aws-solutions / qnabot-on-aws

AWS QnABot is a multi-channel, multi-language conversational interface (chatbot) that responds to your customer's questions, answers, and feedback. The solution allows you to deploy a fully functional chatbot across multiple channels including chat, voice, SMS and Amazon Alexa.
https://aws.amazon.com/solutions/implementations/aws-qnabot
Apache License 2.0

6.0.0 has updated PassRole resource constraint definition that breaks upgrades or new installs if stack name is greater than 26 characters #741

Closed bobpskier closed 3 days ago

bobpskier commented 2 weeks ago

Describe the bug Stack updates or fresh stack installs fail if stack name is greater than 26 characters. Leaves stack in a rollback failed state.

To Reproduce Fresh install of 6.0.0 using a stack name of "agency-proj-t-dev-qnabotstack" fails due to actual role created by CloudFormation with a resource name that has truncated the stack name portion of the resource. CloudFormation then fails to create the resource "OpenSearchDashboardsRoleAttachment" with an error of

Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: User: arn:aws:sts::NNNNNNNNNNNN:assumed-role/agency-proj-t-dev-qnabotstack-CFNLambdaRole-NNNNNNNNNNNN/agency-proj-t-dev-qnabotstack-CFNLambda-NNNNNNNNNNNN is not authorized to perform: iam:PassRole on resource: arn:aws:iam::NNNNNNNNNNNN:role/agency-proj-t-dev-qnabotst-OpenSearchDashboardsRole-NNNNNNNNNNNN because no identity-based policy allows the iam:PassRole action

Note the actual name of the role has truncated the stack name portion of the role name.

The attempt to set a resource constraint on the iam:PassRole definition for CFNLambdaRole in roles.json, which was a change from 5.5.2, will break upgrades or installs when using stack name size > 26 unless a fix is incorporated that computes the abbreviated role names correctly when setting the iam:PassRole conditions.

Don't upgrade to 6.0.0 unless you are sure your stack name is less than 26 characters.

Expected behavior The iam:PassRole action resource constraints should be set in CFNLambdaRole such that downstream resources can be created or updated and not leave the stack in a Rollback Failed state.

Please complete the following information about the solution:

Screenshots N/A

Additional context

jangidms commented 2 weeks ago

Hi @bobpskier, thanks for reporting this. We'll look into this and get back to you. Thanks

bchunduri commented 2 weeks ago

Hi @bobpskier, a quick question. I am planning to deploy this v6.0.0 on a fresh install; is the above problem going to block this? Appreciate your response.

Cheers...

bobpskier commented 2 weeks ago

@bchunduri It will not block you as long as you specify a CloudFormation stack name less than or equal to 26 characters in length. Anything longer than 26 characters will result in a failure during CloudFormation deployment.

tmekari commented 1 week ago

Hey @bobpskier, our team has looked into it and used a different role name to address this. We will be issuing a patch release soon that will include the change. Thank you for bringing it to our attention!

tmekari commented 3 days ago

Hi @bobpskier, this has been addressed in our latest release. We were able to patch this issue but uncovered a larger bug with other resources that we also use stack name for that has been in the application for a while. For the time being, the patch allows stack names to at least 34 characters and is reflected in the implementation guide. We will be releasing a larger fix that addresses the overarching problem in our next minor release to unblock stack names completely. Thanks again for bringing it to our attention.
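
The failure reported in this thread can be checked before deployment. The following is an added example, not code from the QnABot project or from any commenter: it models the generated role name as `<stack>-<logical id>-<suffix>` cut to the 64-character IAM role name limit, and tests it against a hypothetical iam:PassRole resource pattern built from the untruncated stack name. The 12-character suffix (taken from the masked error message), the pattern shape, the function names and the account ID are assumptions.

```python
from fnmatch import fnmatchcase

IAM_ROLE_NAME_MAX = 64  # IAM limit on role name length
SUFFIX_LEN = 12         # assumption: suffix length, as masked in the error message above


def max_stack_len(logical_id):
    """Longest stack name that survives untruncated in the generated role name."""
    return IAM_ROLE_NAME_MAX - len(logical_id) - SUFFIX_LEN - 2  # two '-' separators


def generated_role_name(stack_name, logical_id, suffix="X" * SUFFIX_LEN):
    """Assumed model of the generated name: the stack-name part is truncated
    so that <stack>-<logical id>-<suffix> fits within the IAM limit."""
    room = max(max_stack_len(logical_id), 0)
    return f"{stack_name[:room]}-{logical_id}-{suffix}"


def passrole_pattern(stack_name, logical_id):
    """Hypothetical PassRole Resource pattern built from the full stack name."""
    return f"arn:aws:iam::*:role/{stack_name}-{logical_id}-*"


def check(stack_name, logical_id, account="111122223333"):  # constructed account ID
    """Report whether the generated role ARN would match the PassRole pattern."""
    name = generated_role_name(stack_name, logical_id)
    arn = f"arn:aws:iam::{account}:role/{name}"
    pattern = passrole_pattern(stack_name, logical_id)
    return {
        "role_name": name,
        "pattern": pattern,
        "allowed": fnmatchcase(arn, pattern),  # '*' wildcard match, as in IAM ARNs
        "max_stack_len": max_stack_len(logical_id),
    }


if __name__ == "__main__":
    # Stack name and logical ID taken from the report in this thread.
    for stack in ("agency-proj-t-dev-qnabotstack", "agency-proj-t-dev-qnabotst"):
        result = check(stack, "OpenSearchDashboardsRole")
        print(len(stack), result["allowed"], result["role_name"])
```
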