aws-cloudformation / cloudformation-resource-schema

The CloudFormation Resource Schema defines the shape and semantic for resources provisioned by CloudFormation. It is used by provider developers using the CloudFormation RPDK.
Apache License 2.0

Inconsistent pattern for AWS::Backup::BackupSelection BackupSelection.SelectionName property in eu-central-1 #118

Open calebplum opened 3 years ago

calebplum commented 3 years ago

Hi,

I noticed the pattern requirement for the BackupSelection.SelectionName property of the AWS::Backup::BackupSelection resource in eu-central-1 is different to other regions.

The schema definitions for this property are as follows:

eu-central-1

"SelectionName" : {
  "type" : "string",
  "pattern" : "^[a-zA-Z0-9\\-\\_\\.]{1,50}$"
}

us-west-1

"SelectionName" : {
  "type" : "string"
}

ap-southeast-2

"SelectionName" : {
  "type" : "string"
}

Other regions appear to be consistent with us-west-1 and ap-southeast-2, having no pattern requirement.

The impact of this is that we cannot deploy BackupSelection resources in eu-central-1 with the same SelectionName as those in other regions. I think the schema in eu-central-1 must have been changed recently because we still have stacks deployed there which violate the pattern; we're unable to update those stacks without modifying the SelectionName.

pavbollu commented 3 years ago

@calebplum Currently the Backup service is using that pattern for the selection name: https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BackupSelection.html . Could you please provide the SelectionName used for updating? Could you please provide the backup plan ARN and stack ARN as well? Based on the details provided, we will look into it and get back.

calebplum commented 3 years ago

The resource schema for eu-central-1 has been updated and no longer contains the pattern requirement.

calebplum commented 3 years ago

I believe the documentation at https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BackupSelection.html is incorrect because CloudFormation will successfully create an AWS::Backup::BackupSelection resource with a whitespace character in the SelectionName field, which violates its regex pattern according to the documentation.

For example, this template will deploy without issues:

AWSTemplateFormatVersion: '2010-09-09'
Resources:

  IamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup

  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: test-vault

  BackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: test-plan
        BackupPlanRule:
          - RuleName: test-plan-rule
            TargetBackupVault: !Ref BackupVault

  BackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !GetAtt BackupPlan.BackupPlanId
      BackupSelection:
        IamRoleArn: !GetAtt IamRole.Arn
        SelectionName: 'Test Selection'
        ListOfTags:
          - ConditionKey: test-key
            ConditionType: STRINGEQUALS
            ConditionValue: test-value
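
A pre-deployment check for the regional drift discussed in this thread, as an added example that is not part of the issue or of the project's code: it groups regions by the constraints they apply to SelectionName and lists the regions whose schema would reject a given name. The function names are hypothetical, the schema fragments are the ones quoted in the report, and Python's `re` is assumed to be a close enough stand-in for the ECMAScript regex dialect that JSON Schema uses.

```python
import json
import re

# SelectionName definitions as quoted in the report (state at the time of filing).
REGION_SCHEMAS = {
    "eu-central-1": {"SelectionName": {"type": "string",
                                       "pattern": r"^[a-zA-Z0-9\-\_\.]{1,50}$"}},
    "us-west-1": {"SelectionName": {"type": "string"}},
    "ap-southeast-2": {"SelectionName": {"type": "string"}},
}


def pattern_matches(pattern, value):
    """JSON Schema 'pattern' is an unanchored search, so use re.search."""
    m = re.search(pattern, value)
    if m is None:
        return False
    # Python's "$" also matches just before a trailing newline; ECMAScript's
    # does not, so treat that case as a mismatch.
    if pattern.endswith("$") and value.endswith("\n") and m.end() < len(value):
        return False
    return True


def constraint_drift(schemas, prop):
    """Return {constraint-json: [regions]} when regions disagree, else {}."""
    groups = {}
    for region, schema in schemas.items():
        key = json.dumps(schema.get(prop, {}), sort_keys=True)
        groups.setdefault(key, []).append(region)
    if len(groups) < 2:
        return {}
    return {key: sorted(regions) for key, regions in groups.items()}


def rejecting_regions(schemas, prop, value):
    """List the regions whose schema would reject `value` for `prop`."""
    rejected = []
    for region, schema in schemas.items():
        definition = schema.get(prop, {})
        if definition.get("type") == "string" and not isinstance(value, str):
            rejected.append(region)
            continue
        pattern = definition.get("pattern")
        if pattern is not None and not pattern_matches(pattern, value):
            rejected.append(region)
    return sorted(rejected)


if __name__ == "__main__":
    print(constraint_drift(REGION_SCHEMAS, "SelectionName"))
    print(rejecting_regions(REGION_SCHEMAS, "SelectionName", "Test Selection"))
```

Running the same check against freshly downloaded regional schemas before a multi-region rollout surfaces this kind of mismatch before a stack update fails on it.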