Aws-cdk: CfnAssociation outputs invalid CloudFormation

Created on 26 Jun 2019  路  14Comments  路  Source: aws/aws-cdk

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • [X] :beetle: bug report
    • [ ] :rocket: feature request
    • [ ] :books: construct library gap
    • [ ] :phone: security issue or vulnerability => Please see policy
    • [ ] :question: support request => Please see note at the top of this template.

  • What is the current behavior?
    When creating a CfnAssociation parameter:

Parameters = new Dictionary<string, Amazon.CDK.AWS.SSM.CfnAssociation.ParameterValuesProperty>
{ 
  {
    "Operation", new Amazon.CDK.AWS.SSM.CfnAssociation.ParameterValuesProperty
    { 
      ParameterValues = new[] { "Scan" } 
    }
  }
}

The output appears to be correct, but cloud formation reports the following error: "Value of {Parameters} must be a map where each value is a list of {String}"

Looking at the documentation, it appears from the sample yaml it should be:

Parameters:
      Directory: ["myWorkSpace"]

but what is emitted from the code above is:

Parameters:
  Operation:
    ParameterValues:
      - Scan
  • What is the expected behavior (or behavior of feature suggested)?

Would expect the association to be created with the correct parameters and values.

  • What is the motivation / use case for changing the behavior or adding this feature?

Would like to have CfnAssociation working.

  • Please tell us about your environment:

    • CDK CLI Version: 0.28.0
    • Module Version: 0.28.0
    • OS: Windows 10
    • Language: CSharp

  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

@aws-cdaws-ssm bug needs-cfn p2 packagcfn
Source
picture kuhnboy

Most helpful comment

Confirming. I'm working on a fix.

picture skinny85 on 10 Sep 2020
👍3

All 14 comments

@kuhnboy according to the CloudFormation documentation, the first YAML you posted is actually correct... can you tell us what is the error you get from CloudFormation when trying to deploy this?

Thanks,
Adam

skinny85 picture skinny85 on 6 Sep 2019

I've got the same problem, this is my synth template:

SSMAssociationApplyPatchBaseline:
    Type: AWS::SSM::Association
    Properties:
      Name: AWS-RunPatchBaseline
      AssociationName: Apply-Patch-Baseline
      Parameters:
        Operations:
          ParameterValues:
            - Install
      Targets:
        - Key: tag:Patching
          Values:
            - enabled

CF error is: "Value of {Parameters} must be a map where each value is a list of {String}"

Using python, I build it (bit retarted tbh, why not just accept dict / array lol):

params = _ssm.CfnAssociation.ParameterValuesProperty(parameter_values = ['Install'])

ssm.CfnAssociation(...
parameters = {"Operations": params})

If I deploy a manually adjusted cfn like this:

      Parameters:
        Operation:
        - Install

CF is deploying it all fine - maybe there is a problem with the AWS documentation?

tgmedia-nz picture tgmedia-nz on 19 Oct 2019
👍1

Btw I've submitted feedback to AWS about the documentation being either confusing or wrong :)

tgmedia-nz picture tgmedia-nz on 1 Nov 2019

I've received confirmation from AWS that their documentation is wrong and they will update it:

Thanks for sending along the feedback about the association parametervalues documentation. We鈥檒l get this updated

Best wishes,
-Jim
Jim Brotherton

Amazon Web Services
Senior Technical Writer
AWS Systems Manager

Could you guys fix the CDK part ("Parameters" : {Key : Value, ...}) - cheers

tgmedia-nz picture tgmedia-nz on 2 Nov 2019

I'm hitting this today with this version

"@aws-cdk/aws-ssm": "^1.19.0",

I have this snippet of CDK code

    new ssm.CfnAssociation(this, 'config-gateway', {
      associationName: 'HC-TSP-Config-Gateway',
      name: 'AWS-RunPowerShellScript',
      scheduleExpression: 'rate(30 minutes)',
      targets: [{key: 'SSM_Association', values: [this.gtw_ssm_assoc]}],
      parameters: {
        commands: {parameterValues: ['return c:\\docutap\\util\\tsp\\Run-GatewayConfig.ps1']}
      }
    })

And I get this cloudformation yaml

  configgateway:
    Type: AWS::SSM::Association
    Properties:
      Name: AWS-RunPowerShellScript
      AssociationName: HC-TSP-Config-Gateway
      Parameters:
        commands:
          ParameterValues:
            - return c:\docutap\util\tsp\Run-GatewayConfig.ps1
      ScheduleExpression: rate(30 minutes)
      Targets:
        - Key: SSM_Association
          Values:
            - PHI-tspgtw-prod
    Metadata:
      aws:cdk:path: tsplus-prod/config-gateway

And the same error about the contents of the parameter field as above.

I'm going to try flipping to an IResolvable produced by this class: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.Lazy.html

bo67192 picture bo67192 on 19 Dec 2019

It looks like there was a workaround in this issue

https://github.com/aws/aws-cdk/issues/4057

I get what looks like valid cloudformation with

    const config_gateway_assoc = new ssm.CfnAssociation(this, 'config-gateway', {
      associationName: 'HC-TSP-Config-Gateway',
      name: 'AWS-RunPowerShellScript',
      scheduleExpression: 'rate(30 minutes)',
      targets: [{key: 'tag:SSM_Association', values: [this.gtw_ssm_assoc]}],
      // parameters: {
      //   commands: cdk.Lazy.anyValue({'return c:\\docutap\\util\\tsp\\Run-GatewayConfig.ps1'})
      // }
    })
    config_gateway_assoc.addPropertyOverride('Parameters.commands', ['return c:\\docutap\\util\\tsp\\Run-GatewayConfig.ps1']);

EDIT: Fixing target syntax, and making Association parameters a list

bo67192 picture bo67192 on 19 Dec 2019

@skinny85 I noted above in my original post what the error I was getting from cloud formation:

"Value of {Parameters} must be a map where each value is a list of {String}"

Interesting this hasn't been fixed yet but I as well do not set Parameters and have to do a property override:

`
//Parameters = new Dictionary
//{
// {
// "Operation", new CfnAssociation.ParameterValuesProperty
// {

            //          ParameterValues = new[] { "Scan" }
            //      }
            //  }
            //},
            ScheduleExpression = "rate(1 day)"
        });

        assoc.AddPropertyOverride("Parameters", new Dictionary<string, string[]>
        {
            {
                "Operation", new[] { "Scan" }
            }
        });

`

kuhnboy picture kuhnboy on 10 Jan 2020

The CloudFormation schema is wrong. Please report this issue to CloudFormation

rix0rrr picture rix0rrr on 23 Jan 2020

The CloudFormation schema is wrong. Please report this issue to CloudFormation

What does that mean? It seems that the way cdk is outputting is not correct, cloud formation expects it in a different format. When we output custom code it works. So how is it an issue with cloud formation?

kuhnboy picture kuhnboy on 23 Jan 2020

@rix0rrr I'm happy to open another bug report on the cloudformation side, but can you share what lead you to that conclusion?

bo67192 picture bo67192 on 23 Jan 2020

This is still happening.

Contacted AWS support and confirmed they have an internal issue for the documentation, since it states the same as CDK produces. They raised a ticket with the Cloudformation team. Also filed it in their Roadmap: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/474

The root cause seems to be that specs are missing the AWS::SSM::Association.ParameterValues definition

Related to CDK, something in the build is not quite correct as it appears to be hitting the us-east-1 spec URL, according to this code

update-spec \
    "CloudFormation Resource Specification" \
    "https://d1uauaxba7bl26.cloudfront.net/latest/gzip/CloudFormationResourceSpecification.json" \
    spec-source/000_CloudFormationResourceSpecification.json \
    true

But that spec does not have the definition, so at some point, CDK is hitting another spec (eg: us-east-2) where that exists, therefore producing templates that are not possible to deploy

    "AWS::SSM::Association.ParameterValues": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-association-parametervalues.html",
      "Properties": {
        "ParameterValues": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-association-parametervalues.html#cfn-ssm-association-parametervalues-parametervalues",
          "DuplicatesAllowed": false,
          "PrimitiveItemType": "String",
          "Required": true,
          "Type": "List",
          "UpdateType": "Mutable"
        }
      }
    },

For a workaround similar to what @bo67192 posted above, see also: https://github.com/aws/aws-cdk/issues/4057#issuecomment-605064202

chefren picture chefren on 21 May 2020

Issue still active in 1.50

tlinkin picture tlinkin on 7 Jul 2020
👍1

Confirming. I'm working on a fix.

skinny85 picture skinny85 on 10 Sep 2020
👍3

Thanks @skinny85! Excited for the next release to try this and remove my overrides.

udondan picture udondan on 16 Sep 2020
😄1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

nzspambot picture nzspambot  路  3Comments
cybergoof picture cybergoof  路  3Comments
NukaCody picture NukaCody  路  3Comments
sudoforge picture sudoforge  路  3Comments
EduardTheThird picture EduardTheThird  路  3Comments