aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[AWS::ECS::Cluster] - [BUG] - false-positive drift for `FargateEphemeralStorageKmsKeyId` #2372

Closed r-heimann closed 4 days ago

r-heimann commented 3 months ago

Name of the resource

AWS::ECS::Cluster

Resource Name

No response

Issue Description

When creating an AWS::ECS::Cluster in eu-central-1 using

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      CapacityProviders:
        - FARGATE
      Configuration:
        ManagedStorageConfiguration:
          FargateEphemeralStorageKmsKeyId: !GetAtt KMSKey.KeyId

it will cause a drift:

Property | Change | Expected value | Current value
-- | -- | -- | --
Configuration.ManagedStorageConfiguration.FargateEphemeralStorageKmsKeyId | NOT_EQUAL | ["KMSKeyId"] | ["KMSKeyIdArn"]

Expected Behavior

Drift is recognizing the KMS Key Id Arn, instead of the Id.

Observed Behavior

Drift thinks it wants to see a KMS Key Id.

Test Cases

AWSTemplateFormatVersion: 2010-09-09
Description: Drift Test

Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: "Test"
        Statement:
          - Sid: Allow root # Allow everything for root IAM Role
            Effect: Allow
            Action: kms:*
            Resource: "*"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
          - Sid: "ECS: Allow generate data key access for Fargate tasks."
            Effect: Allow
            Principal:
              Service: fargate.amazonaws.com
            Action: kms:GenerateDataKeyWithoutPlaintext
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ecs:clusterAccount:
                  - !Ref AWS::AccountId
                kms:EncryptionContext:aws:ecs:clusterName:
                  - "Test" # !Ref EcsCluster circular dependency
            Resource: "*"
          - Sid: "ECS: Allow grant creation permission for Fargate tasks."
            Effect: Allow
            Principal:
              Service: fargate.amazonaws.com
            Action: kms:CreateGrant
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ecs:clusterAccount:
                  - !Ref AWS::AccountId
                kms:EncryptionContext:aws:ecs:clusterName:
                  - "Test" # !Ref EcsCluster circular dependency
              ForAllValues:StringEquals:
                kms:GrantOperations:
                  - Decrypt
            Resource: "*"

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: "Test"
      CapacityProviders:
        - FARGATE
      Configuration:
        ManagedStorageConfiguration:
          FargateEphemeralStorageKmsKeyId: !GetAtt KMSKey.KeyId

Other Details

No response
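The drift reported in this issue is an identifier-representation mismatch (bare KMS key ID versus key ARN) rather than a change of key. As an added example that is not part of the issue or of the AWS containers-roadmap repository, the Python below triages DescribeStackResourceDrifts-style records: it normalises key ARNs to bare key IDs only on property paths known to accept either form, so a key that really was swapped out of band (a security-relevant change) is still reported as real drift. The slash-separated property path, the key IDs, the account ID and the drift records are constructed sample values, and the set of KMS-key property paths is an assumption you extend for your own templates.

```python
import re
from typing import Dict, List

# Property paths that accept either a bare KMS key ID or a key ARN, so an
# ID-vs-ARN difference there is a representation difference, not a new key.
# Only the path from this issue is listed; extend for your own templates.
# Slash-separated paths are the form DescribeStackResourceDrifts reports.
KMS_KEY_PROPERTY_PATHS = {
    "/Configuration/ManagedStorageConfiguration/FargateEphemeralStorageKmsKeyId",
}

# Key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>
# (key-id is a UUID, or mrk-<32 hex> for a multi-Region key).
KEY_ARN_RE = re.compile(
    r"^arn:[^:]+:kms:[^:]+:\d{12}:key/(?P<key_id>mrk-[0-9a-f]{32}|[0-9a-f-]{36})$"
)


def canonical_kms_key_id(value: str) -> str:
    """Reduce a key ARN to its bare key ID. Anything else (bare ID, alias name,
    alias ARN) is returned unchanged: an alias can only be resolved to a key
    with a KMS DescribeKey call, which this offline helper does not make."""
    m = KEY_ARN_RE.match(value.strip())
    return m.group("key_id") if m else value.strip()


def classify_difference(diff: Dict) -> str:
    """'representation_only' when the difference is ID vs ARN of the same key
    on a KMS-key property; 'real_drift' for everything else."""
    if diff["DifferenceType"] != "NOT_EQUAL":
        return "real_drift"  # ADD / REMOVE are always meaningful
    if diff["PropertyPath"] not in KMS_KEY_PROPERTY_PATHS:
        return "real_drift"  # never normalise paths we have not vetted
    expected = canonical_kms_key_id(diff["ExpectedValue"])
    actual = canonical_kms_key_id(diff["ActualValue"])
    return "representation_only" if expected == actual else "real_drift"


def triage_drifts(drifts: List[Dict]) -> List[Dict]:
    """Flatten DescribeStackResourceDrifts-style records into per-property verdicts."""
    verdicts = []
    for resource in drifts:
        for diff in resource.get("PropertyDifferences", []):
            verdicts.append({
                "LogicalResourceId": resource["LogicalResourceId"],
                "PropertyPath": diff["PropertyPath"],
                "Verdict": classify_difference(diff),
            })
    return verdicts


# Constructed sample values (not real keys or accounts).
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ID = "0987dcba-09fe-87dc-65ba-ba0987654321"
KEY_ARN = f"arn:aws:kms:eu-central-1:111122223333:key/{KEY_ID}"
OTHER_KEY_ARN = f"arn:aws:kms:eu-central-1:111122223333:key/{OTHER_KEY_ID}"
KMS_PATH = "/Configuration/ManagedStorageConfiguration/FargateEphemeralStorageKmsKeyId"

# Constructed drift records in the shape of DescribeStackResourceDrifts output.
SAMPLE_DRIFTS = [
    {   # the issue's case: the same key, reported once as ID and once as ARN
        "LogicalResourceId": "ECSCluster",
        "ResourceType": "AWS::ECS::Cluster",
        "StackResourceDriftStatus": "MODIFIED",
        "PropertyDifferences": [{
            "PropertyPath": KMS_PATH,
            "ExpectedValue": KEY_ID,
            "ActualValue": KEY_ARN,
            "DifferenceType": "NOT_EQUAL",
        }],
    },
    {   # a different key was configured out of band: must not be dismissed
        "LogicalResourceId": "OtherCluster",
        "ResourceType": "AWS::ECS::Cluster",
        "StackResourceDriftStatus": "MODIFIED",
        "PropertyDifferences": [{
            "PropertyPath": KMS_PATH,
            "ExpectedValue": KEY_ID,
            "ActualValue": OTHER_KEY_ARN,
            "DifferenceType": "NOT_EQUAL",
        }],
    },
    {   # a non-KMS property: no normalisation applies
        "LogicalResourceId": "ECSCluster",
        "ResourceType": "AWS::ECS::Cluster",
        "StackResourceDriftStatus": "MODIFIED",
        "PropertyDifferences": [{
            "PropertyPath": "/Tags/0/Value",
            "ExpectedValue": "prod",
            "ActualValue": "dev",
            "DifferenceType": "NOT_EQUAL",
        }],
    },
]

if __name__ == "__main__":
    for v in triage_drifts(SAMPLE_DRIFTS):
        print(f"{v['LogicalResourceId']:14} {v['Verdict']:20} {v['PropertyPath']}")
```

The allow-list of property paths is deliberate: normalising every string that looks like an ARN would hide real changes on properties where the ARN form is meaningful (for example a cross-account key ARN on a property that stores only ARNs), so each path is opted in explicitly. Feed the script the `StackResourceDrifts` array from `aws cloudformation describe-stack-resource-drifts` in place of `SAMPLE_DRIFTS`.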

r-heimann commented 3 months ago

https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/2069

r-heimann commented 3 months ago

This is not the first time a new feature causes false-positive drifts in CloudFormation. It would be great if the Service Team could improve their CloudFormation debugging of new features.

r-heimann commented 4 days ago

Not a false-positive anymore.