Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

awscc_ssm_document always attemts to replace the document on update #1426

Closed
sh-dan opened this issue Feb 9, 2024 · 4 comments · Fixed by #1737
Closed

awscc_ssm_document always attemts to replace the document on update #1426

sh-dan opened this issue Feb 9, 2024 · 4 comments · Fixed by #1737
Labels
bug service/ssm upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency.

Comments

@sh-dan
Copy link

sh-dan commented Feb 9, 2024
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.7.3
on darwin_arm64

  • provider registry.terraform.io/hashicorp/awscc v0.70.0

Affected Resource(s)

  • awscc_ssm_document

Terraform Configuration Files

terraform {
  required_providers {
    awscc = {
      source  = "hashicorp/awscc"
      version = "~> 0.1"
    }
  }
}

resource "awscc_ssm_document" "test_schema" {
  name            = "configSchema"
  document_type   = "ApplicationConfigurationSchema"
  document_format = "JSON"
  content         = file("${path.module}/app_config_schema.json")
  update_method   = "NewVersion"
}

And minimal Schema app_config_schema:

{
    "$schema": "http://json-schema.org/draft-07/schema#",
    "additionalProperties": false,
    "description": "Test Schema",
    "required":
    [
        "testBool"
    ],
    "properties":
    {
        "testBool":
        {
            "description": "Prop Desc.",
            "type": "boolean"
        }
    },
    "type": "object"
}

Expected Behavior

When update_method = NewVersion
a new version of the SSM document should be created

Actual Behavior

Provider attempts to replace the SSM document instead of creating a new version.
StatusMessage: Create-Only │ Property cannot be updated.. ErrorCode: NotUpdatable Error

Steps to Reproduce

  1. terraform apply
  2. Modify the config schema
  3. terraform apply

Important Factoids

Comparing Cloud Control API Patch requests from TF DEBUG logs for different update_method types,
NewVersion only sends one replace operation for /Content and does not include an UpdateMethod:

"[{"op":"replace","path":"/Content","value":"{\n    \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n    \"additionalProperties\": false,\n    \"description\": \"Test Schema\",\n    \"required\":\n    [\n        \"updatedProp\"\n    ],\n    \"properties\":\n    {\n        \"updatedProp\":\n        {\n            \"description\": \"Prop Desc.\",\n            \"type\": \"boolean\"\n        }\n    },\n    \"type\": \"object\"\n}"}]"

While Replace sends an UpdateMethod op as well.

"[{"op":"replace","path":"/UpdateMethod","value":"Replace"},{"op":"replace","path":"/Content","value":"{\n    \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n    \"additionalProperties\": false,\n    \"description\": \"Test Schema\",\n    \"required\":\n    [\n        \"updatedProp\"\n    ],\n    \"properties\":\n    {\n        \"updatedProp\":\n        {\n            \"description\": \"Prop Desc.\",\n            \"type\": \"boolean\"\n        }\n    },\n    \"type\": \"object\"\n}"}]"

NewVersion should be setting UpdateMethod to NewVersion As that's the other allowed value and Replace Is the default according to the docs

Debug Output

Debug update logs with update_method = NewVersion and update_method = Replace:
https://gist.github.com/sh-dan/355795f9d270b46793ea398f4e0c63b7

Including Replace as I'm not certain that setting UpdateMethod is sufficient since Replace doesn't seem to work correctly either and getting a different error:
api error ValidationException: [REPLACE Operation] noSuchPath in source, path provided : //UpdateMethod"
@wellsiau-aws
Copy link
Collaborator

I noticed that update_method is a writeOnlyProperties in CCAPI:

aws cloudformation describe-type --type RESOURCE --type-name AWS::SSM::Document | jq -r ".Schema" | jq ".writeOnlyProperties"
[
  "/properties/UpdateMethod",
  "/properties/Attachments"
]

As per: https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-type-schema.html#schema-properties-writeonlyproperties

writeOnlyProperties

    Resource properties that can be specified by the user, but can't be returned by a read or list request. Write-only properties are often used to contain passwords, secrets, or other sensitive data.

This obviously conflicting with what @sh-dan found from CloudFormation doc

@wellsiau-aws
Copy link
Collaborator

relates to #1149

@wellsiau-aws
Copy link
Collaborator

as demonstrated when you try to inspect the resource using CCAPI, the attribute update_method is not included in the response:

aws cloudcontrol get-resource --type-name AWS::SSM::Document --identifier "configSchema" | jq -r ".ResourceDescription.Properties" | jq "."
{
  "DocumentFormat": "JSON",
  "Content": "{\n  \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n  \"additionalProperties\": false,\n  \"description\": \"Test Schema\",\n  \"required\":\n  [\n      \"testBool\"\n  ],\n  \"properties\":\n  {\n      \"testBool\":\n      {\n          \"description\": \"Prop Desc.\",\n          \"type\": \"boolean\"\n      }\n  },\n  \"type\": \"object\"\n}",
  "DocumentType": "ApplicationConfigurationSchema",
  "Tags": [],
  "Name": "configSchema"
}

@wellsiau-aws wellsiau-aws added bug upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency. and removed needs-triage labels Feb 17, 2024
@wellsiau-aws
Copy link
Collaborator

I forgot to mention and address the other part of this issue, a.k.a where you trying to update the content attribute, which are not writeOnlyProperties and also not a createOnlyProperties.

  "required": [
    "Content"
  ],
  "createOnlyProperties": [
    "/properties/Name",
    "/properties/DocumentType"
  ],
  "conditionalCreateOnlyProperties": [
    "/properties/Content",
    "/properties/Attachments",
    "/properties/VersionName",
    "/properties/DocumentFormat",
    "/properties/TargetType",
    "/properties/Requires"
  ],
  "writeOnlyProperties": [
    "/properties/UpdateMethod",
    "/properties/Attachments"
  ],

as such, its not clear yet why updating the content triggers this error. I suspect that doc type ApplicationConfigurationSchema is not supported

@ewbankkit ewbankkit mentioned this issue May 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug service/ssm upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Correctly update write-only properties. hashicorp/terraform-provider-awscc
2 participants
@wellsiau-aws @sh-dan