fix(aws-custom-resource): switch off installLatestAwsSdk by default
#23591
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `AwsCustomResource` reaches out to the internet to install the latest AWS SDK by default. This will make it fail if it is being bound to a VPC that doesn't have internet connectivity, or in regions/partitions that are not able to freely connect to `npmjs.com`. This was a poorly chosen default from the time we didn't know any better, but we do know right now. Switch the behavior off by default (under feature flag), and explicitly disable it for all `AwsCustomResource`s the L2 library uses. Lambda advertises 2.1055.0 of the SDK everywhere, and I checked to make sure that all APIs we use are part of that SDK version, so we don't need any newer version. That version is a year old (!) so this is not the end of the story, but it's at least an improvement over what we currently have. Fixes #23113.
|
|
github-actions
bot
added
bug
aws-cdk-automation
previously requested changes
Jan 6, 2023
rix0rrr
added
the
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
mrgrain
approved these changes
Jan 6, 2023
|
Re: Failing build. Looks like some integ test snapshots need to be updated. |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Edit: After reading the change more thoroughly, I understood the mechanism of the new default: The The documentation still states that I suspect it's because the code documentation needs to be updated as well: |
DerkSchooltink
pushed a commit
to DerkSchooltink/aws-cdk
that referenced
this pull request
Jan 23, 2023
…aws#23591) The `AwsCustomResource` reaches out to the internet to install the latest AWS SDK by default. This will make it fail if it is being bound to a VPC that doesn't have internet connectivity, or in regions/partitions that are not able to freely connect to `npmjs.com`. This was a poorly chosen default from the time we didn't know any better, but we do know right now. Switch the behavior off by default (under feature flag), and explicitly disable it for all `AwsCustomResource`s the L2 library uses. Lambda advertises 2.1055.0 of the SDK everywhere, and I checked to make sure that all APIs we use are part of that SDK version, so we don't need any newer version. That version is a year old (!) so this is not the end of the story, but it's at least an improvement over what we currently have. Fixes aws#23113. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 task
mergify bot
pushed a commit
that referenced
this pull request
Apr 12, 2024
…y Group reference (#29620) ### Issue # (if applicable) Closes #23796 ### Reason for this change In #23591 `installLatestAwsSdk`. This results in a resource update for custom resources. The custom resource that fetches the security groups does not have an onUpdate handler (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-globalaccelerator/lib/_accelerator-security-group.ts#L32). When the empty object is returned, this results in an update failure in CloudFormation because the specific property isn't available and so it will fail with error below: ``` CustomResource attribute error: Vendor response doesn't contain SecurityGroups.0.GroupId key in object ``` When the update occurs, the response object does not have a `SecurityGroups.0.GroupId` field, resulting in failures when `SecurityGroups` is referenced. ### Description of changes Update the onCreate to onUpdate for custom resources to mitigate the CloudFormation update failure. Documentations: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources.AwsCustomResource.html#oncreate. Similar fix for Cognito: #23798 ### Description of how you validated changes The integration test is updated with the latest assets. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
AwsCustomResourcereaches out to the internet to install the latest AWS SDK by default. This will make it fail if it is being bound to a VPC that doesn't have internet connectivity, or in regions/partitions that are not able to freely connect tonpmjs.com.This was a poorly chosen default from the time we didn't know any better, but we do know right now. Switch the behavior off by default (under feature flag), and explicitly disable it for all
AwsCustomResources the L2 library uses. Lambda advertises 2.1055.0 of the SDK everywhere, and I checked to make sure that all APIs we use are part of that SDK version, so we don't need any newer version.That version is a year old (!) so this is not the end of the story, but it's at least an improvement over what we currently have.
Fixes #23113.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license