Serverless Transform with YAML removes leading 0 in account number field. #1469

Closed
brjonath opened this issue Feb 26, 2020 · 3 comments

brjonath commented Feb 26, 2020

Description:

When submitting a template to the 'AWS::Serverless-2016-10-31' Transform where the template has a resource property corresponding to an account number with a leading zero '0', the transform just removes this zero '0' and the processed template returned by this transform ends up having a wrong account number.

Observations:

  • The issue happens when the template is specified in YAML format and the account number is specified without any quotes.
  • When specified within quotes, the correct account number is returned, but only sometimes; it is not clear why.
  • The workaround is to use JSON to specify your template.

Replication:

  • Use the template below to create a stack; comparing the Original and Processed templates will show different values for TestBucket -> Properties -> ReplicationConfiguration -> Rules -> Description -> Account
```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  TestRawBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      VersioningConfiguration:
        Status: Enabled
      ReplicationConfiguration:
        Role: !GetAtt
          - TestReplicationRoleSecure
          - Arn
        Rules:
          - Id: replication-to-S3raw-test
            Status: Enabled
            Prefix: ''
            Destination:
              Bucket: 'arn:aws:s3:::bucket-name'
              Account: 098693111088
              AccessControlTranslation:
                Owner: Destination
  TestReplicationRoleSecure:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - !Ref ReplicationRolePolicy
  ReplicationRolePolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Path: /
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:Get*'
              - 's3:ListBucket'
            Effect: Allow
            Resource:
              - 'arn:aws:s3:::bucket-name'
              - 'arn:aws:s3:::bucket-name/*'
          - Action:
              - 's3:ReplicateObject'
              - 's3:ReplicateDelete'
              - 's3:ReplicateTags'
              - 's3:GetObjectVersionTagging'
              - 's3:ObjectOwnerOverrideToBucketOwner'
            Effect: Allow
            Resource: 'arn:aws:s3:::bucket-name-dest/*'
```

timoschilling (Contributor) commented Feb 26, 2020


dkropman-Slalom commented Feb 26, 2020

I tested this with a similar account number starting with a leading zero. If I run it through SAM, the account number does not load correctly. I can double quote, single quote or no quote the account number and I get the same error. If I remove the Transform and upload the template through CloudFormation (double quoted), it works. Could it be that during the transform, it is converting to a number?

keetonian (Contributor) commented

@brjonath this is a known issue in CloudFormation. See #200 (comment) for more information regarding this bug and possible workarounds. Closing in favor of #200.

lihaoyi-databricks added a commit to databricks/sjsonnet that referenced this issue Sep 8, 2023
Not every YAML parser distinguishes between unquoted string literals the
same way:

- kubernetes/kubernetes#82296
- https://blog.rowanudell.com/aws-accounts-with-leading-zeros/
- aws/serverless-application-model#1469
- hashicorp/terraform-provider-aws#15310

This PR forces strings like `088579281390` to be rendered as quoted
`'088579281390'`. While this is not strictly necessary, there are
several YAML parsers which mis-handle this kind of output, and so we
ensure things are quoted to avoid triggering this edge case.

Added a unit test that on master fails due to generation of non-quoted
octal-like strings, and on this PR passes with all strings quoted
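
The parser disagreement discussed in this thread can be checked for before a template is deployed. The following is an added example, not code from SAM, CloudFormation or sjsonnet: it applies the plain-scalar integer rules of the YAML 1.1 int type and the YAML 1.2 core schema to unquoted leading-zero values. The function names and the line-based scan (rather than a full YAML parse) are assumptions made for illustration.

```python
import re

# Plain-scalar integer rules: YAML 1.1 int type and YAML 1.2 core schema.
YAML11_OCTAL = re.compile(r"[-+]?0[0-7_]+")
YAML11_DECIMAL = re.compile(r"[-+]?(0|[1-9][0-9_]*)")
YAML12_DECIMAL = re.compile(r"[-+]?[0-9]+")

# "key: value" (optionally a list item) whose value is unquoted digits starting with 0.
UNQUOTED_LEADING_ZERO = re.compile(r"^\s*(?:-\s+)?([\w.-]+):\s+(0\d+)\s*(?:#.*)?$")


def resolve(scalar, version):
    """Return the value a resolver following the given rule set would produce."""
    if version == "1.1":
        if YAML11_OCTAL.fullmatch(scalar):
            return int(scalar.replace("_", ""), 8)  # read as base 8
        if YAML11_DECIMAL.fullmatch(scalar):
            return int(scalar.replace("_", ""))
        return scalar  # not an int under 1.1: stays a string
    if YAML12_DECIMAL.fullmatch(scalar):
        return int(scalar)  # base 10, leading zeros discarded
    return scalar


def lint(template_text):
    """Return (line_no, key, raw, as_yaml_1_1, as_yaml_1_2) for each risky scalar."""
    findings = []
    for no, line in enumerate(template_text.splitlines(), start=1):
        m = UNQUOTED_LEADING_ZERO.match(line)
        if m:
            key, raw = m.groups()
            findings.append((no, key, raw, resolve(raw, "1.1"), resolve(raw, "1.2")))
    return findings


# Constructed sample: the Account value is the one from the issue; "Other" is made up.
SAMPLE = """\
Destination:
  Bucket: 'arn:aws:s3:::bucket-name'
  Account: 098693111088
  Other: 012345670123
  Quoted: '098693111088'
"""

if __name__ == "__main__":
    for no, key, raw, v11, v12 in lint(SAMPLE):
        print(f"line {no}: {key}: {raw} -> YAML 1.1 {v11!r}, YAML 1.2 core {v12!r}; quote it")
```

Any finding is a value that at least one rule set turns into a number, so the safe fix is the one the commit above applies on output: always quote account IDs.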