search

aws-cloudformation / aws-cloudformation-resource-providers-cloudformation

The CloudFormation Resource Provider Package For AWS CloudFormation
https://aws.amazon.com/cloudformation/
Apache License 2.0
48 stars 35 forks source link

`AWS::CloudFormation::ResourceVersion` tag changes causing "internal failure" errors #58

Open jarreds opened 3 years ago

jarreds commented 3 years ago

Seeing internal failure errors when updating tags on AWS::CloudFormation::ResourceVersion resources.

Repro

Define a resource version similar to the following in a CloudFormation stack. As you can see, there are no tags defined:

    "ClientResourceVersion": {
      "Type": "AWS::CloudFormation::ResourceVersion",
      "Properties": {
        "ExecutionRoleArn": {
          "Fn::Sub": "${ResourceRole.Arn}"
        },
        "LoggingConfig": {
          "LogGroupName": "###-resource-group",
          "LogRoleArn": {
            "Fn::Sub": "${ResourceLogRole.Arn}"
          }
        },
        "SchemaHandlerPackage": "s3://###/###_resource.zip",
        "TypeName": "###::###::###"
      }
    },

Deploy the stack.

Next, generate a changeset for the stack with new tags. Eg:

aws cloudformation create-change-set \
    --stack-name my-stack \
    --change-set-name my-change-set \
    --template-body file://template.yaml \
    --tags my_tag=12345
    --capabilities CAPABILITY_IAM

Execute the changeset and observe the "internal failure" error. It's also possible that the internal failure doesn't occur until a subsequent update, but I have not confirmed.

Here is a sample changeset generated that causes an "internal failure" error in our system.

  {
    "resourceChange": {
      "logicalResourceId": "ClientResourceVersion",
      "action": "Modify",
      "physicalResourceId": "arn:aws:cloudformation:us-east-1:###########:type/resource/#########/00000007",
      "resourceType": "AWS::CloudFormation::ResourceVersion",
      "replacement": "Conditional",
      "moduleInfo": null,
      "details": [
        {
          "target": {
            "name": "LoggingConfig",
            "requiresRecreation": "Always",
            "attribute": "Properties"
          },
          "causingEntity": "ResourceLogRole.Arn",
          "evaluation": "Dynamic",
          "changeSource": "ResourceAttribute"
        },
        {
          "target": {
            "name": "ExecutionRoleArn",
            "requiresRecreation": "Always",
            "attribute": "Properties"
          },
          "causingEntity": "ResourceRole.Arn",
          "evaluation": "Dynamic",
          "changeSource": "ResourceAttribute"
        },
        {
          "target": {
            "name": null,
            "requiresRecreation": "Never",
            "attribute": "Tags"
          },
          "causingEntity": null,
          "evaluation": "Static",
          "changeSource": null
        }
      ],
      "changeSetId": null,
      "scope": [
        "Properties",
        "Tags"
      ]
    },
    "hookInvocationCount": null,
    "type": "Resource"
  }