(cloudformation-include): detect cycles in the input template #16654
Comments
acdoussan
added
bug
github-actions
bot
added
the
@aws-cdk/cloudformation-include
|
Hey @acdoussan, thanks for opening the issue. Even though you didn't include it in your snippet, I assume this template uses the Serverless transform, correct? Would you mind downloading the processed template from CloudFormation (the one without Thanks, |
|
Hey @skinny85 You're right, here is the transform field: Downloaded both the processed and unprocessed template from the AWS console, both still gave a stack overflow. Unprocessed was in yaml and still had |
|
Would you mind uploading both templates, the one with the transform and the one without the transform, to this issue, so I can take a look? Feel free to anonymize it if needed, of course. |
|
Provided full cfn templates via private channels |
|
Thanks for providing the templates @acdoussan. Here are the results of my investigation. For the unprocessed template you provided (the one with the "APIGatewayExecutionRole":
"Properties":
"AssumeRolePolicyDocument":
"Statement":
- "Action":
- "sts:AssumeRole"
"Effect": "Allow"
"Principal":
"Service":
- "apigateway.amazonaws.com"
"Version": "2012-10-17"
"Policies":
- "PolicyDocument":
"Statement":
- "Action":
- "lambda:Invoke*"
"Effect": "Allow"
"Resource":
"Fn::Join":
- ""
- - "Fn::GetAtt": "LambdaFunction.Arn"
- "*"
"Version": "2012-10-17"
"PolicyName": "apigInvokeLambda"
"Type": "AWS::IAM::Role"
"LambdaFunction":
"Properties":
"AutoPublishAlias":
"Ref": "LambdaAliasName"
"CodeUri":
"Bucket":
"Fn::If":
- "UseBatsKey"
- !Ref "PipelinesControlledRegionBucket"
- "Fn::ImportValue":
"Ref": "DeploymentBucketImportName"
"Key": "TEBALambda/development:TEBALambda-1.0:AWSLambda-1.0:TEBALambda-1.0/24e89002-eb0c-42c5-b58c-fe88b19fd96e/3aa9c6c8-11de-4d1c-9eb1-54e6d840fdf1-lambda.zip"
"Events":
"APIG":
"Properties":
"Method": "ANY"
"Path": "/"
"RestApiId":
"Ref": "LambdaAPIDefinition"
"Type": "Api"
"Handler": "com.amazon.tebalambda.TEBALambdaEntryPoint::handleRequest"
"MemorySize": !!int "2048"
"Role":
"Fn::GetAtt":
- "LambdaRole"
- "Arn"
"Runtime": "java8"
"Type": "AWS::Serverless::Function"
"LambdaAPIDefinition":
"DependsOn": "APIGatewayAccount"
"Properties":
"DefinitionBody":
"paths":
"/blue-anvil-data-cleanup/update-default-rate-card-sim-upload":
"post":
"x-amazon-apigateway-integration":
"credentials":
"Fn::GetAtt":
- "APIGatewayExecutionRole"
- "Arn"
"httpMethod": "POST"
"passthroughBehavior": "NEVER"
"responses":
"default":
"statusCode": "200"
"type": "aws_proxy"
"uri":
"Fn::Sub":
- "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaArn}${LambdaAlias}/invocations"
- "LambdaAlias": ":live"
"LambdaArn":
"Fn::GetAtt":
- "LambdaFunction"
- "Arn"
"Type": "AWS::Serverless::Api"As you can see, As for the processed file (the one without any transforms), I was actually able to include it successfully, without any errors. Can you please try to include it in your CDK app, and let me know if it works? I'm keeping this issue open to provide a better error message when a cycle in the input template has been found. Thanks, |
skinny85
changed the title
skinny85
added
effort/medium
|
You're right, looks like the JSON includes, I likely forgot to rebuild the typescript after pointing to the JSON before rerunning the cdk command. Is it the correct interpretation that you're recommending we use the downloaded JSON to import our stack into CDK? We are trying to migrate to cdk from our existing cloudformation, and then slowly eliminate the cloudformation as we can. I'm not too sure that importing the JSON from AWS is a great solution, we have some things that may need to be updated at some point that are currently built with jinja, and there are also things that are injected here by dependencies that we would have to handle somehow as well. Not to mention trying to maintain a giant file is also problematic (what is provided is after a build stage, our existing implementation is separated into multiple files). Looks like we could maybe hack in the translation (appears there is an implementation here) but this sort of feels like something the library should handle. Is integrating that / handling serverless transform something you would consider? |
Yes, I'm recommending you use the processed JSON file with
After you do that migration, you can use CDK to edit your resources, as shown in this video. You will never have to touch that huge JSON file again - everything will be done through CDK code. Hope that helps! |
|
Gotcha, took a look, not the ideal solution I think because you still have to dig through the file to make changes, but otherwise does look pretty nice. Only slightly confusing thing is that example states to use the unprocessed template, I assume this example just didn't run into whatever is going wrong here. One final question, we use SAM toolkit deploys to allow each developer to have their own stack to test with before deploying to a beta environment, since we are stripping out the SAM stuff from the template I imagine that won't be possible anymore. Is there a something similar we can do from the CDK side? I suppose we could create multiple instances of the same stack, just wondering if there is a best practice / recommended way to do this. |
Yes, because that example did not contain a cycle in the SAM template, so using an unprocessed template is better, because of the thing I mentioned in this comment:
The only time you should need to dig through the template file is to get the logical ID of the resources to retrieve them in your CDK code - no other digging should be necessary 🙂.
Yes, absolutely! You actually have many options in this area:
Thanks, |
Add code that detects when the CloudFormation template being included contains a cycle between any of irs resources. While that's not allowed in pure CloudFormation, Serverless templates can unfortunately contain cycles before they are processed. Fixes aws#16654
…19871) Add code that detects when the CloudFormation template being included contains a cycle between any of its resources. While that's not allowed in pure CloudFormation, Serverless templates can unfortunately contain cycles before they are processed. Fixes #16654 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…ws#19871) Add code that detects when the CloudFormation template being included contains a cycle between any of its resources. While that's not allowed in pure CloudFormation, Serverless templates can unfortunately contain cycles before they are processed. Fixes aws#16654 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
The fix that closed this issue doesn't solve the problem in full, as stated initially "Not totally sure how cloudformation manages to resolve this, but it should probably be mirrored here." Currently, all the fix does is enable throwing a more descriptive error, not including an unprocessed template using transforms that results in circular references. I believe this issue should be re-opened so that a PR can accurately be prioritized if submitted to resolve this lack of parity. |
|
@AlexanderADietrich this issue was about detecting cycles, and that was fixed. Handling cycles is a separate issue 🙂. |
Cloudformation include gets into a recursive loop and stack overflows with a valid lambda behind API gateway configuration
Reproduction Steps
import the following cloudformation, run
cdk ls, get stack overflow. I've stripped down this cloudformation as best as I can, so it may not be strictly valid, but its valid enough to show off the issue.In this example, the APIGatewayExecutionRole depends on the LambdaFunction.Arn, then the LambdaFunction depends on the LambdaAPIDefinition for its events, and finally the LambdaAPIDefinition depends on the APIGatewayExecutionRole for the credentials.
What did you expect to happen?
CDK imports the cfn successfully.
What actually happened?
Stack overflow error. At a minimum this should throw an error for a circular reference, however, cloudformation itself can handle this, so I believe CDK should be able to handle this as well.
Environment
Other
The main issue seems to be
aws-cdk/packages/@aws-cdk/cloudformation-include/lib/cfn-include.ts
Line 587 in 8ad33b8
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: