aws-cloudformation / rain

A development workflow tool for working with AWS CloudFormation.
Apache License 2.0

Rain cannot create a changeset from a specific template but AWS CLI can #526

Open dhx-mike-palandra opened 2 weeks ago

dhx-mike-palandra commented 2 weeks ago
$ rain --version
Rain v1.15.0 linux/amd64

Attached is a GNU Makefile and a pair of templates that constitute a parent and nested stack.

Note that for both (phony) make targets below:

Example usage (all 3 files should be in the same directory):

# This should create a changeset successfully
$ make STACK_NAME=MyTestStack changeset-awscli

# This fails due to parameter validation on the nested stack
$ make STACK_NAME=MyTestStack changeset-rain

The specific error from rain:

error creating changeset: Each value of parameter 'PolicyArns' must match pattern arn:.+

It seems that this error is caused by specifying AllowedPattern on a parameter of type CommaDelimitedList in a nested stack.

rain-issue-525.zip

ericzbeard commented 12 hours ago

I wonder if this has something to do with how you are configuring the parameters. It deploys with rain OK for me when I enter an ARN at the prompt during deployment.

dhx-mike-palandra commented 11 hours ago

The problem is triggered specifically when an empty value is passed for parameter PolicyArn from template parent.yaml. Note that this matches its AllowedPattern:

(arn:[^,]+)?

IIRC, CloudFormation requires a match on the complete input string.

In this case, condition CreatePolicy is true, and:

  1. Resource with logical ID Policy and type AWS::IAM::ManagedPolicy is created,
  2. The ARN of that resource is passed as a stack parameter to the nested stack (template is nested.yaml)

That's where things go wrong even when prompted for a parameter value:

$ rain deploy --no-exec ./parent.yaml RainTest
Enter a value for parameter 'PolicyArn' (default value: ): 
error creating changeset: Each value of parameter 'PolicyArns' must match pattern arn:.+

Please note that the parameter PolicyArns mentioned in this error message is from template nested.yaml (nested stack). Note that its pattern requires a full ARN (i.e. no empty string).

AWS CLI, in particular, aws cloudformation deploy, seems to handle this OK.

Interestingly, if nested.yaml is edited such that the type of parameter PolicyArns changes from CommaDelimitedList to String, and references to that parameter are adjusted accordingly, rain can produce a changeset. GitHub won't let me upload yaml anymore, so I'm pasting this transformed template inline here:

AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  PolicyArns:
    Type: String
    AllowedPattern: arn:.+

Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: '*'
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref PolicyArns
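
The pattern checks the comment above describes, as an added example that is not part of the thread and not rain's or CloudFormation's code: it assumes, as the comment recalls, that AllowedPattern must match the complete value and that a CommaDelimitedList is checked one comma-separated element at a time, and it uses a constructed placeholder ARN.

```python
import re
from typing import List, Optional

# Added example modelling the AllowedPattern checks discussed in this issue.
# Assumptions (not taken from rain's or CloudFormation's code): the pattern must
# match the whole value, and a CommaDelimitedList value is split on commas with
# each element checked on its own. Note that "".split(",") yields [""], i.e. one
# empty element, which is exactly the case an empty PolicyArn runs into.

PARENT_POLICY_ARN = {"Type": "String", "AllowedPattern": r"(arn:[^,]+)?"}
NESTED_POLICY_ARNS = {"Type": "CommaDelimitedList", "AllowedPattern": r"arn:.+"}
NESTED_AS_STRING = {"Type": "String", "AllowedPattern": r"arn:.+"}  # transformed nested.yaml


def elements(value: str, param_type: str) -> List[str]:
    """A CommaDelimitedList parameter is validated element by element."""
    if param_type == "CommaDelimitedList":
        return value.split(",")
    return [value]


def allowed_pattern_error(name: str, value: str, param: dict) -> Optional[str]:
    """Return None when the value is accepted, otherwise an error text in the
    style of the message quoted in the issue (the String wording is assumed)."""
    regex = re.compile(param["AllowedPattern"])
    for element in elements(value, param["Type"]):
        if regex.fullmatch(element) is None:
            who = "Each value of parameter" if param["Type"] == "CommaDelimitedList" else "Parameter"
            return f"{who} '{name}' must match pattern {param['AllowedPattern']}"
    return None


def forward_to_nested(value: str, nested_param: dict) -> List[Optional[str]]:
    """Check a value against the parent's PolicyArn pattern and then, unchanged,
    against the nested stack's PolicyArns pattern. Returns both results."""
    return [
        allowed_pattern_error("PolicyArn", value, PARENT_POLICY_ARN),
        allowed_pattern_error("PolicyArns", value, nested_param),
    ]


if __name__ == "__main__":
    # Constructed sample values: the empty default and a placeholder managed policy ARN.
    for value in ["", "arn:aws:iam::123456789012:policy/ExamplePolicy"]:
        print(repr(value), forward_to_nested(value, NESTED_POLICY_ARNS))
```

The empty value is accepted by the parent's optional pattern but rejected by the nested stack's per-element pattern, while a real ARN passes both.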

ericzbeard commented 10 hours ago

The rain deploy command packages and formats the template; I wonder if it's doing something to the parameter. Can you try it with --debug?