feat(app-delivery) IAM policy for deploy stack

[moofish32]

• The changeset and apply changeset may need specific IAM permissions
  and the user can now customize them via deployStackAction.role
• Document updates for proper build stage configuration
• Fixes Correct docs for app-delivery & improve usability #1151

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

[eladb]

@skinny85 can you take a look please?

[rix0rrr]

In general, looks good and thanks, just want to hear from @skinny85 about design decisions w.r.t. CFN capabitilies.

[rix0rrr]

I would default this to "anonymous" IAM capabilities, that should make 95% of all CDK templates work out of the box and doesn't introduce much appreciable risk.

People will then be able to opt out of IAM completely or opt-in to strongly-named IAM objects as they desire.

Also, an enum seems more ergonomic. I know it's not robust against future extension, but I do care about ergonomics today more than a hypothetical future extension, and we can always deal with that if it ever occurs (which I don't think it will any time soon).

[rix0rrr]

Also, fullPermissions implies named-IAM, I'm seeing in the source of the underlying construct:

https://github.com/awslabs/aws-cdk/blob/8e701adfc503d3338ae890c74d4903607c4130cd/packages/%40aws-cdk/aws-cloudformation/lib/pipeline-actions.ts#L201

Does named-IAM subsume anonymous IAM?

[rix0rrr]

I guess this is a request for upstream change then.

@skinny85 ?

[RomainMuller]

The CloudFormation documentation states that NamedIAM implies IAM, and that you need not specify both.

I would agree with defaulting to IAM in app-delivery, while letting the CFN L2 default be nothing. This is L3 so we can allow opinion in (and CDK applications will very often make use of IAM resources).

Now the fact that it's an array of CloudFormationCapabilities is because that is what CloudFormation accepts (even though there is no apparent use for it just yet). Maybe it's future-proofing? But I guess if the API we use is future-proofed, maybe there's a reason and we should "leak" the future-proofing out to avoid a bad surprise later?

[rix0rrr]

That future-proofing is exactly what I'm opposing to.

[moofish32]

I would default this to "anonymous" IAM capabilities, that should make 95% of all CDK templates work out of the box and doesn't introduce much appreciable risk.

People will then be able to opt out of IAM completely or opt-in to strongly-named IAM objects as they desire.

Also, an enum seems more ergonomic. I know it's not robust against future extension, but I do care about ergonomics today more than a hypothetical future extension, and we can always deal with that if it ever occurs (which I don't think it will any time soon).

@rix0rrr I'm confused here. Is anonymous an actual thing or are we saying just change the word none to anonymous because that's a better description? Right now if you don't create IAM entities the capabilities is empty, so I'm confused on the wording?

[skinny85]

@moofish32, I believe @rix0rrr means "anonymous IAM permissions" (as opposed to "named IAM permissions").

I agree wholeheartedly with Rico and Romain here. In general, we don't do these kind of future proofing in the CDK - we try to give a nicer API for the common case.

So, I would proceed as follows here:

1. Introduce a new enum in this module, with 3 values: None, AnonymousIAM, NamedIAM.
2. Make capabilities in PipelineDeployStackActionProps be of this new enum type (not an array), with default AnonymousIAM.
3. After this PR, open a separate PR to move this enum to the aws-cloudformation package, and change the API of the CFN Actions themselves to use it.

Does this make sense?

[moofish32]

If I can do it all in this PR should I? I haven't looked at how difficult this would be plumb.

[skinny85]

Probably easier to leave it out of this PR, as it's a breaking change. But knock yourself out if you want - I don't think it will be super difficult :).

[RomainMuller]

That's pretty good! There's a couple of things that I would like to have fixed (nothing major, really). I would also plan to give the README.md example the .lit.ts treatment (but don't you worry about this right now - I'll do it once this PR is merged) so we can make sure it at least compiles going forward.

[RomainMuller]

That's only true if you don't specify an inline buildspec with your CodeBuild project, so I wouldn't phrase it like so.

[RomainMuller]

The precision on .yaml is definitely a good one - I'd have moved it in the paragraph just above.

[RomainMuller]

I would copy the comment from the PipelineCreateReplaceChangeSetActionProps attribute (same for the other two). I think they're pretty detailed and they avoid insisting so much on the implementation detail here (customer is really just interesting at deploying a stack - the fact there is a ChangeSet being created, then executed, is mostly irrelevant).

[RomainMuller]

I don't think this is needed. fullPermissions defaults to false in PipelineCreateReplaceChangeSetAction (and I reckon we're quite unlikely to change this default, as it has pretty drastic security implications).

[RomainMuller]

You'll want to make sure you merge in the 0.17.0 version bump & update those :)

[RomainMuller]

I wouldn't specify this in the README.md, it could be distracting (or looking like it needs to be that).

[moofish32]

Made a comment instead as an example.

[skinny85]

Some dependencies are duplicated here (cdk-build-tools, cdk-integ-tools, @aws-cdk/aws-s3, @aws-cdk/aws-codepipeline) - I would remove the extra ones so that the @aws-cdk namespace ones are grouped at the beginning.

[moofish32]

copy and paste on resolution -- my bad fixing and will alphabetize too

[skinny85]

Nit: alphabetic order.

[skinny85]

Nit: alphabetic order.

[skinny85]

@moofish32, I believe @rix0rrr means "anonymous IAM permissions" (as opposed to "named IAM permissions").

I agree wholeheartedly with Rico and Romain here. In general, we don't do these kind of future proofing in the CDK - we try to give a nicer API for the common case.

So, I would proceed as follows here:

1. Introduce a new enum in this module, with 3 values: None, AnonymousIAM, NamedIAM.
2. Make capabilities in PipelineDeployStackActionProps be of this new enum type (not an array), with default AnonymousIAM.
3. After this PR, open a separate PR to move this enum to the aws-cloudformation package, and change the API of the CFN Actions themselves to use it.

Does this make sense?

[skinny85]

Looks great. Other than the capabilities thing (which is not a problem in this PR, but something we actually want to change upstream), I only have minor nitpicks.

[rix0rrr]

I will leave it to @RomainMuller and @skinny85 to merge this PR if they're satisfied.

[RomainMuller]

I think we'll be good to merge once @skinny85's suggestion with respects to defining an enum locally is implemented.

[moofish32]

I have updated the commit (via squash/rebase) and included this breaking change. If we are going to break let's just get on with it.

* The changeset and apply changeset can now apply role IAM permissions,
 and CloudFormation Capabilities
 * Updated CloudFormationCapabilities enum to include `None` and renamed `IAM` to `AnonymousIAM`.
 * Document updates for proper build stage configuration
 * Fixes #1151

BREAKING CHANGE: `CloudFormationCapabilities.IAM` renamed to
`CloudFormation.AnonymousIAM` and `PipelineCloudFormationDeployActionProps.capabilities?: CloudFormationCapabilities[]` has been changed to
`PipelineCloudFormationDeployActionProps.capabilities?:
CloudFormationCapabilities` no longer an array.

[eladb]

Related #286

[eladb]

This should have the word admin in it in my mind to ensure the extent of this grant is clear. I would even just call this administrator. It's okay that this also implies "capabilities=NAMED_IAM"...

[moofish32]

I went with adminPermissions because when I put in administrator I asked my self of what? I thought adminPermissions would be more clear, if you are set on administrator let me know.

[moofish32]

I'm not sure who has the final merge rights, but I've attempted to incorporate the feedback. Let me know if any further changes are needed.

[eladb]

LGTM @skinny85 you get the final approval

[RomainMuller]

Resolved the conflicts in package.json (hopefully correctly - I've done it from the web flow).

[skinny85]

Sorry @moofish32 , I still have comments here :(.

[skinny85]

Huh. This shows up as a new line without comments. Perhaps it's just GitHub's diff displaying it weirdly.

[moofish32]

legit mistake on me, GitHub doesn't lie

[skinny85]

Example contents of buildspec.yml:
// empty line here

version: 0.2
phases:

...

[moofish32]

👍

[skinny85]

I think this now clashes with the sentence above? "For example, a TypeScript or Javascript CDK App can add the following buildspec.yml at the root of the repository configured in the Source stage:". Perhaps it always did, I just never noticed ;p.

[skinny85]

I believe CAPABILITY_IAM is not the correct constant name anymore?

[moofish32]

👍

[skinny85]

Feel free to use the addActions method here, that takes a varargs argument, will be more concise.

[moofish32]

OH... I didn't see there was one!

[skinny85]

Sorry, maybe I wasn't clear before.

The capabilities should default to AnonymousIAM only in the app-delivery construct.

In the CFN Actions, the default should be undefined (that is, none), like it is now.

[moofish32]

I wondered about this change. With adminPermissions being required it seems a bit odd this default is allow IAM, but it's a pretty heavy coin flip considering it's rare not to deploy a role with a service.

[moofish32]

@skinny85 -- implementing changes requested in next push, if build passes I think I've incorporated the changes, if not I'll be fixing shortly.

[moofish32]

👍

[moofish32]

legit mistake on me, GitHub doesn't lie

[moofish32]

👍

[moofish32]

I wondered about this change. With adminPermissions being required it seems a bit odd this default is allow IAM, but it's a pretty heavy coin flip considering it's rare not to deploy a role with a service.

[moofish32]

Thanks for the conflict resolution @RomainMuller. @skinny85 did I get all the fixes in here?

[skinny85]

Can you revert the changes to the expected JSON files, and see if npm run test still passes for the packages? I'm pretty sure none of the changes to those files are needed, and I'd rather not change them if there's no reason (they are our biggest line of defense against regressions).

Also, some optional minor comments.

[skinny85]

I wouldn't comment out the whole thing, but instead just the usecase-specific part:

deployServiceAAction.addToRolePolicy(
  new iam.PolicyStatement()
    .addAction('service:SomeAction')
    .addResource(myResource.myResourceArn)
    // add more Action(s) and/or Resource(s) here, as needed
);

[moofish32]

👍

[skinny85]

I think this now clashes with the sentence above? "For example, a TypeScript or Javascript CDK App can add the following buildspec.yml at the root of the repository configured in the Source stage:". Perhaps it always did, I just never noticed ;p.

[skinny85]

I would actually make None the first enum value (I would sort them in the order of increasing capabilities).

[moofish32]

Just so we all know ... that enum was alphabetized, in accordance with multiple other nits from @skinny85 😮

[moofish32]

alright @skinny85 one more pass when ever you are back from the holiday.

[skinny85]

Looks great. Thanks for the patience @moofish32 !