fix(stepfunctions-tasks): cloudwatchlogs service generates wrong action in role policy #27623
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…on in role policy
github-actions
bot
added
bug
aws-cdk-automation
previously requested changes
Oct 20, 2023
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
scanlonp
requested changes
Oct 20, 2023
There was a problem hiding this comment.
Hey @go-to-k, this change looks great. Before approval, do you have a link to docs that state the correct action is logs:createLogStream?
Also in the original issue, the user states that the action should be logs:CreateLogStream with a capital C on Create. Another case where the docs would be helpful in confirming the correct action is being created.
aws-cdk-automation
removed
the
pr/needs-community-review
|
Thanks for your review. It cannot be pascal case like At first, the following description is in the UserGuide reference.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html The documentation link is also in the CDK codes. But the IAM actions are case insensitive, while StepFunctions SDK service integrations are case sensitive for API actions. The actions for StepFunctions must be camel case only. Also, by default, the
https://docs.aws.amazon.com/step-functions/latest/dg/supported-services-awssdk.html So, if you use In this regard, I |
scanlonp
previously approved these changes
Oct 24, 2023
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify
bot
dismissed
scanlonp’s stale review
Pull request has been modified.
scanlonp
approved these changes
Oct 24, 2023
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify bot
pushed a commit
that referenced
this pull request
Oct 24, 2023
…n CallAwsService (#27635) This PR adds the following validations in CallAwsService. - `action` must be camelCase. - parameter names in `parameters` must be PascalCase. See the doc: https://docs.aws.amazon.com/step-functions/latest/dg/supported-services-awssdk.html > The API action will always be camel case, and parameter names will be Pascal case. For example, you could use Step Functions API action startSyncExecution and specify its parameter as StateMachineArn. CloudFormation fails with a following error if there are not these validations. ``` Deployment failed: Error: The stack named aws-stepfunctions-tasks-call-aws-service-logs-integ failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid State Machine Definition: 'SCHEMA_VALIDATION_FAILED: The resource provided arn:aws:states:::aws-sdk:cloudwatchlogs:CreateLogStream is not recognized. The value is not a valid resource ARN, or the resource is not available in this region. at /States/SendTaskSuccess/Resource' (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidDefinition; Request ID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx; Proxy: null)" (RequestToken: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, HandlerErrorCode: InvalidRequest) ``` I think it is a good thing to make these errors in the synth phase, since there were actually cases of confusion as follows. #27623 (comment) I also thought to not validate but translate to camel (or pascal) cases. However I thought it would allow input that violates the explanation defined in the API documentation, so I decided not to. On the other hands, the `action` is also used for IAM actions so the IAM actions will be to camel cases (like `logs:createLogStream`). But I allowed it because IAM actions are case insensitive. If a translation is a better way to do it rather than the validation, I will consider that as well. https://github.com/aws/aws-cdk/blob/09c809b52fd2eeb27ac5bbc91d425ecf54e31bf9/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts#L92-L94 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mrgrain
pushed a commit
that referenced
this pull request
Nov 1, 2023
…n CallAwsService (#27635) This PR adds the following validations in CallAwsService. - `action` must be camelCase. - parameter names in `parameters` must be PascalCase. See the doc: https://docs.aws.amazon.com/step-functions/latest/dg/supported-services-awssdk.html > The API action will always be camel case, and parameter names will be Pascal case. For example, you could use Step Functions API action startSyncExecution and specify its parameter as StateMachineArn. CloudFormation fails with a following error if there are not these validations. ``` Deployment failed: Error: The stack named aws-stepfunctions-tasks-call-aws-service-logs-integ failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid State Machine Definition: 'SCHEMA_VALIDATION_FAILED: The resource provided arn:aws:states:::aws-sdk:cloudwatchlogs:CreateLogStream is not recognized. The value is not a valid resource ARN, or the resource is not available in this region. at /States/SendTaskSuccess/Resource' (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidDefinition; Request ID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx; Proxy: null)" (RequestToken: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, HandlerErrorCode: InvalidRequest) ``` I think it is a good thing to make these errors in the synth phase, since there were actually cases of confusion as follows. #27623 (comment) I also thought to not validate but translate to camel (or pascal) cases. However I thought it would allow input that violates the explanation defined in the API documentation, so I decided not to. On the other hands, the `action` is also used for IAM actions so the IAM actions will be to camel cases (like `logs:createLogStream`). But I allowed it because IAM actions are case insensitive. If a translation is a better way to do it rather than the validation, I will consider that as well. https://github.com/aws/aws-cdk/blob/09c809b52fd2eeb27ac5bbc91d425ecf54e31bf9/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts#L92-L94 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mrgrain
pushed a commit
that referenced
this pull request
Nov 1, 2023
…on in role policy (#27623) This PR fixes the bug that a wrong action in role policy is generated when `cloudwatchlogs` service is specified. A correct action is `logs:xxx`, but current behavior is to `cloudwatchlogs:xxx` by using the `service` property. Closes #27573. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mergify bot
pushed a commit
that referenced
this pull request
Dec 5, 2023
… policy (#28082) When we use CallAwsService for Step Functions task, CDK generates IAM policy to grant permission regarding the API call. However, if we specify `mwaa` as service in CallAwsService, CDK generates wrong policy statement such as `mwaa:listEnvironments`. Correct service prefix for MWAA is `airflow`. https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html > Amazon Managed Workflows for Apache Airflow (service prefix: airflow) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies. This PR solves the issue by adding `mwaa` into iamServiceMap. This is similar with #27623. Closes #28081 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
chenjane-dev
pushed a commit
to chenjane-dev/aws-cdk
that referenced
this pull request
Dec 5, 2023
… policy (aws#28082) When we use CallAwsService for Step Functions task, CDK generates IAM policy to grant permission regarding the API call. However, if we specify `mwaa` as service in CallAwsService, CDK generates wrong policy statement such as `mwaa:listEnvironments`. Correct service prefix for MWAA is `airflow`. https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html > Amazon Managed Workflows for Apache Airflow (service prefix: airflow) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies. This PR solves the issue by adding `mwaa` into iamServiceMap. This is similar with aws#27623. Closes aws#28081 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mergify bot
pushed a commit
that referenced
this pull request
Jan 31, 2024
…ion in role policy (#28775) When we use CallAwsService for Step Functions task, CDK generates IAM policy to grant permission regarding the API call. However, if we specify `mediapackagevod` as service in CallAwsService, CDK generates wrong policy statement such as `mediapackagevod:deleteAsset`. Correct service prefix for MediaPackageVOD is `mediapackage-vod`. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html > Amazon MediaPackageVOD (service prefix: mediapackage-vod) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies. This PR solves the issue by adding mediapackagevod into iamServiceMap. This is similar with #27623 and #28082. Closes #28774. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
SankyRed
pushed a commit
that referenced
this pull request
Feb 8, 2024
…ion in role policy (#28775) When we use CallAwsService for Step Functions task, CDK generates IAM policy to grant permission regarding the API call. However, if we specify `mediapackagevod` as service in CallAwsService, CDK generates wrong policy statement such as `mediapackagevod:deleteAsset`. Correct service prefix for MediaPackageVOD is `mediapackage-vod`. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html > Amazon MediaPackageVOD (service prefix: mediapackage-vod) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies. This PR solves the issue by adding mediapackagevod into iamServiceMap. This is similar with #27623 and #28082. Closes #28774. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes the bug that a wrong action in role policy is generated when
cloudwatchlogsservice is specified.A correct action is
logs:xxx, but current behavior is tocloudwatchlogs:xxxby using theserviceproperty.Closes #27573.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license