(synthetics): Default role breaks in non aws partitions #12094

Khufu-I · 2020-12-15T22:06:24Z

Synthetics Canary default execution role hard codes 'arn:aws:logs:::*' in the IAM policy which does not work in non AWS partitions (i.e aws-cn or aws-us-gov)

Reproduction Steps

Synthesize the following code (cdk synth) for cn-north-1

import * as synthetics from '@aws-cdk/aws-synthetics';

const canary = new synthetics.Canary(this, 'MyCanary', {
  schedule: synthetics.Schedule.rate(Duration.minutes(5)),
  test: Test.custom({
    code: synthetics.Code.fromAsset(path.join(__dirname, 'canary')),
    handler: 'index.handler',
  }),
  runtime: synthetics.Runtime.SYNTHETICS_NODEJS_2_0,
});

What did you expect to happen?

The default execution role IAM policy should contain a partition aware log access policy

{
  "Action": [
    "logs:CreateLogStream",
    "logs:CreateLogGroup",
    "logs:PutLogEvents"
  ],
  "Effect": "Allow",
  "Resource": { "Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":logs:::*"]] }
}

What actually happened?

The default execution role contains an IAM policy which has aws hardcoded and isn't partition aware

{
  "Action": [
    "logs:CreateLogStream",
    "logs:CreateLogGroup",
    "logs:PutLogEvents"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:logs:::*"
}

Environment

CDK CLI Version : 1.76.0
Framework Version: Version: monocdk 1.77.0
Node.js Version: 12.9.1
OS : macOS 10.15.7
Language (Version): JavaScript 2020

Other

This is 🐛 Bug Report

The text was updated successfully, but these errors were encountered:

…12096) Canary default execution role should be partition aware instead of hardcoding aws. Fixes #12094 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions · 2021-01-21T01:22:22Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

…ws#12096) Canary default execution role should be partition aware instead of hardcoding aws. Fixes aws#12094 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Khufu-I added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 15, 2020

Khufu-I mentioned this issue Dec 15, 2020

fix(synthetics): default execution role breaks in non aws partitions #12096

Merged

SomayaB changed the title ~~[synthetics] Default role breaks in non aws partitions~~ (synthetics): Default role breaks in non aws partitions Dec 16, 2020

github-actions bot assigned NetaNir Dec 16, 2020

github-actions bot added the @aws-cdk/aws-synthetics Related to Amazon CloudWatch Synthetics label Dec 16, 2020

NetaNir added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 16, 2020

mergify bot closed this as completed in #12096 Jan 21, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(synthetics): Default role breaks in non aws partitions #12094

(synthetics): Default role breaks in non aws partitions #12094

Khufu-I commented Dec 15, 2020

github-actions bot commented Jan 21, 2021