fix(custom-resources): incorrect IAM prefix generated for CloudWatch actions

[samson-keung]

Issue # (if applicable)

Closes #32968.

Reason for this change

The mapping to look up the IAM prefix from a given service has a incorrect entry for Cloudwatch. It says Cloudwatch uses monitoring as the prefix but it is actually cloudwatch instead.

I cannot find any service that uses monitoring as prefix so I think it is safe to assume that nothing relies on the monitoring value. Therefore, there is no feature flag used in this PR.

Description of changes

Updated the IAM prefix mapping.

Describe any new or updated permissions being added

Updated the mapping to use correct IAM prefix.

Description of how you validated changes

Updated unit tests to use AwsCustomResource with a Cloudwatch call.

Added integ test to use AwsCustomResource with a Cloudwatch call to tag an alarm and verify the tag is indeed added successfully.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.78%. Comparing base (ab9dd0a) to head (49d8f41).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33078   +/-   ##
=======================================
  Coverage   80.78%   80.78%           
=======================================
  Files         232      232           
  Lines       14111    14111           
  Branches     2453     2453           
=======================================
  Hits        11400    11400           
  Misses       2431     2431           
  Partials      280      280           

Flag	Coverage Δ
suite.unit	80.78% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	79.51% <ø> (ø)
packages/aws-cdk-lib/core	82.17% <ø> (ø)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[GavinZZ]

I want to understand this more. Have you tested on existing stack that uses AwsCustomResource with the monitoring iam prefix stack? Is this deployable or would it fail to deploy with monitoring as part of the iam statement?

[samson-keung]

Is this deployable or would it fail to deploy with monitoring as part of the iam statement?

It is deployable. I don't think IAM blocks users from using wrong permission. This is observable from the IAM console as well. I was able to create a policy with the monitoring:* action but the console does warn me that monitoring is a unrecognized service.

[GavinZZ]

Changes look good, just one minor comment.

[GavinZZ]

Should we add a new test instead of modifying this one so that we can continue testing cloudwatch-logs?

[samson-keung]

I did this because the onCreate is already testing service: 'CloudWatchLogs' (on line 19 above). So my thinking is, rather than testing the same thing via onDelete, I can change the onDelete to test service: 'CloudWatch'.

[GavinZZ]

@samson-keung this PR is 3 times the GetFunction custom resource PR.. This worries me a bit.

[samson-keung]

@samson-keung this PR is 3 times the GetFunction custom resource PR.. This worries me a bit.

That one was 700 files. This is way smaller. I had some trouble making the big one. This one was good, no trouble.

[GavinZZ]

@samson-keung this PR is 3 times the GetFunction custom resource PR.. This worries me a bit.

That one was 700 files. This is way smaller. I had some trouble making the big one. This one was good, no trouble.

OK cool, I was looking at the lines changed and this one is much bigger.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: checks failed.

The merge conditions cannot be satisfied due to failing checks:

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 49d8f41
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.