aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

[AWS::WAFv2::LoggingConfiguration] - [BUG] - On creation failure, CloudFront tries to delete the non existing resource #2055

Open yvele opened 1 month ago

yvele commented 1 month ago

Name of the resource

AWS::WAFv2::LoggingConfiguration

Resource Name

No response

Issue Description

If I create a brand new AWS::WAFv2::LoggingConfiguration with an invalid ResourceArn, the creation fails as expected, but then CloudFormation tries to roll back by deleting the non-existing resource.

Expected Behavior

During rollback, CloudFormation should not try to delete a WAFv2 LoggingConfiguration that has never been created (due to invalid ResourceArn).

Observed Behavior

| TS | Logical ID | Status | Status reason |
| --- | --- | --- | --- |
| 17:37 | StackSet | UPDATE_ROLLBACK_COMPLETE | Update successful. One or more resources could not be deleted. |
| 17:36 | LoggingConfig | DELETE_FAILED | Resource handler returned message: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: NOT_AN_ARN (Service: Wafv2, Status Code: 400, Request ID: xxxx)" (RequestToken: xxxx, HandlerErrorCode: InvalidRequest) |
| 17:36 | LoggingConfig | DELETE_IN_PROGRESS | - |
| 14:35 | LoggingConfig | DELETE_FAILED | Resource handler returned message: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: NOT_AN_ARN (Service: Wafv2, Status Code: 400, Request ID: xxxx)" (RequestToken: xxxx, HandlerErrorCode: InvalidRequest) |
| 14:34 | LoggingConfig | DELETE_IN_PROGRESS | - |
| 11:33 | LogGroup | DELETE_COMPLETE | - |
| 11:32 | LogGroup | DELETE_IN_PROGRESS | - |
| 11:31 | LoggingConfig | DELETE_FAILED | Resource handler returned message: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: NOT_AN_ARN (Service: Wafv2, Status Code: 400, Request ID: xxxx)" (RequestToken: xxxx, HandlerErrorCode: InvalidRequest) |
| 11:30 | LoggingConfig | DELETE_IN_PROGRESS | - |
| 11:29 | StackSet | UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS | - |
| 11:28 | WafApvizIoPrivate | UPDATE_COMPLETE | - |
| 11:26 | WafApvizIoPrivate | UPDATE_IN_PROGRESS | - |
| 11:23 | StackSet | UPDATE_ROLLBACK_IN_PROGRESS | The following resource(s) failed to create: [LoggingConfig]. |
| 11:23 | LoggingConfig | CREATE_FAILED | Resource handler returned message: "Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: NOT_AN_ARN (Service: Wafv2, Status Code: 400, Request ID: xxxx)" (RequestToken: xxxx, HandlerErrorCode: InvalidRequest) |
| 11:22 | LoggingConfig | CREATE_IN_PROGRESS | Resource creation Initiated |
| 11:21 | LoggingConfig | CREATE_IN_PROGRESS | - |

Test Cases

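```yaml
LoggingConfig:
  Type: AWS::WAFv2::LoggingConfiguration
  Properties:
    # Deliberately invalid ARN: this is what makes the create fail
    ResourceArn: NOT_AN_ARN
    LogDestinationConfigs:
      # References the LogGroup resource defined below
      - !GetAtt LogGroup.Arn

LogGroup:
  Type: AWS::Logs::LogGroup
  Properties:
    # WAF log destinations must have names starting with aws-waf-logs-
    LogGroupName: aws-waf-logs-test
```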

Other Details

Note that I'm facing the problem in a StackSet; I have not tested in a classic stack.
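
An added example, not part of the original issue or of CloudFormation itself: a Python check that scans stack events for the pattern reported above, where a resource fails to create, never completes, and then accumulates DELETE_FAILED events during rollback, which for this resource type means WAF logging was never enabled. The sample events are constructed to mirror the issue's log, and the code assumes the newest-first list of dicts that boto3's `describe_stack_events` returns; the names `event`, `SAMPLE_EVENTS` and `phantom_deletes` are hypothetical.

```python
from collections import defaultdict


def event(logical_id, status):
    # Builds a constructed sample event; real events carry more keys
    # (Timestamp, ResourceStatusReason, ...), which this check ignores.
    return {"LogicalResourceId": logical_id, "ResourceStatus": status}


# Constructed sample, newest first, mirroring the event log in the issue.
SAMPLE_EVENTS = [
    event("LoggingConfig", "DELETE_FAILED"),
    event("LoggingConfig", "DELETE_IN_PROGRESS"),
    event("LoggingConfig", "DELETE_FAILED"),
    event("LoggingConfig", "DELETE_IN_PROGRESS"),
    event("LogGroup", "DELETE_COMPLETE"),
    event("LogGroup", "DELETE_IN_PROGRESS"),
    event("LoggingConfig", "DELETE_FAILED"),
    event("LoggingConfig", "DELETE_IN_PROGRESS"),
    event("LoggingConfig", "CREATE_FAILED"),
    event("LoggingConfig", "CREATE_IN_PROGRESS"),
    event("LogGroup", "CREATE_COMPLETE"),
    event("LogGroup", "CREATE_IN_PROGRESS"),
]


def phantom_deletes(events):
    """Map logical ID -> count of DELETE_FAILED events seen after a
    CREATE_FAILED, for resources that never reached CREATE_COMPLETE."""
    history = defaultdict(list)
    for ev in reversed(events):  # walk oldest to newest
        history[ev["LogicalResourceId"]].append(ev["ResourceStatus"])
    findings = {}
    for logical_id, statuses in history.items():
        if "CREATE_FAILED" not in statuses or "CREATE_COMPLETE" in statuses:
            continue  # either never failed, or existed at some point
        after_failure = statuses[statuses.index("CREATE_FAILED") + 1:]
        failed = after_failure.count("DELETE_FAILED")
        if failed:
            findings[logical_id] = failed
    return findings


if __name__ == "__main__":
    for logical_id, count in phantom_deletes(SAMPLE_EVENTS).items():
        print(f"{logical_id}: {count} DELETE_FAILED after CREATE_FAILED")
```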