properties/CidrIp/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/Egress/properties/CidrIpv6/format",
+  "value": "ipv6-network"
+ },
  {
   "op": "add",
   "path": "/definitions/Egress/properties/DestinationSecurityGroupId/format",
   "value": "AWS::EC2::SecurityGroup.Id"
  },
+ {
+  "op": "add",
+  "path": "/definitions/Ingress/properties/CidrIp/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/Ingress/properties/CidrIpv6/format",
+  "value": "ipv6-network"
+ },
  {
   "op": "add",
   "path": "/definitions/Ingress/properties/SourceSecurityGroupId/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_route/format.json

@@ -1,4 +1,14 @@
 [
+ {
+  "op": "add",
+  "path": "/properties/CidrIp/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/properties/CidrIpv6/format",
+  "value": "ipv6-network"
+ },
  {
   "op": "add",
   "path": "/properties/DestinationSecurityGroupId/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_securitygroup/format.json

@@ -1,4 +1,14 @@
 [
+ {
+  "op": "add",
+  "path": "/properties/CidrIp/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/properties/CidrIpv6/format",
+  "value": "ipv6-network"
+ },
  {
   "op": "add",
   "path": "/properties/GroupId/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_securitygroupegress/format.json

@@ -1,4 +1,14 @@
 [
+ {
+  "op": "add",
+  "path": "/properties/CidrBlock/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/properties/Ipv6CidrBlock/format",
+  "value": "ipv6-network"
+ },
  {
   "op": "add",
   "path": "/properties/SubnetId/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_securitygroupingress/format.json

@@ -1,4 +1,9 @@
 [
+ {
+  "op": "add",
+  "path": "/properties/Ipv6CidrBlock/format",
+  "value": "ipv6-network"
+ },
  {
   "op": "add",
   "path": "/properties/SubnetId/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_subnet/format.json

@@ -0,0 +1,12 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/DestinationCidrBlock/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/properties/SourceCidrBlock/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_subnetcidrblock/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/DestinationCidrBlock/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_trafficmirrorfilterrule/__init__.py

@@ -1,4 +1,9 @@
 [
+ {
+  "op": "add",
+  "path": "/definitions/CidrOptions/properties/Cidr/format",
+  "value": "ipv4-network"
+ },
  {
   "op": "add",
   "path": "/definitions/SecurityGroupId/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_trafficmirrorfilterrule/format.json

@@ -1,4 +1,9 @@
 [
+ {
+  "op": "add",
+  "path": "/properties/CidrBlock/format",
+  "value": "ipv4-network"
+ },
  {
   "op": "add",
   "path": "/properties/DefaultSecurityGroup/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_transitgatewayroute/format.json

@@ -1,4 +1,14 @@
 [
+ {
+  "op": "add",
+  "path": "/properties/CidrBlock/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/properties/Ipv6CidrBlock/format",
+  "value": "ipv6-network"
+ },
  {
   "op": "add",
   "path": "/properties/VpcId/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_verifiedaccessendpoint/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/properties/DestinationCidrBlock/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_vpc/format.json

@@ -1,4 +1,14 @@
 [
+ {
+  "op": "add",
+  "path": "/definitions/RemoteNodeNetwork/properties/Cidrs/items/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/RemotePodNetwork/properties/Cidrs/items/format",
+  "value": "ipv4-network"
+ },
  {
   "op": "add",
   "path": "/definitions/ResourcesVpcConfig/properties/SecurityGroupIds/format",

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_vpccidrblock/format.json

@@ -0,0 +1,12 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/NetworkAclEntry/properties/CidrBlock/format",
+  "value": "ipv4-network"
+ },
+ {
+  "op": "add",
+  "path": "/definitions/NetworkAclEntry/properties/Ipv6CidrBlock/format",
+  "value": "ipv6-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_ec2_vpnconnectionroute/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/Resource/properties/Cidr/format",
+  "value": "ipv4-network"
+ }
+]

src/cfnlint/data/schemas/patches/extensions/all/aws_eks_cluster/format.json

@@ -0,0 +1,7 @@
+[
+ {
+  "op": "add",
+  "path": "/definitions/MetricValue/properties/Cidrs/items/format",
+  "value": "ipv4-network"
+ }
+]