CodePipeline yaml template - problems with account number with leading zero

0

Hi,

I am experiencing a very strange problem in the template file for my pipeline. When I specify a configuration in a deploy stage, I use a parameter to specify the account number in the RoleArn - which works fine. However, when I do the exact same thing to specify the account number in the RoleArn for the action itself, the account number seems to get converted into a number and fails - because of the leading zero. Everything works fine for account numbers without a leading zero.

Does anyone know why one works fine while the other fails? I have included part of the code below and shown which RoleArn works and which one fails. Then the error I get is at the bottom

---
AWSTemplateFormatVersion: 2010-09-09

Parameters:
  AccountNumber:
    Type: String
    Default: "012345678912"

Resources:
  CodeBuildProject:
    ...

  Pipeline
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ...
      Stages:
      ...
      - Name: Deploy
        Actions:
          - Name: Create-ChangeSet
            InputArtifacts:
              - Name: BuildArtifact
            ActionTypeId:
              Category: Deploy
              Owner: AWS
              Version: "1"
              Provider: CloudFormation
            Configuration:
              ActionMode: CHANGE_SET_REPLACE
              ChangeSetName: service-name-changeset
              # Works:
              RoleArn: !Sub arn:aws:iam::${AccountNumber}:role/DeployerRole
              Capabilities: CAPABILITY_IAM
              StackName: service-name-stack
              TemplatePath: BuildArtifact::output-service-name.yaml
            RunOrder: 1
            # Fails:
            RoleArn: !Sub arn:aws:iam::${AccountNumber}:role/CloudFormationRole
...

This is the error I get:

Value 'arn:aws:iam::1.2345678912E10:role/CloudFormationRole' at 'pipeline.stages.3.member.actions.1.member.roleArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:aws(-[\w]+)*:iam::[0-9]{12}:role/.*;
avidon
preguntada hace 5 años686 visualizaciones
1 Respuesta
0

I found the issue quite quickly after posting. Unfortunately, every time I tried to post a reply, I got the error "Your message quota has been reached. Please try again later. " So now I'm posting after the weekend...

The problem was that the first time I used the template, I did not have quotes around the AccountNumber variable. When I introduced quotes, the problem should have been fixed, but the old value remained in the pipeline. By simply renaming the variable, I was able to kick the pipeline into understanding that the variable has changed - which finally fixed the problem.

It also turns out that the problem was the same with both RoleArn values; it's just that the RoleArn inside the Configuration block seems to have less validation and was happy to be defined with an invalid account number.

avidon
respondido hace 5 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas