
fix(custom-resources): incorrect IAM prefix generated for CloudWatch actions #33078

Open · wants to merge 4 commits into main
Conversation

samson-keung (Contributor) commented Jan 22, 2025

Issue # (if applicable)

Closes #32968.

Reason for this change

The mapping to look up the IAM prefix from a given service has an incorrect entry for CloudWatch. It says CloudWatch uses monitoring as the prefix but it is actually cloudwatch instead.

I cannot find any service that uses monitoring as prefix so I think it is safe to assume that nothing relies on the monitoring value. Therefore, there is no feature flag used in this PR.

Description of changes

Updated the IAM prefix mapping.

Describe any new or updated permissions being added

Updated the mapping to use the correct IAM prefix.

Description of how you validated changes

Updated unit tests to use AwsCustomResource with a CloudWatch call.

Added integ test to use AwsCustomResource with a CloudWatch call to tag an alarm and verify the tag is indeed added successfully.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 22, 2025 22:45
@github-actions github-actions bot added the p2 label Jan 22, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jan 22, 2025
aws-cdk-automation (Collaborator) left a comment

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

codecov bot commented Jan 22, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.54%. Comparing base (6a9cbc2) to head (7642ffc).
Report is 4 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #33078   +/-   ##
=======================================
  Coverage   81.54%   81.54%           
=======================================
  Files         226      226           
  Lines       13777    13777           
  Branches     2414     2414           
=======================================
  Hits        11235    11235           
  Misses       2270     2270           
  Partials      272      272           
Flag         Coverage   Δ
suite.unit   81.54%     <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components                    Coverage   Δ
packages/aws-cdk              80.94%     <ø> (ø)
packages/aws-cdk-lib/core     82.17%     <ø> (ø)

@aws-cdk-automation aws-cdk-automation dismissed their stale review January 23, 2025 17:56

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 and removed p2 labels Jan 23, 2025
aws-cdk-automation (Collaborator) commented

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7642ffc
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@samson-keung samson-keung marked this pull request as ready for review January 23, 2025 21:21
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 23, 2025
GavinZZ (Contributor) commented Jan 24, 2025

I want to understand this more. Have you tested on existing stack that uses AwsCustomResource with the monitoring iam prefix stack? Is this deployable or would it fail to deploy with monitoring as part of the iam statement?

samson-keung (Contributor, Author) commented

Is this deployable or would it fail to deploy with monitoring as part of the iam statement?

It is deployable. I don't think IAM blocks users from using a wrong permission. This is observable from the IAM console as well. I was able to create a policy with the monitoring:* action but the console does warn me that monitoring is an unrecognized service.
[Screenshot 2025-01-24 at 12:10:42 PM]
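The two points made in this thread (the prefix table maps the SDK service name to an IAM action prefix, and a wrong prefix still deploys because IAM accepts any syntactically valid action string) can be shown together in a small model. The TypeScript below is an added example, not code from aws-cdk-lib or from this PR: the override tables `PREFIX_OVERRIDES_BEFORE` and `PREFIX_OVERRIDES_AFTER`, the functions `sdkCallToIamAction`, `buildStatement` and `unrecognizedActions`, and the `KNOWN_PREFIXES` allowlist are all hypothetical, and the allowlist is a constructed subset standing in for the IAM service authorization reference. The `CloudWatch` / `tagResource` call mirrors the integ-test scenario the PR describes.

```typescript
// Added example, not code from aws-cdk-lib or from this PR. It models the
// lookup an AwsCustomResource-style helper performs (SDK service + action ->
// IAM action) with a hypothetical override table, and shows why a wrong prefix
// entry deploys fine yet grants nothing: IAM accepts any "<prefix>:<Action>"
// string, so the bad value is only caught by checking the prefix itself.

// Hypothetical override table as it stood before the fix: CloudWatch wrongly
// mapped to the "monitoring" prefix. Services absent from the table use their
// normalized SDK name as the prefix.
const PREFIX_OVERRIDES_BEFORE: Record<string, string> = {
  cloudwatch: "monitoring",
  cloudwatchlogs: "logs",
};

// The same table after the fix: CloudWatch actions use "cloudwatch", which is
// what the service name already normalizes to, so the entry is simply dropped.
const PREFIX_OVERRIDES_AFTER: Record<string, string> = {
  cloudwatchlogs: "logs",
};

// Constructed subset of real IAM service prefixes, standing in for the
// service authorization reference the IAM console warns against.
const KNOWN_PREFIXES: ReadonlySet<string> = new Set(["cloudwatch", "logs", "s3", "sts"]);

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string;
}

// Normalize an SDK service name: accept "CloudWatch", "cloudwatch-logs" or a
// v3 client package name such as "@aws-sdk/client-cloudwatch".
function normalizeService(service: string): string {
  return service
    .replace(/^@aws-sdk\/client-/, "")
    .replace(/-/g, "")
    .toLowerCase();
}

// Map one SDK call to the IAM action string "<prefix>:<PascalCaseAction>".
function sdkCallToIamAction(
  service: string,
  action: string,
  overrides: Record<string, string>,
): string {
  const key = normalizeService(service);
  const prefix = Object.prototype.hasOwnProperty.call(overrides, key) ? overrides[key] : key;
  const pascal = action.charAt(0).toUpperCase() + action.slice(1);
  return `${prefix}:${pascal}`;
}

// Build the single Allow statement a fromSdkCalls()-style policy would emit,
// de-duplicating actions that several calls share.
function buildStatement(
  calls: Array<[string, string]>,
  overrides: Record<string, string>,
): PolicyStatement {
  const actions = calls.map(([service, action]) => sdkCallToIamAction(service, action, overrides));
  return { Effect: "Allow", Action: Array.from(new Set(actions)), Resource: "*" };
}

// Flag actions whose prefix is not a known service. IAM would still accept the
// policy; this is the check behind the console's "unrecognized service" warning.
function unrecognizedActions(statement: PolicyStatement): string[] {
  return statement.Action.filter((a) => !KNOWN_PREFIXES.has(a.split(":")[0]));
}

// The PR's integ-test scenario: tag a CloudWatch alarm through a custom resource.
const TAG_ALARM_CALL: [string, string] = ["CloudWatch", "tagResource"];

function main(): void {
  const tables: Array<[string, Record<string, string>]> = [
    ["before fix", PREFIX_OVERRIDES_BEFORE],
    ["after fix", PREFIX_OVERRIDES_AFTER],
  ];
  for (const [label, table] of tables) {
    const stmt = buildStatement([TAG_ALARM_CALL], table);
    // before fix: Action ["monitoring:TagResource"], unrecognized ["monitoring:TagResource"]
    // after fix:  Action ["cloudwatch:TagResource"], unrecognized []
    console.log(label, JSON.stringify(stmt), "unrecognized:", unrecognizedActions(stmt));
  }
}

main();
```

The defender's takeaway is the last function: because IAM performs no validation of the service prefix at policy-creation time, a mapping bug of this kind surfaces only as an AccessDenied at runtime (the custom resource's SDK call fails), so a deploy-time check of generated action prefixes against the known service list is the cheapest place to catch it.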

Linked issue that merging may close: (custom_resources): incorrect IAM prefix generated for CloudWatch actions. 3 participants.