-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(aws-cdk-readme): replace deprecated method used in aws-chatbot README.md #13521
Conversation
Title does not follow the guidelines of Conventional Commits. Please adjust title before merge. |
0f547f8
to
baf1ee4
Compare
slackChannel.addNotificationPermissions(); | ||
slackChannel.addSupportCommandPermissions(); | ||
slackChannel.addReadOnlyCommandPermissions(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can remove these lines as the are also deprecated.
const invokeCommandStatement = new iam.PolicyStatement({ | ||
effect: iam.Effect.ALLOW, | ||
resources: ["RESOURCE_ARNS_ALLOWED"], | ||
actions: ["INVOKING_ACTION_ALLOWED"], | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can document this clearer and encourage a more idiomatic usage with the grantX
methods on corresponding resources. IE, if we change this to.
const lambdaFn = new lambda.Function(this, 'MyChatbotHandler', {
code: lambda.Code.fromAsset('./code'),
runtime: lambda.Runtime.NODE_JS_14_X,
});
lambdaFn.grantInvoke(slackChannel.role);
@BLasan do you agree?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yuh, I think this would be ideal. But we need to add the permissions to the role first right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so lambdaFn.grantInvoke(slackChannel.role);
should handle all of that. This should be the only grant statement needed for the chatbot to invoke the function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed
slackChannel.addLambdaInvokeCommandPermissions(); | ||
const invokeCommandStatement = new iam.PolicyStatement({ | ||
effect: iam.Effect.ALLOW, | ||
resources: ["RESOURCE_ARNS_ALLOWED"], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NitPick: use single quotes to match the general repo style. (I prefer double but what can ya do 🤷🏻♂️ )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My bad. Will change this :)
Pull request has been modified.
@MrArnoldPalmer Updated |
const invokeCommandStatement = new iam.PolicyStatement({ | ||
effect: iam.Effect.ALLOW, | ||
resources: ['RESOURCE_ARNS_ALLOWED'], | ||
actions: ['INVOKING_ACTION_ALLOWED'], | ||
}); | ||
|
||
slackChannel.addToRolePolicy(invokeCommandStatement); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the lambda grant invoke removes the need for this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MrArnoldPalmer Updated. please review
Pull request has been modified.
const lambdaFn = new lambda.Function(this, 'MyChatbotHandler', { | ||
code: lambda.Code.fromAsset('./code'), | ||
runtime: lambda.Runtime.NODE_JS_14_X, | ||
handler: 'FILE_NAME.handler', | ||
}); | ||
lambdaFn.grantInvoke(slackChannel.role) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually I'm not sure if this is needed here. I misinterpreted the point of the previous calls I believe. I'm not sure if addLambdaInvokeCommandPermissions
is actually meant to grant access to a single specific lambda function. These aren't managed policies but just templates that the chatbot console will create a role with.
Perhaps we should just remove the usage of the methods that don't exist for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yuh, that method is for granting permissions in order to access a particular lambda function. Should we remove this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah lets remove this and the only changes from the original will be removing the calls to the deprecated methods. I do think users should be granting access to specific lambdas, cloudwatch metrics, etc and not using *
resources. This however should be demonstrated in a more specific example.
Pull request has been modified.
@MrArnoldPalmer Looks good? |
const invokeCommandStatement = new iam.PolicyStatement({ | ||
effect: iam.Effect.ALLOW, | ||
resources: ['RESOURCE_ARNS_ALLOWED'], | ||
actions: ['INVOKING_ACTION_ALLOWED'], | ||
}); | ||
|
||
slackChannel.addToRolePolicy(invokeCommandStatement); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should remove this as well. If you want to include examples about adding template policies, it should be done in a separate snippet with corresponding documentation in a different PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, will remove this as well :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MrArnoldPalmer Made the requested changes. Please review
…README.md Currently addLambdaInvokeCommandPermissions method used to get the permissions, which is a deprecated method now. Use addToPolicy method to get necessary permissions.
Pull request has been modified.
Pull request has been modified.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Currently addLambdaInvokeCommandPermissions method used to get the permissions,
which is a deprecated method now.
Use addToPolicy method to get necessary permissions
fix: #13444
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license