Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

imagebuilder.CfnImagePipeline: AWS::ImageBuilder::ImagePipeline WorkflowConfiguration #29910

Closed
include opened this issue Apr 19, 2024 · 8 comments
Labels
@aws-cdk/aws-imagebuilder Related to EC2 Image Builder bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@include
Copy link

include commented Apr 19, 2024

Describe the bug

I am defining a default Amazon-managed AMI build workflow (arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1/1) but it breaks.

The snippet of code I am using: (reduced to the essential):

    const pipeline = new imagebuilder.CfnImagePipeline(this, 'Pipeline', {
      name: this.stackName + '-pipeline',
      // (...)
      workflows: [
        {
          onFailure: 'ABORT',
          workflowArn: 'arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1/1',
        },
      ],
    });

Expected Behavior

Build a image pipeline using a standard workflow.

Current Behavior

12:40:45 AM | CREATE_FAILED        | AWS::ImageBuilder::ImagePipeline               | Pipeline
Resource handler returned message: "The value supplied for parameter 'workflows' is not valid. AWS managed workflows must have latest version 'x.x.x' for '{workflow_arn_str}' (Service:
Imagebuilder, Status Code: 400, Request ID: c02cd8e3-1ecd-4ddf-ae0a-3c3ca29ee39a)" (RequestToken: e006e4e0-8450-41c7-93ed-5fb154cb1950, HandlerErrorCode: InvalidRequest)

Reproduction Steps

As show above, the deployment of the following resource; using workflows.

    const pipeline = new imagebuilder.CfnImagePipeline(this, 'Pipeline', {
      name: this.stackName + '-pipeline',
      description: 'Image pipeline',
      distributionConfigurationArn: euAllDistribution.attrArn,
      enhancedImageMetadataEnabled: true,
      executionRole: iamRoleforimageBuilder.roleArn,
      imageRecipeArn: baseRecipe.attrArn,
      imageScanningConfiguration: {
        imageScanningEnabled: imageScanningEnabled,
      },
      imageTestsConfiguration: {
        imageTestsEnabled: false,
        timeoutMinutes: 60,
      },
      infrastructureConfigurationArn: infraConfig.attrArn,
      schedule: {
        pipelineExecutionStartCondition: 'EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE',
        scheduleExpression: 'cron(0 0 * * ? *)',
      },
      status: status,
      tags: tags,
      workflows: [
        {
          onFailure: 'ABORT',
          parallelGroup: '1',
          workflowArn: 'arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1/1',
        },
      ],
    });

Possible Solution

No response

Additional Information/Context

The official CloudFormation page https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-imagebuilder-imagepipeline-workflowconfiguration.html#cfn-imagebuilder-imagepipeline-workflowconfiguration-workflowarn points out the correct regexp for this parameter:

WorkflowArn
The Amazon Resource Name (ARN) of the workflow resource.

Required: No

Type: String

Pattern: ^arn:aws(?:-[a-z]+)*:imagebuilder:[a-z]{2,}(?:-[a-z]+)+-[0-9]+:(?:[0-9]{12}|aws):workflow/(build|test|distribution)/[a-z0-9-_]+/(?:(?:([0-9]+|x)\.([0-9]+|x)\.([0-9]+|x))|(?:[0-9]+\.[0-9]+\.[0-9]+/[0-9]+))$

In the meantime just for testing the pattern I've used in TS, (using https://regex101.com/ to test the regexp), I had to escape all "/" like following bellow to get it working; in any case the deployment failed.


/^arn:aws(?:-[a-z]+)*:imagebuilder:[a-z]{2,}(?:-[a-z]+)+-[0-9]+:(?:[0-9]{12}|aws):workflow\/(build|test|distribution)\/[a-z0-9-_]+\/(?:(?:([0-9]+|x)\.([0-9]+|x)\.([0-9]+|x))|(?:[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+))$/gm
```

### CDK CLI Version

2.138.0

### Framework Version

_No response_

### Node.js Version

v20.0.0

### OS

mac 14.4.1

### Language

TypeScript

### Language Version

_No response_

### Other information

_No response_
@include include added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 19, 2024
@github-actions github-actions bot added the @aws-cdk/aws-imagebuilder Related to EC2 Image Builder label Apr 19, 2024
@pahud
Copy link
Contributor

pahud commented Apr 20, 2024

This seems to be an issue of CFN not CDK. Can you share the synthesized CFN template of this resource?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Apr 20, 2024
@include
Copy link
Author

include commented Apr 20, 2024

Hi @pahud thank you for picking up this.

Here it goes that synth section which looks fine to me.

  Pipeline:
    Type: AWS::ImageBuilder::ImagePipeline
    Properties:
      Description: Image pipeline
      DistributionConfigurationArn:
        Fn::GetAtt:
          - euAllDistribution
          - Arn
      EnhancedImageMetadataEnabled: true
      ExecutionRole:
        Fn::GetAtt:
          - EC2InstanceProfileForImageBuilderA043DE9F
          - Arn
      ImageRecipeArn:
        Fn::GetAtt:
          - BaseRecipe
          - Arn
      ImageScanningConfiguration:
        ImageScanningEnabled: false
      ImageTestsConfiguration:
        ImageTestsEnabled: false
        TimeoutMinutes: 60
      InfrastructureConfigurationArn:
        Fn::GetAtt:
          - infraConfig
          - Arn
      Name: pipe-img-builder-x-pipeline
      Schedule:
        PipelineExecutionStartCondition: EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE
        ScheduleExpression: cron(0 0 * * ? *)
      Status: ENABLED
      Tags:
        Name: pipe-img-builder
        Release: live
        Version: 0.1.0
      Workflows:
        - OnFailure: ABORT
          WorkflowArn: arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1
    Metadata:
      aws:cdk:path: PipeImgBuilderStack/Pipeline

I've noted that in the main page (AWS Console) / EC2 Image Builder / Image workflows: the 'build-image' has the following "Arn: arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1", but if you click "build-image" to see its details, the Arn is: "arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1/1". Not much a difference and in fact I've tested both; returns the same error.

PS: I can ship the entire synth if you need.

Thank you in advance,
F

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Apr 20, 2024
@nmussy
Copy link
Contributor

nmussy commented Apr 20, 2024

The workflow ARN should be correct according to the CLI, and yeah, 1.0.1 seems to be an alias of 1.0.1/1:

$ aws imagebuilder get-workflow --workflow-build-version-arn arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1 | jq '.workflow | .arn'
"arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1/1"

$ aws imagebuilder get-workflow --workflow-build-version-arn arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1/1 | jq '.workflow | .arn'
"arn:aws:imagebuilder:eu-west-1:aws:workflow/build/build-image/1.0.1/1"

@nmussy
Copy link
Contributor

nmussy commented Apr 20, 2024

But I would agree with @pahud, the synthesized template looks correct to me, and the workflow ARN is also correct according to the API. I would open an issue with https://github.com/aws-cloudformation/cloudformation-coverage-roadmap, there's not much we can do on the CDK end

@include
Copy link
Author

include commented Apr 20, 2024

Hi @nmussy - yes I ran that same awscli and got the same result but well - always good to confirm with the "keymaker" :)

In the meantime, link to the CloudFormation case: aws-cloudformation/cloudformation-coverage-roadmap#2016

@include
Copy link
Author

include commented Apr 24, 2024

Hey @nmussy, @pahud , just to give some feedback. Looks like the CloudFormation documentation is not clear about the Workflows.
aws-cloudformation/cloudformation-coverage-roadmap#2016 (comment)

Thank you for looking into this problem. Closing this.

PS: I really like CDK and CF but, I pick too many issues like this API/Documentation mismatch between CloudFormation/CDK and honestly I think this gives a bad reputation to CDK.

Kind regards,
F

@include include closed this as completed Apr 24, 2024
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
@aws-cdk/aws-imagebuilder Related to EC2 Image Builder bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
Development

No branches or pull requests

4 participants