Add ServerlessRestApi for SAM templates. #337

Closed
gsmith077 opened this issue Jan 7, 2020 · 5 comments · Fixed by #387
@gsmith077

Error encountered:

| FAIL FATAL
|
| Unresolved logical resource ids: ["ServerlessRestApi"]

Steps to reproduce:

  • Have a valid SAM template with transform specified.
    • Specification like Transform: AWS::Serverless-2016-10-31
  • Use the valid pseudo-parameter ServerlessRestApi
    • Commonly used to provide a link to the API Gateway as an output, i.e. Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Stage/encrypt"
  • Attempt a check with cfn_nag_scan --input-path affected-template.yaml

Further Context:
An issue has been made for SAM to improve documentation of this pseudo-parameter, which is demonstrated in the example application. However, there are currently no other references to this parameter from the official documentation.
At this time, attempting to check the affected template will generate no results aside from the fatal fail message, included above. I was able to work around this by providing a known good logical id to generate valid findings, but this might not be practical for other use cases.

@ghost ghost added this to To do in cfn_nag Jan 31, 2020
@pshelby
Contributor

pshelby commented Feb 14, 2020

@gsmith077 I attempted to reproduce the error you received, however using the example template you linked above and the example template generated from sam init I wasn't able to see the same output. Could you please provide more details around how you found that error?

$ sam init
Which template source would you like to use?
        1 - AWS Quick Start Templates
        2 - Custom Template Location
Choice: 1
Which runtime would you like to use?
        1 - nodejs12.x
        2 - python3.8
        3 - ruby2.5
        4 - go1.x
        5 - java11
        6 - dotnetcore2.1
        7 - nodejs10.x
        8 - python3.7
        9 - python3.6
        10 - python2.7
        11 - java8
        12 - dotnetcore2.0
        13 - dotnetcore1.0
Runtime: 8
Project name [sam-app]:
Cloning app templates from https://github.com/awslabs/aws-sam-cli-app-templates.git
AWS quick start application templates:
        1 - Hello World Example
        2 - EventBridge Hello World
        3 - EventBridge App from scratch (100+ Event Schemas)
Template selection: 1
-----------------------
Generating application:
-----------------------
Name: sam-app
Runtime: python3.7
Dependency Manager: pip
Application Template: hello-world
Output Directory: .
Next steps can be found in the README file at ./sam-app/README.md
$ grep Serverless sam-app/template.yaml
Transform: AWS::Serverless-2016-10-31
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
  # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/hello/"
$ bundle exec cfn_nag --rule-directory ../lib sam-app/template.yaml
------------------------------------------------------------
sam-app/template.yaml
------------------------------------------------------------
Failures count: 0
Warnings count: 0
$ cfn_nag_scan --input-path sam-app/template.yaml
------------------------------------------------------------
sam-app/template.yaml
------------------------------------------------------------
Failures count: 0
Warnings count: 0

@gsmith077
Author

Dug in a bit more to create this. Looks like it's recognized correctly in the context of an output. In an earlier section of the code, we have a block like this;

PathMapping:
    Type: "AWS::ApiGateway::BasePathMapping"
    Properties:
      BasePath: test-app
      DomainName: !Ref DomainName
      RestApiId: !Ref ServerlessRestApi

The !Ref: for RestApiId is the one that's causing the error.

We have an output at the end of the template;

Outputs:
  Api:
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/test-app/"

This reference seems to be fine. I'm wondering if it's something handled differently between a !Ref and a !Sub.

@ghost

ghost commented Feb 17, 2020

@pshelby There were some changes to the model around ignoring things not too long ago. It's entirely possible this is OBE. If you can't reproduce, please close out the issue.

@gsmith077
Author

gsmith077 commented Feb 17, 2020

I have recreated this issue with a template from sam init. All that is needed to create the error on 0.5.7 is adding a BasePathMapping. See included template.yaml;

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  sam-app

  Sample SAM Template for sam-app

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 3

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: hello_world/
      Handler: app.lambda_handler
      Runtime: python3.7
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /hello
            Method: get

  PathMapping:
    Type: "AWS::ApiGateway::BasePathMapping"
    Condition: CreateProdResources
    Properties:
      # Next line causes the FATAL FAIL in cfn_nag_scan
      RestApiId: !Ref ServerlessRestApi

Outputs:
  # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
  # Find out more about other implicit resources you can reference within SAM
  # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
  HelloWorldApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/hello/"
  HelloWorldFunction:
    Description: "Hello World Lambda Function ARN"
    Value: !GetAtt HelloWorldFunction.Arn
  HelloWorldFunctionIamRole:
    Description: "Implicit IAM Role created for Hello World function"
    Value: !GetAtt HelloWorldFunctionRole.Arn

I also replaced the !Sub in the output with a !Ref, and that worked, so it currently looks semi-specific to the Type: "AWS::ApiGateway::BasePathMapping" Resource.

Addendum: I just validated the template with both sam validate and aws cloudformation validate-template, so it's not syntax related.

@pshelby pshelby self-assigned this Feb 20, 2020
@pshelby pshelby moved this from To do to In progress in cfn_nag Feb 20, 2020
pshelby pushed a commit to pshelby/cfn-model that referenced this issue Feb 20, 2020
…te is transformed which contains a ServerlessRestApi reference.
@pshelby
Contributor

pshelby commented Feb 20, 2020

Since these 'generated resources' are part of the SAM magic, they weren't fully supported during the cfn-model Serverless transformation. I just created stelligent/cfn-model#62 to enhance support in cfn-model for the Api generated resources. Once cfn-model is updated, I'll update the required version in cfn_nag and validate.
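
The behaviour described in this comment, sketched as an added example (not cfn-model's or cfn_nag's own code): a reference check that only knows the resources written in the template reports ServerlessRestApi as unresolved, and stops reporting it once the resource SAM generates for an implicit Api event is added to the known ids. The function names and the constructed template are assumptions for illustration.

```ruby
# Added example: simplified model of logical-id resolution, not cfn-model's code.
PSEUDO = %w[AWS::Region AWS::AccountId AWS::StackName AWS::Partition AWS::NoValue].freeze
SAM_TRANSFORM = 'AWS::Serverless-2016-10-31'

# Recursively collect every logical id named by Ref or by ${...} inside Fn::Sub.
def referenced_ids(node)
  case node
  when Array then node.flat_map { |n| referenced_ids(n) }
  when Hash
    node.flat_map do |key, value|
      if key == 'Ref' then [value]
      elsif key == 'Fn::Sub' then Array(value).first.scan(/\$\{([^!}.]+)/).flatten
      else referenced_ids(value)
      end
    end
  else []
  end
end

# SAM generates ServerlessRestApi when a function has an Api event with no RestApiId.
def implicit_sam_resources(template)
  return {} unless Array(template['Transform']).include?(SAM_TRANSFORM)
  functions = template.fetch('Resources', {}).values
                      .select { |r| r['Type'] == 'AWS::Serverless::Function' }
  events = functions.flat_map { |f| f.dig('Properties', 'Events')&.values || [] }
  implicit_api = events.any? do |e|
    e['Type'] == 'Api' && !e.fetch('Properties', {}).key?('RestApiId')
  end
  implicit_api ? { 'ServerlessRestApi' => { 'Type' => 'AWS::ApiGateway::RestApi' } } : {}
end

# Ids referenced in Resources/Outputs that match no known resource or parameter.
def unresolved_ids(template, expand_sam: false)
  known = template.fetch('Resources', {}).keys + template.fetch('Parameters', {}).keys + PSEUDO
  known += implicit_sam_resources(template).keys if expand_sam
  (referenced_ids(template['Resources']) + referenced_ids(template['Outputs'])).uniq - known
end

# Constructed sample: the reproduction template above, reduced and in long-form syntax.
TEMPLATE = {
  'Transform' => SAM_TRANSFORM,
  'Resources' => {
    'HelloWorldFunction' => { 'Type' => 'AWS::Serverless::Function', 'Properties' => {
      'Events' => { 'HelloWorld' => { 'Type' => 'Api', 'Properties' => { 'Path' => '/hello' } } } } },
    'PathMapping' => { 'Type' => 'AWS::ApiGateway::BasePathMapping',
                       'Properties' => { 'RestApiId' => { 'Ref' => 'ServerlessRestApi' } } }
  }
}.freeze
```

Calling `unresolved_ids(TEMPLATE)` returns the id from the fatal message; with `expand_sam: true` the list is empty, so the scan can proceed to the rule checks.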

pshelby pushed a commit to pshelby/cfn-model that referenced this issue Feb 24, 2020
…for proper URI names, and adding a second function to the test template for single API demo purposes.
ghost pushed a commit to stelligent/cfn-model that referenced this issue Feb 24, 2020
* stelligent/cfn_nag#337 Adding 'generated resources' when a SAM template is transformed which contains a ServerlessRestApi reference.

* Correcting syntax of PathMapping resource.

* stelligent/cfn_nag#337 Passing function name through to API creation for proper URI names, and adding a second function to the test template for single API demo purposes.
pshelby pushed a commit to pshelby/cfn-model that referenced this issue Feb 24, 2020
…ers when the CFN template has already been parsed with line numbers. Also adding StageDescription for AWS::ApiGateway::Deployment to pass all cfn_nag rules.
pshelby pushed a commit to pshelby/cfn-model that referenced this issue Feb 24, 2020
@ghost ghost moved this from In progress to Done in cfn_nag Feb 25, 2020
@pshelby pshelby moved this from Done to In progress in cfn_nag Feb 25, 2020
pshelby pushed a commit to pshelby/cfn-model that referenced this issue Feb 25, 2020
pshelby pushed a commit to pshelby/cfn-model that referenced this issue Feb 25, 2020
ghost pushed a commit to stelligent/cfn-model that referenced this issue Feb 25, 2020
…63)

* stelligent/cfn_nag#337 Updating Serverless transform to add line numbers when the CFN template has already been parsed with line numbers.  Also adding StageDescription for AWS::ApiGateway::Deployment to pass all cfn_nag rules.

* stelligent/cfn_nag#337 Adding rspec test for Serverless transforms with line numbers enabled.

* stelligent/cfn_nag#337 Cleaning up code for readability in serverless transform.

* stelligent/cfn_nag#337 More cleaning for readability in serverless transform.
pshelby pushed a commit to pshelby/cfn_nag that referenced this issue Feb 25, 2020
…erlessRestApi reference. Bumping cfn-model version to latest.
pshelby pushed a commit to pshelby/cfn_nag that referenced this issue Feb 25, 2020
…fix for resource types and line numbers.
@pshelby pshelby added the bug label Feb 26, 2020
@ghost ghost closed this as completed in #387 Feb 26, 2020
cfn_nag automation moved this from In progress to Done Feb 26, 2020
ghost pushed a commit that referenced this issue Feb 26, 2020
…t cfn-model (#387)

* Updating deprecated 'version' property to 'ruby-version' for setup-ruby action.

* #337 Creating rspec test for Serverless transform with ServerlessRestApi reference.  Bumping cfn-model version to latest.

* #337 Bumping cfn-model version to 0.4.18, which contains a fix for resource types and line numbers.
This issue was closed.