
Auth.ResourcePolicy.IpRangeWhitelist is malformed when populated from a CommaDelimitedList SSM Param #1696

Closed
frogamic opened this issue Aug 24, 2020 · 4 comments
Comments

@frogamic

Description

I have a list of IPs that are allowed to execute my function stored in an SSM parameter of type StringList. When I pass this parameter to my SAM template as type AWS::SSM::Parameter::Value<CommaDelimitedList> (I also tried AWS::SSM::Parameter::Value<List<String>>) and reference this parameter in IpRangeWhitelist it is expanded to an array within an array.

Steps to reproduce

Create an SSM Parameter of allowed IPs

aws ssm put-parameter --name /test/iplist --type StringList --value "192.168.1.1/32,192.168.1.5/32,192.168.1.100/31"

Create a new SAM project using sam init, selecting Node12 and hello-world template

Modify template.yml to the following (additional lines marked with # New, outputs omitted):

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  sam-ip-test

  Sample SAM Template for sam-ip-test
  
# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 3

Parameters:                                                 # New
  AllowedIps:                                               # New
    Type: AWS::SSM::Parameter::Value<CommaDelimitedList>    # New
    Default: /test/iplist                                   # New

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Auth:                                           # New
              ResourcePolicy:                               # New
                IpRangeWhitelist: !Ref AllowedIps           # New
            Path: /hello
            Method: get

Attempt to deploy the stack with sam build && sam deploy --guided

Observed result

Deploy fails on AWS::ApiGateway::RestApi. Excerpts from sam deploy --debug output:

	Deploying with following values
	===============================
	Stack name                 : sam-ip-test
	Region                     : ap-southeast-2
	Confirm changeset          : False
	Deployment s3 bucket       : aws-sam-cli-managed-default-samclisourcebucket-1bsmklq160tr9
	Capabilities               : ["CAPABILITY_IAM"]
	Parameter overrides        : {'AllowedIps': '/test/iplist'}

...

CloudFormation events from changeset
-----------------------------------------------------------------------------------------------------------------------------
ResourceStatus        ResourceType                LogicalResourceId        ResourceStatusReason
-----------------------------------------------------------------------------------------------------------------------------
CREATE_IN_PROGRESS    AWS::IAM::Role              HelloWorldFunctionRole   -
CREATE_IN_PROGRESS    AWS::IAM::Role              HelloWorldFunctionRole   Resource creation Initiated
CREATE_COMPLETE       AWS::IAM::Role              HelloWorldFunctionRole   -
CREATE_IN_PROGRESS    AWS::Lambda::Function       HelloWorldFunction       Resource creation Initiated
CREATE_IN_PROGRESS    AWS::Lambda::Function       HelloWorldFunction       -
CREATE_COMPLETE       AWS::Lambda::Function       HelloWorldFunction       -
CREATE_IN_PROGRESS    AWS::ApiGateway::RestApi    ServerlessRestApi        -
CREATE_FAILED         AWS::ApiGateway::RestApi    ServerlessRestApi        Invalid policy document. Please check the policy syntax and ensure that Principals are valid. (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: 885b35c4-b08a-4998-b000-c348ba1349f6)
ROLLBACK_IN_PROGRESS  AWS::CloudFormation::Stack  sam-ip-test              The following resource(s) failed to create: [ServerlessRestApi]. . Rollback requested by user.
DELETE_COMPLETE       AWS::ApiGateway::RestApi    ServerlessRestApi        -
DELETE_IN_PROGRESS    AWS::Lambda::Function       HelloWorldFunction       -
DELETE_COMPLETE       AWS::Lambda::Function       HelloWorldFunction       -
DELETE_IN_PROGRESS    AWS::IAM::Role              HelloWorldFunctionRole   -
DELETE_COMPLETE       AWS::IAM::Role              HelloWorldFunctionRole   -
ROLLBACK_COMPLETE     AWS::CloudFormation::Stack  sam-ip-test              -
-----------------------------------------------------------------------------------------------------------------------------

Inspecting the ServerlessRestApi CREATE_FAILED event with aws cloudformation describe-stack-events shows the following (ResourceProperties reformatted for readability):

- EventId: ServerlessRestApi-CREATE_FAILED-2020-08-24T10:53:08.692Z
  LogicalResourceId: ServerlessRestApi
  PhysicalResourceId: ''
  ResourceProperties: '{
  "Body": {
    "paths": {
      "/hello": {
        "get": {
          "responses": {},
          "x-amazon-apigateway-integration": {
            "httpMethod": "POST",
            "type": "aws_proxy",
            "uri": "arn:aws:apigateway:ap-southeast-2:lambda:path/2015-03-31/functions/arn:aws:lambda:ap-southeast-2:xxx:function:sam-ip-test-HelloWorldFunction-84ZFPFUA5LD8/invocations"
          }
        }
      }
    },
    "x-amazon-apigateway-policy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "execute-api:Invoke",
          "Resource": [
            "execute-api:/Prod/GET/hello"
          ],
          "Effect": "Allow",
          "Principal": "*"
        },
        {
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": [
                [
                  "192.168.1.1/32",
                  "192.168.1.5/32",
                  "192.168.1.100/31"
                ]
              ]
            }
          },
          "Action": "execute-api:Invoke",
          "Resource": [
            "execute-api:/Prod/GET/hello"
          ],
          "Effect": "Deny",
          "Principal": "*"
        }
      ]
    },
    "swagger": "2.0",
    "info": {
      "title": "sam-ip-test",
      "version": "1.0"
    }
  }
}'
  ResourceStatus: CREATE_FAILED
  ResourceStatusReason: 'Invalid policy document. Please check the policy syntax and
    ensure that Principals are valid. (Service: AmazonApiGateway; Status Code: 400;
    Error Code: BadRequestException; Request ID: 885b35c4-b08a-4998-b000-c348ba1349f6)'
  ResourceType: AWS::ApiGateway::RestApi
  StackId: arn:aws:cloudformation:ap-southeast-2:xxx:stack/sam-ip-test/eb5f36f0-e5f7-11ea-a0bd-0a119d28256a
  StackName: sam-ip-test
  Timestamp: '2020-08-24T10:53:08.692000+00:00'

aws:SourceIp in the generated ResourcePolicy contains my IP list in an array inside another array.

Expected result

I expect the generated ResourcePolicy to include the following JSON from my ip blacklist:

          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": [
                  "192.168.1.1/32",
                  "192.168.1.5/32",
                  "192.168.1.100/31"
              ]
            }
          }

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: macOS Catalina 10.15.6
  2. sam --version: 1.1.0



jbernales5 commented Sep 8, 2021

Hello all, any updates regarding this issue?

Edit: I'd like to add that in addition to the above-mentioned bug, when providing a manual list of IP addresses, the resulting policy applies the IP Whitelist to an erroneous endpoint:

Api Gateway Resource Policy result:

...
"Resource": "arn:aws:execute-api:eu-west-1:904469631622:jatafq8v33/Stage/GET/set-mfa",
...

Expected behaviour:

...
"Resource": "arn:aws:execute-api:eu-west-1:904469631622:jatafq8v33/<STAGE_NAME>/GET/set-mfa",
...

Where <STAGE_NAME> is provided in the Cloudformation SAM template:

MfaCatcherApi:
  Type: AWS::Serverless::Api
  Properties:
    Name: !Ref ApiName
    StageName: !Ref ApiStageName
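The following Python script is an added example, not code from this issue or from the SAM project. It lints the x-amazon-apigateway-policy document that SAM emits into the RestApi Body (the shape shown in the ResourceProperties of the original report) for the two defects raised in this thread: IP lists nested one level too deep under IpAddress/NotIpAddress, and execute-api Resource ARNs whose stage segment is the literal Stage rather than the deployed stage name. The sample policy, the account id 123456789012, the API id abcde12345 and the expected stage name are constructed for the example, and all function names are my own.

```python
"""Lint an API Gateway resource policy for nested IP lists and a wrong stage segment.

Added example (not from the issue or the SAM project); sample data is constructed.
"""
import ipaddress
import json

IP_OPERATORS = ("IpAddress", "NotIpAddress")


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def flatten_ip_list(values):
    """Flatten one level of accidental nesting: [["a", "b"]] -> ["a", "b"]."""
    flat = []
    for item in _as_list(values):
        flat.extend(item if isinstance(item, list) else [item])
    return flat


def check_ip_condition(statement):
    """Report nested lists or non-CIDR strings under IpAddress/NotIpAddress."""
    defects = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in IP_OPERATORS:
            continue
        for key, value in keys.items():
            for item in _as_list(value):
                if isinstance(item, list):
                    defects.append(f"{operator}/{key}: nested list {item} (values must be flat strings)")
                    continue
                try:
                    ipaddress.ip_network(item, strict=False)
                except ValueError:
                    defects.append(f"{operator}/{key}: {item!r} is not a valid CIDR")
    return defects


def check_stage(statement, expected_stage):
    """Report execute-api Resource ARNs whose stage segment is not expected_stage."""
    defects = []
    for arn in _as_list(statement.get("Resource", [])):
        if arn == "*":
            continue
        # Both the short form "execute-api:/Prod/GET/hello" and the full
        # "arn:aws:execute-api:<region>:<account>:<api-id>/Prod/GET/hello"
        # carry the stage as the second "/"-separated segment.
        segments = arn.split("/")
        if len(segments) < 2:
            defects.append(f"Resource {arn!r}: no stage segment")
        elif segments[1] != expected_stage:
            defects.append(f"Resource {arn!r}: stage {segments[1]!r} != expected {expected_stage!r}")
    return defects


def lint_policy(policy, expected_stage):
    """Run both checks over every statement; an empty list means the policy is clean."""
    defects = []
    for index, statement in enumerate(policy.get("Statement", [])):
        for defect in check_ip_condition(statement) + check_stage(statement, expected_stage):
            defects.append(f"Statement[{index}] {defect}")
    return defects


def repair_ip_conditions(policy):
    """Return a deep copy with nested IP lists flattened to the shape the reporter expected."""
    fixed = json.loads(json.dumps(policy))
    for statement in fixed.get("Statement", []):
        for operator, keys in statement.get("Condition", {}).items():
            if operator in IP_OPERATORS:
                for key in keys:
                    keys[key] = flatten_ip_list(keys[key])
    return fixed


# Constructed sample mirroring the malformed output in the report: the first statement
# uses the short resource form with the "Prod" stage; the second carries the nested IP
# list and a full ARN whose stage segment is the literal "Stage" (account/API id are placeholders).
EXPECTED_IPS = ["192.168.1.1/32", "192.168.1.5/32", "192.168.1.100/31"]
MALFORMED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "execute-api:Invoke", "Resource": ["execute-api:/Prod/GET/hello"],
         "Effect": "Allow", "Principal": "*"},
        {"Condition": {"NotIpAddress": {"aws:SourceIp": [EXPECTED_IPS]}},
         "Action": "execute-api:Invoke",
         "Resource": ["arn:aws:execute-api:eu-west-1:123456789012:abcde12345/Stage/GET/set-mfa"],
         "Effect": "Deny", "Principal": "*"},
    ],
}

if __name__ == "__main__":
    for line in lint_policy(MALFORMED_POLICY, expected_stage="Prod"):
        print(line)
    print(json.dumps(repair_ip_conditions(MALFORMED_POLICY)["Statement"][1]["Condition"], indent=2))
```

Run it against the policy pulled from describe-stack-events (the Body's x-amazon-apigateway-policy) with the stage name you deploy to; a clean result is an empty list. The repair helper only shows what the flat list should look like; the actual fix is the AWS::LanguageExtensions transform discussed below, since the nesting is introduced before the policy reaches API Gateway.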

hoffa (Contributor) commented Oct 17, 2022

You might be able to get this to work by adding AWS::LanguageExtensions to Transform as such:

Transform:
  - AWS::LanguageExtensions
  - AWS::Serverless-2016-10-31

AWS::LanguageExtensions resolves intrinsic functions if the value is known when Transforms are run.

See #2533 for more information.

hoffa (Contributor) commented Nov 3, 2022

Closing in favor of #2533.

hoffa closed this as completed Nov 3, 2022

acristin (Contributor) commented

I can confirm that adding the AWS::LanguageExtensions transform to the provided template resolves both the issue with improper formatting of the IP list and properly resolves the stage name in the API Gateway resource policy.
