Add support for AWS::IoT::SecurityProfile #19
Conversation
| "permissions": [ | ||
| "iot:CreateSecurityProfile", | ||
| "iot:AttachSecurityProfile", | ||
| "iam:PassRole" |
There was a problem hiding this comment.
Why do we need the permission for iam:PassRole for create and update calls?
There was a problem hiding this comment.
This is needed if the customer specifies an AlertTarget. Device Defender (as all other AWS services) requires customers to have a permission for passing the role.
| // SDK converts nulls from Describe API to empty DefaultSdkAutoConstructLists, | ||
| // so if we simply translate without the .has* check, nulls will turn into empty lists. | ||
| if (iotMetricValue.hasCidrs()) { | ||
| metricValueBuilder.cidrs(new HashSet<>(iotMetricValue.cidrs())); |
There was a problem hiding this comment.
Shouldn't this be Arrays, since we defining the type as Arrays.
There was a problem hiding this comment.
(Discussed offline) We've modeled Cidrs as well as other lists like Behaviors to have "insertionOrder=false", because the order of the elements doesn't matter to the service. That's why the generated Java objects have Sets not Lists.
aws-iot-securityprofile/src/main/java/com/amazonaws/iot/securityprofile/Translator.java
Show resolved
Hide resolved
| "AdditionalMetricsToRetain": { | ||
| "description": "This parameter has been deprecated, please use AdditionalMetricsToRetainV2.", | ||
| "type": "array", | ||
| "uniqueItems": true, | ||
| "insertionOrder": false, | ||
| "items": { | ||
| "type": "string", | ||
| "pattern": "[a-zA-Z0-9:_-]+", | ||
| "minLength": 1, | ||
| "maxLength": 128 | ||
| } | ||
| }, |
There was a problem hiding this comment.
Do we need to support this in Cloudformation? All resources created by CFN can be on-boarded to V2.
There was a problem hiding this comment.
That's a good point, all the security profiles being added to CFN templates would be newly created, and the field has been deprecated for a while. Removing it from the CFN model.
|
|
||
| ResourceModel model = request.getDesiredResourceState(); | ||
| if (!StringUtils.isEmpty(model.getSecurityProfileArn())) { | ||
| logger.log(String.format("Arn is read-only, but the caller passed %s.", model.getSecurityProfileArn())); |
There was a problem hiding this comment.
Does CFN logger not support error/info log levels?
There was a problem hiding this comment.
It doesn't, there's an open issue for it aws-cloudformation/cloudformation-cli-java-plugin#225
| "Behaviors": { | ||
| "description": "Specifies the behaviors that, when violated by a device (thing), cause an alert.", | ||
| "type": "array", | ||
| "maxLength": 100, |
There was a problem hiding this comment.
don't think minLength/maxLength can be applied to array types:
aws-cloudformation/cloudformation-cli#414
https://json-schema.org/understanding-json-schema/reference/array.html#length
(caught by running cfn validate)
| "Count": { | ||
| "description": "If the ComparisonOperator calls for a numeric value, use this to specify that (integer) numeric value to be compared with the metric.", | ||
| "type": "string", | ||
| "minimum": 0 |
There was a problem hiding this comment.
Should be minLength instead of minimum:
aws-cloudformation/cloudformation-cli#414
https://json-schema.org/understanding-json-schema/reference/string.html#length
(caught by running cfn validate)
Notes
Security Profiles are used to configure Device Defender Detect. API documentation can be found at https://docs.aws.amazon.com/iot/latest/apireference/API_CreateSecurityProfile.html. Main highlights for the resource from CloudFormation perspective:
Testing
pre-commit run --all-files,mvn verifysuccessfully.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.