fix(cloudwatch): remove region from dashboard ARN (#22524)

Dashboards do not contain their region in the ARN, as shown in the Cloudwatch documentation [1]. Using ARNs with the region will cause operations like GetDashboard (used by, for example, the dashboard sharing mechanism) to fail with an AccessDenied. [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html#amazoncloudwatch-dashboard I ran into this while deploying resources to share a dashboard using a Cognito user pool. One of the permissions it requires is GetDashboard, and I kept receiving `AccessDenied`s when trying to open a shared dashboard link. I'm currently working around this by building the ARN myself, the same way it's built in this PR, by passing an empty `region` to the `formatArn` function ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 19, 2022 · 558d192 · 558d192
1 parent 5ef65e0
commit 558d192
Show file tree

Hide file tree

Showing 11 changed files with 403 additions and 0 deletions.
diff --git a/packages/@aws-cdk/aws-cloudwatch/lib/dashboard.ts b/packages/@aws-cdk/aws-cloudwatch/lib/dashboard.ts
@@ -132,6 +132,7 @@ export class Dashboard extends Resource {
     this.dashboardArn = Stack.of(this).formatArn({
       service: 'cloudwatch',
       resource: 'dashboard',
+      region: '',
       resourceName: this.physicalName,
     });
   }

diff --git a/...hboard.integ.snapshot/DashboardIntegrationTestDefaultTestDeployAssert5BE38902.assets.json b/...hboard.integ.snapshot/DashboardIntegrationTestDefaultTestDeployAssert5BE38902.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "DashboardIntegrationTestDefaultTestDeployAssert5BE38902.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...oard.integ.snapshot/DashboardIntegrationTestDefaultTestDeployAssert5BE38902.template.json b/...oard.integ.snapshot/DashboardIntegrationTestDefaultTestDeployAssert5BE38902.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...dk/aws-cloudwatch/test/dashboard.integ.snapshot/DashboardIntegrationTestStack.assets.json b/...dk/aws-cloudwatch/test/dashboard.integ.snapshot/DashboardIntegrationTestStack.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "b452fe16df3d8f84e50f1907b5f1c4ba0b5fe8de850fbc95a0e752203d6573ae": {
+      "source": {
+        "path": "DashboardIntegrationTestStack.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "b452fe16df3d8f84e50f1907b5f1c4ba0b5fe8de850fbc95a0e752203d6573ae.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/.../aws-cloudwatch/test/dashboard.integ.snapshot/DashboardIntegrationTestStack.template.json b/.../aws-cloudwatch/test/dashboard.integ.snapshot/DashboardIntegrationTestStack.template.json
@@ -0,0 +1,64 @@
+{
+ "Resources": {
+  "DashCCD7F836": {
+   "Type": "AWS::CloudWatch::Dashboard",
+   "Properties": {
+    "DashboardBody": "{\"widgets\":[]}"
+   }
+  }
+ },
+ "Outputs": {
+  "DashboardArn": {
+   "Value": {
+    "Fn::Join": [
+     "",
+     [
+      "arn:",
+      {
+       "Ref": "AWS::Partition"
+      },
+      ":cloudwatch::",
+      {
+       "Ref": "AWS::AccountId"
+      },
+      ":dashboard/"
+     ]
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/packages/@aws-cdk/aws-cloudwatch/test/dashboard.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-cloudwatch/test/dashboard.integ.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"21.0.0"}
diff --git a/packages/@aws-cdk/aws-cloudwatch/test/dashboard.integ.snapshot/integ.json b/packages/@aws-cdk/aws-cloudwatch/test/dashboard.integ.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+  "version": "21.0.0",
+  "testCases": {
+    "DashboardIntegrationTest/DefaultTest": {
+      "stacks": [
+        "DashboardIntegrationTestStack"
+      ],
+      "assertionStack": "DashboardIntegrationTest/DefaultTest/DeployAssert",
+      "assertionStackName": "DashboardIntegrationTestDefaultTestDeployAssert5BE38902"
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-cloudwatch/test/dashboard.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-cloudwatch/test/dashboard.integ.snapshot/manifest.json
@@ -0,0 +1,117 @@
+{
+  "version": "21.0.0",
+  "artifacts": {
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
+    },
+    "DashboardIntegrationTestStack.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "DashboardIntegrationTestStack.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "DashboardIntegrationTestStack": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "DashboardIntegrationTestStack.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b452fe16df3d8f84e50f1907b5f1c4ba0b5fe8de850fbc95a0e752203d6573ae.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "DashboardIntegrationTestStack.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "DashboardIntegrationTestStack.assets"
+      ],
+      "metadata": {
+        "/DashboardIntegrationTestStack/Dash/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "DashCCD7F836"
+          }
+        ],
+        "/DashboardIntegrationTestStack/DashboardArn": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "DashboardArn"
+          }
+        ],
+        "/DashboardIntegrationTestStack/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/DashboardIntegrationTestStack/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "DashboardIntegrationTestStack"
+    },
+    "DashboardIntegrationTestDefaultTestDeployAssert5BE38902.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "DashboardIntegrationTestDefaultTestDeployAssert5BE38902.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "DashboardIntegrationTestDefaultTestDeployAssert5BE38902": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "DashboardIntegrationTestDefaultTestDeployAssert5BE38902.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "DashboardIntegrationTestDefaultTestDeployAssert5BE38902.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "DashboardIntegrationTestDefaultTestDeployAssert5BE38902.assets"
+      ],
+      "metadata": {
+        "/DashboardIntegrationTest/DefaultTest/DeployAssert/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/DashboardIntegrationTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "DashboardIntegrationTest/DefaultTest/DeployAssert"
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-cloudwatch/test/dashboard.integ.snapshot/tree.json b/packages/@aws-cdk/aws-cloudwatch/test/dashboard.integ.snapshot/tree.json
@@ -0,0 +1,99 @@
+{
+  "version": "tree-0.1",
+  "tree": {
+    "id": "App",
+    "path": "",
+    "children": {
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
+        "constructInfo": {
+          "fqn": "constructs.Construct",
+          "version": "10.1.129"
+        }
+      },
+      "DashboardIntegrationTestStack": {
+        "id": "DashboardIntegrationTestStack",
+        "path": "DashboardIntegrationTestStack",
+        "children": {
+          "Dash": {
+            "id": "Dash",
+            "path": "DashboardIntegrationTestStack/Dash",
+            "children": {
+              "Resource": {
+                "id": "Resource",
+                "path": "DashboardIntegrationTestStack/Dash/Resource",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::CloudWatch::Dashboard",
+                  "aws:cdk:cloudformation:props": {
+                    "dashboardBody": "{\"widgets\":[]}"
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "@aws-cdk/aws-cloudwatch.CfnDashboard",
+                  "version": "0.0.0"
+                }
+              }
+            },
+            "constructInfo": {
+              "fqn": "@aws-cdk/aws-cloudwatch.Dashboard",
+              "version": "0.0.0"
+            }
+          },
+          "DashboardArn": {
+            "id": "DashboardArn",
+            "path": "DashboardIntegrationTestStack/DashboardArn",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnOutput",
+              "version": "0.0.0"
+            }
+          }
+        },
+        "constructInfo": {
+          "fqn": "@aws-cdk/core.Stack",
+          "version": "0.0.0"
+        }
+      },
+      "DashboardIntegrationTest": {
+        "id": "DashboardIntegrationTest",
+        "path": "DashboardIntegrationTest",
+        "children": {
+          "DefaultTest": {
+            "id": "DefaultTest",
+            "path": "DashboardIntegrationTest/DefaultTest",
+            "children": {
+              "Default": {
+                "id": "Default",
+                "path": "DashboardIntegrationTest/DefaultTest/Default",
+                "constructInfo": {
+                  "fqn": "constructs.Construct",
+                  "version": "10.1.129"
+                }
+              },
+              "DeployAssert": {
+                "id": "DeployAssert",
+                "path": "DashboardIntegrationTest/DefaultTest/DeployAssert",
+                "constructInfo": {
+                  "fqn": "@aws-cdk/core.Stack",
+                  "version": "0.0.0"
+                }
+              }
+            },
+            "constructInfo": {
+              "fqn": "@aws-cdk/integ-tests.IntegTestCase",
+              "version": "0.0.0"
+            }
+          }
+        },
+        "constructInfo": {
+          "fqn": "@aws-cdk/integ-tests.IntegTest",
+          "version": "0.0.0"
+        }
+      }
+    },
+    "constructInfo": {
+      "fqn": "@aws-cdk/core.App",
+      "version": "0.0.0"
+    }
+  }
+}