Merge pull request #1123 from dbsystel/fix/invalid-arn

markussiebert · web-flow · commit 03b4b072e5a1 · 2025-02-14T11:30:01.000+01:00
fix: invalid arn
diff --git a/lambda/internal/event/event.go b/lambda/internal/event/event.go
@@ -99,6 +99,10 @@ func FromCfnEvent(event cfn.Event) (*SopsSyncResourcePropertys, error) {
 	return &props, nil
 }
 
+func GenerateTempPhysicalResourceId() string {
+	return fmt.Sprintf("%s:%s:%s", "arn:custom:sopssync:", "temp", "temp")
+}
+
 func (p *SopsSyncResourcePropertys) GeneratePhysicalResourceId() string {
 	return fmt.Sprintf("%s:%s:%s", "arn:custom:sopssync:", p.ResourceType, p.Target)
 }
diff --git a/lambda/main.go b/lambda/main.go
@@ -17,11 +17,11 @@ func HandleRequestWithClients(clients client.AwsClient, e cfn.Event) (physicalRe
 
 	// If it's a delete request, we don't have to do anything
 	if e.RequestType == cfn.RequestDelete {
-		return "", nil, nil
+		return event.GenerateTempPhysicalResourceId(), nil, nil
 	}
 	// We have to run this code only, if it is a CloudFormation Create or Update request
 	if e.RequestType != cfn.RequestCreate && e.RequestType != cfn.RequestUpdate {
-		return "", nil, fmt.Errorf("requestType '%s' not supported", e.RequestType)
+		return event.GenerateTempPhysicalResourceId(), nil, fmt.Errorf("requestType '%s' not supported", e.RequestType)
 	}
 
 	// Get the event input from the cloudformation event
@@ -33,19 +33,19 @@ func HandleRequestWithClients(clients client.AwsClient, e cfn.Event) (physicalRe
 	// Get the encrypted secret input provided by the user
 	secretEncrypted, secretEncryptedErr := props.GetEncryptedSopsSecret(clients)
 	if secretEncryptedErr != nil {
-		return "", nil, secretEncryptedErr
+		return props.GeneratePhysicalResourceId(), nil, secretEncryptedErr
 	}
 
 	// Decrypt the secret input with sops
 	secretDecrypted, secretDecryptedErr := secretEncrypted.Decrypt()
 	if secretDecryptedErr != nil {
-		return "", nil, secretDecryptedErr
+		return props.GeneratePhysicalResourceId(), nil, secretDecryptedErr
 	}
 
 	// Generate a data object by parsing the decrypted secret depending on the data input type
 	secretDecryptedData, secretDecryptedDataErr := secretDecrypted.ToData()
 	if secretDecryptedDataErr != nil {
-		return "", nil, secretDecryptedDataErr
+		return props.GeneratePhysicalResourceId(), nil, secretDecryptedDataErr
 	}
 
 	baseProps := BaseProps{
@@ -63,7 +63,7 @@ func HandleRequestWithClients(clients client.AwsClient, e cfn.Event) (physicalRe
 	case event.PARAMETER:
 		return handleParameter(baseProps)
 	default:
-		return "", nil, fmt.Errorf("unsupported resource type %s", props.ResourceType)
+		return props.GeneratePhysicalResourceId(), nil, fmt.Errorf("unsupported resource type %s", props.ResourceType)
 	}
 }
 
diff --git a/test/PARAMETER.integ.snapshot/PARAMETER.assets.json b/test/PARAMETER.integ.snapshot/PARAMETER.assets.json
@@ -1,28 +1,28 @@
 {
   "version": "39.0.0",
   "files": {
-    "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738": {
+    "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447": {
       "source": {
-        "path": "asset.25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip",
+        "path": "asset.0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip",
+          "objectKey": "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "37def6adf4558bddf4723ee9abf52e10ead2d79b4b47a9bf5a833adf267f6067": {
+    "d9c7c4b954f7da502041c1cffcce93337f268b1dcf0bcd8c35bd0f0c0450e98c": {
       "source": {
         "path": "PARAMETER.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "37def6adf4558bddf4723ee9abf52e10ead2d79b4b47a9bf5a833adf267f6067.json",
+          "objectKey": "d9c7c4b954f7da502041c1cffcce93337f268b1dcf0bcd8c35bd0f0c0450e98c.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/test/PARAMETER.integ.snapshot/PARAMETER.template.json b/test/PARAMETER.integ.snapshot/PARAMETER.template.json
@@ -139,7 +139,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip"
+     "S3Key": "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip"
     },
     "Environment": {
      "Variables": {
diff --git a/test/PARAMETER_MULTI.integ.snapshot/PARAMETERMULTI.assets.json b/test/PARAMETER_MULTI.integ.snapshot/PARAMETERMULTI.assets.json
@@ -1,28 +1,28 @@
 {
   "version": "39.0.0",
   "files": {
-    "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738": {
+    "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447": {
       "source": {
-        "path": "asset.25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip",
+        "path": "asset.0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip",
+          "objectKey": "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "28d288317e12002ccd1278a63d361d7f2d9e4a56c5adcc0d811cce75635e03a0": {
+    "e8dc3019fbf8aefef0b7995dde54188dd2edff6b5d0019db69f128b8bbe9b250": {
       "source": {
         "path": "PARAMETERMULTI.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "28d288317e12002ccd1278a63d361d7f2d9e4a56c5adcc0d811cce75635e03a0.json",
+          "objectKey": "e8dc3019fbf8aefef0b7995dde54188dd2edff6b5d0019db69f128b8bbe9b250.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/test/PARAMETER_MULTI.integ.snapshot/PARAMETERMULTI.template.json b/test/PARAMETER_MULTI.integ.snapshot/PARAMETERMULTI.template.json
@@ -535,7 +535,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip"
+     "S3Key": "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip"
     },
     "Environment": {
      "Variables": {
diff --git a/test/SECRET.integ.snapshot/SECRET.assets.json b/test/SECRET.integ.snapshot/SECRET.assets.json
@@ -1,28 +1,28 @@
 {
   "version": "39.0.0",
   "files": {
-    "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738": {
+    "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447": {
       "source": {
-        "path": "asset.25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip",
+        "path": "asset.0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip",
+          "objectKey": "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "1fae4d4a87802ffd6cca4899703d4ae019cfd8704e4af190094d36f8ff05aa36": {
+    "fcc5e01c0551c6c15cff589d93154f4e1323b8306560170d7585f4f783aed6f5": {
       "source": {
         "path": "SECRET.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "1fae4d4a87802ffd6cca4899703d4ae019cfd8704e4af190094d36f8ff05aa36.json",
+          "objectKey": "fcc5e01c0551c6c15cff589d93154f4e1323b8306560170d7585f4f783aed6f5.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/test/SECRET.integ.snapshot/SECRET.template.json b/test/SECRET.integ.snapshot/SECRET.template.json
@@ -166,7 +166,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "25761e14c3e98ba78192ce29ad629b6c4e047b2fb5ab49f2847927584e942738.zip"
+     "S3Key": "0018ac2cf82d6fd6a6a41fbcdabd1b5b7afc589b4d9f7b9b6ababf4b0a822447.zip"
     },
     "Environment": {
      "Variables": {

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,10 @@ func FromCfnEvent(event cfn.Event) (*SopsSyncResourcePropertys, error) {`
`99`	`99`	`return &props, nil`
`100`	`100`	`}`
`101`	`101`
	`102`	`+func GenerateTempPhysicalResourceId() string {`
	`103`	`+ return fmt.Sprintf("%s:%s:%s", "arn:custom:sopssync:", "temp", "temp")`
	`104`	`+}`
	`105`	`+`
`102`	`106`	`func (p *SopsSyncResourcePropertys) GeneratePhysicalResourceId() string {`
`103`	`107`	`return fmt.Sprintf("%s:%s:%s", "arn:custom:sopssync:", p.ResourceType, p.Target)`
`104`	`108`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,11 +17,11 @@ func HandleRequestWithClients(clients client.AwsClient, e cfn.Event) (physicalRe`
`17`	`17`
`18`	`18`	`// If it's a delete request, we don't have to do anything`
`19`	`19`	`if e.RequestType == cfn.RequestDelete {`
`20`		`- return "", nil, nil`
	`20`	`+ return event.GenerateTempPhysicalResourceId(), nil, nil`
`21`	`21`	`}`
`22`	`22`	`// We have to run this code only, if it is a CloudFormation Create or Update request`
`23`	`23`	`if e.RequestType != cfn.RequestCreate && e.RequestType != cfn.RequestUpdate {`
`24`		`- return "", nil, fmt.Errorf("requestType '%s' not supported", e.RequestType)`
	`24`	`+ return event.GenerateTempPhysicalResourceId(), nil, fmt.Errorf("requestType '%s' not supported", e.RequestType)`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`// Get the event input from the cloudformation event`
`@@ -33,19 +33,19 @@ func HandleRequestWithClients(clients client.AwsClient, e cfn.Event) (physicalRe`
`33`	`33`	`// Get the encrypted secret input provided by the user`
`34`	`34`	`secretEncrypted, secretEncryptedErr := props.GetEncryptedSopsSecret(clients)`
`35`	`35`	`if secretEncryptedErr != nil {`
`36`		`- return "", nil, secretEncryptedErr`
	`36`	`+ return props.GeneratePhysicalResourceId(), nil, secretEncryptedErr`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`// Decrypt the secret input with sops`
`40`	`40`	`secretDecrypted, secretDecryptedErr := secretEncrypted.Decrypt()`
`41`	`41`	`if secretDecryptedErr != nil {`
`42`		`- return "", nil, secretDecryptedErr`
	`42`	`+ return props.GeneratePhysicalResourceId(), nil, secretDecryptedErr`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`// Generate a data object by parsing the decrypted secret depending on the data input type`
`46`	`46`	`secretDecryptedData, secretDecryptedDataErr := secretDecrypted.ToData()`
`47`	`47`	`if secretDecryptedDataErr != nil {`
`48`		`- return "", nil, secretDecryptedDataErr`
	`48`	`+ return props.GeneratePhysicalResourceId(), nil, secretDecryptedDataErr`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`baseProps := BaseProps{`
`@@ -63,7 +63,7 @@ func HandleRequestWithClients(clients client.AwsClient, e cfn.Event) (physicalRe`
`63`	`63`	`case event.PARAMETER:`
`64`	`64`	`return handleParameter(baseProps)`
`65`	`65`	`default:`
`66`		`- return "", nil, fmt.Errorf("unsupported resource type %s", props.ResourceType)`
	`66`	`+ return props.GeneratePhysicalResourceId(), nil, fmt.Errorf("unsupported resource type %s", props.ResourceType)`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`