chore(aws-cdk-readme): replace deprecated method used in aws-chatbot README.md #13521
Conversation
|
|
|
Title does not follow the guidelines of Conventional Commits. Please adjust title before merge. |
BLasan
changed the title
BLasan
force-pushed
the
issue-13444
branch
3 times, most recently
from
0f547f8
to
baf1ee4
Compare
BLasan
changed the title
| slackChannel.addNotificationPermissions(); | ||
| slackChannel.addSupportCommandPermissions(); | ||
| slackChannel.addReadOnlyCommandPermissions(); |
There was a problem hiding this comment.
We can remove these lines as the are also deprecated.
| const invokeCommandStatement = new iam.PolicyStatement({ | ||
| effect: iam.Effect.ALLOW, | ||
| resources: ["RESOURCE_ARNS_ALLOWED"], | ||
| actions: ["INVOKING_ACTION_ALLOWED"], | ||
| }); |
There was a problem hiding this comment.
I think we can document this clearer and encourage a more idiomatic usage with the grantX methods on corresponding resources. IE, if we change this to.
const lambdaFn = new lambda.Function(this, 'MyChatbotHandler', {
code: lambda.Code.fromAsset('./code'),
runtime: lambda.Runtime.NODE_JS_14_X,
});
lambdaFn.grantInvoke(slackChannel.role);@BLasan do you agree?
There was a problem hiding this comment.
Yuh, I think this would be ideal. But we need to add the permissions to the role first right?
There was a problem hiding this comment.
so lambdaFn.grantInvoke(slackChannel.role); should handle all of that. This should be the only grant statement needed for the chatbot to invoke the function.
| slackChannel.addLambdaInvokeCommandPermissions(); | ||
| const invokeCommandStatement = new iam.PolicyStatement({ | ||
| effect: iam.Effect.ALLOW, | ||
| resources: ["RESOURCE_ARNS_ALLOWED"], |
There was a problem hiding this comment.
NitPick: use single quotes to match the general repo style. (I prefer double but what can ya do 🤷🏻♂️ )
There was a problem hiding this comment.
My bad. Will change this :)
mergify
bot
dismissed
MrArnoldPalmer’s stale review
Pull request has been modified.
|
@MrArnoldPalmer Updated |
| const invokeCommandStatement = new iam.PolicyStatement({ | ||
| effect: iam.Effect.ALLOW, | ||
| resources: ['RESOURCE_ARNS_ALLOWED'], | ||
| actions: ['INVOKING_ACTION_ALLOWED'], | ||
| }); | ||
|
|
||
| slackChannel.addToRolePolicy(invokeCommandStatement); |
There was a problem hiding this comment.
the lambda grant invoke removes the need for this.
There was a problem hiding this comment.
@MrArnoldPalmer Updated. please review
mergify
bot
dismissed
MrArnoldPalmer’s stale review
Pull request has been modified.
| const lambdaFn = new lambda.Function(this, 'MyChatbotHandler', { | ||
| code: lambda.Code.fromAsset('./code'), | ||
| runtime: lambda.Runtime.NODE_JS_14_X, | ||
| handler: 'FILE_NAME.handler', | ||
| }); | ||
| lambdaFn.grantInvoke(slackChannel.role) |
There was a problem hiding this comment.
Actually I'm not sure if this is needed here. I misinterpreted the point of the previous calls I believe. I'm not sure if addLambdaInvokeCommandPermissions is actually meant to grant access to a single specific lambda function. These aren't managed policies but just templates that the chatbot console will create a role with.
Perhaps we should just remove the usage of the methods that don't exist for now.
There was a problem hiding this comment.
Yuh, that method is for granting permissions in order to access a particular lambda function. Should we remove this?
There was a problem hiding this comment.
yeah lets remove this and the only changes from the original will be removing the calls to the deprecated methods. I do think users should be granting access to specific lambdas, cloudwatch metrics, etc and not using * resources. This however should be demonstrated in a more specific example.
mergify
bot
dismissed
MrArnoldPalmer’s stale review
Pull request has been modified.
|
@MrArnoldPalmer Looks good? |
| const invokeCommandStatement = new iam.PolicyStatement({ | ||
| effect: iam.Effect.ALLOW, | ||
| resources: ['RESOURCE_ARNS_ALLOWED'], | ||
| actions: ['INVOKING_ACTION_ALLOWED'], | ||
| }); | ||
|
|
||
| slackChannel.addToRolePolicy(invokeCommandStatement); |
There was a problem hiding this comment.
I think we should remove this as well. If you want to include examples about adding template policies, it should be done in a separate snippet with corresponding documentation in a different PR.
There was a problem hiding this comment.
Ok, will remove this as well :)
There was a problem hiding this comment.
@MrArnoldPalmer Made the requested changes. Please review
…README.md Currently addLambdaInvokeCommandPermissions method used to get the permissions, which is a deprecated method now. Use addToPolicy method to get necessary permissions.
mergify
bot
dismissed
MrArnoldPalmer’s stale review
Pull request has been modified.
mergify
bot
dismissed
MrArnoldPalmer’s stale review
Pull request has been modified.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Currently addLambdaInvokeCommandPermissions method used to get the permissions,
which is a deprecated method now.
Use addToPolicy method to get necessary permissions
fix: #13444
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license