aws-backup: Parameter names with incorrect casing for AWS::Backup::Framework L1 construct in Python #29117

Open
pwed opened this issue Feb 15, 2024 · 4 comments
Labels
@aws-cdk/aws-backup Related AWS Backup bug This issue is a bug. effort/medium Medium work item – several days of effort p3

pwed commented Feb 15, 2024

Describe the bug

Cannot deploy an AWS Backup Audit Manager Framework using the L1 construct.

The issue is that the property name for the subtype FrameworkControl.ControlScope.ComplianceResourceTypes is synthesized as complianceResourceTypes (lowercase c) and CFN will fail validation.

Expected Behavior

L1 construct for AWS::Backup::Framework.FrameworkControl.ControlScope.ComplianceResourceTypes would synth with the correct casing

    "DefaultFramework": {
        "Type": "AWS::Backup::Framework",
        "Properties": {
            "FrameworkControls": [
                {
                    "ControlInputParameters": [],
                    "ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
                    "ControlScope": {
                        "ComplianceResourceTypes": [ // <-- Expect Upper Case "C"
                            "RDS"
                        ]
                    }
                }
            ]
        }
    }

Current Behavior

L1 construct for AWS::Backup::Framework.FrameworkControl.ControlScope.ComplianceResourceTypes synth produces the following with a lowercase "c"

    "DefaultFramework": {
        "Type": "AWS::Backup::Framework",
        "Properties": {
            "FrameworkControls": [
                {
                    "ControlInputParameters": [],
                    "ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
                    "ControlScope": {
                        "complianceResourceTypes": [ // <-- Produces lower case "c"
                            "RDS"
                        ]
                    }
                }
            ]
        }
    }

# cdk deploy

...

The stack named backup-audit-sandpit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Properties validation failed for resource Framework with message:
#/FrameworkControls/1/ControlScope: extraneous key [complianceResourceTypes] is not permitted

Reproduction Steps

from aws_cdk import (
    aws_backup as backup,
    Stack,
    App,
)


class BackupAudit(Stack):
    def __init__(self, app: App, id: str, **kwargs) -> None:
        super().__init__(app, id, **kwargs)

        default_framework = backup.CfnFramework(
            self,
            "DefaultFramework",
            framework_controls=[
                backup.CfnFramework.FrameworkControlProperty(
                    control_name="BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
                    control_input_parameters=[],
                    control_scope=backup.CfnFramework.ControlScopeProperty(
                        compliance_resource_types=[
                            "RDS",
                            "Aurora",
                            "EFS",
                            "EC2",
                            "EBS",
                            "DynamoDB",
                            "FSx",
                        ],
                    ),
                ),
            ],
        )


app = App()

BackupAudit(app, "backup-audit-sandpit")

app.synth()

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.127.0 (build 6c90efc)

Framework Version

aws-cdk-lib 2.128.0

Node.js Version

v20.11.0

OS

Ubuntu 22.04 (WSL)

Language

Python

Language Version

Python 3.10.12

Other information

Passing a raw dictionary into control_scope with the correct key values will produce the correct CFN output.

The issue only seems to occur when you use the backup.CfnFramework.ControlScopeProperty() class as an input.

@pwed pwed added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 15, 2024
@github-actions github-actions bot added the @aws-cdk/aws-backup Related AWS Backup label Feb 15, 2024
Author

pwed commented Feb 15, 2024

I have tested with a TypeScript project and this doesn't seem to be an issue, as you can just pass in a Dict with the correct key names.

// aws-backup-test/lib/aws-backup-test-stack.ts
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as backup from 'aws-cdk-lib/aws-backup';

export class AwsBackupTestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const backupFramework = new backup.CfnFramework(this, "Framework", {
      frameworkControls: [
        {
          controlName: "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
          controlScope: {
            "ComplianceResourceTypes": [
              "RDS"
            ]
          }
        }
      ]
    })
  }
}

Author

pwed commented Feb 15, 2024

A workaround I have found for Python is to not use the backup.CfnFramework.ControlScopeProperty() class and just pass in a raw Dict as the value for control_scope.

from aws_cdk import (
    aws_backup as backup,
    Stack,
    App,
)


class BackupAudit(Stack):
    def __init__(self, app: App, id: str, **kwargs) -> None:
        super().__init__(app, id, **kwargs)

        default_framework = backup.CfnFramework(
            self,
            "DefaultFramework",
            framework_controls=[
                backup.CfnFramework.FrameworkControlProperty(
                    control_name="BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
                    control_input_parameters=[],
                    control_scope={
                        "ComplianceResourceTypes": [
                            "RDS",
                            "Aurora",
                            "EFS",
                            "EC2",
                            "EBS",
                            "DynamoDB",
                            "FSx",
                        ],
                    },
                ),
            ],
        )


app = App()

BackupAudit(app, "backup-audit-sandpit")

app.synth()

@pwed pwed changed the title aws-backup: Parameter names with incorrect casing for AWS::Backup::Framework L1 construct aws-backup: Parameter names with incorrect casing for AWS::Backup::Framework L1 construct in Python Feb 15, 2024
Contributor

pahud commented Feb 16, 2024

The controlScope is type any which means it's not typed and you'll need to pass a JSON dict to it as you mentioned above.
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_backup.CfnFramework.FrameworkControlProperty.html#controlscope

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 16, 2024
Author

pwed commented Feb 17, 2024

Hi @pahud,

Thanks for your response

My issue was specifically with the Python class backup.CfnFramework.ControlScopeProperty, which can be used to construct the JSON Dict. When using this class, and using the keyword argument compliance_resource_types, I would expect it to render correctly.

I peeked into the source and found that the L1 constructs are generated by a build step, so I could not see a simple way to override the output of this type of class.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 17, 2024
@pahud pahud added p3 and removed p2 labels Jun 11, 2024
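
A pre-deploy check for the failure reported in this issue, as an added example that is not part of the original thread or of the CDK project: it walks a synthesized template and reports any `ControlScope` key that CloudFormation would reject, suggesting the correctly cased name. The function name `find_bad_scope_keys` and the sample template are constructed for illustration; the allowed key set is the CloudFormation `ControlScope` property list.

```python
import json

# Property names CloudFormation accepts under ControlScope for AWS::Backup::Framework.
ALLOWED_SCOPE_KEYS = {"ComplianceResourceIds", "ComplianceResourceTypes", "Tags"}


def find_bad_scope_keys(template: dict) -> list:
    """Return (logical_id, control_index, bad_key, suggested_key) for each
    ControlScope key that CloudFormation would reject as extraneous."""
    by_lower = {k.lower(): k for k in ALLOWED_SCOPE_KEYS}
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Backup::Framework":
            continue
        controls = resource.get("Properties", {}).get("FrameworkControls", [])
        for index, control in enumerate(controls):
            scope = control.get("ControlScope")
            if not isinstance(scope, dict):  # absent scope or an unresolved token
                continue
            for key in scope:
                if key not in ALLOWED_SCOPE_KEYS:
                    # suggested_key is None when no casing variant matches
                    findings.append((logical_id, index, key, by_lower.get(key.lower())))
    return findings


# Constructed sample: control 0 uses the raw-dict workaround, control 1 carries
# the lower-case key that ControlScopeProperty produced in this issue.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "DefaultFramework": {
      "Type": "AWS::Backup::Framework",
      "Properties": {
        "FrameworkControls": [
          {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
           "ControlInputParameters": [],
           "ControlScope": {"ComplianceResourceTypes": ["RDS"]}},
          {"ControlName": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
           "ControlInputParameters": [],
           "ControlScope": {"complianceResourceTypes": ["EBS"]}}
        ]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id, index, bad, good in find_bad_scope_keys(SAMPLE_TEMPLATE):
        print(f"{logical_id}: FrameworkControls/{index}/ControlScope: {bad!r} -> {good!r}")
```

In a CDK unit test the input dict can come from `Template.from_stack(stack).to_json()` in `aws_cdk.assertions`, so a miscased key fails the test run instead of surfacing as a `ROLLBACK_COMPLETE` during deployment.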