terraform-cdk
HCL: HEREDOC invalid escaping
Expected Behavior
For a multiline string, which is rendered into a HEREDOC for HCL output, the quotes should not be escaped. Vault policy or AWS IAM policy render invalid.
Actual Behavior
Synth renders invalid strings, which cause errors on apply at Vault or AWS.
Code: 400. Errors: * failed to parse policy: At 2:19: illegal char
Steps to Reproduce
y := `
path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
`
policy.NewPolicy(stack, jsii.String("policy"), &policy.PolicyConfig{
Name: jsii.String("test"),
Policy: jsii.String(y),
})
Results in:
cdktf synth -hcl
Note the escaped quotes:
resource "vault_policy" "policy" {
name = "test"
policy = <<EOF
path \"secret/*\" {
capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]
}
EOF
}
Versions
language Golang "version": "0.20.8" same problem with 0.21.0-pre.123
Providers
- aws
- vault
Workarounds
Try to use a single-line statement, like minified JSON.
References
try the example of https://github.com/ahmadalibagheri/cdktf-go-aws-iam
Another example issue for AWS IAM Policy:
iampolicy.NewIamPolicy(stack, jsii.String("test"), &iampolicy.IamPolicyConfig{
Name: jsii.String("CDKtf-Golang-policy-Demo"),
Policy: jsii.String(`{
"Version": "2012-10-17",
"Statement": [{
"Action": "*",
"Resource": ["arn:aws:ec2:*:*:client-vpn-endpoint/*"],
"Effect": "Allow"
}]
}`),
Description: jsii.String("This policy is for Golang demo"),
})
renders into escaped quotes in a heredoc which is invalid:
resource "aws_iam_policy" "test" {
description = "This policy is for Golang demo"
name = "CDKtf-Golang-policy-Demo"
policy = <<EOF
{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Action\": \"*\",
\"Resource\": [\"arn:aws:ec2:*:*:client-vpn-endpoint/*\"],
\"Effect\": \"Allow\"
}]
}
EOF
}
Note, even JSON synth is invalid! The references are escaped with double $ signs \"$$
"vault_policy": {
"test": {
"//": {
"metadata": {
"path": "o11n:union/policyo11n.artifactory@p",
"uniqueId": "policyo11nartifactoryp"
}
},
"name": "o11n.artifactory@p",
"policy": "path \"$${vault_aws_secret_backend_role.vroleo11nartifactorypjw-cd-cicd-01.backend}/+/$${vault_aws_secret_backend_role.vroleo11nartifactorypjw-cd-cicd-01.name}\" {\n capabilities = [\"read\"]\n}\npath \"$${vault_aws_secret_backend_role.vroleo11nartifactorypjw-cd-lab-...."
},
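A check that could run on `cdktf synth -hcl` output before apply, written here as an added example (not code from the issue or from the terraform-cdk project): it flags `\"` inside heredoc bodies, where HCL leaves the backslash in place, and ignores the same sequence in ordinary quoted strings. `FindEscapedQuotes` and `Finding` are names chosen for this example, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one heredoc body line that still contains a backslash-escaped quote.
type Finding struct {
	Attr string // attribute whose value is the heredoc
	Line int    // 1-based line number in the scanned text
	Text string
}

// heredocStart matches `attr = <<EOF` and the indented form `attr = <<-EOF`.
var heredocStart = regexp.MustCompile(`^\s*([A-Za-z0-9_-]+)\s*=\s*<<-?([A-Za-z_][A-Za-z0-9_]*)\s*$`)

// FindEscapedQuotes reports \" inside heredoc bodies. HCL does not interpret
// backslash escapes in a heredoc, so the backslash is passed on verbatim.
// The same sequence inside an ordinary quoted string is valid and is ignored.
func FindEscapedQuotes(hcl string) []Finding {
	var out []Finding
	attr, marker := "", ""
	for i, line := range strings.Split(hcl, "\n") {
		switch {
		case marker == "":
			if m := heredocStart.FindStringSubmatch(line); m != nil {
				attr, marker = m[1], m[2]
			}
		case strings.TrimSpace(line) == marker:
			marker = ""
		case strings.Contains(line, `\"`):
			out = append(out, Finding{Attr: attr, Line: i + 1, Text: line})
		}
	}
	return out
}

func main() {
	// Constructed sample modelled on the vault_policy output in the report.
	sample := "resource \"vault_policy\" \"policy\" {\n  name = \"test\"\n" +
		"  policy = <<EOF\npath \\\"secret/*\\\" {\n}\nEOF\n}\n"
	for _, f := range FindEscapedQuotes(sample) {
		fmt.Printf("line %d: attribute %q has an escaped quote in its heredoc: %s\n", f.Line, f.Attr, f.Text)
	}
}
```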
Seeing the same problem. Looking forward to a solution. Thank you very much! 😃
A workaround I've found is to escape newlines and emit one long line:
AwsIamSamlProvider(
'okta',
name='AWSSSO_da1234567890_DO_NOT_DELETE',
saml_metadata_document=(Path(__file__).parent / 'okta_saml_metadata.xml')
.read_text()
.replace('\n', r'\n'),
)
+++ b/deploys/people/terraform/main.tf
@@ -83,25 +83,7 @@ resource "aws_iam_group" "admins" {
resource "aws_iam_saml_provider" "okta" {
name = "AWSSSO_da1234567890_DO_NOT_DELETE"
- saml_metadata_document = <<EOF
-<?xml version=\"1.0\" encoding=\"UTF-8\"?>[...first line...]
- <md:IDPSSODescriptor[...second line...]
-EOF
+ saml_metadata_document = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>[...]\n <md:IDPSSODescriptor[...second line...]
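Review bot: the added saml_metadata_document line inlines the whole IdP metadata as one quoted string with \" and \n escapes, so any later change to the XML will show up as a single long line that is hard to review. Consider keeping the XML in its own file and loading it with Terraform's file() function, so that main.tf carries no escaped XML at all and the heredoc escaping problem does not come into play for this attribute.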
I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you've found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.