[custom-resources] getResponseField does not function properly when iterating over lists #9568

DarkmatterVale · 2020-08-10T14:06:19Z

When using the getResponseField method in a custom resource, it does not properly iterate over lists.

Reproduction Steps

Create a VPC
Add S3 & DynamoDB gateway endpoints in the vpc
Create a security group (name in this example: lambdaSg with setting allowAllOutbound: false)
Use a custom resource to call the AWS API to get the prefix lists, add them as egress targets for the security group:

const prefixListCall = new cr.AwsCustomResource(stack, 'GetPrefixListIds', {
    resourceType: 'Custom::GetPrefixListIds',
    onUpdate: {
        region: "REGION-HERE",
        service: 'EC2',
        action: 'describePrefixLists',
        parameters: {
            MaxResults: 10
        },
        physicalResourceId: cr.PhysicalResourceId.of('GetPrefixListIdsFunction')
    },
    policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
        resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE
    })
});
lambdaSg.connections.allowTo(ec2.Peer.prefixList(prefixListCall.getResponseField('PrefixLists.0.PrefixListId')), ec2.Port.allTraffic());
lambdaSg.connections.allowTo(ec2.Peer.prefixList(prefixListCall.getResponseField('PrefixLists.1.PrefixListId')), ec2.Port.allTraffic());

What did you expect to happen?

When I execute the above CDK and check the outbound rules for the security group in the console, I see 2 rules: one for the 0th item (PrefixLists.0.PrefixListId), and one for the 1st item (PrefixLists.1.PrefixListId).

What actually happened?

When I execute the above CDK and check the outbound rules for the security group in the console, I see only 1 rule for the 0th item (PrefixLists.0.PrefixListId).

Environment

CLI Version : 1.39
Framework Version: 1.39
Node.js Version: 14.0.5
OS : Mac OS X
Language (Version): TypeScript (3.9.3)

Other

If I replace prefixListCall.getResponseField(...) with hardcoded strings, everything works as expected.

This is 🐛 Bug Report

The text was updated successfully, but these errors were encountered:

jogold · 2020-08-10T19:18:22Z

Can you show the resulting CF template?

peterwoodworth · 2021-10-28T00:56:56Z

the allowTo method uses addEgressRule under the hood, so i suspect that the cause of this is the issue I've just posted #17201. Please go there to track this issue :)

github-actions · 2021-10-28T00:57:29Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

DarkmatterVale added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 10, 2020

github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Aug 10, 2020

github-actions bot assigned eladb Aug 10, 2020

eladb added effort/small Small work item – less than a day of effort p2 labels Aug 17, 2020

eladb assigned rix0rrr and unassigned eladb Aug 17, 2020

SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Nov 6, 2020

rix0rrr removed their assignment Jun 3, 2021

ramiro mentioned this issue Oct 21, 2021

ec2: look up AWS managed Prefix Lists #15115

Open

2 tasks

peterwoodworth closed this as completed Oct 28, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[custom-resources] getResponseField does not function properly when iterating over lists #9568

[custom-resources] getResponseField does not function properly when iterating over lists #9568

DarkmatterVale commented Aug 10, 2020

jogold commented Aug 10, 2020

peterwoodworth commented Oct 28, 2021

github-actions bot commented Oct 28, 2021