Description

I have a list of IPs that are allowed to execute my function stored in an SSM parameter of type `StringList`. When I pass this parameter to my SAM template as type `AWS::SSM::Parameter::Value<CommaDelimitedList>` (I also tried `AWS::SSM::Parameter::Value<List<String>>`) and reference this parameter in `IpRangeWhitelist`, it is expanded to an array within an array.

Steps to reproduce

Create an SSM Parameter of allowed IPs:

```shell
aws ssm put-parameter --name /test/iplist --type StringList --value "192.168.1.1/32,192.168.1.5/32,192.168.1.100/31"
```

Create a new SAM project using `sam init`, selecting Node12 and the hello-world template.

Modify `template.yml` to the following (additional lines marked with `# New`, outputs omitted):

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  sam-ip-test
  Sample SAM Template for sam-ip-test

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 3

Parameters: # New
  AllowedIps: # New
    Type: AWS::SSM::Parameter::Value<CommaDelimitedList> # New
    Default: /test/iplist # New

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Auth: # New
              ResourcePolicy: # New
                IpRangeWhitelist: !Ref AllowedIps # New
            Path: /hello
            Method: get
```

Attempt to deploy the stack with `sam build && sam deploy --guided`.

Observed result

Deploy fails on `AWS::ApiGateway::RestApi`. Excerpts from `sam deploy --debug` output:

```
Deploying with following values
===============================
Stack name                 : sam-ip-test
Region                     : ap-southeast-2
Confirm changeset          : False
Deployment s3 bucket       : aws-sam-cli-managed-default-samclisourcebucket-1bsmklq160tr9
Capabilities               : ["CAPABILITY_IAM"]
Parameter overrides        : {'AllowedIps': '/test/iplist'}
...
CloudFormation events from changeset
---------------------------------------------------------------------------------------------------------------
ResourceStatus        ResourceType                LogicalResourceId        ResourceStatusReason
---------------------------------------------------------------------------------------------------------------
CREATE_IN_PROGRESS    AWS::IAM::Role              HelloWorldFunctionRole   -
CREATE_IN_PROGRESS    AWS::IAM::Role              HelloWorldFunctionRole   Resource creation Initiated
CREATE_COMPLETE       AWS::IAM::Role              HelloWorldFunctionRole   -
CREATE_IN_PROGRESS    AWS::Lambda::Function       HelloWorldFunction       Resource creation Initiated
CREATE_IN_PROGRESS    AWS::Lambda::Function       HelloWorldFunction       -
CREATE_COMPLETE       AWS::Lambda::Function       HelloWorldFunction       -
CREATE_IN_PROGRESS    AWS::ApiGateway::RestApi    ServerlessRestApi        -
CREATE_FAILED         AWS::ApiGateway::RestApi    ServerlessRestApi        Invalid policy document. Please check the policy syntax and ensure that Principals are valid. (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: 885b35c4-b08a-4998-b000-c348ba1349f6)
ROLLBACK_IN_PROGRESS  AWS::CloudFormation::Stack  sam-ip-test              The following resource(s) failed to create: [ServerlessRestApi]. . Rollback requested by user.
DELETE_COMPLETE       AWS::ApiGateway::RestApi    ServerlessRestApi        -
DELETE_IN_PROGRESS    AWS::Lambda::Function       HelloWorldFunction       -
DELETE_COMPLETE       AWS::Lambda::Function       HelloWorldFunction       -
DELETE_IN_PROGRESS    AWS::IAM::Role              HelloWorldFunctionRole   -
DELETE_COMPLETE       AWS::IAM::Role              HelloWorldFunctionRole   -
ROLLBACK_COMPLETE     AWS::CloudFormation::Stack  sam-ip-test              -
---------------------------------------------------------------------------------------------------------------
```

Inspecting the `ServerlessRestApi` `CREATE_FAILED` event with `aws cloudformation describe-stack-events` shows the following (`ResourceProperties` reformatted for readability):

`aws:SourceIp` in the generated ResourcePolicy contains my ip list in an array inside another array.

Expected result

I expect the generated ResourcePolicy to include the following JSON from my ip blacklist:

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

`sam --version`: 1.1.0

Add --debug flag to command you are running

Edit: I'd like to add that in addition to the above-mentioned bug, when providing a manual list of IP addresses, the resulting policy applies the IP Whitelist to an erroneous endpoint:

I can confirm that adding the AWS::LanguageExtensions transform to the provided template resolves both the issue with improper formatting of the IP list and properly resolves the stage name in the API Gateway resource policy.
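A pre-deploy gate for the failure mode described in this report, as an added example (not code from the report, from SAM CLI, or from the SAM transform): it splits the SSM `StringList` value into the flat CIDR list a `CommaDelimitedList` should yield, and audits a rendered API Gateway resource policy (the `Policy` object from the RestApi's `ResourceProperties`, or from the processed template) for an `aws:SourceIp` value that is nested, empty, or not a valid CIDR. The policy layout assumed here (an Allow/Deny pair on `execute-api:Invoke` with `IpAddress`/`NotIpAddress` conditions) and both sample policies are constructed for the example, not taken from the page.

```python
"""Audit the aws:SourceIp condition of an API Gateway resource policy before deploying.

Added example, not part of the bug report or of SAM. The whitelist_policy()
shape and the sample policies are assumptions/constructed samples.
"""
import ipaddress
import json
import sys

# Constructed sample: the same StringList value the report stores in /test/iplist.
SSM_IPLIST = "192.168.1.1/32,192.168.1.5/32,192.168.1.100/31"


def expected_source_ip(ssm_value: str) -> list:
    """Split a StringList value the way CommaDelimitedList should: one flat list of CIDRs."""
    return [item.strip() for item in ssm_value.split(",") if item.strip()]


def check_source_ip(value) -> list:
    """Return the problems found in one aws:SourceIp value; [] means a flat, valid CIDR list."""
    problems = []
    if isinstance(value, str):  # IAM accepts a single string as well as a list
        value = [value]
    if not isinstance(value, list):
        return ["aws:SourceIp must be a string or a list, got %s" % type(value).__name__]
    if not value:
        problems.append("aws:SourceIp is empty")
    for entry in value:
        if isinstance(entry, list):
            # The shape the report observed: the CommaDelimitedList expanded inside another list.
            problems.append("nested list %r (list expanded inside another list)" % (entry,))
            continue
        if not isinstance(entry, str):
            problems.append("non-string entry %r" % (entry,))
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append("invalid CIDR %r" % entry)
    return problems


def audit_policy(policy) -> list:
    """Walk every Condition block of a policy document and report each aws:SourceIp problem."""
    if isinstance(policy, str):  # some event dumps carry the policy as a JSON string
        policy = json.loads(policy)
    problems = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        for operator, keys in stmt.get("Condition", {}).items():
            if "aws:SourceIp" not in keys:
                continue
            for problem in check_source_ip(keys["aws:SourceIp"]):
                problems.append("Statement[%d] %s: %s" % (idx, operator, problem))
    return problems


def whitelist_policy(cidrs, resource="execute-api:/*/*/*") -> dict:
    """Assumed layout of an IP whitelist resource policy: allow the listed ranges, deny the rest."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": resource, "Condition": {"IpAddress": {"aws:SourceIp": cidrs}}},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": resource, "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}}},
        ],
    }


# Constructed samples: the nested shape the report observed and the flat shape it expected.
BUGGY_POLICY = whitelist_policy([expected_source_ip(SSM_IPLIST)])
EXPECTED_POLICY = whitelist_policy(expected_source_ip(SSM_IPLIST))


def main(argv) -> int:
    """Usage: python check_source_ip.py policy.json; with no file the constructed buggy sample is audited."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = BUGGY_POLICY
    problems = audit_policy(policy)
    for problem in problems:
        print(problem)
    print("FAIL: %d problem(s)" % len(problems) if problems else "OK: aws:SourceIp is a flat CIDR list")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately strict about nesting: IAM rejects a list-of-lists outright, so catching it in CI (against the processed template, or the `Policy` object pulled from the `CREATE_FAILED` event) avoids a full stack rollback for every attempt.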