Assets: upload to and grant permissions on prefix #510
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We need to give asset consumers permissions on all versions of an asset, not just the latest version. Otherwise, we will never be able to do rolling updates. Also add caching on AWS client instances, so with multiple asset uploads we don't have to construct a new S3 client for every asset (incurring credential lookups for each one). This fixes #484.
|
Practical changes: The assets are now uploaded to something like: And we give permissions on the prefix I'm not entirely sure I like the additional input
The last one seems very brittle, the first one lacks flexibility and helps only by 33%. So I'm leaning towards combining multiple parameter values into one formal CloudFormation |
eladb
reviewed
Aug 6, 2018
There was a problem hiding this comment.
@rix0rrr I agree that the additional parameter is a going to be a problem very quickly. And I am concerned how this is going to work with CodePipelines. Will we use the pipeline bucket as the prefix?
I wonder if instead of using only a path separator, we could delimit using a sequence (i.e. @/@), so the S3 key will always look something like bla/bla/bla/prefix@/@suffix and then we can just Fn::Split with "@/@" as the delimiter to separate the prefix and the concrete object key. Still not sure how this will work with CP.
| // Even though this code looks horrible, this is actually not a terrible thing | ||
| // to do. The generated ID will contain the *stack name* as well, which is a | ||
| // perfectly nice thing to do to disambiguate similarly named assets in different stacks. | ||
| const uniqueId = new cdk.HashedAddressingScheme().allocateAddress(this.path.split('/')); |
There was a problem hiding this comment.
I keep wondering if we should just expose a uniqueId in the Construct level (and use for resource.logicalId). This keeps coming back and I think might be useful generally, and not only for CloudFormation resource identifiers.
There was a problem hiding this comment.
I agree, but their scopes are different, which complicates it a bit.
In a tree like this:
root
└── Stack
└── Construct
└── Construct
├─────── path ───────┤
├─ logical id ──┤
The .path is from the root to the construct, but the logical ID is only calculated off the nearest enclosing stack to the construct. If we didn't do that, all enclosing logical IDs would being with the stack name, which is not terrible for the IDs that they are, but they're also used to generate human-readable names, where that would be quite ugly (and in fact CFN sometimes--but not always!--prepends the stack name itself as well).
So we should probably still keep them separated, or have something like uniqueIdRelativeTo(ancestor)
There was a problem hiding this comment.
We could allow constructs to opt-out of the human portion of name generation, so they will be "skipped" when producing the human portion (something like hideName = true).
| // different versions of the same file will have the same prefix | ||
| // and we don't want to accidentally revoke permission on old versions | ||
| // when deploying a new version. | ||
| this.bucket.grantRead(principal, new cdk.FnConcat(this.s3PrefixParam.value, "*")); |
|
This change is pending #518 |
added 7 commits
August 16, 2018 15:43
RomainMuller
approved these changes
Aug 17, 2018
|
|
||
| // grant the lambda's role read permissions on the code s3 object | ||
| this.s3Prefix = new cdk.FnSelect(0, new cdk.FnSplit(cxapi.ASSET_PREFIX_SEPARATOR, keyParam.value)); | ||
| const s3Filename = new cdk.FnSelect(1, new cdk.FnSplit(cxapi.ASSET_PREFIX_SEPARATOR, keyParam.value)); |
There was a problem hiding this comment.
You realize (however unlikely that is), that || might actually be part of the object key?
There was a problem hiding this comment.
That is going to be true for any separator we pick. So yeah, I'm balancing aesthetics vs likelihood
There was a problem hiding this comment.
You do realize that git commit hashes may clash? :p
rix0rrr
pushed a commit
that referenced
this pull request
Sep 11, 2018
The headliners of this release are __.NET support__, and a wealth of commits by external contributors who are stepping up to fix the CDK for their use cases! Thanks all for the effort put into this release! * Add strongly-named .NET targets, and a `cdk init` template for C# projects ([@mpiroc] in [#617](#617), [#643](#643)). * __@aws-cdk/aws-autoscaling__: Allow attaching additional security groups to Launch Configuration ([@moofish32] in [#636](#636)). * __@aws-cdk/aws-autoscaling__: Support update and creation policies on AutoScalingGroups ([@rix0rrr] in [#595](#595)). * __@aws-cdk/aws-codebuild__: Add support for running script from an asset ([@rix0rrr] in [#677](#677)). * __@aws-cdk/aws-codebuild__: New method `addBuildToPipeline` on Project ([@skinny85] in [783dcb3](783dcb3)). * __@aws-cdk/aws-codecommit__: New method `addToPipeline` on Repository ([@skinny85] in [#616](#616)). * __@aws-cdk/aws-codedeploy__: Add initial support for CodeDeploy ([@skinny85] in [#593](#593), [#641](#641)). * __@aws-cdk/aws-dynamodb__: Add support for DynamoDB autoscaling ([@SeekerWing] in [#637](#637)). * __@aws-cdk/aws-dynamodb__: Add support for DynamoDB streams ([@rhboyd] in [#633](#633)). * __@aws-cdk/aws-dynamodb__: Add support for server-side encryption ([@jungseoklee] in [#684](#864)). * __@aws-cdk/aws-ec2__ (_**BREAKING**_): SecurityGroup can now be used as a Connectable [#582](#582)). * __@aws-cdk/aws-ec2__: Add VPC tagging ([@moofish] in [#538](#538)). * __@aws-cdk/aws-ec2__: Add support for `InstanceSize.Nano` ([@rix0rrr] in [#581](#581)) * __@aws-cdk/aws-lambda__: Add support for dead letter queues ([@SeekerWing] in [#663](#663)). * __@aws-cdk/aws-lambda__: Add support for placing a Lambda in a VPC ([@rix0rrr] in [#598](#598)). * __@aws-cdk/aws-logs__: Add `extractMetric()` helper function ([@rix0rrr] in [#676](#676)). * __@aws-cdk/aws-rds__: Add support for Aurora PostreSQL/MySQL engines ([@cookejames] in [#586](#586)) * __@aws-cdk/aws-s3__: Additional grant methods for Buckets ([@eladb] in [#591](#591)) * __@aws-cdk/aws-s3__: New method `addToPipeline` on Bucket ([@skinny85] in [c8b7a49](c8b7a49)). * __aws-cdk__: Add support for HTTP proxies ([@rix0rrr] in [#666](#666)). * __aws-cdk__: Toolkit now shows failure reason if stack update fails ([@rix0rrr] in [#609](#609)). * __cdk-build-tools__: Add support for running experiment JSII versions ([@RomainMuller] in [#649](#649)). * _**BREAKING**_: Generate classes and types for the CloudFormation resource `.ref` attributes ([@rix0rrr] in [#627](#627)). * _**BREAKING**_: Make types accepted in Policy-related classes narrower (from `any` to `Arn`, for example) to reduce typing mistakes ([@rix0rrr] in [#629](#629)). * __@aws-cdk/aws-codepipeline__ (_**BREAKING**_): Align the CodePipeline APIs ([@skinny85] in [#492](#492), [#568](#568)) * __@aws-cdk/aws-ec2__ (_**BREAKING**_): Move Fleet/AutoScalingGroup to its own package ([@rix0rrr] in [#608](#608)). * __aws-cdk__: Simplify plugin protocol ([@RomainMuller] in [#646](#646)). * __@aws-cdk/aws-cloudfront__: Fix CloudFront behavior for ViewerProtocolPolicy ([@mindstorms6] in [#615](#615)). * __@aws-cdk/aws-ec2__: VPC Placement now supports picking Isolated subnets ([@rix0rrr] in [#610](#610)). * __@aws-cdk/aws-logs__: Add `export()/import()` capabilities ([@rix0rrr] in [#630](#630)). * __@aws-cdk/aws-rds__: Fix a bug where a cluster with 1 instance could not be created ([@cookejames] in [#578](#578)) * __@aws-cdk/aws-s3__: Bucket notifications can now add dependencies, fixing creation order ([@eladb] in [#584](#584)). * __@aws-cdk/aws-s3__: Remove useless bucket name validation ([@rix0rrr] in [#628](#628)). * __@aws-cdk/aws-sqs__: Make `QueueRef.encryptionMasterKey` readonly ([@RomainMuller] in [#650](#650)). * __assets__: S3 read permissions are granted on a prefix to fix lost permissions during asset update ([@rix0rrr] in [#510](#510)). * __aws-cdk__: Remove bootstrapping error if multiple stacks are in the same environment ([@RomainMuller] in [#625](#625)). * __aws-cdk__: Report and continue if git throws errors during `cdk init` ([@rix0rrr] in [#587](#587)). * __@aws-cdk/cfnspec__: Updated [CloudFormation resource specification] to `v2.6.0` ([@RomainMuller] in [#594](#594)) + **New AWS Construct Library** - `@aws-cdk/aws-sagemaker` supports AWS::SageMaker resources + **New Resource Types** - AWS::AmazonMQ::Broker - AWS::AmazonMQ::Configuration - AWS::CodePipeline::Webhook - AWS::Config::AggregationAuthorization - AWS::Config::ConfigurationAggregator - AWS::EC2::VPCEndpointConnectionNotification - AWS::EC2::VPCEndpointServicePermissions - AWS::IAM::ServiceLinkedRole - AWS::SSM::ResourceDataSync - AWS::SageMaker::Endpoint - AWS::SageMaker::EndpointConfig - AWS::SageMaker::Model - AWS::SageMaker::NotebookInstance - AWS::SageMaker::NotebookInstanceLifecycleConfig + **Attribute Changes** - AWS::CodePipeline::Pipeline Version (__added__) + **Property Changes** - AWS::AppSync::DataSource HttpConfig (__added__) - AWS::DAX::Cluster SSESpecification (__added__) - AWS::DynamoDB::Table Stream (__added__) - AWS::DynamoDB::Table AutoScalingSupport (__added__) - AWS::EC2::VPCEndpoint IsPrivateDnsEnabled (__added__) - AWS::EC2::VPCEndpoint SecurityGroupIds (__added__) - AWS::EC2::VPCEndpoint SubnetIds (__added__) - AWS::EC2::VPCEndpoint VPCEndpointType (__added__) - AWS::EC2::VPCEndpoint RouteTableIds.DuplicatesAllowed (__deleted__) - AWS::EC2::VPCPeeringConnection PeerRegion (__added__) - AWS::EFS::FileSystem ProvisionedThroughputInMibps (__added__) - AWS::EFS::FileSystem ThroughputMode (__added__) - AWS::EMR::Cluster KerberosAttributes (__added__) - AWS::Glue::Classifier JsonClassifier (__added__) - AWS::Glue::Classifier XMLClassifier (__added__) - AWS::Glue::Crawler Configuration (__added__) - AWS::Lambda::Lambda DLQConfigurationSupport (__added__) - AWS::Neptune::DBInstance DBSubnetGroupName.UpdateType (__changed__) - Old: Mutable - New: Immutable - AWS::SNS::Subscription DeliveryPolicy (__added__) - AWS::SNS::Subscription FilterPolicy (__added__) - AWS::SNS::Subscription RawMessageDelivery (__added__) - AWS::SNS::Subscription Region (__added__) - AWS::SQS::Queue Tags (__added__) - AWS::ServiceDiscovery::Service HealthCheckCustomConfig (__added__) + **Property Type Changes** - AWS::AppSync::DataSource.HttpConfig (__added__) - AWS::DAX::Cluster.SSESpecification (__added__) - AWS::EMR::Cluster.KerberosAttributes (__added__) - AWS::Glue::Classifier.JsonClassifier (__added__) - AWS::Glue::Classifier.XMLClassifier (__added__) - AWS::ServiceDiscovery::Service.HealthCheckCustomConfig (__added__) - AWS::CloudFront::Distribution.CacheBehavior FieldLevelEncryptionId (__added__) - AWS::CloudFront::Distribution.DefaultCacheBehavior FieldLevelEncryptionId (__added__) - AWS::CodeBuild::Project.Artifacts EncryptionDisabled (__added__) - AWS::CodeBuild::Project.Artifacts OverrideArtifactName (__added__) - AWS::CodeBuild::Project.Environment Certificate (__added__) - AWS::CodeBuild::Project.Source ReportBuildStatus (__added__) - AWS::ServiceDiscovery::Service.DnsConfig RoutingPolicy (__added__) - AWS::WAF::WebACL.ActivatedRule Action.Required (__changed__) - Old: true - New: false * __@aws-cdk/cfnspec__: Updated Serverless Application Model (SAM) Resource Specification ([@RomainMuller] in [#594](#594)) + **Property Changes** - AWS::Serverless::Api MethodSettings (__added__) + **Property Type Changes** - AWS::Serverless::Function.SQSEvent (__added__) - AWS::Serverless::Function.EventSource Properties.Types (__changed__) - Added SQSEvent
Merged
rix0rrr
added a commit
that referenced
this pull request
Sep 11, 2018
The headliners of this release are __.NET support__, and a wealth of commits by external contributors who are stepping up to fix the CDK for their use cases! Thanks all for the effort put into this release! * Add strongly-named .NET targets, and a `cdk init` template for C# projects ([@mpiroc] in [#617](#617), [#643](#643)). * __@aws-cdk/aws-autoscaling__: Allow attaching additional security groups to Launch Configuration ([@moofish32] in [#636](#636)). * __@aws-cdk/aws-autoscaling__: Support update and creation policies on AutoScalingGroups ([@rix0rrr] in [#595](#595)). * __@aws-cdk/aws-codebuild__: Add support for running script from an asset ([@rix0rrr] in [#677](#677)). * __@aws-cdk/aws-codebuild__: New method `addBuildToPipeline` on Project ([@skinny85] in [783dcb3](783dcb3)). * __@aws-cdk/aws-codecommit__: New method `addToPipeline` on Repository ([@skinny85] in [#616](#616)). * __@aws-cdk/aws-codedeploy__: Add initial support for CodeDeploy ([@skinny85] in [#593](#593), [#641](#641)). * __@aws-cdk/aws-dynamodb__: Add support for DynamoDB autoscaling ([@SeekerWing] in [#637](#637)). * __@aws-cdk/aws-dynamodb__: Add support for DynamoDB streams ([@rhboyd] in [#633](#633)). * __@aws-cdk/aws-dynamodb__: Add support for server-side encryption ([@jungseoklee] in [#684](#864)). * __@aws-cdk/aws-ec2__ (_**BREAKING**_): SecurityGroup can now be used as a Connectable [#582](#582)). * __@aws-cdk/aws-ec2__: Add VPC tagging ([@moofish] in [#538](#538)). * __@aws-cdk/aws-ec2__: Add support for `InstanceSize.Nano` ([@rix0rrr] in [#581](#581)) * __@aws-cdk/aws-lambda__: Add support for dead letter queues ([@SeekerWing] in [#663](#663)). * __@aws-cdk/aws-lambda__: Add support for placing a Lambda in a VPC ([@rix0rrr] in [#598](#598)). * __@aws-cdk/aws-logs__: Add `extractMetric()` helper function ([@rix0rrr] in [#676](#676)). * __@aws-cdk/aws-rds__: Add support for Aurora PostreSQL/MySQL engines ([@cookejames] in [#586](#586)) * __@aws-cdk/aws-s3__: Additional grant methods for Buckets ([@eladb] in [#591](#591)) * __@aws-cdk/aws-s3__: New method `addToPipeline` on Bucket ([@skinny85] in [c8b7a49](c8b7a49)). * __aws-cdk__: Add support for HTTP proxies ([@rix0rrr] in [#666](#666)). * __aws-cdk__: Toolkit now shows failure reason if stack update fails ([@rix0rrr] in [#609](#609)). * __cdk-build-tools__: Add support for running experiment JSII versions ([@RomainMuller] in [#649](#649)). * _**BREAKING**_: Generate classes and types for the CloudFormation resource `.ref` attributes ([@rix0rrr] in [#627](#627)). * _**BREAKING**_: Make types accepted in Policy-related classes narrower (from `any` to `Arn`, for example) to reduce typing mistakes ([@rix0rrr] in [#629](#629)). * __@aws-cdk/aws-codepipeline__ (_**BREAKING**_): Align the CodePipeline APIs ([@skinny85] in [#492](#492), [#568](#568)) * __@aws-cdk/aws-ec2__ (_**BREAKING**_): Move Fleet/AutoScalingGroup to its own package ([@rix0rrr] in [#608](#608)). * __aws-cdk__: Simplify plugin protocol ([@RomainMuller] in [#646](#646)). * __@aws-cdk/aws-cloudfront__: Fix CloudFront behavior for ViewerProtocolPolicy ([@mindstorms6] in [#615](#615)). * __@aws-cdk/aws-ec2__: VPC Placement now supports picking Isolated subnets ([@rix0rrr] in [#610](#610)). * __@aws-cdk/aws-logs__: Add `export()/import()` capabilities ([@rix0rrr] in [#630](#630)). * __@aws-cdk/aws-rds__: Fix a bug where a cluster with 1 instance could not be created ([@cookejames] in [#578](#578)) * __@aws-cdk/aws-s3__: Bucket notifications can now add dependencies, fixing creation order ([@eladb] in [#584](#584)). * __@aws-cdk/aws-s3__: Remove useless bucket name validation ([@rix0rrr] in [#628](#628)). * __@aws-cdk/aws-sqs__: Make `QueueRef.encryptionMasterKey` readonly ([@RomainMuller] in [#650](#650)). * __assets__: S3 read permissions are granted on a prefix to fix lost permissions during asset update ([@rix0rrr] in [#510](#510)). * __aws-cdk__: Remove bootstrapping error if multiple stacks are in the same environment ([@RomainMuller] in [#625](#625)). * __aws-cdk__: Report and continue if git throws errors during `cdk init` ([@rix0rrr] in [#587](#587)). * __@aws-cdk/cfnspec__: Updated [CloudFormation resource specification] to `v2.6.0` ([@RomainMuller] in [#594](#594)) + **New AWS Construct Library** - `@aws-cdk/aws-sagemaker` supports AWS::SageMaker resources + **New Resource Types** - AWS::AmazonMQ::Broker - AWS::AmazonMQ::Configuration - AWS::CodePipeline::Webhook - AWS::Config::AggregationAuthorization - AWS::Config::ConfigurationAggregator - AWS::EC2::VPCEndpointConnectionNotification - AWS::EC2::VPCEndpointServicePermissions - AWS::IAM::ServiceLinkedRole - AWS::SSM::ResourceDataSync - AWS::SageMaker::Endpoint - AWS::SageMaker::EndpointConfig - AWS::SageMaker::Model - AWS::SageMaker::NotebookInstance - AWS::SageMaker::NotebookInstanceLifecycleConfig + **Attribute Changes** - AWS::CodePipeline::Pipeline Version (__added__) + **Property Changes** - AWS::AppSync::DataSource HttpConfig (__added__) - AWS::DAX::Cluster SSESpecification (__added__) - AWS::DynamoDB::Table Stream (__added__) - AWS::DynamoDB::Table AutoScalingSupport (__added__) - AWS::EC2::VPCEndpoint IsPrivateDnsEnabled (__added__) - AWS::EC2::VPCEndpoint SecurityGroupIds (__added__) - AWS::EC2::VPCEndpoint SubnetIds (__added__) - AWS::EC2::VPCEndpoint VPCEndpointType (__added__) - AWS::EC2::VPCEndpoint RouteTableIds.DuplicatesAllowed (__deleted__) - AWS::EC2::VPCPeeringConnection PeerRegion (__added__) - AWS::EFS::FileSystem ProvisionedThroughputInMibps (__added__) - AWS::EFS::FileSystem ThroughputMode (__added__) - AWS::EMR::Cluster KerberosAttributes (__added__) - AWS::Glue::Classifier JsonClassifier (__added__) - AWS::Glue::Classifier XMLClassifier (__added__) - AWS::Glue::Crawler Configuration (__added__) - AWS::Lambda::Lambda DLQConfigurationSupport (__added__) - AWS::Neptune::DBInstance DBSubnetGroupName.UpdateType (__changed__) - Old: Mutable - New: Immutable - AWS::SNS::Subscription DeliveryPolicy (__added__) - AWS::SNS::Subscription FilterPolicy (__added__) - AWS::SNS::Subscription RawMessageDelivery (__added__) - AWS::SNS::Subscription Region (__added__) - AWS::SQS::Queue Tags (__added__) - AWS::ServiceDiscovery::Service HealthCheckCustomConfig (__added__) + **Property Type Changes** - AWS::AppSync::DataSource.HttpConfig (__added__) - AWS::DAX::Cluster.SSESpecification (__added__) - AWS::EMR::Cluster.KerberosAttributes (__added__) - AWS::Glue::Classifier.JsonClassifier (__added__) - AWS::Glue::Classifier.XMLClassifier (__added__) - AWS::ServiceDiscovery::Service.HealthCheckCustomConfig (__added__) - AWS::CloudFront::Distribution.CacheBehavior FieldLevelEncryptionId (__added__) - AWS::CloudFront::Distribution.DefaultCacheBehavior FieldLevelEncryptionId (__added__) - AWS::CodeBuild::Project.Artifacts EncryptionDisabled (__added__) - AWS::CodeBuild::Project.Artifacts OverrideArtifactName (__added__) - AWS::CodeBuild::Project.Environment Certificate (__added__) - AWS::CodeBuild::Project.Source ReportBuildStatus (__added__) - AWS::ServiceDiscovery::Service.DnsConfig RoutingPolicy (__added__) - AWS::WAF::WebACL.ActivatedRule Action.Required (__changed__) - Old: true - New: false * __@aws-cdk/cfnspec__: Updated Serverless Application Model (SAM) Resource Specification ([@RomainMuller] in [#594](#594)) + **Property Changes** - AWS::Serverless::Api MethodSettings (__added__) + **Property Type Changes** - AWS::Serverless::Function.SQSEvent (__added__) - AWS::Serverless::Function.EventSource Properties.Types (__changed__) - Added SQSEvent
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We need to give asset consumers permissions on all versions of
an asset, not just the latest version. Otherwise, we will never
be able to do rolling updates.
Also add caching on AWS client instances, so with multiple
asset uploads we don't have to construct a new S3 client for
every asset (incurring credential lookups for each one).
This fixes #484.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.