Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(appconfig): scope generated alarm role policy to '*' for composite alarm support #29171

Merged
merged 11 commits into from
Feb 20, 2024

Conversation

chenjane-dev
Copy link
Contributor

@chenjane-dev chenjane-dev commented Feb 19, 2024

Reason for this change

Customers could create an alarm of type IAlarm where the alarm would be a composite alarm (for ex, when importing composite alarms, they return a type IAlarm instead of CompositeAlarm. This caused the logic that differentiates a composite alarm to mistakenly categorize the alarm incorrectly.

Description of changes

Add one policy scoped to * for any alarm passed to an environment.

Description of how you validated changes

Unit and integration tests

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added admired-contributor [Pilot] contributed between 13-24 PRs to the CDK p2 labels Feb 19, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team February 19, 2024 22:01
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

Copy link
Contributor

@kaizencc kaizencc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, is there a way to integ test this to be sure that the policy is correctly formatted now?

const policy = new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['cloudwatch:DescribeAlarms'],
resources: [alarmArn],
resources: ['*'],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why '*' and not monitor.alarmArn? I don't like the default to all resources from a security perspective, so if this has to stay, we have to document exactly why we are doing it this way. * sends off alarm bells in a lot of customer use cases.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The integ test already tests this because there is only one policy being created now with resource set to *.

Yeah, I discussed this with a senior engineer on my team and it is only being scoped to all resources for DescribeAlarms so I think this should be okay. But, after doing some personal testing, I found out that the original policy we had for composite alarms actually works when scoped narrower than * so the CW docs must be incorrect here. We could change this to that if you want too

https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DescribeAlarms.html

Copy link
Contributor

@kaizencc kaizencc Feb 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re: integ test

the test checks if the policy is being created with the resource set to *. it does not yet test that that policy can be used successfully. i argue that the latter is the important part, the former is simply a unit test.

edit: you know what I'm fine with this as is. disregard the above statement.

re: resource

since it is just a scope for describeAlarms, i.e. a readonly prop, we should be fine with *. Can you document in the code that we are okay with this for the readonly permissions and link to the doc page?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

@kaizencc kaizencc added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Feb 20, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review February 20, 2024 16:04

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

private createAlarmRole(monitor: Monitor, index: number): iam.IRole {
const logicalId = monitor.isCompositeAlarm ? 'RoleCompositeAlarm' : `Role${index}`;
private createOrGetAlarmRole(): iam.IRole {
const logicalId = 'Role';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ooh, we should have a much more descriptive logicalId here if we are searching for it in the tree. This name feels far too generic and can result in collisions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! Updated

@mergify mergify bot dismissed kaizencc’s stale review February 20, 2024 16:31

Pull request has been modified.

kaizencc
kaizencc previously approved these changes Feb 20, 2024
@mergify mergify bot dismissed kaizencc’s stale review February 20, 2024 17:08

Pull request has been modified.

kaizencc
kaizencc previously approved these changes Feb 20, 2024
@mergify mergify bot dismissed kaizencc’s stale review February 20, 2024 18:56

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7aa65c9
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 20, 2024
Copy link
Contributor

mergify bot commented Feb 20, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit c17879d into aws:main Feb 20, 2024
13 checks passed
@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 20, 2024
@chenjane-dev chenjane-dev deleted the composite-alarm branch February 20, 2024 21:11
GavinZZ pushed a commit that referenced this pull request Feb 22, 2024
…e alarm support (#29171)

### Reason for this change

Customers could create an alarm of type `IAlarm` where the alarm would be a composite alarm (for ex, when importing composite alarms, they return a type `IAlarm` instead of `CompositeAlarm`. This caused the logic that differentiates a composite alarm to mistakenly categorize the alarm incorrectly.

### Description of changes

Add one policy scoped to `*` for any alarm passed to an environment.

### Description of how you validated changes

Unit and integration tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
admired-contributor [Pilot] contributed between 13-24 PRs to the CDK p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants