Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-appconfig-alpha: SQS Extension association always creates cdk diff #27676

Closed
ghost opened this issue Oct 25, 2023 · 2 comments · Fixed by #28264
Closed

aws-appconfig-alpha: SQS Extension association always creates cdk diff #27676

ghost opened this issue Oct 25, 2023 · 2 comments · Fixed by #28264
Labels
@aws-cdk/aws-sqs Related to Amazon Simple Queue Service bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@ghost
Copy link

ghost commented Oct 25, 2023

Describe the bug

When using the onDeploymentComplete function on an Environment to create an Extension Association using SqsDestination, CDK will always show a diff. Deploying the stack does not resolve the issue and instead a new diff will be shown.

Expected Behavior

When running cdk diff which shows a diff, then running cdk deploy to deploy the diff, there shouldn't be a new diff corresponding to the same resources. Running cdk diff again should show no diff.

Current Behavior

You end up in an endless loop of diffs even when deploying every diff. The diff looks like:

IAM Statement

│ + │ ${ExampleAppConfigStack/ExampleQueue.Arn} │ Allow │ sqs:SendMessage │ AWS:${ExampleAppConfigStack/ExtensionE0E43/RoleECABE}
│ + │ ${ExampleAppConfigStack/ExtensionE0E43/RoleECABE.Arn} │ Allow │ sts:AssumeRole │ Service:appconfig.amazonaws.com    

Resources

[-] AWS::IAM::Role ExampleAppConfigStack/Extension2618C/RoleB5F1F Extension2618CRoleB5F1F9C6EF666 destroy
[-] AWS::AppConfig::Extension ExampleAppConfigStack/Extension2618C Extension2618C89E0498C destroy
[-] AWS::AppConfig::ExtensionAssociation ExampleAppConfigStack/AssociationResource92794 AssociationResource92794 destroy
[+] AWS::IAM::Role ExampleAppConfigStack/ExtensionE0E43/RoleECABE ExtensionE0E43RoleECABEABE1C8C2 
[+] AWS::AppConfig::Extension ExampleAppConfigStack/ExtensionE0E43 ExtensionE0E436C18B05C 
[+] AWS::AppConfig::ExtensionAssociation ExampleAppConfigStack/AssociationResourceB7E32 AssociationResourceB7E32 

Reproduction Steps

Create a stack like so

import * as appConfig from "@aws-cdk/aws-appconfig-alpha";
import { Stack, StackProps } from "aws-cdk-lib";
import { Queue } from "aws-cdk-lib/aws-sqs";
import { Construct } from "constructs";

export class ExampleAppConfigStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    const application = new appConfig.Application(this, "ExampleAppConfigApp", {
      name: "ExampleApplication",
    });

    const appConfigEnvironment = new appConfig.Environment(
      this,
      "ExampleAppConfigEnvironment",
      {
        application,
        name: "ExampleEnvironment",
      }
    );

    // Queue for AppConfig SQS Extension events
    const appConfigExtensionSqs = new Queue(this, "ExampleQueue", {
      queueName: "ExampleSQSExtensionQueue",
    });

    // Associate the environment resource to the ON_DEPLOYMENT_COMPLETE extension
    appConfigEnvironment.onDeploymentComplete(
      new appConfig.SqsDestination(appConfigExtensionSqs)
    );
  }
}

Deploy the stack.
The stack should deploy without any issues.

Run cdk diff
The diff shows both IAM statement changes and resource changes:

IAM Statement

│ + │ ${ExampleAppConfigStack/ExampleQueue.Arn} │ Allow │ sqs:SendMessage │ AWS:${ExampleAppConfigStack/Extension308F5/Role13E8F}
│ + │ ${ExampleAppConfigStack/Extension308F5/Role13E8F.Arn} │ Allow │ sts:AssumeRole │ Service:appconfig.amazonaws.com 

Resources

[-] AWS::IAM::Role ExampleAppConfigStack/Extension7192E/Role034E5 Extension7192ERole034E52732B92F destroy
[-] AWS::AppConfig::Extension ExampleAppConfigStack/Extension7192E Extension7192EFCCE5705 destroy
[-] AWS::AppConfig::ExtensionAssociation ExampleAppConfigStack/AssociationResource6DC52 AssociationResource6DC52 destroy
[+] AWS::IAM::Role ExampleAppConfigStack/Extension308F5/Role13E8F Extension308F5Role13E8F2DC1482B 
[+] AWS::AppConfig::Extension ExampleAppConfigStack/Extension308F5 Extension308F554A0B6CA 
[+] AWS::AppConfig::ExtensionAssociation ExampleAppConfigStack/AssociationResourceBAD5E AssociationResourceBAD5E 

Deploy the stack again.
The stack should deploy without any issues.

Run cdk diff again
Again, the diff shows IAM and resource changes.

IAM Statement

│ + │ ${ExampleAppConfigStack/ExampleQueue.Arn} │ Allow │ sqs:SendMessage │ AWS:${ExampleAppConfigStack/ExtensionE0E43/RoleECABE}
│ + │ ${ExampleAppConfigStack/ExtensionE0E43/RoleECABE.Arn} │ Allow │ sts:AssumeRole │ Service:appconfig.amazonaws.com    

Resources

[-] AWS::IAM::Role ExampleAppConfigStack/Extension2618C/RoleB5F1F Extension2618CRoleB5F1F9C6EF666 destroy
[-] AWS::AppConfig::Extension ExampleAppConfigStack/Extension2618C Extension2618C89E0498C destroy
[-] AWS::AppConfig::ExtensionAssociation ExampleAppConfigStack/AssociationResource92794 AssociationResource92794 destroy
[+] AWS::IAM::Role ExampleAppConfigStack/ExtensionE0E43/RoleECABE ExtensionE0E43RoleECABEABE1C8C2 
[+] AWS::AppConfig::Extension ExampleAppConfigStack/ExtensionE0E43 ExtensionE0E436C18B05C 
[+] AWS::AppConfig::ExtensionAssociation ExampleAppConfigStack/AssociationResourceB7E32 AssociationResourceB7E32 

Possible Solution

Most likely, the reason for the bug is located at

this.executionRole = new iam.Role(this, `Role${getHash(eventDestination.extensionUri)}`, {

The statement eventDestination.extensionUri results in using the Queue.queueArn value in the case of the event destination being an SqsDestination:

this.extensionUri = queue.queueArn;

This results in a new ID being generated for the Role every time, ultimately replacing the current one as CDK treats it as a new Role.

A solution would be to use something else than the queueArnto create the ID of the Role.

Additional Information/Context

No response

CDK CLI Version

2.102.0 (build 2abc59a)

Framework Version

2.102.0-alpha.0

Node.js Version

18.18.2

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

@ghost ghost added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 25, 2023
@github-actions github-actions bot added the @aws-cdk/aws-sqs Related to Amazon Simple Queue Service label Oct 25, 2023
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 25, 2023
@ghost ghost changed the title aws-appconfig-alpha: SQS Extension association always creates ckd diff aws-appconfig-alpha: SQS Extension association always creates cdk diff Oct 26, 2023
@khushail
Copy link
Contributor

@fredricbillow-axis thanks for reporting this and sharing the link to the code as well. I am able to repro this.

@khushail khushail added p2 effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Oct 27, 2023
@mergify mergify bot closed this as completed in #28264 Dec 9, 2023
mergify bot pushed a commit that referenced this issue Dec 9, 2023
Fixing extensions CDK diff since before it would always generate a new diff even if nothing changed.

Closes #27676.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Copy link

github-actions bot commented Dec 9, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-sqs Related to Amazon Simple Queue Service bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant