
E3037 not triggered for hard coded key values in AWS::ECS::TaskDefinition #2930

Open
bgardner-noggin opened this issue Oct 26, 2023 · 3 comments
Labels
v1 v1.X

Comments

@bgardner-noggin

CloudFormation Lint Version

0.83.0

What operating system are you using?

Fedora

Describe the bug

E3037 does not get triggered for AWS::ECS::TaskDefinition, ContainerDefinitions -> Environment for hard coded keys

In the attached zip are two templates. Both of them should trigger the E3037 error; however, the one with environment keys

```yaml
Environment:
  - Name: DUPE_KEY
    Value: 'firstval'
  - Name: DUPE_KEY
    Value: 'secondval'
```

does not error.

e3037-recreate.zip

Expected behavior

E3037 should be triggered for hard coded keys

Reproduction template

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: "Dupe env var recreate case"

Parameters:
    RoleARN:
        Type: String

Resources:

    TaskDefinitionFG:
        Type: AWS::ECS::TaskDefinition
        Properties:
            NetworkMode: awsvpc
            Family: "myservice"
            RequiresCompatibilities: [ FARGATE ]
            RuntimePlatform:
                CpuArchitecture: X86_64
                OperatingSystemFamily: LINUX
            TaskRoleArn: !Ref RoleARN
            ExecutionRoleArn: !Ref RoleARN
            Cpu: 512
            Memory: 1024
            ContainerDefinitions:
              - Name: "mycontainer"
                User: "user"
                Cpu: 512
                Memory: 1024
                Essential: true
                StopTimeout: 40
                Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/repo:latest"
                Command:
                  - 'run'
                LinuxParameters:
                    InitProcessEnabled: true
                Environment:
                  - Name: DUPE_KEY
                    Value: 'firstval'
                  - Name: DUPE_KEY
                    Value: 'secondval'
```
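A standalone check for the gap this report describes, added here as an example; it is not cfn-lint code and not part of the issue. It takes a template already parsed into a dict (intrinsics in cfn-lint's `{"Ref": ...}` / `{"Fn::Sub": ...}` form, so a PyYAML/cfn-lint loader is assumed to have run first) and reports every literal `Name` repeated within one container's `Environment` or `Secrets` list; the sample template is constructed to mirror the reproduction case above.

```python
# Added example (not cfn-lint code): report duplicate hard-coded Name entries in the
# Environment and Secrets lists of every AWS::ECS::TaskDefinition container, the case
# E3037 misses. Names built from intrinsics (Ref, Fn::Sub, ...) parse to dicts and are
# skipped: their value is only known at deploy time, so the check gives no false positives.
from collections import Counter

NAME_LISTS = ("Environment", "Secrets")


def duplicate_env_names(template):
    """Return [(resource_id, container_name, list_key, name, count)] for each literal
    Name repeated within one container's Environment or Secrets list."""
    findings = []
    for res_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        containers = res.get("Properties", {}).get("ContainerDefinitions", [])
        if not isinstance(containers, list):  # e.g. the whole list behind Fn::If
            continue
        for cont in containers:
            if not isinstance(cont, dict):
                continue
            for key in NAME_LISTS:
                entries = cont.get(key, [])
                if not isinstance(entries, list):
                    continue
                literal = [e["Name"] for e in entries
                           if isinstance(e, dict) and isinstance(e.get("Name"), str)]
                for name, n in Counter(literal).items():
                    if n > 1:
                        findings.append((res_id, cont.get("Name", "?"), key, name, n))
    return findings


# Constructed sample mirroring the issue's template after parsing (!Ref -> {"Ref": ...}).
SAMPLE = {"Resources": {"TaskDefinitionFG": {
    "Type": "AWS::ECS::TaskDefinition",
    "Properties": {
        "ContainerDefinitions": [{
            "Name": "mycontainer",
            "Environment": [
                {"Name": "DUPE_KEY", "Value": "firstval"},
                {"Name": "DUPE_KEY", "Value": "secondval"},
                {"Name": {"Ref": "RoleARN"}, "Value": "dynamic"},  # not literal: ignored
            ],
            "Secrets": [{"Name": "TOKEN", "ValueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/token"}],
        }],
    },
}}}
```

Run it over a parsed template in CI until the new rule ships; each finding names the resource, container, list and the repeated key, which is exactly the entry ECS silently collapses.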
@kddejong
Contributor

kddejong commented Oct 30, 2023

This is an interesting one. We will have to create a new rule for this. So E3037 will flag on all elements, not just one key.

So this should have flagged.

```yaml
Environment:
  - Name: DUPE_KEY
    Value: 'firstval'
  - Name: DUPE_KEY
    Value: 'firstval'
```

The resulting task definition drops the secondary Name(s) which isn't an ideal experience. Going to ask some internal people on how we should handle this.

```json
"environment": [
  {
    "name": "DUPE_KEY",
    "value": "firstval"
  }
]
```

@bgardner-noggin
Author

The AWS result is worse than that. Out of 7 stacks we had installed through different accounts / regions, one of them, and only after one update, used the first value.

@kddejong
Contributor

I've included a fix for this in v1. I still have some work to do for adding this to Tags.

@kddejong kddejong added the v1 v1.X label Dec 28, 2023