From 93b27c26d6a4f97df466b67cf9ed8d8a199d8eaf Mon Sep 17 00:00:00 2001
From: Kevin DeJong <kddejong@amazon.com>
Date: Thu, 11 Jul 2024 11:38:54 -0700
Subject: [PATCH] Use region when looking for a resolver being satisfied
 (#3490)

* Use region when looking for a resolver being satisfied

* Update github workflows
---
 .github/workflows/ci-branch.yaml              |  1 +
 .github/workflows/ci-pr.yaml                  |  1 +
 src/cfnlint/conditions/conditions.py          |  2 ++
 src/cfnlint/jsonschema/_resolvers_cfn.py      |  6 ++---
 src/cfnlint/jsonschema/validators.py          | 22 ++++++++++---------
 .../unit/module/conditions/test_conditions.py |  2 +-
 6 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/ci-branch.yaml b/.github/workflows/ci-branch.yaml
index 66afa84d2f..2cc66e81f6 100644
--- a/.github/workflows/ci-branch.yaml
+++ b/.github/workflows/ci-branch.yaml
@@ -74,3 +74,4 @@ jobs:
           ignore-vulns: |
             GHSA-r9hx-vwmv-q579
             PYSEC-2022-43012
+            PYSEC-2024-60
diff --git a/.github/workflows/ci-pr.yaml b/.github/workflows/ci-pr.yaml
index c12874ab74..8fab70662c 100644
--- a/.github/workflows/ci-pr.yaml
+++ b/.github/workflows/ci-pr.yaml
@@ -94,3 +94,4 @@ jobs:
           ignore-vulns: |
             GHSA-r9hx-vwmv-q579
             PYSEC-2022-43012
+            PYSEC-2024-60
diff --git a/src/cfnlint/conditions/conditions.py b/src/cfnlint/conditions/conditions.py
index a56fb77a32..0fa815fbfe 100644
--- a/src/cfnlint/conditions/conditions.py
+++ b/src/cfnlint/conditions/conditions.py
@@ -8,6 +8,7 @@
 import itertools
 import logging
 import traceback
+from functools import lru_cache
 from typing import Any, Iterator, Set, Tuple
 
 from sympy import And, Implies, Not, Symbol
@@ -294,6 +295,7 @@ def check_implies(self, scenarios: dict[str, bool], implies: str) -> bool:
             #  formatting or just the wrong condition name
             return True
 
+    @lru_cache()
     def build_scenerios_on_region(
         self, condition_name: str, region: str
     ) -> Iterator[bool]:
diff --git a/src/cfnlint/jsonschema/_resolvers_cfn.py b/src/cfnlint/jsonschema/_resolvers_cfn.py
index aa713fc93b..5c84aa3539 100644
--- a/src/cfnlint/jsonschema/_resolvers_cfn.py
+++ b/src/cfnlint/jsonschema/_resolvers_cfn.py
@@ -25,11 +25,11 @@ def ref(validator: Validator, instance: Any) -> ResolutionResult:
     if not isinstance(instance, (str, dict)):
         return
 
-    for instance, _, _ in validator.resolve_value(instance):
+    for instance, instance_validator, _ in validator.resolve_value(instance):
         if validator.is_type(instance, "string"):
             # if the ref is to pseudo-parameter or parameter we can validate the values
-            for v, c in validator.context.ref_value(instance):
-                yield v, validator.evolve(context=c), None
+            for v, c in instance_validator.context.ref_value(instance):
+                yield v, instance_validator.evolve(context=c), None
             return
 
 
diff --git a/src/cfnlint/jsonschema/validators.py b/src/cfnlint/jsonschema/validators.py
index 817c1f6dfd..e6c5ada5a3 100644
--- a/src/cfnlint/jsonschema/validators.py
+++ b/src/cfnlint/jsonschema/validators.py
@@ -172,21 +172,23 @@ def resolve_value(self, instance: Any) -> ResolutionResult:
                 for r_value, r_validator, r_errs in self._resolve_fn(key, value):  # type: ignore
                     if not r_errs:
                         try:
-                            if self.cfn.conditions.satisfiable(
-                                r_validator.context.conditions.status,
-                                r_validator.context.ref_values,
+                            for _, region_context in r_validator.context.ref_value(
+                                "AWS::Region"
                             ):
-                                r_validator = r_validator.evolve(
-                                    context=r_validator.context.evolve(
-                                        is_resolved_value=True,
-                                    )
-                                )
-                                yield r_value, r_validator, r_errs
+                                if self.cfn.conditions.satisfiable(
+                                    region_context.conditions.status,
+                                    region_context.ref_values,
+                                ):
+                                    yield r_value, r_validator.evolve(
+                                        context=region_context.evolve(
+                                            is_resolved_value=True,
+                                        )
+                                    ), r_errs
                         except UnknownSatisfisfaction as err:
                             LOGGER.debug(err)
                             return
                     else:
-                        yield None, self, r_errs  # type: ignore
+                        yield None, r_validator, r_errs  # type: ignore
                 return
 
             # The return type is a Protocol and we are returning an instance
diff --git a/test/unit/module/conditions/test_conditions.py b/test/unit/module/conditions/test_conditions.py
index 9668c81190..b5752811dd 100644
--- a/test/unit/module/conditions/test_conditions.py
+++ b/test/unit/module/conditions/test_conditions.py
@@ -254,7 +254,7 @@ def test_check_condition_region(self):
             ],
         )
         self.assertListEqual(
-            list(cfn.conditions.build_scenerios_on_region({"Ref": "Foo"}, "us-east-1")),
+            list(cfn.conditions.build_scenerios_on_region(1, "us-east-1")),
             [],
         )