chore(bootstrap): improve permissions boundary switch message (#24354)

If you were not applying a permissions boundary at all (previously or currently) then you would get a message like `Switching from to undefined...`. This PR fixes that and updates the wording a little. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 27, 2023 · 5aadf2a · 5aadf2a
1 parent bb4311b
commit 5aadf2a
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 3 deletions.
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts b/packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts
@@ -139,16 +139,26 @@ export class Bootstrapper {
  * - the name indicating the custom permissions boundary to be used
  * Re-bootstrapping will NOT be blocked by either tightening or relaxing the permissions' boundary.
  */
- const currentPermissionsBoundary = current.parameters.InputPermissionsBoundary;
+
+ // InputPermissionsBoundary is an `any` type and if it is not defined it
+ // appears as an empty string ''. We need to force it to evaluate an empty string
+ // as undefined
+ const currentPermissionsBoundary: string | undefined = current.parameters.InputPermissionsBoundary || undefined;
  const inputPolicyName = params.examplePermissionsBoundary ? CDK_BOOTSTRAP_PERMISSIONS_BOUNDARY : params.customPermissionsBoundary;
- let policyName;
+ let policyName: string | undefined;
  if (inputPolicyName) {
  // If the example policy is not already in place, it must be created.
  const sdk = (await sdkProvider.forEnvironment(environment, Mode.ForWriting)).sdk;
  policyName = await this.getPolicyName(environment, sdk, inputPolicyName, partition, params);
  }
  if (currentPermissionsBoundary !== policyName) {
- warning(`Switching from ${currentPermissionsBoundary} to ${policyName} as permissions boundary`);
+ if (!currentPermissionsBoundary) {
+ warning(`Adding new permissions boundary ${policyName}`);
+ } else if (!policyName) {
+ warning(`Removing existing permissions boundary ${currentPermissionsBoundary}`);
+ } else {
+ warning(`Changing permissions boundary from ${currentPermissionsBoundary} to ${policyName}`);
+ }
  }
 
  return current.update(

diff --git a/packages/aws-cdk/test/api/bootstrap2.test.ts b/packages/aws-cdk/test/api/bootstrap2.test.ts
@@ -12,9 +12,15 @@ import { mockBootstrapStack, MockSdk, MockSdkProvider } from '../util/mock-sdk';
 let bootstrapper: Bootstrapper;
 let mockGetPolicyIamCode: (params: IAM.Types.GetPolicyRequest) => IAM.Types.GetPolicyResponse;
 let mockCreatePolicyIamCode: (params: IAM.Types.CreatePolicyRequest) => IAM.Types.CreatePolicyResponse;
+let stderrMock: jest.SpyInstance;
 
 beforeEach(() => {
  bootstrapper = new Bootstrapper({ source: 'default' });
+ stderrMock = jest.spyOn(process.stderr, 'write').mockImplementation(() => { return true; });
+});
+
+afterEach(() => {
+ stderrMock.mockRestore();
 });
 
 function mockTheToolkitInfo(stackProps: Partial<AWS.CloudFormation.Stack>) {
@@ -114,6 +120,14 @@ describe('Bootstrapping v2', () => {
  });
 
  test('passes value to PermissionsBoundary', async () => {
+ mockTheToolkitInfo({
+ Parameters: [
+ {
+ ParameterKey: 'InputPermissionsBoundary',
+ ParameterValue: 'existing-pb',
+ },
+ ],
+ });
  await bootstrapper.bootstrapEnvironment(env, sdk, {
  parameters: {
  customPermissionsBoundary: 'permissions-boundary-name',
@@ -125,6 +139,71 @@ describe('Bootstrapping v2', () => {
  InputPermissionsBoundary: 'permissions-boundary-name',
  }),
  }));
+ expect(stderrMock.mock.calls).toEqual(expect.arrayContaining([
+ expect.arrayContaining([
+ expect.stringMatching(/Changing permissions boundary from existing-pb to permissions-boundary-name/),
+ ]),
+ ]));
+ });
+
+ test('permission boundary switch message does not appear', async () => {
+ mockTheToolkitInfo({
+ Parameters: [
+ {
+ ParameterKey: 'InputPermissionsBoundary',
+ ParameterValue: '',
+ },
+ ],
+ });
+ await bootstrapper.bootstrapEnvironment(env, sdk);
+
+ expect(stderrMock.mock.calls).toEqual(expect.arrayContaining([
+ expect.not.arrayContaining([
+ expect.stringMatching(/Changing permissions boundary/),
+ ]),
+ ]));
+ });
+
+ test('adding new permissions boundary', async () => {
+ mockTheToolkitInfo({
+ Parameters: [
+ {
+ ParameterKey: 'InputPermissionsBoundary',
+ ParameterValue: '',
+ },
+ ],
+ });
+ await bootstrapper.bootstrapEnvironment(env, sdk, {
+ parameters: {
+ customPermissionsBoundary: 'permissions-boundary-name',
+ },
+ });
+
+ expect(stderrMock.mock.calls).toEqual(expect.arrayContaining([
+ expect.arrayContaining([
+ expect.stringMatching(/Adding new permissions boundary permissions-boundary-name/),
+ ]),
+ ]));
+ });
+
+ test('removing existing permissions boundary', async () => {
+ mockTheToolkitInfo({
+ Parameters: [
+ {
+ ParameterKey: 'InputPermissionsBoundary',
+ ParameterValue: 'permissions-boundary-name',
+ },
+ ],
+ });
+ await bootstrapper.bootstrapEnvironment(env, sdk, {
+ parameters: {},
+ });
+
+ expect(stderrMock.mock.calls).toEqual(expect.arrayContaining([
+ expect.arrayContaining([
+ expect.stringMatching(/Removing existing permissions boundary permissions-boundary-name/),
+ ]),
+ ]));
  });
 
  test('passing trusted accounts without CFN managed policies results in an error', async () => {