ConnectionManager's call() method is too easy to misuse by not passing enough variables. #1299
Comments
This is awesome. Thanks for this!

@SpyderDave, I'm working to get this into the v4 release. It's a major version, as there are some potentially breaking changes for a few edge cases. However, it'll be pretty feature-packed. You can see the current changelog here: https://github.com/Sceptre/sceptre/pull/1292/files#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4ed. This will get included there once I can get #1300 merged.
## 4.0.0 (2023.02.08)

### Added

- [Resolve #1283] Introducing `sceptre_role`, `cloudformation_service_role` (#1295)
  - These are just iam_role and role_arn renamed to be a lot clearer. See "Deprecations" below.

### Changed

- [Resolve #1299] Making the ConnectionManager a more "friendly" interface for hooks, resolvers, and template handlers (#1287, #1300)
  - This adds the public `get_session()` and `create_session_environment_variables()` methods to make AWS interactions easier and more consistent with individual stack configurations for iam_role, profile, and region configurations.
  - The `call()` method now properly distinguishes between default stack configurations for profile, region, and `sceptre_role` and setting those to `None` to nullify them.
- Preventing Duplicate Deprecation Warnings from being emitted (#1297)

#### _Potentially_ Breaking Changes

- The !cmd hook now invokes the passed command using the AWS environment variables that correspond with the stack's IAM configurations (i.e. iam_role, profile, region). This means that the hook will operate the same as every other part of Sceptre and regard how the stack is configured. This should make it easier to invoke other tools like AWS CLI with your hooks. However, if your project is setting environment variables with the intent to change how the command authenticates with AWS (such as a different token, profile, or region), these environment variables will be overridden. To maintain the same functionality, you should prefix your command with `export AWS_SESSION_TOKEN={{environment_variable.AWS_SESSION_TOKEN}} &&` (or whatever other environment variable(s) you need to explicitly set).

### Deprecations

- [Resolve #1283] Deprecating `iam_role`, `role_arn`, and `template_path` (#1295)
  - `iam_role` and `role_arn` have been aliased to `sceptre_role` and `cloudformation_service_role`. Using these fields will result in a DeprecationWarning.
  - `template_path` has actually been slated for removal since v2.7. `template` should be used instead. Using `template_path` will result in a DeprecationWarning.
  - All three deprecated StackConfig fields will be removed in v5.0.0.

## 3.3.0 (2023.02.06)

### Added

- [Resolve #1261] Add coloured differ (#1260)
  - Implements coloured diffs for the diff (difflib) command. Responds to --no-color.
- [Resolves #1271] Extend stack colourer to include "IMPORT" states (#1272)
- [Resolves #1179] cloudformation disable-rollback option (#1282)
  - Allow user to disable a cloudformation rollback on a sceptre deployment.

### Changed

- [Resolve #1098] Deploy docker container to sceptreorg repo (#1265)
  - Deploy sceptre docker images to dockerhub sceptreorg repo instead of cloudreach repo
- Updating Setuptools and wheel versions to avert security issues
- [Resolve #1293] Improve the Stack Config Jinja Syntax Error Message to include the Stack Name (#1294)
- [Resolves #1267] Improve the Stack Config Jinja Error Message to include the Stack Name (#1269)

### Fixed

- [Resolve #1273] Events start from response time (#1275)
  - Resolves #1273 by starting event filtering from the timestamp returned in the AWS response headers rather than relying on the workstation clock.
- [Resolve #1253] Failed downloads raise error (#1277)
  - Throwing an informative error when the template fails to download instead of passing the error message to CloudFormation.
- [Resolves #1179] Changed disable-rollback default to None (#1288)
  - We want the default value to be None to represent "Do whatever's configured in the StackConfig" and True/False will override the StackConfig.

### Nonfunctional

- Add tweet-release to CircleCI config (#1259)
- [Resolves #1276] Adopt Black Auto-formatter (#1278)
  - Reformatting all Python files using the Black code formatter. This also delivers a new function for generating `__repr__` methods which was needed to deal with a line-too-long issue in Template. Per discussion in #1276 this PR also disables E203 in flake8.
- Update sceptre-circleci docker image (#1284)
  - Update to build and test with a docker image that's based on the official circleci python docker image.
- [Resolve #1264] Updating the CDK docs to point to the new sceptre-cdk-handler (#1285)
  - This updates our docs to no longer reference the old CDK approach (which didn't work with CDK assets). In its place, it references the new sceptre-cdk-handler package that covers that functionality.
Subject of the issue
The ConnectionManager is used by many hooks, plugins, and template managers. It is essential for interacting with AWS using the StackConfig's values. However, as a result of how it operates, it can be (and often is) misused accidentally.
The source of the issue is here:
The problem is that this code assumes that if someone wants to use the Stack default configurations, one would pass `None` for `region`, `profile`, and `sceptre_role`. If all three are None, it is assumed that the stack values ought to be utilized. But if any one of those is not None, then it is assumed that all three have been specified and all three are used.

The result of this is we end up with outdated hooks and resolvers (such as the SSM Resolver) that are passing the profile and region, but not the sceptre_role (aka iam_role). Since `region` is always specified (by necessity), it will mean the `iam_role` parameter is overridden and set to `None`.

Fundamentally, the issue is that there isn't a distinction here between setting a value to `None` to nullify a setting (meaning "don't use any iam_role") and setting a value to `None` to retain the stack's configuration.

The solution to this is to set the default values for `call()` to a third constant that is interpreted as the Stack default, similar to how the new `get_session()` method operates:
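An added illustration, not Sceptre's own code: a stand-in `ConnectionManager` modelling the pre-fix all-or-nothing `None` check beside the sentinel approach the issue proposes, so the silent loss of `sceptre_role` (the call then runs under ambient credentials instead of the role the stack was configured to assume) is visible in the old path and gone in the new one. `STACK_DEFAULT`, `resolve_old`, `resolve_fixed` and the sample stack values are assumptions made for this demo.

```python
"""Simplified model of the ConnectionManager.call() ambiguity from issue #1299.

Added illustration, not Sceptre's code: the class, method names and sample
values below are assumptions chosen to show the two resolution strategies.
"""
from typing import Optional

# Sentinel meaning "caller did not specify this argument; use the stack's value".
# Distinct from None, which in the fixed path means "explicitly nullify".
STACK_DEFAULT = object()


class ConnectionManager:
    def __init__(self, region: str, profile: Optional[str] = None,
                 sceptre_role: Optional[str] = None):
        # Values that would come from the StackConfig (constructed samples).
        self.region = region
        self.profile = profile
        self.sceptre_role = sceptre_role

    def resolve_old(self, profile=None, region=None, sceptre_role=None):
        """Pre-fix behaviour: stack values are used only if ALL three are None.
        A caller passing just profile and region silently drops sceptre_role."""
        if profile is None and region is None and sceptre_role is None:
            return (self.profile, self.region, self.sceptre_role)
        return (profile, region, sceptre_role)

    def resolve_fixed(self, profile=STACK_DEFAULT, region=STACK_DEFAULT,
                      sceptre_role=STACK_DEFAULT):
        """Post-fix behaviour: each argument resolves independently.
        STACK_DEFAULT -> stack's configured value; None -> explicitly cleared."""
        return (
            self.profile if profile is STACK_DEFAULT else profile,
            self.region if region is STACK_DEFAULT else region,
            self.sceptre_role if sceptre_role is STACK_DEFAULT else sceptre_role,
        )


def demo():
    # Constructed stack configuration; the account id is the AWS example id.
    cm = ConnectionManager(region="eu-west-1", profile="deploy",
                           sceptre_role="arn:aws:iam::123456789012:role/SceptreRole")
    # An outdated resolver passes profile and region but never the role.
    old = cm.resolve_old(profile=cm.profile, region=cm.region)      # role lost
    fixed = cm.resolve_fixed(profile=cm.profile, region=cm.region)  # role kept
    # Explicit None still nullifies the role under the fixed rules.
    cleared = cm.resolve_fixed(sceptre_role=None)
    return old, fixed, cleared
```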