awsdocs / aws-cloudformation-user-guide

The open source version of the AWS CloudFormation User Guide

Systems Manager Incident Manager Circular Dependency #1287

Closed Jfrachal closed 11 months ago

Jfrachal commented 1 year ago

The AWS SSM Incident Manager service contains a circular dependency that can be observed in the CloudFormation Documentation.

AWS::SSMContacts::Contact and AWS::SSMContacts::ContactChannel require references to each other that must pre-exist in order to be created.

An AWS::SSMContacts::Contact contains the required property Plan, which references a property of type Stage; within a stage, Targets is "Required: No". Creating a stack with the following resources will result in `Resource handler returned message: "Invalid request provided: AWS::SSMContacts::Contact" (RequestToken: REQUEST_TOKEN, HandlerErrorCode: InvalidRequest)`.

```yaml
  DemoContactPersonal: # Can be contact or escalation plan
    Type: AWS::SSMContacts::Contact
    Properties:
      Alias: demo-contact
      DisplayName: Demo-Contact
      Plan:
        # A list of stages. A contact has an engagement plan with stages that
        # contact specified contact channels. An escalation plan uses stages
        # that contact specified contacts.
        - DurationInMinutes: 0
          # Targets:
          #   - ChannelTargetInfo:
          #       ChannelId: !Ref DemoContactChannelSMS
          #       RetryIntervalInMinutes: 5
          #   - ContactTargetInfo:
          #       ContactId:
          #       IsEssential:
      Type: PERSONAL
```

Thus we have established that creating an AWS::SSMContacts::Contact resource without a channel listed is not possible. Following this, the next step would be to create a resource that references an existing contact channel. This is not possible due to the fact that contact channels do not expose their ARN through the UI, and get-contact-channel requires that the user already knows the ARN. The only documented way to get this ARN is to run the create-contact-channel CLI command, which outputs a channel ARN. Note that this will not work, as in order to run this command the user must attach the channel to an existing contact, which would require the create-contact command which, like the CloudFormation stack, requires an ARN of a contact channel (which cannot happen, documented below).

The only remaining method would be to create an AWS::SSMContacts::ContactChannel resource in CloudFormation alongside the AWS::SSMContacts::Contact resource. An issue arises, however, because the contact channel requires a reference to ContactId, which creates a circular dependency.

We have now established that there is no way to create an AWS::SSMContacts::Contact with Type: PERSONAL, due to the issues listed above, without the use of the UI.
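The circular dependency described in the post can be surfaced before deployment by walking a template's Ref / Fn::GetAtt / DependsOn edges and looking for cycles. The following is an added example (not code from the issue author or from AWS) that does exactly that on a constructed JSON-style template mirroring the snippet above: a Contact whose stage targets a ContactChannel via Ref, and a ContactChannel whose ContactId refers back to the Contact. The layout of the Plan property is copied from the post's YAML rather than validated against the resource schema, and the ContactChannel's ChannelName and ChannelType properties are assumptions used only as filler.

```python
"""Detect circular Ref / Fn::GetAtt / DependsOn dependencies between
CloudFormation resources, given the template as a JSON-style dict.

Added example, not part of the original issue; the template below is
constructed to mirror the Contact / ContactChannel pair in the post."""
from typing import Any, Dict, List, Set


def _collect_refs(node: Any, out: Set[str]) -> None:
    """Recursively collect logical IDs referenced via Ref or Fn::GetAtt."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            out.add(node["Ref"])
        target = node.get("Fn::GetAtt")
        if isinstance(target, list) and target:
            out.add(target[0])
        elif isinstance(target, str):
            out.add(target.split(".", 1)[0])
        for value in node.values():
            _collect_refs(value, out)
    elif isinstance(node, list):
        for item in node:
            _collect_refs(item, out)


def dependency_graph(template: Dict[str, Any]) -> Dict[str, Set[str]]:
    """Map each resource logical ID to the set of resources it depends on."""
    resources = template.get("Resources", {})
    graph: Dict[str, Set[str]] = {}
    for logical_id, body in resources.items():
        deps: Set[str] = set()
        _collect_refs(body.get("Properties", {}), deps)
        depends_on = body.get("DependsOn", [])
        if isinstance(depends_on, str):
            depends_on = [depends_on]
        deps.update(depends_on)
        # Refs to Parameters or pseudo parameters are not resource edges.
        graph[logical_id] = {d for d in deps if d in resources and d != logical_id}
    return graph


def find_cycles(template: Dict[str, Any]) -> List[List[str]]:
    """Return every dependency cycle as a list of logical IDs (first == last)."""
    graph = dependency_graph(template)
    cycles: List[List[str]] = []
    state: Dict[str, int] = {}  # 0 = unvisited, 1 = on the DFS stack, 2 = done
    stack: List[str] = []

    def dfs(node: str) -> None:
        state[node] = 1
        stack.append(node)
        for nxt in sorted(graph[node]):
            if state.get(nxt, 0) == 0:
                dfs(nxt)
            elif state[nxt] == 1:  # back edge: the cycle is the stack from nxt onward
                cycles.append(stack[stack.index(nxt):] + [nxt])
        stack.pop()
        state[node] = 2

    for node in sorted(graph):
        if state.get(node, 0) == 0:
            dfs(node)
    return cycles


def build_template(include_targets: bool) -> Dict[str, Any]:
    """Constructed template: Contact <-> ContactChannel, optionally with the
    Targets block that the post has commented out."""
    stage: Dict[str, Any] = {"DurationInMinutes": 0}
    if include_targets:
        stage["Targets"] = [{"ChannelTargetInfo": {
            "ChannelId": {"Ref": "DemoContactChannelSMS"},
            "RetryIntervalInMinutes": 5}}]
    return {"Resources": {
        "DemoContactPersonal": {
            "Type": "AWS::SSMContacts::Contact",
            "Properties": {"Alias": "demo-contact", "DisplayName": "Demo-Contact",
                           "Type": "PERSONAL", "Plan": [stage]}},
        "DemoContactChannelSMS": {
            "Type": "AWS::SSMContacts::ContactChannel",
            "Properties": {"ContactId": {"Ref": "DemoContactPersonal"},
                           "ChannelName": "demo-sms",      # assumed property name
                           "ChannelType": "SMS"}},         # assumed property name
    }}


if __name__ == "__main__":
    for with_targets in (True, False):
        found = find_cycles(build_template(with_targets))
        print(f"Targets present: {with_targets} -> cycles: {found}")
```

With Targets present the checker reports the two-resource cycle; with Targets omitted (the post's commented-out form) the graph is acyclic, which is precisely the state CloudFormation accepts structurally but the Contact handler then rejects as an invalid request.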

joshbean commented 11 months ago

Closing this issue or pull request in advance of archiving this repo. For more information about the decision to archive this repo (and others in the "awsdocs" org), see the announcement on the AWS News Blog.