refactor: gate access to environment SDK behind new class by rix0rrr · Pull Request #31904 · aws/aws-cdk

rix0rrr · 2024-10-25T13:48:49Z

Previously there were methods on the Deployments class that made it possible to directly get an SDK from the SdkProvider for a particular environment. Calling these methods made it possible to get an SDK without thinking of assuming roles to go into a different account.

This PR introduces a new class, EnvironmentAccess, with a couple of public methods that are the only ones allowed to obtain SDKs with credentials. It has the methods:

accessStackForStackOperations(stack)
accessStackForLookup(stack)
accessStackForReading(stack)

These will always respect the role information on the stack.

Ideally there would have been similar methods for assets as well, but the cdk-assets library is entirely handling asset roles itself, and it's not in the scope of this PR to change that. That keeps on using a plain SdkProvider. Hotswap deployments will also just use CLI credentials and not assume role, so that also keeps on using an SdkProvider.

All other uses have moved to EnvironmentAccess.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Previously there were methods on the `Deployments` class that made it possible to directly get an SDK from the `SdkProvider` for a particular environment. Calling these methods made it possible to get an SDK without thinking of assuming roles to go into a different account. This PR introduces a new class, `EnvironmentAccess`, with a couple of public methods that are the only ones allowed to obtain SDKs with credentials. It has the methods: - accessStackForStackOperations(stack) - accessStackForLookup(stack) - accessStackForReading(stack) These will always respect the role information on the stack. Ideally there would have been similar methods for assets as well, but the `cdk-assets` library is entirely handling asset roles itself, and it's not in the scope of this PR to change that. That keeps on using a plain `SdkProvider`. Hotswap deployments will also just use CLI credentials and not assume role, so that also keeps on using an `SdkProvider`. All other uses have moved to `EnvironmentAccess`.

aws-cdk-automation

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

…to-creds

.npmrc

mrgrain

Looks great. My main issue is with the now seemingly required call of env.replacePlaceholders() by the caller. That is equally non obvious as the problem we were are trying to fix.

packages/aws-cdk/lib/api/environment-access.ts

packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts

packages/aws-cdk/lib/api/environment-access.ts

packages/aws-cdk/lib/api/util/cloudformation.ts

packages/aws-cdk/lib/api/deployments.ts

mrgrain · 2024-10-30T11:37:05Z

packages/aws-cdk/lib/api/util/placeholders.ts

  });
 }

+export type StringWithoutPlaceholders = Branded<string, 'NoPlaceholders'>;


Suggested change

export type StringWithoutPlaceholders = Branded<string, 'NoPlaceholders'>;

export type StringWithoutPlaceholders = Branded<string, 'NoPlaceholders'>;

mrgrain · 2024-10-30T11:37:28Z

packages/aws-cdk/lib/util/type-brands.ts

+  return value as A;
+}
+
+type TypeUnderlyingBrand<A> = A extends Branded<infer T, any> ? T : never;


Suggested change

type TypeUnderlyingBrand<A> = A extends Branded<infer T, any> ? T : never;

type TypeUnderlyingBrand<A> = A extends Branded<infer T, any> ? T : never;

mrgrain · 2024-10-30T11:39:43Z

packages/aws-cdk/lib/api/deploy-stack.ts

   * @default - Role specified on stack, otherwise current
   */
-  readonly roleArn?: string;
+  readonly roleArn?: StringWithoutPlaceholders;


Maybe add a note how to convert a string to StringWithoutPlaceholders.

aws-cdk-automation · 2024-10-31T12:59:09Z

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

mergify · 2024-10-31T16:15:39Z

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

mergify · 2024-11-01T10:10:30Z

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

aws-cdk-automation · 2024-11-01T10:42:47Z

AWS CodeBuild CI Report

CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
Commit ID: 1280632
Result: SUCCEEDED
Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify · 2024-11-01T10:43:17Z

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

github-actions · 2024-11-01T10:43:33Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

github-actions bot added the p2 label Oct 25, 2024

aws-cdk-automation requested a review from a team October 25, 2024 13:49

mergify bot added the contribution/core This is a PR that came from AWS. label Oct 25, 2024

rix0rrr had a problem deploying to test-pipeline October 25, 2024 13:49 — with GitHub Actions Failure

aws-cdk-automation previously requested changes Oct 25, 2024

View reviewed changes

aws-cdk-automation added the pr/needs-cli-test-run This PR needs CLI tests run against it. label Oct 25, 2024

Merge remote-tracking branch 'origin/main' into huijbers/gate-access-…

fd1d41c

…to-creds

rix0rrr had a problem deploying to test-pipeline October 25, 2024 13:52 — with GitHub Actions Failure

mrgrain reviewed Oct 25, 2024

View reviewed changes

.npmrc Show resolved Hide resolved

Remove silly file

ffb491e

rix0rrr had a problem deploying to test-pipeline October 25, 2024 15:30 — with GitHub Actions Failure

github-actions bot mentioned this pull request Oct 28, 2024

Weekly PR metrics report #31915

Closed

Add .npmrc back

561c745

rix0rrr had a problem deploying to test-pipeline October 28, 2024 10:30 — with GitHub Actions Failure

mrgrain requested changes Oct 29, 2024

View reviewed changes

Review comments

0d60c69

rix0rrr had a problem deploying to test-pipeline October 29, 2024 14:22 — with GitHub Actions Failure

rix0rrr mentioned this pull request Oct 30, 2024

chore(cli): statically guarantee that assets aren't forgotten around makeBodyParameter #31750

Closed

Add type brands

ae49124

rix0rrr had a problem deploying to test-pipeline October 30, 2024 11:31 — with GitHub Actions Failure

More explanation in docs

ccf4976

rix0rrr had a problem deploying to test-pipeline October 30, 2024 11:35 — with GitHub Actions Failure

mrgrain reviewed Oct 30, 2024

View reviewed changes

mrgrain approved these changes Oct 30, 2024

View reviewed changes

Docs

07af33c

rix0rrr temporarily deployed to test-pipeline October 30, 2024 12:35 — with GitHub Actions Inactive

rix0rrr added the pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested label Oct 31, 2024

aws-cdk-automation removed the pr/needs-cli-test-run This PR needs CLI tests run against it. label Oct 31, 2024

Merge branch 'main' into huijbers/gate-access-to-creds

d7c8ad3

mergify bot had a problem deploying to test-pipeline October 31, 2024 16:27 Failure

github-actions bot mentioned this pull request Nov 1, 2024

Monthly PR metrics report #31972

Closed

Bump coverage

84fa9a2

rix0rrr had a problem deploying to test-pipeline November 1, 2024 09:38 — with GitHub Actions Failure

Merge branch 'main' into huijbers/gate-access-to-creds

1280632

mergify bot had a problem deploying to test-pipeline November 1, 2024 10:11 Failure

mergify bot merged commit 4e715b8 into main Nov 1, 2024

mergify bot deleted the huijbers/gate-access-to-creds branch November 1, 2024 10:43

github-actions bot locked as resolved and limited conversation to collaborators Nov 1, 2024

rix0rrr self-assigned this Nov 6, 2024

	export type StringWithoutPlaceholders = Branded<string, 'NoPlaceholders'>;
	export type StringWithoutPlaceholders = Branded<string, 'NoPlaceholders'>;

	type TypeUnderlyingBrand<A> = A extends Branded<infer T, any> ? T : never;
	type TypeUnderlyingBrand<A> = A extends Branded<infer T, any> ? T : never;

Conversation

rix0rrr commented Oct 25, 2024

Uh oh!

aws-cdk-automation left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

mrgrain left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mrgrain Oct 30, 2024

Choose a reason for hiding this comment

Uh oh!

mrgrain Oct 30, 2024

Choose a reason for hiding this comment

Uh oh!

mrgrain Oct 30, 2024

Choose a reason for hiding this comment

Uh oh!

aws-cdk-automation commented Oct 31, 2024

Uh oh!

mergify bot commented Oct 31, 2024

Uh oh!

mergify bot commented Nov 1, 2024

Uh oh!

aws-cdk-automation commented Nov 1, 2024

AWS CodeBuild CI Report

Uh oh!

mergify bot commented Nov 1, 2024

Uh oh!

github-actions bot commented Nov 1, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants