Serverless Transform with YAML removes leading 0 in account number field. #1469

Closed
brjonath opened this issue Feb 26, 2020 · 3 comments

brjonath commented Feb 26, 2020

Description:

When submitting a template to the 'AWS::Serverless-2016-10-31' Transform where the template has a resource property corresponding to an account number with a leading zero '0', the transform just removes this zero '0' and the processed template returned by this transform ends up having a wrong account number.

Observations:

  • Issue happens when the template is specified using YAML format and the account number is specified without using any quotes.
  • When specifying within quotes, the correct account number is returned, but just sometimes - not clear on why.
  • Workaround is to use JSON to specify your template.

Replication:

  • Use the template below to create a stack; comparing the Original and Processed templates will show different values for TestBucket -> Properties -> ReplicationConfiguration -> Rules -> Description -> Account
```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  TestRawBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      VersioningConfiguration:
        Status: Enabled
      ReplicationConfiguration:
        Role: !GetAtt
          - TestReplicationRoleSecure
          - Arn
        Rules:
          - Id: replication-to-S3raw-test
            Status: Enabled
            Prefix: ''
            Destination:
              Bucket: 'arn:aws:s3:::bucket-name'
              Account: 098693111088
              AccessControlTranslation:
                Owner: Destination
  TestReplicationRoleSecure:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - !Ref ReplicationRolePolicy
  ReplicationRolePolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Path: /
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:Get*'
              - 's3:ListBucket'
            Effect: Allow
            Resource:
              - 'arn:aws:s3:::bucket-name'
              - 'arn:aws:s3:::bucket-name/*'
          - Action:
              - 's3:ReplicateObject'
              - 's3:ReplicateDelete'
              - 's3:ReplicateTags'
              - 's3:GetObjectVersionTagging'
              - 's3:ObjectOwnerOverrideToBucketOwner'
            Effect: Allow
            Resource: 'arn:aws:s3:::bucket-name-dest/*'
```


timoschilling commented Feb 26, 2020


dkropman-Slalom commented Feb 26, 2020

I tested this with a similar account number starting with a leading zero. If I run it through SAM, the account number does not load correctly. I can double quote, single quote or not quote the account number and I get the same error. If I remove the Transform and upload the template through CloudFormation (double quoted), it works. Could it be that during the transform, it is converting to a number?

@keetonian

@brjonath this is a known issue in CloudFormation. See #200 (comment) for more information regarding this bug and possible workarounds. Closing in favor of #200.

lihaoyi-databricks added a commit to databricks/sjsonnet that referenced this issue Sep 8, 2023
Not every YAML parser distinguishes between unquoted string literals the
same way:

- kubernetes/kubernetes#82296
- https://blog.rowanudell.com/aws-accounts-with-leading-zeros/
- aws/serverless-application-model#1469
- hashicorp/terraform-provider-aws#15310

This PR forces strings like `088579281390` to be rendered as quoted
`'088579281390'`. While this is not strictly necessary, there are
several YAML parsers which mis-handle this kind of output, and so we
ensure things are quoted to avoid triggering this edge case.

Added a unit test that on master fails due to generation of non-quoted
octal-like strings, and on this PR passes with all strings quoted
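
The parser disagreement that the commit message above refers to, as an added example (not code from this thread, from SAM or from CloudFormation): it applies the plain-scalar integer rules of YAML 1.1 and of the YAML 1.2 core schema, limited to decimal and octal, to unquoted 12-digit values and flags them in a template before deployment. The names `resolve`, `audit` and `SAMPLE` are invented for this sketch, and the line-based scan assumes simple `key: value` lines.

```python
import re

# Integer rules for plain (unquoted) scalars; hex, binary, float and
# sexagesimal forms are left out because account IDs are digits only.
YAML11_OCTAL = re.compile(r"[-+]?0[0-7_]+")         # YAML 1.1: leading 0 = octal
YAML11_DECIMAL = re.compile(r"[-+]?(0|[1-9][0-9_]*)")
YAML12_DECIMAL = re.compile(r"[-+]?[0-9]+")         # YAML 1.2 core schema
# "key: 0ddddddddddd" with an unquoted 12-digit value and optional comment.
UNQUOTED_ID = re.compile(r"\s*(?:-\s+)?([\w.-]+):\s+(0\d{11})\s*(?:#.*)?")


def resolve(scalar, version):
    """Value a plain scalar resolves to under YAML '1.1' or '1.2'."""
    if version == "1.1":
        if YAML11_OCTAL.fullmatch(scalar):
            return int(scalar.replace("_", ""), 8)
        if YAML11_DECIMAL.fullmatch(scalar):
            return int(scalar.replace("_", ""))
        return scalar  # digits 8 or 9 after the 0: stays a string
    if YAML12_DECIMAL.fullmatch(scalar):
        return int(scalar)  # decimal, leading zeros dropped
    return scalar


def audit(template):
    """List unquoted 12-digit IDs with a leading zero and how they resolve."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        m = UNQUOTED_ID.fullmatch(line)
        if m:
            key, value = m.groups()
            findings.append((lineno, key, value,
                             resolve(value, "1.1"), resolve(value, "1.2")))
    return findings


# Constructed sample: the first value is the one from the issue, the second
# is a made-up ID with octal-only digits, the third is quoted and is skipped.
SAMPLE = """\
Destination:
  Account: 098693111088
  PeerAccount: 012345670123
  SafeAccount: '098693111088'
"""

if __name__ == "__main__":
    for lineno, key, raw, v11, v12 in audit(SAMPLE):
        print(f"line {lineno}: {key}={raw} -> YAML 1.1: {v11!r}, YAML 1.2: {v12!r}")
```

Any finding means the value's type depends on which parser reads the template, so quote it before it reaches a replication rule, role trust policy or other cross-account setting.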