aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

[AWS::ECS::Cluster] - [BUG] - false-positive drift for `FargateEphemeralStorageKmsKeyId` #2069

Closed r-heimann closed 4 days ago

r-heimann commented 3 months ago

Name of the resource

AWS::ECS::Cluster

Resource Name

No response

Issue Description

When creating an AWS::ECS::Cluster in eu-central-1 using

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      CapacityProviders:
        - FARGATE
      Configuration:
        ManagedStorageConfiguration:
          FargateEphemeralStorageKmsKeyId: !GetAtt KMSKey.KeyId

it will cause a drift:

Property | Change | Expected value | Current value
-- | -- | -- | --
Configuration.ManagedStorageConfiguration.FargateEphemeralStorageKmsKeyId | NOT_EQUAL | ["KMSKeyId"] | ["KMSKeyIdArn"]

Expected Behavior

Drift is recognizing the KMS Key Id Arn, instead of the Id.

Observed Behavior

Drift thinks it wants to see a KMS Key Id.

Test Cases

AWSTemplateFormatVersion: 2010-09-09
Description: Drift Test

Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: "Test"
        Statement:
          - Sid: Allow root # Allow everything for root IAM Role
            Effect: Allow
            Action: kms:*
            Resource: "*"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
          - Sid: "ECS: Allow generate data key access for Fargate tasks."
            Effect: Allow
            Principal:
              Service: fargate.amazonaws.com
            Action: kms:GenerateDataKeyWithoutPlaintext
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ecs:clusterAccount:
                  - !Ref AWS::AccountId
                kms:EncryptionContext:aws:ecs:clusterName:
                  - "Test" # !Ref EcsCluster circular dependency
            Resource: "*"
          - Sid: "ECS: Allow grant creation permission for Fargate tasks."
            Effect: Allow
            Principal:
              Service: fargate.amazonaws.com
            Action: kms:CreateGrant
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ecs:clusterAccount:
                  - !Ref AWS::AccountId
                kms:EncryptionContext:aws:ecs:clusterName:
                  - "Test" # !Ref EcsCluster circular dependency
              ForAllValues:StringEquals:
                kms:GrantOperations:
                  - Decrypt
            Resource: "*"

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: "Test"
      CapacityProviders:
        - FARGATE
      Configuration:
        ManagedStorageConfiguration:
          FargateEphemeralStorageKmsKeyId: !GetAtt KMSKey.KeyId

Other Details

No response

greg5123334 commented 3 months ago

Yup, I get the same.

Interesting to note...

Outputs:
  KMSKeyIdGetAtt:
    Description: Key ID GetAtt
    Value: !GetAtt KMSKey.KeyId
  KMSKeyIdGetRef:
    Description: Key ID Ref
    Value: !Ref KMSKey
  KMSKeyArn:
    Description: The ID of the KMS key
    Value: !GetAtt KMSKey.Arn
KMSKeyArn   arn:aws:kms:eu-central-1:00000000000:key/xxxxxx-65cc-4a96-b072-xxxxxxx
KMSKeyIdGetAtt  xxxxxxx-65cc-4a96-b072-xxxxxxxxx
KMSKeyIdGetRef  xxxxxx-65cc-4a96-b072-xxxxxxxxxxx

seems to resolve correctly in the template itself....

and looking in the corresponding CreateCluster API call...

{
    "requestParameters": {
        "clusterName": "Test",
        "tags": [
            {
                "key": "aws:cloudformation:stack-name",
                "value": "test"
            },
            {
                "key": "aws:cloudformation:logical-id",
                "value": "ECSCluster"
            },
            {
                "key": "aws:cloudformation:stack-id",
                "value": "arn:aws:cloudformation:eu-central-1:000000000000:stack/test/xxxxxxx-2c9d-11ef-9597-000000000000"
            }
        ],
        "settings": [],
        "configuration": {
            "managedStorageConfiguration": {
                "fargateEphemeralStorageKmsKeyId": "xxxxxxx-65cc-4a96-b072-xxxxxxx"
            }
        },
        "capacityProviders": [
            "FARGATE"
        ],
        "defaultCapacityProviderStrategy": []
    },
    "responseElements": {
        "cluster": {
            "clusterArn": "arn:aws:ecs:eu-central-1:000000000000:cluster/Test",
            "clusterName": "Test",
            "configuration": {
                "managedStorageConfiguration": {
                    "fargateEphemeralStorageKmsKeyId": "arn:aws:kms:eu-central-1:000000000000:key/xxxxxxx-65cc-4a96-b072-xxxxxxx"
                }
            },
            "status": "ACTIVE",
            "registeredContainerInstancesCount": 0,
            "runningTasksCount": 0,
            "pendingTasksCount": 0,
            "activeServicesCount": 0,
            "statistics": [],
            "tags": [
                {
                    "key": "aws:cloudformation:stack-name",
                    "value": "test"
                },
                {
                    "key": "aws:cloudformation:stack-id",
                    "value": "arn:aws:cloudformation:eu-central-1:000000000000:stack/test/xxxxxxx-2c9d-11ef-9597-000000000000"
                },
                {
                    "key": "aws:cloudformation:logical-id",
                    "value": "ECSCluster"
                }
            ],
            "settings": [
                {
                    "name": "containerInsights",
                    "value": "disabled"
                }
            ],
            "capacityProviders": [
                "FARGATE"
            ],
            "defaultCapacityProviderStrategy": []
        },
        "clusterCount": 1
    }
}

it would appear that CloudFormation is sending the correct value (Key id)...but KMS is returning the incorrect value (KMS Arn) in the response!
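The mismatch described in the issue body and in the CreateCluster trace above is a format difference, not a different key: the template supplies the bare KMS key ID and the live cluster reports the key ARN, so a plain string comparison yields NOT_EQUAL. The following is an added example (not code from the issue or from the CloudFormation project) that models that comparison and reduces both sides to the key ID before deciding whether a drift entry is equivalent, genuine drift, or something a human must inspect; field names follow the DescribeStackResourceDrifts response and all sample values are constructed.

```python
"""Triage drift on AWS::ECS::Cluster FargateEphemeralStorageKmsKeyId.

Added example, not code from the issue or the CloudFormation project.
Field names mirror DescribeStackResourceDrifts; sample values are constructed.
"""
import re
from typing import Optional

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
KEY_ID_RE = re.compile(rf"^{UUID}$")
# Key ARN shape: arn:<partition>:kms:<region>:<account>:key/<key-id>
KEY_ARN_RE = re.compile(rf"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{{12}}:key/(?P<key_id>{UUID})$")


def kms_key_id(value: str) -> Optional[str]:
    """Return the bare key ID for a key ID or key ARN; None for anything else
    (aliases, alias ARNs, empty strings) so callers never guess."""
    if KEY_ID_RE.fullmatch(value):
        return value
    m = KEY_ARN_RE.fullmatch(value)
    return m.group("key_id") if m else None


def classify_difference(diff: dict) -> str:
    """Classify one PropertyDifferences entry.

    'equivalent': same KMS key written as ID on one side and ARN on the other
                  (the false positive reported in this issue).
    'drift':      both sides are key references but name different keys.
    'unknown':    a side is not a key ID or key ARN; needs a human look.
    ADD / REMOVE are passed through unchanged: they are never a format quirk.
    """
    if diff["DifferenceType"] != "NOT_EQUAL":
        return diff["DifferenceType"]
    expected = kms_key_id(diff["ExpectedValue"])
    actual = kms_key_id(diff["ActualValue"])
    if expected is None or actual is None:
        return "unknown"
    return "equivalent" if expected == actual else "drift"


def triage(differences: list) -> list:
    """One verdict per PropertyDifferences entry, in order."""
    return [classify_difference(d) for d in differences]


# Constructed drift-detection output: first entry mirrors the issue's table,
# second entry is a cluster that really was re-keyed out of band.
PATH = "/Configuration/ManagedStorageConfiguration/FargateEphemeralStorageKmsKeyId"
SAMPLE_DIFFERENCES = [
    {"PropertyPath": PATH, "DifferenceType": "NOT_EQUAL",
     "ExpectedValue": "11111111-65cc-4a96-b072-222222222222",
     "ActualValue": "arn:aws:kms:eu-central-1:000000000000:key/11111111-65cc-4a96-b072-222222222222"},
    {"PropertyPath": PATH, "DifferenceType": "NOT_EQUAL",
     "ExpectedValue": "11111111-65cc-4a96-b072-222222222222",
     "ActualValue": "arn:aws:kms:eu-central-1:000000000000:key/33333333-65cc-4a96-b072-444444444444"},
]

if __name__ == "__main__":
    for d, verdict in zip(SAMPLE_DIFFERENCES, triage(SAMPLE_DIFFERENCES)):
        print(f"{d['PropertyPath'].rsplit('/', 1)[-1]}: {verdict}")
```

Only an ID/ARN pair naming the same key is downgraded; a different key behind the ARN is still reported as drift, which is the case worth alerting on.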

greg5123334 commented 3 months ago

Created a ticket on the KMS issue tracker, who are responsible for this resource type.

r-heimann commented 4 days ago

Seems to be fixed.