Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(ec2): 2.31.0 breaks deployments to vpcflow logs that don't specify optional DestinationOptions #21037

Closed
cmoore1776 opened this issue Jul 7, 2022 · 7 comments
Closed

(ec2): 2.31.0 breaks deployments to vpcflow logs that don't specify optional DestinationOptions #21037

cmoore1776 opened this issue Jul 7, 2022 · 7 comments
Assignees
@corymhall
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. language/python Related to Python bindings p1

Comments

@cmoore1776
Copy link
Contributor

Describe the bug

After CDK 2.31.0 aws_cdk.aws_ec2.FlowLogOptions synthesize with a new parameter DestinationOptions regardless of whether or not that parameter is defined in CDK code.

For example, you can implement aws_cdk.aws_ec2.FlowLogDestination.to_s3 without specifying destination options, resulting in a synthesized value of DestinationOptions set to {}.

This appears valid at first, an a CDK diff:

Stack prod-vpc-ap-northeast-1
--
Resources
[~] AWS::EC2::FlowLog primary/vpcFlowLogs/FlowLog primaryvpcFlowLogsFlowLogA2C669F8 replace
└─ [+] DestinationOptions (requires replacement)
└─ {}

But then fails CFN validation during deployment:

Failed resources:
--
prod-vpc-ap-northeast-1 | 3:19:15 PM | UPDATE_FAILED        | AWS::EC2::FlowLog
Resource handler returned message: "Model validation failed (#/DestinationOptions: 3 schema violations found)
#/DestinationOptions: required key [FileFormat] not found (#/DestinationOptions)
#/DestinationOptions: required key [HiveCompatiblePartitions] not found (#/DestinationOptions)
#/DestinationOptions: required key [PerHourPartition] not found (#/DestinationOptions)" (RequestToken: 3d6360da-a3f1-b912-c6c1-63fca4576878, HandlerErrorCode: InvalidRequest)

Looking at the CFN User Guide, DestinationOptions is not required, but apparently if specified, all three keys become required.

Expected Behavior

I expect the ec2.Vpc.add_flow_log method to synthesize without an empty DestinationOptions parameter.

e.g. this CDK python code:

self.prodVpc.add_flow_log(
  id= "prodVpcFlowLog",
  destination= ec2.FlowLogDestination.to_s3(
    bucket= self.vpcFlowLogsBucket,
    key_prefix= self.prodVpc.vpc_id
  ),
  traffic_type= ec2.FlowLogTrafficType.ALL
)

should synthesize as such:

[..]
{
  "Type": "AWS::EC2::FlowLog",
  "Properties": {
  "ResourceId": "vpc-xxx",
  "ResourceType": "VPC",
  "TrafficType": "ALL",
  "LogDestination": { "s3://xxxx" },
  "LogDestinationType": "s3"
 }
[..]

Current Behavior

Current behavior is ec2.Vpc.add_flow_log method synthesizes with an empty DestinationOptions parameter.

e.g. this CDK python code:

self.prodVpc.add_flow_log(
  id= "prodVpcFlowLog",
  destination= ec2.FlowLogDestination.to_s3(
    bucket= self.vpcFlowLogsBucket,
    key_prefix= self.prodVpc.vpc_id
  ),
  traffic_type= ec2.FlowLogTrafficType.ALL
)

synthesizes as invalid CFN:

[..]
{
  "Type": "AWS::EC2::FlowLog",
  "Properties": {
  "ResourceId": "vpc-xxx",
  "ResourceType": "VPC",
  "TrafficType": "ALL",
  "DestinationOptions": {},
  "LogDestination": { "s3://xxxx" },
  "LogDestinationType": "s3"
 }
[..]

Reproduction Steps

See "Expected Behavior"

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.31.0

Framework Version

No response

Node.js Version

16.15.1

OS

macOS 12.4

Language

Python

Language Version

Python 3.10.5

Other information

No response
@cmoore1776 cmoore1776 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 7, 2022
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jul 7, 2022
@corymhall
Copy link
Contributor

I can reproduce this on a python project, but not in a typescript project. I'm not sure why python is handling this differently. @rix0rrr @RomainMuller any ideas?

@corymhall corymhall added p1 language/python Related to Python bindings labels Jul 7, 2022
@peterwoodworth
Copy link
Contributor

I am also finding the same behavior here - and can confirm that this isn't seen on Python CDK version 2.30.0

@peterwoodworth peterwoodworth removed the needs-triage This issue or PR still needs to be triaged. label Jul 7, 2022
@corymhall
Copy link
Contributor

I am also finding the same behavior here - and can confirm that this isn't seen on Python CDK version 2.30.0

It was introduced in #20765

@cmoore1776 cmoore1776 changed the title (ec2): 2.31.0 breaks deployments to vpcflow logs that don't specifiy optional DestinationOptions (ec2): 2.31.0 breaks deployments to vpcflow logs that don't specify optional DestinationOptions Jul 7, 2022
@corymhall corymhall mentioned this issue Jul 7, 2022
Merged
4 tasks
mergify bot pushed a commit that referenced this issue Jul 7, 2022
@corymhall
fix(aws-ec2): flow log destinationOptions requires all properties (#2…
0a76009 
…1042)

PR #20765 introduced destinationOptions, but only introduced one of the
optional properties ('hiveCompatiblePartitions') since that is the only
property that was relevant for the PR. The [docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html#cfn-ec2-flowlog-destinationoptions)
don't specify this, but if you provide `destinationOptions` you must
specify a value for each prop, otherwise you will receive an error
message on deploy.

This PR adds the two additional properties.

re #21037


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@RomainMuller
Copy link
Contributor

RomainMuller commented Jul 8, 2022
edited

This is because ec2.FlowLogDestination.toS3 accepts an optional S3DestinationOptions object at

aws-cdk/packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts

Line 178 in 68f09b7

public static toS3(bucket?: s3.IBucket, keyPrefix?: string, options?: S3DestinationOptions): FlowLogDestination {
.

As far as Python is concerned, this terminal position property bag is a set of keyword arguments, and there is no way to explicitly pass None here, making Python treat those as ALWAYS empty object.

The issue actually is that this place assumes no S3DestinationOptions has different semantics than an empty S3DestinationOptions value, which is an anti-pattern (not passing any should mean "use defaults", which is effectively what happens when {} is passed).

@corymhall
Copy link
Contributor

I think this might be fixed in #21042 since I am explicitly setting destinationOptions to undefined in the bind method.

daschaa pushed a commit to daschaa/aws-cdk that referenced this issue Jul 9, 2022
@corymhall @daschaa
fix(aws-ec2): flow log destinationOptions requires all properties (aw…
2e9551b 
…s#21042)

PR aws#20765 introduced destinationOptions, but only introduced one of the
optional properties ('hiveCompatiblePartitions') since that is the only
property that was relevant for the PR. The [docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html#cfn-ec2-flowlog-destinationoptions)
don't specify this, but if you provide `destinationOptions` you must
specify a value for each prop, otherwise you will receive an error
message on deploy.

This PR adds the two additional properties.

re aws#21037


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@macdrorepo
Copy link

macdrorepo commented Jul 28, 2022
edited

Update to 2.33.0 is the cure...

@github-actions
Copy link

github-actions bot commented Aug 1, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@corymhall corymhall

Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. language/python Related to Python bindings p1
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@RomainMuller @macdrorepo @cmoore1776 @corymhall @peterwoodworth