Bug: Malformed condition causes module type registration to hang

[travbale]

I tried making a simple module which had a typo in the condition section. When I ran validate it passed but when I went to submit the module the registration hung for a few hours before failing.

Template Fragment that triggers the Error (in YAML for readability actual template was in JSON)

AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  MyParameter:
    Type: String
    Default: "NOT_SET"

Conditions:
  MyCondition:
    Fn::Not:
    - Fn::Equal: # Should be Fn::Equals
      - Ref: MyParameter
      - "NOT_SET"
  
Resources:
  TestResource:
     Condition: MyCondition
     Type: AWS::CloudFormation::WaitConditionHandle
      Properties: {}

During registration the process hangs. Inspecting the registration token via describe-type-registration yields the following:

{
    "ProgressStatus": "IN_PROGRESS",
    "Description": "Deployment is currently in VALIDATION_STAGE of status IN_PROGRESS; Next is DEPLOY_STAGE with status PENDING"
}

It seems that this template has caused the VALIDATION_STAGE to hang in some manner.

This locks out updating the module for several hours until it fails.

[PatMyron]

Recommend trying the CloudFormation Linter in VSCode to see some of these errors inline while authoring templates along with autocompletion and documentation links:

[cfn-lint] E8005: Fn::Not list must be another valid condition

Hasn't been released to PyPI yet, but #644 should call these out during module validation

[travbale]

I appreciate the advice on utilizing CloudFormation Linter to avoid this issue, but I would still like to understand why a malformed template would cause the register-type call to lock the registration for over 4 hours.

Thinking from a security perspective, I could imagine an attack where someone calls register type with a no-op module that undoes everything provisioned, deletes all previous versions, then locks the resource name by calling register-type with a malformed template fragment.

[miparnisari]

Hey @travbale, thank you for reporting this! I tried to reproduce using your fragment in JSON and got a failure right away:

Successfully submitted type. Waiting for registration with token 'fbb4652b-30d8-4e1a-9cfe-d94a30779c16' to complete.
Failed to register the type with registration token 'fbb4652b-30d8-4e1a-9cfe-d94a30779c16'.
Please see response for additional information: 
  '{'ProgressStatus': 'FAILED',
   'Description': 'Deployment is currently in VALIDATION_STAGE of status FAILED; Next is DEPLOY_STAGE with status CANCELLED\nDeployment failed with error. 
     Error message: [fbb4652b-30d8-4e1a-9cfe-d94a30779c16] Error validating module fragment and schema definition: malformed module fragment found  (...),

    'ResponseMetadata': {'RequestId': '732469b0-1035-4a7a-a947-e628d56e69ba', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '732469b0-1035-4a7a-a947-e628d56e69ba', 'content-type': 'text/xml', 'content-length': '1580', 'date': 'Thu, 07 Jan 2021 23:11:01 GMT'}, 'RetryAttempts': 0}}'

[travbale]

I will attempt to reproduce myself and if I am able to will share more detailed steps. Will report back with my findings and thank you for taking a look.

[MalikAtalla-AWS]

Hey @travbale any updates on the steps to reproduce? It may have been a temporary issue in one of our services or something that was already fixed. So, if we can't reproduce it now, I would close this issue.

[travbale]

Yep happy to close. I have not been able to make it happen since.