cli: permissions snapshot integration testing #32088

Open
Tracked by #32171
iliapolo opened this issue Nov 11, 2024 · 0 comments
Labels
effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI

Comments

iliapolo (Contributor) commented Nov 11, 2024

Describe the feature

Every CLI integration test will record a file containing all IAM roles it assumed and all IAM actions it performed during the test execution.

This file will serve as a snapshot, which will fail the test in case it contains changes.

Use Case

It is not uncommon for organizations to have very strict IAM policy requirements. So strict in fact that the roles used by the CLI are configured to only allow the actions and principals that are currently required for it to operate.

In such cases, any change to which roles are assumed, or which actions are performed, will break customer deployments. While the CDK doesn't make guarantees it will never do so (it would be close to impossible to add new features if we did), it would still be advantageous to catch those occurrences and handle them with more care.

Examples: #29483, #32219

Proposed Solution

One option to catch these types of changes is to configure our own policies to be as strict as possible when we run integration tests. This, however, can be cumbersome to operate and maintain. Instead, we would like an automatic mechanism that doesn't require infrastructure changes.

Research required, but there must be a way to hook into the AWS SDK and intercept service calls, to form a snapshot of the roles and actions used during the test.

In case a test fails because the snapshot changed, we will:

  1. Determine if the change is expected. If it isn't - great, we caught a bug.
  2. If it is, we bypass the validation and proceed. In this case, the snapshot file can serve as data that we can communicate to our customers, notifying them about what exactly changed so they can prepare for it.

The aggregation of all snapshots from all tests can also serve as a public document, detailing which actions are required for each command.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

ALL

Environment details (OS name and version, etc.)

ALL
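A sketch of the interception mechanism proposed above, added here as an example; it is not code from the issue or from the aws-cdk repository. It assumes the shape of an AWS SDK for JavaScript v3 middleware (`(next, context) => handler`, attachable via `client.middlewareStack.add`), that the execution context carries `clientName`/`commandName` following the SDK's `<Service>Client` / `<Operation>Command` naming, and that `AssumeRoleCommand` input carries `RoleArn`; the snapshot and diff shapes are this example's own.

```typescript
// Added example (not aws-cdk code): record IAM actions and assumed roles per test run.
interface CallContext { clientName?: string; commandName?: string; }
type Handler = (args: { input: any }) => Promise<unknown>;
interface PermissionsSnapshot { roles: string[]; actions: string[]; }

class PermissionsRecorder {
  private readonly roles = new Set<string>();
  private readonly actions = new Set<string>();

  // Derive an IAM action from SDK names, e.g. CloudFormationClient + DescribeStacksCommand
  // -> cloudformation:DescribeStacks. Services whose IAM prefix differs from the client
  // name (assumption: a few do) would need an explicit lookup table instead of this rule.
  static toIamAction(ctx: CallContext): string {
    const service = (ctx.clientName ?? 'unknown').replace(/Client$/, '').toLowerCase();
    const action = (ctx.commandName ?? 'Unknown').replace(/Command$/, '');
    return `${service}:${action}`;
  }

  record(ctx: CallContext, input: any): void {
    this.actions.add(PermissionsRecorder.toIamAction(ctx));
    // An sts:AssumeRole call names the role the CLI is about to act as.
    if (ctx.commandName === 'AssumeRoleCommand' && typeof input?.RoleArn === 'string') {
      this.roles.add(input.RoleArn);
    }
  }

  // Attach with client.middlewareStack.add(recorder.middleware(), { step: 'initialize' }).
  middleware() {
    return (next: Handler, ctx: CallContext): Handler => (args) => {
      this.record(ctx, args.input);
      return next(args);
    };
  }

  snapshot(): PermissionsSnapshot {
    return { roles: [...this.roles].sort(), actions: [...this.actions].sort() };
  }
}

// Compare the freshly recorded snapshot with the committed one. A non-empty result fails
// the test and doubles as the "what changed" notice for customers with strict policies.
function diffSnapshot(expected: PermissionsSnapshot, actual: PermissionsSnapshot): string[] {
  const only = (a: string[], b: string[], tag: string) =>
    a.filter((x) => !b.includes(x)).map((x) => `${tag} ${x}`);
  return [
    ...only(actual.roles, expected.roles, '+role'), ...only(expected.roles, actual.roles, '-role'),
    ...only(actual.actions, expected.actions, '+action'), ...only(expected.actions, actual.actions, '-action'),
  ];
}
```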

@iliapolo iliapolo added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 11, 2024
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Nov 11, 2024
@pahud pahud added p2 effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. p2 labels Nov 11, 2024