fix(config): Creating multiple rules from the same lambda #21594
Conversation
|
|
github-actions
bot
added
bug
watany-dev
changed the title
watany-dev
force-pushed
the
fix-multiple-rules-from-same-lambda
branch
from
b4280f0 to
b7fe9f8
Compare
|
Hi. |
| if (!props.lambdaFunction.permissionsNode.tryFindChild(customRulePermissionId)) { | ||
| props.lambdaFunction.addPermission(customRulePermissionId, { | ||
| principal: new iam.ServicePrincipal('config.amazonaws.com'), | ||
| sourceAccount: this.env.account, |
There was a problem hiding this comment.
I think this wouldn't work if we had multiple config rules in different accounts. This would only add the permission for the first account. I think we somehow need to add the account into the id.
There was a problem hiding this comment.
And actually I wonder if it would be better to handle this in the addPermission method since this problem is probably not unique to config. We could probably do something similar to what we do for grantInvoke
There was a problem hiding this comment.
Add.
I have created a hash from FunctionName, AccountID, and Region to make the suffix unique.
Therefore, the omitted parts in the test code have been modified to fix the result.
There was a problem hiding this comment.
@watany-dev what do you think about my suggestion for doing this in the addPermission method instead? That would be a more global fix for this issue.
There was a problem hiding this comment.
I guess I misunderstood your comment. I should have fixed the Lambda addPermission.I will implement it.
There was a problem hiding this comment.
@corymhall
I have a concern during the design process and am seeking advice
...Example grantInvoke is
- generate a unique ID from grantee information
- If the ID has not been used before, grant it.
Also, addpermissions will set the id as it comes in the argument.
If addPermission is modified with this requirement, it would look like the following.
"Generate a unique hash from the argument permission of addPermisson and set the incoming id and permission if it was not used before."
This appears to be a vexing problem specific to addPermission taking the id as an argument rather than generating it dynamically; how should this work if the permission is different and the id is duplicated? I fear that some destructive change would be necessary.
There was a problem hiding this comment.
yeah I see your point. Ok i'm good with your solution, just a couple of comments on the integ tests.
watany-dev
force-pushed
the
fix-multiple-rules-from-same-lambda
branch
from
b7fe9f8 to
41b31dc
Compare
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
|
Addendum:. |
|
Excuse me for being busy, I tried to fix it with reference to the lambda implementation, but what do you think? |
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
| if (!props.lambdaFunction.permissionsNode.tryFindChild(customRulePermissionId)) { | ||
| props.lambdaFunction.addPermission(customRulePermissionId, { | ||
| principal: new iam.ServicePrincipal('config.amazonaws.com'), | ||
| sourceAccount: this.env.account, |
There was a problem hiding this comment.
yeah I see your point. Ok i'm good with your solution, just a couple of comments on the integ tests.
| @@ -38,5 +39,7 @@ class ConfigStack extends cdk.Stack { | |||
| } | |||
| } | |||
|
|
|||
| new ConfigStack(app, 'aws-cdk-config-rule-integ'); | |||
| new ConfigStack(app, 'aws-cdk-config-rule-integ', { | |||
| env: { account: '123456789012', region: 'us-east-1' }, | |||
There was a problem hiding this comment.
| env: { account: '123456789012', region: 'us-east-1' }, |
The integ tests stacks should be environment agnostic.
There was a problem hiding this comment.
Let me leave this comment as it is. It is certainly not a process that asks for region and account ID. However, if it is randomized, the hash seed of the snapshot test will change every time, and the test will not converge.
There was a problem hiding this comment.
I think it's probably because when the env is not defined then the account and region are tokens.
I left a review comment on what you need to updated.
| @@ -4,12 +4,15 @@ import * as config from '../lib'; | |||
|
|
|||
| const app = new cdk.App(); | |||
|
|
|||
| const stack = new cdk.Stack(app, 'aws-cdk-config-rule-scoped-integ'); | |||
| const stack = new cdk.Stack(app, 'aws-cdk-config-rule-scoped-integ', { | |||
| env: { account: '123456789012', region: 'us-east-1' }, | |||
There was a problem hiding this comment.
| env: { account: '123456789012', region: 'us-east-1' }, |
There was a problem hiding this comment.
Let me leave this comment as it is. It is certainly not a process that asks for region and account ID. However, if it is randomized, the hash seed of the snapshot test will change every time, and the test will not converge.
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
|
Thanks for confirming. I was satisfied with your comments and have incorporated all of them. |
watany-dev
force-pushed
the
fix-multiple-rules-from-same-lambda
branch
from
62918dd to
368ecd2
Compare
| const hash = createHash('sha256') | ||
| .update(JSON.stringify({ | ||
| fnName: props.lambdaFunction.functionName.toString, | ||
| accountId: this.env.account, |
There was a problem hiding this comment.
Both account and region need to be resolved. This should fix the issue you are having with the environment agnostic integ tests.
accountId: Stack.of(this).resolve(this.env.account),…com/watany-dev/aws-cdk into fix-multiple-rules-from-same-lambda
watany-dev
force-pushed
the
fix-multiple-rules-from-same-lambda
branch
from
9d269e0 to
d50e428
Compare
watany-dev
requested review from
corymhall and
Naumel
and removed request for
Naumel and
corymhall
|
@Naumel |
|
@watany-dev sorry for the delay on this. We have been discussing this change internally and our hesitation is whether or not changing the logicalId of the permission resource is a breaking change or not. When the logicalId changes a new resource will be created and the existing resource will be deleted. I think that should be fine because the new permission will be created first, establishing the permission and then the old one will be deleted. What we don't know is whether there is any delay in this taking place. For this to work, the change needs to be instant and not cause any permission errors. We need to test this scenario to be sure, but i'm not sure how. |
|
@corymhall Here's a suggested implementation
I will follow and respond to the above implementation suggestions, or better ideas. |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify
bot
dismissed stale reviews from TheRealAmazonKendra and corymhall
Pull request has been modified.
watany-dev
force-pushed
the
fix-multiple-rules-from-same-lambda
branch
from
387470a to
4bfa8b9
Compare
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Removed the conflict. please confirm. |
watany-dev
requested review from
TheRealAmazonKendra
and removed request for
Naumel
|
Is this conversation
concluded? |
|
I haven't changed the implementation since corymhall tried to merge. This time I only fixed the conflicting test code |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
fixes aws#17582 because the id of ".addPermission" is set to a fixed value of ″permission″, which means that only one can be set in the stack. 1. and add a unique suffix to the id. This will allow multiple custom rules to be handled in one stack. 2. Do the id check before addPermission. This will allow only one permission to be granted to a custom rule from the config service. Addendum:. I have created a hash from FunctionName, AccountID, and Region to make the suffix unique. Therefore, the omitted parts in the test code have been modified to fix the result. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
fixes #17582
because the id of ".addPermission" is set to a fixed value of ″permission″, which means that only one can be set in the stack.
Addendum:.
I have created a hash from FunctionName, AccountID, and Region to make the suffix unique.
Therefore, the omitted parts in the test code have been modified to fix the result.
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license