fix(core): respect host-stack permissions boundary for ref-time custom resource roles #33467
jstephenson wants to merge 2 commits into aws:main from
Conversation
The permissions boundary applied to a stack is not propagated to roles created by custom resources where these enter the assembly at reference-resolution time. Examples of this are cross-stack references and references to list values which must be JSON stringified. This change exposes the PB assigned to a stack and uses this to apply a custom resource's host stack PB to its roles.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Thank you for this PR @jstephenson. As you can see, I haven't had time to dive deep into the initial problem or your potential solution (which you admit isn't ready for prime time in its current form). What needs to happen is for us to properly investigate the issue and then follow the idea you've proposed here, but this effort is not prioritized at the moment. I am going to close this PR to keep our open PR list somewhat cleaner; this PR can always be revived if/when we decide to invest in a solution for #30179. Sorry for the disappointing news.
Issue # (if applicable)
Closes #30179
Reason for this change
The permissions boundary applied to a stack is not propagated to roles created by custom resources where these enter the assembly at reference-resolution time. Examples of this are cross-stack references and references to list values which must be JSON stringified.
Presently various custom-resource-backed CDK features cannot be deployed into environments which require a permissions boundary on workload-created roles.
Please see my comment on the issue for a bit more detail.
Description of changes
This change exposes the PB assigned to a stack and uses this to apply a custom resource's host stack PB to its roles.
The change is straightforward but it changes the API surface of `Stack`, and as such I propose this as a solution sketch and do not expect it to be accepted in its current form. I am not sufficiently familiar with the design of the codebase to know where best to solve this, though, so would welcome contributor/maintainer views.

Some thoughts:

- `PermissionsBoundary` is accepted by `Stack` as a prop as it stands. Perhaps this could be returned from a public field on `Stack` and plumbed into the proposed solution instead.
- `Stack` could be factored out to somewhere else and used in both places

Describe any new or updated permissions being added
None. Existing PB configuration now respected, however.
Description of how you validated changes
Simple unit tests added
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
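As an added example (not code from this PR or from aws-cdk), the following is a synth-time check a team could run over a synthesized CloudFormation template to catch exactly the gap described above: IAM roles that a custom resource provider added after the stack's boundary was applied. The template, the logical IDs and the boundary policy name are constructed for illustration.

```typescript
// Added example, not part of the PR: verify that every AWS::IAM::Role in a
// synthesized template carries the stack's permissions boundary.
type Resource = { Type?: string; Properties?: Record<string, unknown> };
type Template = { Resources?: Record<string, Resource> };

interface BoundaryReport {
  missing: string[];    // roles with no PermissionsBoundary at all
  mismatched: string[]; // roles whose boundary differs from the expected one
}

// Intrinsics (Fn::Sub, Fn::Join, Ref) are compared structurally, so `expected`
// must be given in the same form the template emits.
function checkRoleBoundaries(template: Template, expected: unknown): BoundaryReport {
  const report: BoundaryReport = { missing: [], mismatched: [] };
  const want = JSON.stringify(expected);
  for (const [id, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== 'AWS::IAM::Role') continue;
    const pb = res.Properties?.PermissionsBoundary;
    if (pb === undefined) report.missing.push(id);
    else if (JSON.stringify(pb) !== want) report.mismatched.push(id);
  }
  return report;
}

// Constructed boundary value (hypothetical policy name) in the Fn::Sub form.
const EXPECTED_BOUNDARY = {
  'Fn::Sub': 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/workload-boundary',
};

// Constructed sample template: the application role received the boundary, while
// a provider role added at reference-resolution time (hypothetical logical ID) did not.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    AppRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: {}, PermissionsBoundary: EXPECTED_BOUNDARY },
    },
    ExportsProviderRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: {} },
    },
    DataBucket: { Type: 'AWS::S3::Bucket' },
  },
};

// Running the check on the sample reports ExportsProviderRole as missing its boundary.
const sampleReport = checkRoleBoundaries(SAMPLE_TEMPLATE, EXPECTED_BOUNDARY);
console.log(JSON.stringify(sampleReport));
```

Pointing the same function at each template under `cdk.out` (after `cdk synth`) gives a deployment-gate check independent of how the roles were created.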