❗️NOTICE: ECR: Template error: Cannot use Fn::ImportValue in Conditions. #32238
Comments
Reproducible using CDK version Running

```yaml
Resources:
  TaskDefinitionTaskRoleFD40A61D:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: my-stack/TaskDefinition/TaskRole/Resource
  TaskDefinitionB36D86D9:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Essential: true
          Image:
            Fn::Join:
              - ""
              - - 12345.dkr.ecr.us-east-1.
                - Ref: AWS::URLSuffix
                - /my-repo
                - Fn::If:
                    - ECRRepoIsInputDigest1074C652E
                    - Fn::Join:
                        - ""
                        - - "@"
                          - Fn::ImportValue: Environment
                    - Fn::Join:
                        - ""
                        - - ":"
                          - Fn::ImportValue: Environment
          Name: Container
      Cpu: "256"
      ExecutionRoleArn:
        Fn::GetAtt:
          - TaskDefinitionExecutionRole8D61C2FB
          - Arn
      Family: mystackTaskDefinition2584F5A1
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn:
        Fn::GetAtt:
          - TaskDefinitionTaskRoleFD40A61D
          - Arn
    Metadata:
      aws:cdk:path: my-stack/TaskDefinition/Resource
  TaskDefinitionExecutionRole8D61C2FB:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: "2012-10-17"
      Tags:
        - Key: aws-cdk:id
          Value: my-stack_c8c1b9dd68a0daa0e77928f61c00ac4bca0bd07573
    Metadata:
      aws:cdk:path: my-stack/TaskDefinition/ExecutionRole/Resource
  TaskDefinitionExecutionRoleDefaultPolicy1F3406F5:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
            Effect: Allow
            Resource: arn:aws:ecr:us-east-1:12345:repository/my-repo
          - Action: ecr:GetAuthorizationToken
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: TaskDefinitionExecutionRoleDefaultPolicy1F3406F5
      Roles:
        - Ref: TaskDefinitionExecutionRole8D61C2FB
    Metadata:
      aws:cdk:path: my-stack/TaskDefinition/ExecutionRole/DefaultPolicy/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/12NQQuCQBSEf4v39ZUWQdeMzmLd47U+66Xui90VkcX/HioVdJqZbxgmhWS3h3WEvYt1WccN3yCcPepaYe+ugbSDcEJ7R08XdPWRKjbsWYzKKvNPxHhkQ/bHRsXYQiikoWkway4N62GKixsVaQsFvcSxFzsc0NGoCnLSWT3PMjHl9/RTjCof/EPMagNJCtvo6Zhj2xnPLUGx6BttU00i3wAAAA==
    Metadata:
      aws:cdk:path: my-stack/CDKMetadata/Default
Conditions:
  ECRRepoIsInputDigest1074C652E:
    Fn::Equals:
      - Fn::Select:
          - 0
          - Fn::Split:
              - ":"
              - Fn::ImportValue: Environment
      - sha256
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
```

Running
Using CDK version

```yaml
Resources:
  TaskDefinitionTaskRoleFD40A61D:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: my-stack/TaskDefinition/TaskRole/Resource
  TaskDefinitionB36D86D9:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Essential: true
          Image:
            Fn::Join:
              - ""
              - - 12345.dkr.ecr.us-east-1.
                - Ref: AWS::URLSuffix
                - "/my-repo:"
                - Fn::ImportValue: Environment
          Name: Container
      Cpu: "256"
      ExecutionRoleArn:
        Fn::GetAtt:
          - TaskDefinitionExecutionRole8D61C2FB
          - Arn
      Family: mystackTaskDefinition2584F5A1
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn:
        Fn::GetAtt:
          - TaskDefinitionTaskRoleFD40A61D
          - Arn
    Metadata:
      aws:cdk:path: my-stack/TaskDefinition/Resource
  TaskDefinitionExecutionRole8D61C2FB:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: "2012-10-17"
      Tags:
        - Key: aws-cdk:id
          Value: my-stack_c8c1b9dd68a0daa0e77928f61c00ac4bca0bd07573
    Metadata:
      aws:cdk:path: my-stack/TaskDefinition/ExecutionRole/Resource
  TaskDefinitionExecutionRoleDefaultPolicy1F3406F5:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
            Effect: Allow
            Resource: arn:aws:ecr:us-east-1:12345:repository/my-repo
          - Action: ecr:GetAuthorizationToken
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: TaskDefinitionExecutionRoleDefaultPolicy1F3406F5
      Roles:
        - Ref: TaskDefinitionExecutionRole8D61C2FB
    Metadata:
      aws:cdk:path: my-stack/TaskDefinition/ExecutionRole/DefaultPolicy/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/12LQQrCMBBFz9J9OtoqPYCK6xLdyxinOrZNJJNSSsjdpVYQXL33H/wSiqqCdYaj5ObW5h1fIZ4CmlbhKJdIRiAe0d8x0BmlPVDDlgM7q/aN/S/OBmRL/teSYuwhatfRfPiwdh2baZ6LJUXGg6aXEw7OTzsUSkqTuMGb5fb1pOopPJxdbaAoYZs9hTn3gw3cE+iFb6pXnajSAAAA
    Metadata:
      aws:cdk:path: my-stack/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
```

Running
Comments on closed issues and PRs are hard for our team to see.
Please add your +1 👍 to let us know you have encountered this
Status: RESOLVED
Overview:
When retrieving an image with a tag equal to the environment name, which is stored as a CFN Export.
Resultant CFN YAML
aws-cdk-lib==2.166.0
aws-cdk-lib==2.167.0
In 2.167.0, Fn::ImportValue is now in an Fn::If Condition, which gives the error "Template error: Cannot use Fn::ImportValue in Conditions." when deploying.
Complete Error Message:
Workaround:
Pin `aws-cdk-lib` to `"2.166.0"`.
Solution:
Describe the bug
This works in 2.166.0, but does not work in 2.167.0. I believe it is due to this commit.
We are retrieving an image with a tag equal to the environment name, which is stored as a CFN Export.
Resultant CFN YAML
aws-cdk-lib==2.166.0
aws-cdk-lib==2.167.0
In 2.167.0 you can see that the Fn::ImportValue is now in an Fn::If Condition. Which gives the error "Template error: Cannot use Fn::ImportValue in Conditions." when deploying.
Regression Issue
Last Known Working CDK Version
2.166.0
Expected Behavior
Resultant CFN will deploy to AWS.
Current Behavior
Resultant CFN gives the error "Template error: Cannot use Fn::ImportValue in Conditions." when deploying to AWS.
Reproduction Steps
Run `cdk synth` with the following files with aws-cdk-lib==2.167.0.
cdk.json
app.py
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.167.0
Framework Version
No response
Node.js Version
v20.17.0
OS
Windows 10
Language
Python
Language Version
No response
Other information
No response
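A pre-deploy check for the failure reported in this issue, as an added example (not code from the issue or from the CDK project): it walks a synthesized template and reports every `Fn::ImportValue` that sits under `Conditions`, where CloudFormation rejects it. The sample template is constructed from the `Conditions` section shown on this page with a simplified `Image` value, and the function names are hypothetical.

```python
import json

# Constructed sample: mirrors the Conditions section shown in this issue;
# the Image value under Resources is simplified for illustration.
SAMPLE_TEMPLATE = json.loads("""
{
  "Conditions": {
    "ECRRepoIsInputDigest1074C652E": {
      "Fn::Equals": [
        {"Fn::Select": [0, {"Fn::Split": [":", {"Fn::ImportValue": "Environment"}]}]},
        "sha256"
      ]
    }
  },
  "Resources": {
    "TaskDefinitionB36D86D9": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {"ContainerDefinitions": [
        {"Image": {"Fn::Join": ["", ["my-repo:", {"Fn::ImportValue": "Environment"}]]}}
      ]}
    }
  }
}
""")


def find_intrinsic(node, name, path=""):
    """Yield the path of every key called `name` anywhere under `node`."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key == name:
                yield here
            yield from find_intrinsic(value, name, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_intrinsic(item, name, f"{path}[{index}]")


def import_values_in_conditions(template):
    """Return paths of Fn::ImportValue inside the Conditions section only."""
    conditions = template.get("Conditions", {})
    return list(find_intrinsic(conditions, "Fn::ImportValue", "Conditions"))


if __name__ == "__main__":
    for hit in import_values_in_conditions(SAMPLE_TEMPLATE):
        print("Fn::ImportValue is not allowed in Conditions:", hit)
```

The same function can be pointed at a template loaded with `json.load` from the synthesized output; the `Fn::ImportValue` under `Resources` is deliberately not reported.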