Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(config): add custom policy rule constructs #21794

Merged
merged 6 commits into from
Oct 14, 2022

Conversation

watany-dev
Copy link
Contributor

@watany-dev watany-dev commented Aug 28, 2022

feat(config) #21441

I have created a new config.CustomPolicy so that this functionality is available in L2 Constructs.

The resources that can currently be created with AWS::Config::ConfigRule can be created with config.CustomRule and config.ManagedRule in the CDK. This is because the restrictions on the various properties are different.
CustomPolicy has different constraints compared to CustomRule as follows.

  • There is a restriction on the format that can be selected in SourceDetails.
  • Properties that refer to Lambda are unnecessary.
  • CustomPolicyDetails must be specified.

To avoid this limitation and complexity, CustomPolicy can be separated, making it more convenient for users. It also reduces the dependence on each rule type for updates during maintenance.


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Aug 28, 2022

@github-actions github-actions bot added the p2 label Aug 28, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team August 28, 2022 11:52
@TheRealAmazonKendra TheRealAmazonKendra changed the title feat(config) add Custom Policy Rule Constructs feat(config): add custom policy rule constructs Sep 1, 2022
Copy link
Contributor

@TheRealAmazonKendra TheRealAmazonKendra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make sure that your PR body describes the problem the PR is solving, and the design approach and alternatives considered. Explain why the PR solves the problem. A link to an issue is helpful, but does not replace an explanation of your thought process (See Contributing Guide, Pull Requests).

Please update and then we will provide a meaningful review.

Copy link
Contributor

@TheRealAmazonKendra TheRealAmazonKendra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make sure that your PR body describes the problem the PR is solving, and the design approach and alternatives considered. Explain why the PR solves the problem. A link to an issue is helpful, but does not replace an explanation of your thought process (See Contributing Guide, Pull Requests).

Please update and then we will provide a meaningful review.

@watany-dev
Copy link
Contributor Author

Sorry for the lack of intent in the explanation. I described the awareness of the issues and the intention to realize this function developed.

Copy link
Contributor

@TheRealAmazonKendra TheRealAmazonKendra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution! Overall this is great work and we appreciate you taking the time to do the implementation! I just have a few comments inline.

Additionally, overall, I think there's some room in rule.ts to remove duplication of code. If you are open to taking that on, I'd definitely love to see some refactoring.

Comment on lines +152 to +162
rule tableisactive when
resourceType == "AWS::DynamoDB::Table" {
configuration.tableStatus == %status
}
rule checkcompliance when
resourceType == "AWS::DynamoDB::Table"
tableisactive {
let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
%pitr == "ENABLED"
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we model these rules in a way that they can be implemented via code instead of just being blocks of code? I get that they're custom rules so there may be a lot of complexity there, so if it doesn't make sense, let me know.

Copy link
Contributor Author

@watany-dev watany-dev Sep 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry if my understanding is wrong. You need to attempt to parse the GuardDSL in the link below into a grammar in CDK.
https://github.com/aws-cloudformation/cloudformation-guard/blob/main/docs/CLAUSES.md

I am aware that this is a complex effort at this stage, and while it is great as a loadmap, would it be acceptable at this stage to work on it without a detailed parsing of the string as we do with other CustomRules?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only problem with that approach is that, if we're changing the contract in the future, that's a breaking change. I suppose we can leave the string option and/or deprecate it so that it's not technically breaking. Considering that this is how we implement else where, though, I suppose I'm fine with this.

packages/@aws-cdk/aws-config/lib/rule.ts Outdated Show resolved Hide resolved
configRuleName: this.physicalName,
description: props.description,
inputParameters: props.inputParameters,
scope: Lazy.any({ produce: () => renderScope(this.ruleScope) }), // scope can use values such as stack id (see CloudFormationStackDriftDetectionCheck)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add an additional integration test that uses something like stackId where it needs to be produced late.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@TheRealAmazonKendra
This comment is actually still copied from CustomRule.

I am reading the documentation that might be relevant, but there doesn't appear to be an i/f where I can enter a stackid.
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_config.RuleScope.html
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_config.CloudFormationStackDriftDetectionCheck.html

As a suggestion, can we remove this misleading comment from CustomRule and CustomPolicy.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment looks accurately written. Render scope does the following

function renderScope(ruleScope?: RuleScope): CfnConfigRule.ScopeProperty | undefined {
  return ruleScope ? {
    complianceResourceId: ruleScope.resourceId,
    complianceResourceTypes: ruleScope.resourceTypes?.map(resource => resource.complianceResourceType),
    tagKey: ruleScope.key,
    tagValue: ruleScope.value,
  } : undefined;
}

So, if the resource that this scope is being assigned to doesn't yet have its resource id created at the time of this policy rule being declared, this needs to produce that information after that resource has been created. Basically, if this is declared.

This test can be written by creating a resource of some sort and then making the rule scope specific to that resource by adding the id as the second input for fromResource. It will have to be produced via Lazy.

packages/@aws-cdk/aws-config/lib/rule.ts Show resolved Hide resolved
@watany-dev watany-dev force-pushed the add-config-custom-policy branch from a2a16c7 to 50611ad Compare September 10, 2022 07:31
@mergify mergify bot dismissed TheRealAmazonKendra’s stale review September 10, 2022 07:31

Pull request has been modified.

* that triggers AWS Config to evaluate your AWS resources.
*
*/
readonly eventSource : string;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
readonly eventSource : string;
readonly eventSource: string;

/**
* The frequency at which you want AWS Config to run evaluations for a custom rule with a periodic trigger.
*/
readonly maximumExecutionFrequency? : MaximumExecutionFrequency;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
readonly maximumExecutionFrequency? : MaximumExecutionFrequency;
readonly maximumExecutionFrequency?: MaximumExecutionFrequency;

/**
* The type of notification that triggers AWS Config to run an evaluation for a rule.
*/
readonly messageType : MessageType;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
readonly messageType : MessageType;
readonly messageType: MessageType;

configRuleName: this.physicalName,
description: props.description,
inputParameters: props.inputParameters,
scope: Lazy.any({ produce: () => renderScope(this.ruleScope) }), // scope can use values such as stack id (see CloudFormationStackDriftDetectionCheck)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment looks accurately written. Render scope does the following

function renderScope(ruleScope?: RuleScope): CfnConfigRule.ScopeProperty | undefined {
  return ruleScope ? {
    complianceResourceId: ruleScope.resourceId,
    complianceResourceTypes: ruleScope.resourceTypes?.map(resource => resource.complianceResourceType),
    tagKey: ruleScope.key,
    tagValue: ruleScope.value,
  } : undefined;
}

So, if the resource that this scope is being assigned to doesn't yet have its resource id created at the time of this policy rule being declared, this needs to produce that information after that resource has been created. Basically, if this is declared.

This test can be written by creating a resource of some sort and then making the rule scope specific to that resource by adding the id as the second input for fromResource. It will have to be produced via Lazy.

this.ruleScope = props.ruleScope;

sourceDetails.push({
eventSource: 'aws.config',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are any other event sources possible?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-config-configrule-source-sourcedetails.html
After checking the document, it seems that only aws.config is entered. Define it as an enum like MessageType

@watany-dev watany-dev force-pushed the add-config-custom-policy branch from 50611ad to bef9728 Compare September 12, 2022 07:44
@mergify mergify bot dismissed TheRealAmazonKendra’s stale review September 12, 2022 07:45

Pull request has been modified.

@mergify
Copy link
Contributor

mergify bot commented Sep 12, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot dismissed TheRealAmazonKendra’s stale review September 12, 2022 22:20

Pull request has been modified.

Copy link
Contributor

@TheRealAmazonKendra TheRealAmazonKendra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is as a result of another change that was merged between this being opened and approved. Please just rerun the integ tests with the --update-on-failed flag.

@mergify mergify bot dismissed TheRealAmazonKendra’s stale review September 12, 2022 23:23

Pull request has been modified.

@TheRealAmazonKendra
Copy link
Contributor

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Sep 13, 2022

update

☑️ Nothing to do

  • #commits-behind>0 [:pushpin: update requirement]
  • -closed [:pushpin: update requirement]

@TheRealAmazonKendra
Copy link
Contributor

Odd that it updated in the opposite direction. Did you build first with the most updated changes from main?

@watany-dev
Copy link
Contributor Author

Hmmm, the BUILD may have been leaking. I will try the buildup again.

@watany-dev
Copy link
Contributor Author

watany-dev commented Sep 13, 2022

@TheRealAmazonKendra
Check the contents of my branch for the latest version,
/workspace/aws-cdk/packages/@aws-cdk/aws-config$ ... /... /... /scripts/buildup,
I got the following error. (package.json?).
Do you know how to deal with this kind of situation?

/workspace/aws-cdk/packages/aws-cdk: yarn build  (55 remaining)
yarn run v1.22.19
$ cdk-build
[eslint-import-resolver-typescript]: option `directory` is deprecated, please use `project` instead
Validating circular imports
Validating resources
Validating attributions
In package package.json
- [@aws-cdk/node-bundle => outdated-attributions] THIRD_PARTY_LICENSES is outdated (fixable)
Error: Some package.json files had errors
    at main (/workspace/aws-cdk/tools/@aws-cdk/pkglint/bin/pkglint.js:30:15)
    at Object.<anonymous> (/workspace/aws-cdk/tools/@aws-cdk/pkglint/bin/pkglint.js:33:1)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at require (internal/modules/cjs/helpers.js:101:18)
    at Object.<anonymous> (/workspace/aws-cdk/tools/@aws-cdk/pkglint/bin/pkglint:2:1)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
Error: pkglint exited with error code 1
Build failed.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
error: last command failed. fix problem and resume by executing: /workspace/aws-cdk/scripts/foreach.sh
directory:    /workspace/aws-cdk/packages/aws-cdk

@watany-dev
Copy link
Contributor Author

I'll try a full build just to be sure.

@TheRealAmazonKendra
Copy link
Contributor

@TheRealAmazonKendra Check the contents of my branch for the latest version, /workspace/aws-cdk/packages/@aws-cdk/aws-config$ ... /... /... /scripts/buildup, I got the following error. (package.json?). Do you know how to deal with this kind of situation?

/workspace/aws-cdk/packages/aws-cdk: yarn build  (55 remaining)
yarn run v1.22.19
$ cdk-build
[eslint-import-resolver-typescript]: option `directory` is deprecated, please use `project` instead
Validating circular imports
Validating resources
Validating attributions
In package package.json
- [@aws-cdk/node-bundle => outdated-attributions] THIRD_PARTY_LICENSES is outdated (fixable)
Error: Some package.json files had errors
    at main (/workspace/aws-cdk/tools/@aws-cdk/pkglint/bin/pkglint.js:30:15)
    at Object.<anonymous> (/workspace/aws-cdk/tools/@aws-cdk/pkglint/bin/pkglint.js:33:1)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at require (internal/modules/cjs/helpers.js:101:18)
    at Object.<anonymous> (/workspace/aws-cdk/tools/@aws-cdk/pkglint/bin/pkglint:2:1)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
Error: pkglint exited with error code 1
Build failed.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
error: last command failed. fix problem and resume by executing: /workspace/aws-cdk/scripts/foreach.sh
directory:    /workspace/aws-cdk/packages/aws-cdk

Ah, yes. Just run yarn install and that will take care of that.

@watany-dev
Copy link
Contributor Author

Thank you.
I have successfully done the build based on your advice, and the integ test also confirmed that the version is newer and the build succeeded with a successful commit.
12ce62a

@watany-dev
Copy link
Contributor Author

@TheRealAmazonKendra
Could you please check this again? The snapshot shows the version up instead of down, and it seems to have completed successfully.

@mergify
Copy link
Contributor

mergify bot commented Oct 13, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Copy link
Contributor

mergify bot commented Oct 14, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: cab0e77
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 09a5cc4 into aws:main Oct 14, 2022
@mergify
Copy link
Contributor

mergify bot commented Oct 14, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@watany-dev watany-dev deleted the add-config-custom-policy branch October 14, 2022 01:22
mrgrain pushed a commit to mrgrain/aws-cdk that referenced this pull request Oct 24, 2022
feat(config) aws#21441

I have created a `new config.CustomPolicy` so that this functionality is available in L2 Constructs.

The resources that can currently be created with `AWS::Config::ConfigRule` can be created with `config.CustomRule` and `config.ManagedRule` in the CDK. This is because the restrictions on the various properties are different.
CustomPolicy has different constraints compared to CustomRule as follows.

- There is a restriction on the format that can be selected in `SourceDetails`.
    - [docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configrule-source.html)
- Properties that refer to Lambda are unnecessary.
- `CustomPolicyDetails` must be specified.
    - [docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configrule-source-sourcedetails.html)

To avoid this limitation and complexity, `CustomPolicy` can be separated, making it more convenient for users. It also reduces the dependence on each rule type for updates during maintenance.



----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [x] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants