RFC: missing security-impacting changes from cdk diff "scrutiny report" #1299
Comments
Here's a known list of resources that are not currently included in the diff:
I like this in principle, but is there a way to opt out? Sometimes I'm working on a dev setup, and it takes ~15-20 minutes to run all of my cdk deployments. Having to sit there and hit 'y' is actually quite a pain, and really slows me down. If I could run the deployment script I have and walk away from the computer, it would be great. A flag like --accept-scrutiny-report would be really helpful for me.
@insanitybit
That looks like it'd be exactly what I want, thanks.
Resolving, as I think @insanitybit got the info they needed; feel free to re-open if not.
"CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated by the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:" My concern is more general than security related (I am thinking to ask here first, maybe I am missing something): I like seeing the changes in console using oups - just noticed this has been closed ...
Still relevant. Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us? Although the issue is closed, the conversation is not locked.
Using CfnInclude with template
It is not, @gmiretti .... would you mind opening a separate issue about this?
Bug reported as #8683
Thanks!
I receive this message... I'm unsure why the message is showing up. The diff shows me IAM changes and security group changes. Is that the reason it's showing up? It claims that there may be security-related changes not in the list, but I don't know what that means. Could the message just tell me what other security-related changes there are?
Is this still an issue? I'm always seeing the warning, but not sure if it's kept updated.
yeah please remove the warning if it's not relevant, PLEASE
CDK Deploy gives a warning that implies there are known issues preventing IAM policy diffs from showing up in the confirmation prompt, and directs users to read this issue for more information. However, this issue reads like you know there is an issue, but you don't know what it is. There is no information on this page. Why is it necessary for developers to consult this page on every deployment? It seems unnecessary. Should I assume that all similar warnings from the CDK are equally irrelevant? Please consider what action you are requesting from developers when they deploy, and then reword the known issue warning to make it clear, or remove it if there is no action required from developers.
It is sometimes useful to see the delta between the current branch and the CODE CloudFormation stack. This change allows us to run:

```bash
npm -w cdk run diff:code
```

to yield something like this:

```console
Stack ServiceCatalogue-CODE (deploy-CODE-service-catalogue)
Creating a change set, this may take a while...
IAM Policy Changes
┌───┬─────────────────────────────────────┬────────────────────────────────────────┐
│   │ Resource                            │ Managed Policy ARN                     │
├───┼─────────────────────────────────────┼────────────────────────────────────────┤
│ - │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/ReadOnlyAccess │
└───┴─────────────────────────────────────┴────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)

Resources
[~] AWS::IAM::Role steampipeTaskDefinition/TaskRole steampipeTaskDefinitionTaskRole8DC44379
 └─ [-] ManagedPolicyArns
     └─ ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
[~] AWS::ECS::TaskDefinition steampipeTaskDefinition steampipeTaskDefinition767BA166 replace
 └─ [~] ContainerDefinitions (requires replacement)
     └─ @@ -11,7 +11,7 @@
        [ ]   "App": "service-catalogue"
        [ ] },
        [ ] "Essential": true,
        [-] "Image": "ghcr.io/guardian/service-catalogue/steampipe:2",
        [+] "Image": "ghcr.io/guardian/service-catalogue/steampipe:1",
        [ ] "LogConfiguration": {
        [ ]   "LogDriver": "awsfirelens",
        [ ]   "Options": {

✨  Number of stacks with differences: 1
```
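As an added example (not CDK's own code, and not from the comment above): a small Python parser for the "IAM Policy Changes" / "Security Group Changes" tables in the `cdk diff` output format shown above, so a CI gate can flag rows that add permissions instead of relying on a person hitting 'y'. The sample transcript is constructed from that output with one invented "+" row; the section names and the `needs_review` rule are assumptions.

```python
"""Parse the scrutiny tables that `cdk diff` prints and flag permission-broadening rows."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the output in the comment above; the "+" row
# granting AdministratorAccess is invented to show a permission-broadening change.
SAMPLE_DIFF = """\
Stack ServiceCatalogue-CODE (deploy-CODE-service-catalogue)
IAM Policy Changes
┌───┬─────────────────────────────────────┬─────────────────────────────────────────────┐
│   │ Resource                            │ Managed Policy ARN                          │
├───┼─────────────────────────────────────┼─────────────────────────────────────────────┤
│ - │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/ReadOnlyAccess      │
│ + │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/AdministratorAccess │
└───┴─────────────────────────────────────┴─────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)
"""

# Table headings cdk diff prints (assumed list; extend if your version prints more).
SECTION_RE = re.compile(r"^(IAM Statement Changes|IAM Policy Changes|Security Group Changes)$")
INCOMPLETE_NOTE = "security-related changes not in this list"

@dataclass
class ChangeRow:
    section: str        # which scrutiny table the row came from
    sign: str           # "+" = permission/rule added, "-" = removed
    cells: list = field(default_factory=list)  # remaining columns, left to right

def parse_scrutiny_tables(diff_text: str) -> list:
    """Collect the +/- rows of every scrutiny table in a cdk diff transcript."""
    rows, section = [], None
    for raw in diff_text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            section = line          # entering a scrutiny table
            continue
        if line.startswith("└"):    # bottom border closes the table
            section = None
            continue
        if section is None or not line.startswith("│"):
            continue
        cells = [c.strip() for c in line.strip("│").split("│")]
        if cells[0] not in ("+", "-"):   # header row has an empty sign cell
            continue
        rows.append(ChangeRow(section, cells[0], cells[1:]))
    return rows

def assess(diff_text: str) -> dict:
    """Summary a CI gate can act on; 'incomplete' mirrors the NOTE cdk prints."""
    rows = parse_scrutiny_tables(diff_text)
    broad = [r for r in rows if r.sign == "+"]   # grants something new: needs a human
    return {"rows": len(rows), "broadening": len(broad),
            "incomplete": INCOMPLETE_NOTE in diff_text, "needs_review": bool(broad)}
```

When `incomplete` is set, the Resources section of the same transcript (the `[~] AWS::IAM::Role ...` lines) still has to be read, since the table may not list every IAM change.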
Is this still relevant? I am seeing this issue linked in
I'm using CDK version 2.158.0 and for me this message still appears.
Summary
CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated by the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:
Request for comments
Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us?