W2001: Parameter <name> not used inaccurate when used in Metadata

[gbudge]

CloudFormation Lint Version

cfn-lint 1.22.0

What operating system are you using?

Windows 10

Describe the bug

When using a template parameter in Metadata, cfn-lint incorrectly raises W2001 that the parameter is not used.

Expected behavior

cfn-lint should not raise W2001 when a parameter is used in Metadata.

Reproduction template

Description: CloudFormation template

Metadata:
  ExampleMetadata: !Sub BucketPurpose

Parameters:
  BucketName:
    Type: String
    Description: Example parameter
  BucketPurpose:
    Type: String
    Description: Example parameter

Resources:
  ExampleResource:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Ref BucketName

[kddejong]

I'm trying to find a way to validate this but template metadata section goes unresolved. How are you validating this Sub/Ref function actually does what you want?

[gbudge]

Hi,

Apologies for the delayed response. The metadata as I understand it can be used by other tooling for more or less any arbitrary reason & it would be up to that tool to resolve the !Ref. For example, I could create a simple html5 SPA to create a diagram and use the metadata to add for example the version of the template to be used when visualising.

However, I did find this example that uses metadata for the interface, which I will admit I haven't tested:

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template with custom parameter grouping and labeling'

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: !Ref NetworkConfigurationLabel
        Parameters:
          - VpcId
          - SubnetId
      - Label:
          default: !Ref DatabaseConfigurationLabel
        Parameters:
          - DBInstanceType
          - DBAllocatedStorage
          - MyMasterPassword
    ParameterLabels:
      VpcId:
        default: !Ref VpcIdLabel
      SubnetId:
        default: !Ref SubnetIdLabel
      DBInstanceType:
        default: !Ref DBInstanceTypeLabel
      DBAllocatedStorage:
        default: !Ref DBAllocatedStorageLabel
      MyMasterPassword:
        default: !Ref MyMasterPasswordLabel

Parameters:
  NetworkConfigurationLabel:
    Type: String
    Default: "Network Configuration"
    Description: Label for the Network Configuration group

  DatabaseConfigurationLabel:
    Type: String
    Default: "Database Configuration"
    Description: Label for the Database Configuration group

  VpcIdLabel:
    Type: String
    Default: "Select VPC"
    Description: Label for the VPC ID parameter

  SubnetIdLabel:
    Type: String
    Default: "Select Subnet"
    Description: Label for the Subnet ID parameter

  DBInstanceTypeLabel:
    Type: String
    Default: "Database Instance Type"
    Description: Label for the Database Instance Type parameter

  DBAllocatedStorageLabel:
    Type: String
    Default: "Database Storage (GB)"
    Description: Label for the Database Storage parameter

  MyMasterPasswordLabel:
    Type: String
    Default: "Master Password"
    Description: Label for the Master Password parameter

  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Select the VPC for your resources

  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Select the subnet within the VPC

  DBInstanceType:
    Type: String
    Default: db.t2.micro
    AllowedValues:
      - db.t2.micro
      - db.t2.small
      - db.t2.medium
    Description: Choose the database instance type

  DBAllocatedStorage:
    Type: Number
    Default: 20
    MinValue: 20
    MaxValue: 6144
    Description: Specify the storage in GB for the database

  MyMasterPassword:
    Type: String
    NoEcho: true
    MinLength: 8
    MaxLength: 41
    Description: Enter the master password for the RDS instance

Resources:
  MyRDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: mysql
      MasterUsername: admin
      MasterUserPassword: !Ref MyMasterPassword
      VPCSecurityGroups:
        - !Ref MySecurityGroup
      DBSubnetGroupName: !Ref MyDBSubnetGroup

  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for RDS instance
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: 192.168.1.0/24  # Replace with your trusted IP range

  MyDBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnet group for RDS instance
      SubnetIds:
        - !Ref SubnetId

Hope this helps.

[kddejong]

The template you provided here will result in the javascript on the web browser to fail. Because AWS::CloudFormation::Interface is used to create dynamic content on the pages when its not an expected type it will crash out. I've already reported this issue so hopefully it won't crash out javascript. Its expecting default to be a string and not an object.

Its possible you are running this through another solution that will modify the template. You can always configure cfn-lint to ignore this error as a result. The core engine of CloudFormation will not translate the values in the template Metadata section.

[gbudge]

None the less though, it shouldn't fail when the Ref exists.