fix(stepfunctions-tasks): run task permission is too broad (under feature flag) #30389
Conversation
github-actions
bot
added
effort/medium
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
Exemption Request: I updated integration snapshots, but a change in the integration test file isn't needed. |
There was a problem hiding this comment.
I agree that we were granting too much permission in the current solution based on the documentation you provided. However, I'm a bit worried that this would introduce breaking changes for existing users (who incorrectly rely on the broad permissions) and accepting this would break their application.
GavinZZ
added
the
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed stale reviews from themself
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
Yes, thanks for leaving a comment. I think feature flag is needed in this case to guarantee no breaking change. IMO I think it's likely that only few users would experience any breaking changes from this change, but I don't have the data on me and it's our promise that stable module don't bring breaking changes. |
I don't even think this was working previously. See my PR description here: #27891. |
|
@msambol Sorry for the delayed response. A bit confused here. It seems there was an issue with too little permission and you've fixed it half a year ago. So I'm assuming this is working now except we've giving too much permission in the resource field, meaning that this is currently working right and it may be a breaking change? |
This https://github.com/aws/aws-cdk/pull/27891/files#diff-9d5f521b191b7a78f695205cd6cdbf39fce4ffcae0de03b4c4a92d3c59c06f3cL343 permission was initially there, but it didn't actually work or allow the integration tests to run properly. Adding https://github.com/aws/aws-cdk/pull/27891/files#diff-9d5f521b191b7a78f695205cd6cdbf39fce4ffcae0de03b4c4a92d3c59c06f3cR346 permission fixed it. I should have removed the initial condition when I added the other one. But if you feel we should do a feature flag just in case, we can add that. |
|
I would like to ask to add a feature flag just in case. Reason being is that my understanding is that currently we allow |
|
@GavinZZ Do you have an example on where we use a FF like this? |
|
This one seems to be similar https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/pipelines/lib/codepipeline/codepipeline.ts#L987 |
packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts
Show resolved
Hide resolved
|
@GavinZZ Let me know what you think of this. Default is the extra permission gets added. |
GavinZZ
changed the title
aws-cdk-automation
removed
the
pr/needs-community-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
added
the
pr/needs-community-review
aws-cdk-automation
removed
the
pr/needs-community-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Closes #30368.
Doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#IAM_run_policies