CloudFormation cfn-lint Obsolete "DependsOn"

Time:12-19

When running cfn-lint on the following code I get a warning

"MicroserviceSG": {
    "Type": "AWS::EC2::SecurityGroup",
    "DependsOn": "MicroserviceLoadBalancerSGPrivate",
    "Properties": {
        "GroupName": {"Fn::Join": ["-", [{"Ref": "Name"}, {"Ref": "Env"}, "container-sg"]]},
        "GroupDescription": "HTTP",
        "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": [
            {
                "IpProtocol": "tcp",
                "FromPort": 80,
                "ToPort": 80,
                "SourceSecurityGroupId": {"Ref": "MicroserviceLoadBalancerSGPrivate"}
            }
        ]
    }
},
W3005 Obsolete DependsOn on resource (MicroserviceLoadBalancerSGPrivate),
dependency already enforced by a "Ref" at 
Resources/MicroserviceSG/Properties/SecurityGroupIngress/0/SourceSecurityGroupId/Ref

Is this warning valid? Do certain object references perform implicit dependency checks?

CodePudding user response:

Yes, the warning is valid since the Ref usage implicitly defines a dependency on MicroserviceLoadBalancerSGPrivate. Technically speaking, redundant would be more correct than obsolete.

Unless you specifically need MicroserviceSG to be created after MicroserviceLoadBalancerSGPrivate, then you should remove the DependsOn and let CloudFormation do its thing, as CloudFormation will optimize and parallelize the deployment.


The most common use of the DependsOn is to enforce the creation and deletion of resources in a certain order, as mentioned by the documentation:

You can use the DependsOn attribute with any resource. Here are some typical uses: Declare dependencies for resources that must be created or deleted in a specific order

The DependsOn documentation has more scenarios on when and why you might want to use DependsOn.
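
The check discussed above can be reproduced in a few lines. This is an added example, not part of the original answer and not cfn-lint's own code: it walks a JSON template and reports every DependsOn entry that a Ref or Fn::GetAtt in the same resource already implies. The function names and the sample template are constructed for illustration, and only Ref and Fn::GetAtt are covered.

```python
import json

# Constructed sample modelled on the question's template (not the asker's full file).
TEMPLATE = json.loads("""{
  "Resources": {
    "MicroserviceLoadBalancerSGPrivate": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "LB", "VpcId": {"Ref": "VpcId"}}},
    "MicroserviceSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "DependsOn": "MicroserviceLoadBalancerSGPrivate",
      "Properties": {
        "GroupDescription": "HTTP", "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": [{
          "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "SourceSecurityGroupId": {"Ref": "MicroserviceLoadBalancerSGPrivate"}}]}}}}""")

def implicit_refs(node, path, resources):
    """Yield (resource_name, path) for each Ref / Fn::GetAtt that names a resource."""
    if isinstance(node, dict):
        for key, val in node.items():
            target = val if key == "Ref" else None
            if key == "Fn::GetAtt":  # accepts ["Res", "Attr"] and "Res.Attr"
                target = val[0] if isinstance(val, list) and val else val
                target = target.split(".")[0] if isinstance(target, str) else None
            # Refs to parameters or pseudo parameters are not resource dependencies.
            if isinstance(target, str) and target in resources:
                yield target, f"{path}/{key}"
            yield from implicit_refs(val, f"{path}/{key}", resources)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from implicit_refs(item, f"{path}/{i}", resources)

def redundant_depends_on(template):
    """Return (resource, dependency, ref_path) for each DependsOn a reference already implies."""
    resources = template.get("Resources", {})
    findings = []
    for name, body in resources.items():
        explicit = body.get("DependsOn", [])
        explicit = [explicit] if isinstance(explicit, str) else explicit
        implied = {}
        for target, path in implicit_refs(body.get("Properties", {}),
                                          f"Resources/{name}/Properties", resources):
            implied.setdefault(target, path)  # keep the first reference found
        findings += [(name, dep, implied[dep]) for dep in explicit if dep in implied]
    return findings

if __name__ == "__main__":
    print(redundant_depends_on(TEMPLATE))
```

If the ingress rule used a CidrIp instead of the Ref, nothing would be reported, and the DependsOn would then be the only thing ordering the two security groups.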
