bug(resourceExtractor): Long S3 bucket names generate invalid partial ARNs #130

Open
maafk opened this issue Dec 7, 2022 · 0 comments
Labels
bug Something isn't working

maafk commented Dec 7, 2022

What is the problem?

The S3 default transformer doesn't handle long stack/bucket names appropriately

Reproduction Steps

import { App, Aspects, Stack } from 'aws-cdk-lib';
import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';

const app = new App();
const stack = new Stack(app, 'LongBucketStackWithASuperLongNameHolyCowThatsAPrettyLongStackNameWhoaTherePartner');

const extractedStack = new Stack(app, 'extractedStack')
const bucket = new Bucket(stack, 'ThisBucketIdIsSeriouslySoLongThatItExceedsSomeSetLimitForCloudformation')
const fn = new Function(stack, "MyFunction", {
  code: Code.fromInline('def handler(event, context):\n    print(event)'),
  runtime: Runtime.PYTHON_3_9,
  handler: 'index.handler',
})

bucket.grantReadWrite(fn)
const synthed_app = app.synth()
Aspects.of(app).add(new ResourceExtractor({
  stackArtifacts: synthed_app.stacks,
  resourceTypesToExtract: [
    'AWS::IAM::Role',
    'AWS::IAM::Policy',
    'AWS::IAM::ManagedPolicy',
    'AWS::IAM::InstanceProfile',
  ],
  extractDestinationStack: extractedStack
}))
app.synth({force: true});

Synthesize to files using

cdk synth extractedStack > extracted.yml && cdk synth LongBucketStackWithASuperLongNameHolyCowThatsAPrettyLongStackNameWhoaTherePartner >> long_bucket.yml

The policy inside extracted.yml contains the following

Resource:
  - Fn::Join:
      - ""
      - - "arn:"
        - Ref: AWS::Partition
        - :s3:::longbucketstackwithasuperlongnameholycowthatsaprettylongstacknamewhoatherepartner-thisbucketidisseriouslysolongthatitexceedssomesetlimitforcloudformationd5c293f8*

However, the S3 bucket created by CloudFormation has the name longbucketstackwithasupe-thisbucketidisseriouslys-19zd4povz2415

What did you expect to happen?

Expected the S3 bucket ARN in the extracted IAM policy to be valid

What actually happened?

The generated resource ARN doesn't match the bucket that was created

cdk-enterprise-iac version

0.0.102

Language

TypeScript

Other information

No response

@maafk maafk added the bug Something isn't working label Dec 7, 2022
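
A check for the mismatch reported above, as an added example (not code from cdk-enterprise-iac or from the issue author): it takes an S3 resource string from a synthesized policy and the deployed bucket name, and reports whether the literal prefix is longer than the 63-character S3 bucket name limit and whether the wildcard pattern matches the bucket. The function and constant names are hypothetical; the two sample values are copied from this issue.

```typescript
// Added example: lint S3 resource strings found in a synthesized IAM policy.
// S3 bucket names are at most 63 characters, so a literal prefix longer than
// that can never match a real bucket, whatever wildcard follows it.
const S3_BUCKET_NAME_MAX = 63;

interface ArnFinding {
  bucketPattern: string;          // bucket part of the resource, wildcards included
  literalPrefixLength: number;    // characters before the first wildcard
  exceedsNameLimit: boolean;      // true: no valid bucket name can match
  matchesDeployedBucket: boolean; // true: the policy covers the deployed bucket
}

// Accepts ":s3:::<bucket>[/<key>]" (the Fn::Join fragment) or a full ARN string.
function bucketPatternOf(resource: string): string | null {
  const m = /(?:^|:)s3:::([^/]+)/.exec(resource);
  return m?.[1] ?? null;
}

// IAM resource wildcards: "*" matches any run of characters, "?" exactly one.
function iamGlobToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
}

function checkPartialArn(resource: string, deployedBucket: string): ArnFinding | null {
  const bucketPattern = bucketPatternOf(resource);
  if (bucketPattern === null) return null; // not an S3 resource
  const literalPrefix = bucketPattern.split(/[*?]/)[0] ?? "";
  return {
    bucketPattern,
    literalPrefixLength: literalPrefix.length,
    exceedsNameLimit: literalPrefix.length > S3_BUCKET_NAME_MAX,
    matchesDeployedBucket: iamGlobToRegExp(bucketPattern).test(deployedBucket),
  };
}

// Values copied from the issue: the fragment in extracted.yml and the bucket
// name CloudFormation actually assigned.
const ISSUE_RESOURCE =
  ":s3:::longbucketstackwithasuperlongnameholycowthatsaprettylongstacknamewhoatherepartner-thisbucketidisseriouslysolongthatitexceedssomesetlimitforcloudformationd5c293f8*";
const ISSUE_BUCKET = "longbucketstackwithasupe-thisbucketidisseriouslys-19zd4povz2415";

const issueFinding = checkPartialArn(ISSUE_RESOURCE, ISSUE_BUCKET);
```

For the values in this issue, `issueFinding.exceedsNameLimit` is true and `issueFinding.matchesDeployedBucket` is false, so the statement in the extracted policy does not apply to the deployed bucket.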