cli: permissions snapshot integration testing #32088
Labels
effort/medium
Medium work item – several days of effort
feature-request
A feature should be added or improved.
p1
package/tools
Related to AWS CDK Tools or CLI
Describe the feature
Every CLI integration test will record a file containing all IAM roles it assumed and all IAM actions it performed during the test execution.
This file will serve as a snapshot, which will fail the test in case it contains changes.
Use Case
It is not uncommon for organizations to have very strict IAM policy requirements. So strict in fact that the roles used by the CLI are configured to only allow the actions and principals that are currently required for it to operate.
In such cases, any changes to which roles are assumed, or which actions are performed will break customer deployments. While the CDK doesn't make guarantees it will never do so (it would be close to impossible to add new features if we did), it would still be advantageous to catch those occurrences and handle them with more care.
Proposed Solution
One option to catch these types of changes is configure our own policies to be as strict as possible when we run integration tests. This however can be cumbersome to operate and maintain. Instead, we would like an automatic mechanism that doesn't require infrastructure changes.
Research required, but there must be a way to hook into the aws sdk and intercept service calls, to form a snapshot of the roles and actions used during the test.
In case a test fails because the snapshot changed, we will:
The aggregation of all snapshots from all tests can also serve as a public document, detailing which actions are required for each command.
Other Information
No response
Acknowledgements
CDK version used
ALL
Environment details (OS name and version, etc.)
ALL
The text was updated successfully, but these errors were encountered: