feat(elasticsearch): Decouple setting access policies from domain constructor #15876
@BenChaimberg Do you need any additional info to approve this PR? I would really like to set up a cross-region firehose config, and I'm blocked by this issue. I'd be happy to provide anything I can to speed this one up.

Unless I'm confused, this change should not be necessary. If you are setting a resource policy (which this effectively is), then you do not need to specify the full resource ARN; it's assumed to be the ARN of the resource you are attaching the policy to. That means you should be able to use a wildcard for the resource name like so:

If this is not the case, I will continue to review this PR.

@BenChaimberg I'm on vacation this week, but I will try it next week to check if that does what I need.

@BenChaimberg I took a look, and while your approach will satisfy my immediate use case, it opens up a very nasty potential security issue. Because the domain and path are part of the resource configuration, using a wildcard for the domain name may result in you giving more permission than you intended if you are not careful. Consider the following example:

The expectation there would be that I want to let a This is true for any URL that can be made to end with a valid post-wildcard segment. It wouldn't affect my use case directly, since I don't expect firehose will ever query anything it doesn't need, but it could happen in more advanced cases.

Understood the potential use-case, will add this to my queue!
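To make the concern in the comment above concrete, here is an added example (not code from this PR or from aws-cdk): a small model of IAM wildcard matching applied to Elasticsearch domain resource ARNs. It assumes standard IAM semantics, where `*` matches any run of characters including `/` and `?` matches one character; the account id, the domain names (`logs-domain`, `other-domain`) and the index path (`firehose-index`) are constructed placeholders.

```typescript
// Added illustration, not code from the aws-cdk PR or the project: a minimal model
// of IAM wildcard matching, applied to Elasticsearch domain resource ARNs.
// Assumed semantics (standard IAM): "*" matches any run of characters, including
// "/", and "?" matches exactly one character. Account id and names are constructed.

interface Statement {
  effect: "Allow" | "Deny";
  actions: string[];
  resources: string[];
}

// Turn an IAM pattern into an anchored regex. Every regex metacharacter except the
// IAM wildcards is escaped so that ARN punctuation is matched literally.
function iamPatternToRegex(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${body}$`);
}

function matches(pattern: string, value: string): boolean {
  return iamPatternToRegex(pattern).test(value);
}

// Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants,
// otherwise the request is implicitly denied.
function isAllowed(statements: Statement[], action: string, resourceArn: string): boolean {
  let allowed = false;
  for (const s of statements) {
    const actionHit = s.actions.some((a) => matches(a, action));
    const resourceHit = s.resources.some((r) => matches(r, resourceArn));
    if (!actionHit || !resourceHit) continue;
    if (s.effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

const REGION = "us-east-1";
const ACCOUNT = "111122223333"; // constructed placeholder account id
const esArn = (domainAndPath: string): string =>
  `arn:aws:es:${REGION}:${ACCOUNT}:domain/${domainAndPath}`;

// Policy written before the domain exists, with the domain name wildcarded.
// Intent: "let the writer POST/PUT to the firehose-index path of this domain".
const wildcardPolicy: Statement[] = [
  {
    effect: "Allow",
    actions: ["es:ESHttpPost", "es:ESHttpPut"],
    resources: [esArn("*/firehose-index/*")],
  },
];

// The same grant built after the domain exists, using its concrete name
// (what attaching access policies after construction makes possible).
const concretePolicy: Statement[] = [
  {
    effect: "Allow",
    actions: ["es:ESHttpPost", "es:ESHttpPut"],
    resources: [esArn("logs-domain/firehose-index/*")],
  },
];

// Three requests: the intended one, one against a deeper path of the same domain
// whose tail happens to end in the post-wildcard segment, and one against another
// domain in the account.
const requests = {
  intended: esArn("logs-domain/firehose-index/_bulk"),
  deeperPath: esArn("logs-domain/other-index/firehose-index/_bulk"),
  otherDomain: esArn("other-domain/firehose-index/_bulk"),
};

type RequestKey = keyof typeof requests;

function evaluate(policy: Statement[]): Record<RequestKey, boolean> {
  const out = {} as Record<RequestKey, boolean>;
  for (const key of Object.keys(requests) as RequestKey[]) {
    out[key] = isAllowed(policy, "es:ESHttpPost", requests[key]);
  }
  return out;
}

console.log("wildcard policy:", evaluate(wildcardPolicy));
console.log("concrete policy:", evaluate(concretePolicy));
```

The wildcard policy allows all three requests because `*` does not stop at `/`: the segment meant to stand for the domain name also absorbs any leading path components, so any URL that ends in `/firehose-index/...` is covered. In a resource-based policy the statement only ever applies to the domain it is attached to, so the other-domain case is moot there; the deeper-path case is the one the comment describes, and the policy built from the concrete domain ARN allows only the intended request.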
@BenChaimberg Most of the PR comments should be fixed

@BenChaimberg Updated as per your previous review

packages/@aws-cdk/aws-elasticsearch/lib/elasticsearch-access-policy.ts
see comment above about missing test
packages/@aws-cdk/aws-elasticsearch/test/elasticsearch-access-policy.test.ts
@BenChaimberg The

@kaizen3031593 Sure, I can poke at it today
@kaizen3031593 Can you clarify a bit about the direction of

@kaizen3031593 This PR should be ready for review

@TikiTDO as long as both opensearch and elasticsearch are stable, we're going to have to support feature parity between the two. However, the plan is to deprecate elasticsearch soon and once that happens, I think we'll only support p0 bugs in elasticsearch.
Thanks @TikiTDO! And sorry it took forever to get this in. I just went in and changed a few more elasticsearches into opensearches.
Looks like the tests segfaulted on an unrelated module.

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
…structor (aws#15876)

Currently when creating an elasticsearch domain the access policies must be set in the constructor. This makes it impossible to create access policies that reference the domain.

### Use Cases

See: https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cross-account-streaming/

### Proposed Solution

This PR extracts the access policy setting to a helper method which can be used if the `accessPolicies` and `useUnsignedBasicAuth` props are not set. The helper will error if access policies are already set to prevent creating duplicate custom resources.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*