chore: remove use of deprecated ServicePrincipal Mapping#30832
chore: remove use of deprecated ServicePrincipal Mapping#30832mergify[bot] merged 9 commits intomainfrom
Conversation
They have now been standardized for a few years. We did not initially remove the old mappings out of caution and because we were unsure that the changes has made it to all regions yet. It is long past that happening at this point.
| public static servicePrincipal(service: string): string { | ||
| return `service-principal:${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}`; | ||
| return `${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}.amazonaws.com`; |
There was a problem hiding this comment.
isn't this breaking? I know you've deprecated it, but you're changing the behavior of this method
There was a problem hiding this comment.
This formatting was to do a lookup in the database, which resulted in returning what I have now changed it to.
| public servicePrincipal(service: string): string | undefined { | ||
| return Fact.find(this.name, FactName.servicePrincipal(service)); | ||
| return `${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}.amazonaws.com`; |
There was a problem hiding this comment.
Same as above.
scanlonp
left a comment
There was a problem hiding this comment.
How do the principals work for services that conditionally have the region in the principal? Are those still consistent after this change?
| "Action": "sts:AssumeRole", | ||
| "Effect": "Allow", | ||
| "Principal": { | ||
| "Service": "glue.amazonaws.com" |
There was a problem hiding this comment.
Were these glue service principals simply wrong before?
There was a problem hiding this comment.
Correct, this policy wasn't actually in use in the test so it wasn't caught but it was invalid altogether.
| "states", | ||
| ], | ||
| }, | ||
| "Service": "states.amazonaws.com", |
There was a problem hiding this comment.
I believe this service principal should have the region in it, i.e. states.us-west-1.amazonaws.com. This could be right since the principal is sans region some of the time, but looking through the regional maps we had, a majority of the regions are included in the principal.
There was a problem hiding this comment.
Or at least it should not be static if it can be either. The test should be environment agnostic and be a mapping, correct?
There was a problem hiding this comment.
The only context in which any region should be included is in opt in regions when the permissions are cross region. This is not that case.
comcalvi
left a comment
There was a problem hiding this comment.
This is great work, nothing but some minor comments.
| * @deprecated - Use VpceEndpointService.VPC_ENDPOINT_SERVICE_NAME_PREFIX instead | ||
| */ | ||
| public static readonly VPC_ENDPOINT_SERVICE_NAME_PREFIX = 'com.amazonaws.vpce'; |
There was a problem hiding this comment.
You gave it a different name above, it's just DEFAULT_PREFIX now.
There was a problem hiding this comment.
OOOOOPS. Missed updating this.
| * | ||
| * Not in the list ==> default service principal mappings. | ||
| */ | ||
| export const AWS_SERVICES: readonly string[] = [ |
There was a problem hiding this comment.
yes! Deleting this is a win.
There was a problem hiding this comment.
DELETE ALL THE THINGS
| .filter((oldFact) => !newFacts.some((newFact) => factEq(oldFact, newFact))) | ||
| .map((fact) => ({ fact, key: `${fact[0]}:${fact[1]}` })) | ||
| // These aren't accessed directly and we've just updated our handling of them, | ||
| // not removed this functionality. The mapping is unnecessary. |
There was a problem hiding this comment.
Can you clarify which mapping this is referring to?
There was a problem hiding this comment.
We generate it at build time. I'll clarify.
| @@ -1,12 +1,15 @@ | |||
| /** | |||
| * Provides default values for certain regional information points. | |||
| * @deprecated - Service principals are now globally `<SERVICE>.amazonaws.com` | |||
There was a problem hiding this comment.
What's the direct replacement class / object / functionality that users should use instead of Default?
There was a problem hiding this comment.
I forgot to update this. Will change.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
They have now been standardized for a few years. We did not initially remove the old mappings out of caution and because we were unsure that the changes has made it to all regions yet. It is long past that happening at this point.
Because we never removed this or marked it as deprecated, we still have a not insignificant amount of customers who believe the individual mapping is necessary and cut tickets because it is not up-to-date.
Issue # (if applicable)
Closes #.
Reason for this change
Description of changes
Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license