(aws-backup): (BackupVault.fromBackupVaultArn fails to parse backup vault ARN) #25212

Closed
eriklztiqqe opened this issue Apr 20, 2023 · 2 comments · Fixed by #25259
Labels
@aws-cdk/aws-backup Related AWS Backup bug This issue is a bug. effort/small Small work item – less than a day of effort p2


eriklztiqqe commented Apr 20, 2023

Describe the bug

If you try to include a reference to an already defined backup vault through its ARN, and then use the vault in a backup plan rule, you get an error when you try to deploy the stack which uses it.

Error: Failed to create ChangeSet cdk-deploy-change-set on datalake-redshift: FAILED, Template error: Fn::Select cannot select nonexistent value at index 1

Expected Behavior

No error, referencing the backup vault construct in a backup plan should work.

Current Behavior

A stack trace when the change set is about to be created, which includes the error:

Error: Failed to create ChangeSet cdk-deploy-change-set on datalake-redshift: FAILED, Template error: Fn::Select cannot select nonexistent value at index 1

Reproduction Steps

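```ts
import { BackupPlan, BackupVault } from 'aws-cdk-lib/aws-backup';
// `scope` is the enclosing Stack or Construct.
const vault = BackupVault.fromBackupVaultArn(scope, 'vault', 'arn:aws:backup:eu-north-1:123456789012:backup-vault:blablabla');
const plan = new BackupPlan(scope, 'plan', { backupVault: vault });
```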

Workaround currently is to change the ARN to use a slash between "backup-vault" and the backup vault name, before calling fromBackupVaultArn().

Possible Solution

Change fromBackupVaultArn to use ArnFormat.COLON_RESOURCE_NAME instead of ArnFormat.SLASH_RESOURCE_NAME.

Additional Information/Context

Looking at the generated CloudFormation where it is used, one can see the following below. The problem here is that "Fn::Select" uses index 1, after splitting by "/". However, there is no "/" separator in a backup vault ARN, only ":". So the index does not work.

```json
"BackupPlanRule": [
  {
    "EnableContinuousBackup": true,
    "Lifecycle": {
      "DeleteAfterDays": 7
    },
    "RuleName": "datalake_backup_plan-PITR-rule",
    "TargetBackupVault": {
      "Fn::Select": [
        1,
        {
          "Fn::Split": [
            "/",
            {
              "Fn::Select": [
                5,
                {
                  "Fn::Split": [
                    ":",
                    {
                      "Ref": "backupvaultarnparamParameter"
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
```

This is verified by looking at the code for the BackupVault in aws-backup module (below from release 2.76.0), where fromBackupVaultArn() uses ArnFormat.SLASH_RESOURCE_NAME instead of ArnFormat.COLON_RESOURCE_NAME.

```ts
/**
 * A backup vault
 */
export class BackupVault extends BackupVaultBase {
  /**
   * Import an existing backup vault by name
   */
  public static fromBackupVaultName(scope: Construct, id: string, backupVaultName: string): IBackupVault {
    const backupVaultArn = Stack.of(scope).formatArn({
      service: 'backup',
      resource: 'backup-vault',
      resourceName: backupVaultName,
      arnFormat: ArnFormat.COLON_RESOURCE_NAME,
    });

    return BackupVault.fromBackupVaultArn(scope, id, backupVaultArn);
  }

  /**
   * Import an existing backup vault by arn
   */
  public static fromBackupVaultArn(scope: Construct, id: string, backupVaultArn: string): IBackupVault {
    const parsedArn = Stack.of(scope).splitArn(backupVaultArn, ArnFormat.SLASH_RESOURCE_NAME);
```

CDK CLI Version

2.76.0

Framework Version

No response

Node.js Version

16

OS

macOS

Language

Python

Language Version

3.8

Other information

No response

@eriklztiqqe eriklztiqqe added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 20, 2023
@github-actions github-actions bot added the @aws-cdk/aws-backup Related AWS Backup label Apr 20, 2023
@pahud pahud self-assigned this Apr 20, 2023
Contributor

pahud commented Apr 20, 2023

Thank you for your detailed insight. I can confirm the ArnFormat is inconsistent.

```ts
export class BackupVault extends BackupVaultBase {
  /**
   * Import an existing backup vault by name
   */
  public static fromBackupVaultName(scope: Construct, id: string, backupVaultName: string): IBackupVault {
    const backupVaultArn = Stack.of(scope).formatArn({
      service: 'backup',
      resource: 'backup-vault',
      resourceName: backupVaultName,
      arnFormat: ArnFormat.COLON_RESOURCE_NAME,
    });
    return BackupVault.fromBackupVaultArn(scope, id, backupVaultArn);
  }
  /**
   * Import an existing backup vault by arn
   */
  public static fromBackupVaultArn(scope: Construct, id: string, backupVaultArn: string): IBackupVault {
    const parsedArn = Stack.of(scope).splitArn(backupVaultArn, ArnFormat.SLASH_RESOURCE_NAME);
```

Making this a p2 bug. Any PRs are welcome and appreciated!

@pahud pahud removed their assignment Apr 20, 2023
@pahud pahud added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Apr 20, 2023
mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Apr 24, 2023
@mergify mergify bot closed this as completed in #25259 Apr 24, 2023
mergify bot pushed a commit that referenced this issue Apr 24, 2023
…#25259)

`BackupVault.fromBackupVaultArn` parsed ARNs using the `ArnFormat.SLASH_RESOURCE_NAME` format.
This fix changes it to the [expected](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html#awsbackup-resources-for-iam-policies) `ArnFormat.COLON_RESOURCE_NAME` format.

Closes #25212 .

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
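
The `TargetBackupVault` expression from the issue, run through a small stand-in for CloudFormation's `Ref`, `Fn::Split` and `Fn::Select` (an added example, not part of the original thread or of the CDK code base). `evaluate`, `resolveVaultName` and `colonTemplate` are hypothetical names; `colonTemplate` assumes a colon-based parse reads the vault name from index 6 of the ARN split on ":".

```typescript
// Added example: a stand-in evaluator for the three intrinsics in the issue's template.
function evaluate(expr: any, params: Record<string, string>): any {
  if (typeof expr !== "object" || expr === null) return expr; // literal value
  if ("Ref" in expr) {
    if (!(expr.Ref in params)) throw new Error(`Unresolved parameter ${expr.Ref}`);
    return params[expr.Ref];
  }
  if ("Fn::Split" in expr) {
    const [separator, source] = expr["Fn::Split"];
    return String(evaluate(source, params)).split(separator);
  }
  if ("Fn::Select" in expr) {
    const [index, source] = expr["Fn::Select"];
    const list = evaluate(source, params);
    if (!Array.isArray(list) || index < 0 || index >= list.length) {
      throw new Error(`Fn::Select cannot select nonexistent value at index ${index}`);
    }
    return list[index];
  }
  throw new Error("Unsupported intrinsic");
}

const arnRef = { Ref: "backupvaultarnparamParameter" };
// TargetBackupVault as shown in the issue: split on ":", take part 5, split that on "/".
const slashTemplate = {
  "Fn::Select": [1, { "Fn::Split": ["/", { "Fn::Select": [5, { "Fn::Split": [":", arnRef] }] }] }],
};
// Assumption: the shape a colon-based parse would take (vault name is part 6).
const colonTemplate = { "Fn::Select": [6, { "Fn::Split": [":", arnRef] }] };

// Hypothetical helper: returns the resolved vault name, or the template error text.
function resolveVaultName(template: unknown, arn: string): string {
  try {
    return evaluate(template, { backupvaultarnparamParameter: arn });
  } catch (e) {
    return `Template error: ${(e as Error).message}`;
  }
}

// Inputs: the ARN from the issue, and the slash variant described as the workaround.
const colonArn = "arn:aws:backup:eu-north-1:123456789012:backup-vault:blablabla";
const slashArn = "arn:aws:backup:eu-north-1:123456789012:backup-vault/blablabla";

for (const [label, template] of [["slash parse", slashTemplate], ["colon parse", colonTemplate]] as const) {
  console.log(label, "| colon ARN ->", resolveVaultName(template, colonArn));
  console.log(label, "| slash ARN ->", resolveVaultName(template, slashArn));
}
```

The slash-based expression only resolves for the workaround ARN, and a colon-based one only for the real backup vault ARN, so the parse format has to match the ARN format the service actually uses.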