Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(iam): AccountPrincipal accepts values which aren't account IDs #20292

Merged
merged 9 commits into from
May 19, 2022
Merged

fix(iam): AccountPrincipal accepts values which aren't account IDs #20292

merged 9 commits into from
May 19, 2022

Conversation

tejasmr
Copy link
Contributor

@tejasmr tejasmr commented May 11, 2022

Changed the type of accountId in AccountPrincipal constructor to string from any fixes #20288


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Changed the type of accountId in AccountPrincipal constructor to string from any to fix issue #20288
@gitpod-io
Copy link

gitpod-io bot commented May 11, 2022

@github-actions github-actions bot added the p2 label May 11, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team May 11, 2022 14:26
@tejasmr tejasmr changed the title Changed type of accountId from any to string fix(iam): Changed type of accountId from any to string May 11, 2022
@tejasmr
Copy link
Contributor Author

tejasmr commented May 11, 2022

The parameter accountId was having the type 'any' and being assigned to a data member of class AccountPrincipal called principalAccount which is of type 'string | undefined'. accountId and principalAccount are meant to hold the AWS account id which should be in the form of string. Changing the type annotation of accountId as parameter in AccountPrincipal constructor won't have any other effects other than specifying the TypeScript linter the type of the parameter accountId. There doesn't seem to be any other reason for the type of accountId to be 'any' since this parameter is only part of the constructor, and will be used to create the stack dependent token and assigning to principalAccount in the constructor. The format of the stack dependent token only works with valid accountId, and the principalAccount should also be valid accountId. If you pass an object, it should give you TypeError to indicate the error in the format given to the AccountPrincipal constructor.

@tejasmr
Copy link
Contributor Author

tejasmr commented May 11, 2022

Seems like a check compatibility issue: check-api-compatibility.sh
From this, aws-iam folder, there is a .warnings.jsii.js file which is not tracked in git.
This file has the following line:

function _aws_cdk_aws_iam_AccountPrincipal(p) {
}
...
module.exports = { ..., _aws_cdk_aws_iam_AccountPrincipal, ... };

The build is failing because of this. Adding it to allowed-breaking-changes.txt

Added `incompatible-argument:@aws-cdk/aws-iam.AccountPrincipal.<initializer>` to allowed-breaking-changes.txt to fix the build error.
@tejasmr
Copy link
Contributor Author

tejasmr commented May 14, 2022

@rix0rrr can you review this PR?

Copy link
Contributor

@rix0rrr rix0rrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree this is poor choices in the past, but unencoded tokens (IResolvable) are accepted here, and the change would require code changes by consumers (i.e., not acceptable).

We have to change this into a run-time check, unfortunately:

if (!Token.isUnresolved(accountId) && typeof accountId !== 'string') {
  throw new Error('...');
}

Copy link
Contributor Author

@tejasmr tejasmr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added this change inside the constructor and reverted back to any. Should this be a fix or a chore?

@tejasmr tejasmr requested a review from rix0rrr May 16, 2022 17:56
Added run time check for accountId type and added appropriate error message for that. Reverted the type annotation for accountId to any
@mergify mergify bot dismissed rix0rrr’s stale review May 16, 2022 18:07

Pull request has been modified.

@github-actions github-actions bot added the bug This issue is a bug. label May 16, 2022
@tejasmr tejasmr changed the title fix(iam): Changed type of accountId from any to string fix(iam): Type of accountId in AccountPrincipal constructor is any May 16, 2022
@rix0rrr
Copy link
Contributor

rix0rrr commented May 17, 2022

I added this change inside the constructor and reverted back to any. Should this be a fix or a chore?

Both are reasonable. You can call it a fix if you want to :)

@rix0rrr
Copy link
Contributor

rix0rrr commented May 17, 2022

@aws-cdk/aws-iam: lib/principals.ts:396:10 - error TS2304: Cannot find name 'Token'.
@aws-cdk/aws-iam: 396     if (!Token.isUnresolved(accountId) && typeof accountId !== 'string') {

Fixed the error
```bash
@aws-cdk/aws-iam: lib/principals.ts:395:3 - error TS2376: A 'super' call must be the first statement in the constructor when a class contains initialized properties, parameter properties, or private identifiers.
```
@tejasmr
Copy link
Contributor Author

tejasmr commented May 17, 2022

@rix0rrr can you review?

Copy link
Contributor

@rix0rrr rix0rrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still needs a test, and the breaking changes except is no longer necessary

@mergify mergify bot dismissed rix0rrr’s stale review May 18, 2022 13:26

Pull request has been modified.

@tejasmr tejasmr requested a review from rix0rrr May 18, 2022 15:27
@rix0rrr rix0rrr changed the title fix(iam): Type of accountId in AccountPrincipal constructor is any fix(iam): AccountPrincipal accepts values which aren't account IDs May 19, 2022
@mergify
Copy link
Contributor

mergify bot commented May 19, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 23fa8f8
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit d0163f8 into aws:master May 19, 2022
@mergify
Copy link
Contributor

mergify bot commented May 19, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

wphilipw pushed a commit to wphilipw/aws-cdk that referenced this pull request May 23, 2022
…ws#20292)

Changed the type of accountId in AccountPrincipal constructor to string from any fixes aws#20288 


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@rix0rrr rix0rrr added the effort/small Small work item – less than a day of effort label May 25, 2022
mergify bot pushed a commit that referenced this pull request Sep 21, 2022
----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---

With the merge of [#20292](#20292) the accountID type was essentially required to be a string with the exception of an unencoded token. So, while the type of accountId cannot be set to string and must remain any to preserve compatibility, the hint for accountId should at least suggest that a string should be used rather than an int.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws_iam: any parameter type in AccountPrinciple constructor
4 participants