feat(redshift-alpha): implement IGrantable with a default service IAM Role #28018
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text `Exemption Request`. Additionally, if clarification is needed add `Clarification Request` to a comment.
* A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services. | ||
* | ||
* @default - Create a new role | ||
*/ | ||
readonly serviceRole?: iam.IRole; | ||
|
||
/** | ||
* A list of additional AWS Identity and Access Management (IAM) roles that can be used by the cluster to access other AWS services. |
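Review bot: the doc comment on `serviceRole` does not say how this prop relates to the additional-roles prop documented directly below it, and `@default - Create a new role` gives no hint of what the created role is allowed to do or which principal can assume it. Since this is the role the cluster uses to reach other AWS services, spell out in the `@default` text what the generated role starts with, and state whether a role passed here also has to be listed in the prop below.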
Somewhat conflicted on whether this should even be a prop, but I am leaning towards having it since other services follow a similar pattern.
Exemption Request for a new integration test.
Thanks for the contribution!
I left some suggestions for improvements on documentation and tests.
Also, I think that an integration test would be a good addition in this case.
Finally, the module in the title should be just `redshift`: `feat(redshift): ...`.
/** | ||
* A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services. | ||
*/ | ||
public readonly serviceRole: iam.IRole; |
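Review bot: the doc comment on `public readonly serviceRole: iam.IRole` repeats the prop's description word for word, so a reader cannot tell that this field holds the resolved role, whether it was passed in or created by default. Because the field is public and is the handle callers will use to attach further permissions, say that in the comment, and mention that it is the role behind the cluster's `IGrantable` implementation named in the PR title.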
/** | |
* A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services. | |
*/ | |
public readonly serviceRole: iam.IRole; | |
/** | |
* A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services. | |
*/ | |
private readonly serviceRole: iam.IRole; |
No need to make this public.
I think it's useful to either make this public or add additional methods to allow users to add permissions to the role directly.
It's convenient for adding additional permissions beyond what grants provide. For example if I wanted to allow my cluster to read from a Glue Data Catalog.
@@ -779,6 +779,31 @@ describe('default IAM role', () => { | |||
}); | |||
|
|||
describe('IAM role', () => { | |||
|
|||
test('cluster instantiated with a default grantable IAM Role', () => { |
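Review bot: the new `describe('IAM role', ...)` block sits right after `describe('default IAM role', ...)` (see the hunk header), and the two names are close enough that failures will be hard to tell apart in test output. Rename the new block after what it covers, for example the service role or the grant behaviour, so that the test title 'cluster instantiated with a default grantable IAM Role' reads naturally under it.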
I think we need unit tests for:
- A `Cluster` with `serviceRole` specified via props
- A `Cluster` with `serviceRole` and `roles` specified via props
I can add one, but I'm not entirely sure what value an integration test specifically for this feature would add. The feature is already captured in all the other integration tests as the
Co-authored-by: Luca Pizzini <lpizzini7@gmail.com>
Thanks for the changes, a couple of notes.
- feat(redshift-alpha): implement IGrantable with a default service IAM Role #28018 (comment) - Let's keep it `public` and see what maintainers say, but the indentation in the documentation still needs to be adjusted.
- feat(redshift-alpha): implement IGrantable with a default service IAM Role #28018 (comment) - Tests are still needed.
- Finally, the module in the title should be just redshift: feat(redshift): .... - The title still needs to be updated.
- feat(redshift-alpha): implement IGrantable with a default service IAM Role #28018 (comment) - An integration test that specifies a custom `serviceRole` and grants permissions on the cluster should be added since not covered by the existing tests.
I know that it's a borderline case, but it's better to have extra coverage, and it's good practice when adding features.
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.
Per Kendra's request, I reviewed these changes and can confirm that these changes do not conflict with the glue-alpha L2 work in flight. Safe to merge pending all other CDK service team checks without impacting our work.
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.
The pull request linter fails with the following errors:
PRs must pass status checks before we can provide a meaningful review. If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing
Have Redshift Clusters implement the IGrantable interface with a default Service Role. This allows for easier permissioning for features like Redshift Spectrum.
Closes #28013
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license