aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-ec2: ec2 key import error is unhelpful #25929

Closed marios-zindilis closed 1 year ago

marios-zindilis commented 1 year ago

Describe the bug

This is the entire stack:

import { Stack, StackProps } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs';

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const cfnKeyPair = new ec2.CfnKeyPair(this, 'MyCfnKeyPair', {
      keyName: 'keyName',
      publicKeyMaterial: [
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtS/sY98Yk6RqJXrWQIqMrRoesRKTI0s6xRUlSPJzx7G8kbWKEH1YS+kE0xFOfdbo/MpXpU',
        'yFf9vTIKS5HEG5ZKhFnLpbh3fBBfFmkFNazJcxpyu4yGQyy8SEhavM8xMl1NCpIhBmg8fccn78FwHVjrwBDaXlLkCkHkQf5AM+Fgx2lEOuSNz',
        '4NmIvDBAEzJi8gixgKlZM5wnyEOHXyUQ04Xs+vS6RHLxmBQ90ncmMga9FhflqfmSC8r/1uMVQYgW+8/pXOGvbMRmdy9zxxnIz6EBcNtAyWhGO',
        'sWB743fdXpCpbIqtiMXImkpjnItU15ar9ij+vkgB5nKBBqFbIvlQ0IKYZ5VJxZMFlpRNZAVyEDedcDWSvc8As5APYau/UgdEv73ingEZpqZR5',
        'VcpKQfP4F3psgHtIO+cyPvKss0Q0vKPMwmpl7z5RRcbKxWGXizsQ+B9kvVs3HzK8gu4qaDW1RbEyWkdIzOkV+ovnhqzbn9o6078hkdIU62wix',
        'k7fI9ugiOEFLoTiiAUo2H/nQ+Z06I+rxrOgF3ucGpBmAm6VaIO0upjysbKL+g05WRj5BKsHp2a2DfMlzp+TcDbpMcy/4YXYwA+BGIilIKeFbR',
        'AkWDT6MP/mLfh0ud4+xZpdymS1Qvq4AzasRVQatVWZpaVWOpGzjF5KJkzhWz4DHAnL5Q== m@e'
      ].join()
    });
  }
}

This is the resulting CloudFormation template from cdk synth:

Resources:
  MyCfnKeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: keyName
      PublicKeyMaterial: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtS/sY98Yk6RqJXrWQIqMrRoesRKTI0s6xRUlSPJzx7G8kbWKEH1YS+kE0xFOfdbo/MpXpU,yFf9vTIKS5HEG5ZKhFnLpbh3fBBfFmkFNazJcxpyu4yGQyy8SEhavM8xMl1NCpIhBmg8fccn78FwHVjrwBDaXlLkCkHkQf5AM+Fgx2lEOuSNz,4NmIvDBAEzJi8gixgKlZM5wnyEOHXyUQ04Xs+vS6RHLxmBQ90ncmMga9FhflqfmSC8r/1uMVQYgW+8/pXOGvbMRmdy9zxxnIz6EBcNtAyWhGO,sWB743fdXpCpbIqtiMXImkpjnItU15ar9ij+vkgB5nKBBqFbIvlQ0IKYZ5VJxZMFlpRNZAVyEDedcDWSvc8As5APYau/UgdEv73ingEZpqZR5,VcpKQfP4F3psgHtIO+cyPvKss0Q0vKPMwmpl7z5RRcbKxWGXizsQ+B9kvVs3HzK8gu4qaDW1RbEyWkdIzOkV+ovnhqzbn9o6078hkdIU62wix,k7fI9ugiOEFLoTiiAUo2H/nQ+Z06I+rxrOgF3ucGpBmAm6VaIO0upjysbKL+g05WRj5BKsHp2a2DfMlzp+TcDbpMcy/4YXYwA+BGIilIKeFbR,AkWDT6MP/mLfh0ud4+xZpdymS1Qvq4AzasRVQatVWZpaVWOpGzjF5KJkzhWz4DHAnL5Q== m@e
    Metadata:
      aws:cdk:path: MyStack/MyCfnKeyPair
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzfXM1BMLC/WTU7J1s3JTNKrDi5JTM7WAQrFpyYb6Tmn5XmnVgYkZhbpAJlBqcX5pUXJqSC2c35eSmZJZn5erU5efkqqXlaxfpmhhZ6hGdDArOLMTN2i0rySzNxUvSAIDQArsb2zbAAAAA==
    Metadata:
      aws:cdk:path: MyStack/CDKMetadata/Default
    Condition: CDKMetadataAvailable
Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.

Expected Behavior

If the key creation fails, we should get a meaningful error.

Current Behavior

The resource with name MyCfnKeyPair and type AWS::EC2::KeyPair fails to create with an unhelpful error:

Resource handler returned message: "null" (RequestToken: c6817ee0-0c65-b552-f35f-336715c567ce, HandlerErrorCode: InvalidRequest)

Reproduction Steps

cdk deploy the provided stack.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.77.0 (build 06a0b19)

Framework Version

No response

Node.js Version

v18.16.0

OS

Ubuntu 22.04

Language

TypeScript

Language Version

4.9.5

Other information

No response

marios-zindilis commented 1 year ago

Copying from CloudTrail:

{
    "eventVersion": "1.08",
    "userIdentity": "...",
    "eventTime": "2023-06-11T08:18:31Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "ImportKeyPair",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "Client.InvalidKey.Format",
    "errorMessage": "Key is not in valid OpenSSH public key format",
    "requestParameters": {
        "keyName": "keyName",
        "publicKeyMaterial": "c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFDQVFDdFMvc1k5OFlrNlJxSlhyV1FJcU1yUm9lc1JLVEkwczZ4UlVsU1BKeng3RzhrYldLRUgxWVMra0UweEZPZmRiby9NcFhwVSx5RmY5dlRJS1M1SEVHNVpLaEZuTHBiaDNmQkJmRm1rRk5hekpjeHB5dTR5R1F5eThTRWhhdk04eE1sMU5DcEloQm1nOGZjY243OEZ3SFZqcndCRGFYbExrQ2tIa1FmNUFNK0ZneDJsRU91U056LDRObUl2REJBRXpKaThnaXhnS2xaTTV3bnlFT0hYeVVRMDRYcyt2UzZSSEx4bUJROTBuY21NZ2E5RmhmbHFmbVNDOHIvMXVNVlFZZ1crOC9wWE9HdmJNUm1keTl6eHhuSXo2RUJjTnRBeVdoR08sc1dCNzQzZmRYcENwYklxdGlNWElta3Bqbkl0VTE1YXI5aWordmtnQjVuS0JCcUZiSXZsUTBJS1laNVZKeFpNRmxwUk5aQVZ5RURlZGNEV1N2YzhBczVBUFlhdS9VZ2RFdjczaW5nRVpwcVpSNSxWY3BLUWZQNEYzcHNnSHRJTytjeVB2S3NzMFEwdktQTXdtcGw3ejVSUmNiS3hXR1hpenNRK0I5a3ZWczNIeks4Z3U0cWFEVzFSYkV5V2tkSXpPa1Yrb3ZuaHF6Ym45bzYwNzhoa2RJVTYyd2l4LGs3Zkk5dWdpT0VGTG9UaWlBVW8ySC9uUStaMDZJK3J4ck9nRjN1Y0dwQm1BbTZWYUlPMHVwanlzYktMK2cwNVdSajVCS3NIcDJhMkRmTWx6cCtUY0RicE1jeS80WVhZd0ErQkdJaWxJS2VGYlIsQWtXRFQ2TVAvbUxmaDB1ZDQreFpwZHltUzFRdnE0QXphc1JWUWF0VldacGFWV09wR3pqRjVLSmt6aFd6NERIQW5MNVE9PQ=="
    },
    "responseElements": null,
    "requestID": "c5bf8f19-d84b-424a-b3bd-329b0b463a00",
    "eventID": "d70b02ea-7571-47b4-bbcb-91436b6a25ed",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "...",
    "eventCategory": "Management"
}

Why is the public key material different from the one in the CDK and in the CloudFormation template?

pahud commented 1 year ago

Unfortunately, this error is from CloudFormation and is not from CDK. Please kindly report this error to the CloudFormation coverage roadmap to help the CloudFormation team add this to their backlog.

I guess in your case you should use join('') rather than join()

marios-zindilis commented 1 year ago

Thank you @pahud -- you are correct of course, it was a bug in my code. It worked with join('') rather than join(). I have created an issue in CloudFormation Coverage to surface a more helpful error: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1711

Closing this issue in favour of the one in cloudformation-coverage-roadmap.
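
A pre-deploy check for the failure discussed in this thread, as an added example that is not code from the issue or from the CDK project: it rejects key material whose blob is not clean base64 (the comma inserted by `join()`) and decodes the base64 `publicKeyMaterial` value that CloudTrail records. The function names and the sample key are hypothetical and constructed for illustration; the check covers framing only, not cryptographic validity.

```javascript
// Structural check for one OpenSSH public key line: "<type> <base64 blob> [comment]".
// The decoded blob begins with a 4-byte big-endian length followed by the key type.
function checkOpenSshPublicKey(material) {
  const [type, blob] = material.trim().split(/\s+/);
  if (!type || !blob) {
    return { ok: false, reason: 'expected "<type> <base64> [comment]"' };
  }
  const bad = blob.match(/[^A-Za-z0-9+\/=]/);
  if (bad) {
    return { ok: false, reason: `non-base64 character "${bad[0]}" at offset ${bad.index} of the key blob` };
  }
  if (blob.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(blob)) {
    return { ok: false, reason: 'key blob is not well-formed base64' };
  }
  const raw = Buffer.from(blob, 'base64');
  const len = raw.length >= 4 ? raw.readUInt32BE(0) : -1;
  if (len < 0 || 4 + len > raw.length) {
    return { ok: false, reason: 'key blob is truncated' };
  }
  const declared = raw.subarray(4, 4 + len).toString('latin1');
  if (declared !== type) {
    return { ok: false, reason: `blob declares "${declared}" but the line says "${type}"` };
  }
  return { ok: true, reason: 'ok' };
}

// CloudTrail records ImportKeyPair's publicKeyMaterial base64-encoded, as in the
// event quoted in this thread; decode it to compare against the synthesized template.
function decodeCloudTrailKeyMaterial(value) {
  return Buffer.from(value, 'base64').toString('utf8');
}

// Constructed sample, not a usable key: a blob with valid framing, split into
// chunks the way the stack in the issue splits its key.
function sshString(bytes) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(bytes.length);
  return Buffer.concat([len, Buffer.from(bytes)]);
}
const sampleBlob = Buffer.concat([
  sshString('ssh-rsa'), sshString([1, 0, 1]), sshString(Buffer.alloc(64, 0xab)),
]).toString('base64');
const chunks = ['ssh-rsa ' + sampleBlob.slice(0, 40), sampleBlob.slice(40, 80), sampleBlob.slice(80) + ' m@e'];

const joinedWithDefault = chunks.join();  // no argument: separator is ","
const joinedWithEmpty = chunks.join('');  // the fix from the thread

console.log(checkOpenSshPublicKey(joinedWithDefault));
console.log(checkOpenSshPublicKey(joinedWithEmpty));
```

Calling the check in the stack before constructing the key pair and throwing on `ok: false` surfaces the problem at synth time, before CloudFormation returns its `"null"` message.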
