aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

CfnInclude: fails to parse/load a CloudFormation template which is acceptable to CloudFormation CreateStack #29642

Open climbertjh2 opened 3 months ago

climbertjh2 commented 3 months ago

Describe the bug

CloudFormation template which specifies a string-concatenation for AssumeRolePolicyDocument attribute in AWS::IAM::Role resource is NOT accepted by CfnInclude(). cdk synth fails with an exception:

CfnSynthesisError: Resolution error: Supplied properties not correct for "CfnRoleProps"
  assumeRolePolicyDocument: "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}" should be an 'object'.

See various permutations for the AssumeRolePolicyDocument attribute in the iam-role.yaml file attached to this ticket. iam-role.yaml.txt

Expected Behavior

CfnInclude() should accept CloudFormation YAML files that are accepted by CloudFormation CreateStack.

Current Behavior

cdk synth fails with an exception.

Reproduction Steps

Create YAML file as described. Run cdk synth using a CDK application which uses CfnInclude() to include the YAML file.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.134.0 (build 265d769)

Framework Version

No response

Node.js Version

v20.7.0

OS

MacOS

Language

TypeScript

Language Version

TypeScript (5.1.6)

Other information

No response

climbertjh2 commented 3 months ago

Looking into this a bit more, it appears that CfnRoleProps only accepts a PolicyDocument object as input for the assumeRolePolicyDocument attribute, while CloudFormation itself is a bit more lenient and will accept a string as input where the string contains JSON mark-up.

This seems to be complicated by CfnRole and CfnRoleProps being in the set of code that is iam_generated?

khushail commented 2 months ago

Thanks @climbertjh2 for reporting this issue. I am able to reproduce this and am facing the same error.

climbertjh2 commented 2 months ago

@khushail - Thanks for looking into this. If you need someone to test out your updates, let me know.

I found it a bit strange that creating a string using !Join in the CloudFormation template seems to work, while just specifying a string (over multiple lines) using | or >- does not work. There seem to be some special cases implemented by CloudFormation which are not quite handled by the CfnRoleProps construct.
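The thread above boils down to one shape mismatch: CloudFormation accepts a trust policy given as a JSON string (or a `!Join` that produces one), while `CfnRoleProps` in CfnInclude insists on an object. The following is an added example, not code from the aws-cdk project or from the reporter: a TypeScript pre-processing step that rewrites such string-valued `AssumeRolePolicyDocument` properties into objects before the template is handed to CfnInclude, and rejects strings that are not a well-formed policy document so the failure is reported with the role's logical ID instead of a synthesis error. It assumes the template has already been parsed into a plain JavaScript object (for example with a YAML library); the names `normalizeTrustPolicies`, `foldLiteralJoin`, `parsePolicyDocument` and `makeSampleTemplate`, and the sample template they operate on, are constructed for this example. It goes slightly beyond the reporter's case by also folding a `Fn::Join` whose parts are all literals, and by leaving a `Fn::Join` that references a parameter untouched.

```typescript
// Added example (not aws-cdk project code): normalize AWS::IAM::Role trust
// policies in a parsed CloudFormation template so that JSON strings become
// objects, the shape CfnInclude / CfnRoleProps expects.

type Json = any;

// Only the parts of a template this example touches.
interface Template {
  Resources?: Record<string, { Type?: string; Properties?: Record<string, Json> }>;
  [key: string]: Json;
}

// Fold {"Fn::Join": [delim, [literal, literal, ...]]} into one string.
// Returns undefined for anything else (plain objects, Joins with Ref/GetAtt parts),
// so those values are passed through unchanged.
function foldLiteralJoin(value: Json): string | undefined {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return undefined;
  const join: unknown = value["Fn::Join"];
  if (!Array.isArray(join) || join.length !== 2) return undefined;
  const [delim, parts] = join;
  if (typeof delim === "string" && Array.isArray(parts) && parts.every((p: unknown) => typeof p === "string")) {
    return parts.join(delim);
  }
  return undefined;
}

// Parse a trust-policy string and check the minimum structure IAM requires:
// a JSON object with a Statement array. Bad input is reported per role.
function parsePolicyDocument(text: string, logicalId: string): Record<string, Json> {
  let doc: Json;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    throw new Error(`${logicalId}: AssumeRolePolicyDocument is not valid JSON: ${(e as Error).message}`);
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc) || !Array.isArray(doc.Statement)) {
    throw new Error(`${logicalId}: AssumeRolePolicyDocument must be a JSON object with a Statement array`);
  }
  return doc;
}

// Mutates the template in place; returns the logical IDs of roles that were converted.
function normalizeTrustPolicies(template: Template): string[] {
  const converted: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== "AWS::IAM::Role" || !res.Properties) continue;
    const raw = res.Properties.AssumeRolePolicyDocument;
    const text = typeof raw === "string" ? raw : foldLiteralJoin(raw);
    if (text === undefined) continue; // already an object, or a Join we cannot resolve at synth time
    res.Properties.AssumeRolePolicyDocument = parsePolicyDocument(text, logicalId);
    converted.push(logicalId);
  }
  return converted;
}

// Constructed sample (assumption, not the reporter's attachment): the same trust
// policy written four ways, mirroring the permutations discussed in the issue.
function makeSampleTemplate(): Template {
  const head = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "';
  const tail = '"}, "Action": "sts:AssumeRole"}]}';
  return {
    AWSTemplateFormatVersion: "2010-09-09",
    Parameters: { TrustedService: { Type: "String" } },
    Resources: {
      // 1. Object form: what CfnRoleProps wants; left as is.
      ObjectRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: {
        Version: "2012-10-17",
        Statement: [{ Effect: "Allow", Principal: { Service: "ec2.amazonaws.com" }, Action: "sts:AssumeRole" }],
      } } },
      // 2. Block-scalar string (what YAML `|` produces): the case that fails in CfnInclude.
      StringRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument:
        '{\n  "Version": "2012-10-17",\n  "Statement": [\n    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}\n  ]\n}' } },
      // 3. Fn::Join of literals only: folded and parsed.
      JoinRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument:
        { "Fn::Join": ["", [head, "lambda.amazonaws.com", tail]] } } },
      // 4. Fn::Join with a Ref: cannot be resolved here, left for CloudFormation.
      ParamJoinRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument:
        { "Fn::Join": ["", [head, { Ref: "TrustedService" }, tail]] } } },
    },
  };
}
```

In a CDK app the flow would be: load the YAML into an object, run `normalizeTrustPolicies` on it, write the result with `JSON.stringify` to a file, and pass that file's path as `templateFile` to `CfnInclude` (it accepts JSON as well as YAML templates). A string that fails `parsePolicyDocument` would also have been rejected by CloudFormation at CreateStack; the normalizer only surfaces that earlier and names the role. Trust policies are the boundary that decides who may assume the role, so anything that rewrites them should, as here, refuse to guess at values it cannot fully resolve.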