Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support for IAM Identity Center in security diff #30009

Merged
merged 11 commits into from May 2, 2024
Merged

feat: support for IAM Identity Center in security diff #30009

merged 11 commits into from May 2, 2024
+940 −7

Conversation

bergjaak
Copy link
Contributor

@bergjaak bergjaak commented Apr 30, 2024
edited

Issue # (if applicable)

Closes #29835

Reason for this change

IAM Identity Center resources were ignored in the security diff

Description of changes

  • Adds the IAM Identity Center resources to CDK diff
  • fixes not presenting property changes when a resource is removed from the template

Description of how you validated changes

  • Added unit tests and integration tests.
  • Ran the integration tests that mention cdk diff (bin/run-suite -a cli-integ-tests -t 'cdk diff'):
Test Suites: 2 skipped, 1 passed, 1 of 3 total
Tests:       90 skipped, 13 passed, 103 total
Snapshots:   0 total
Time:        312.397 s
Ran all test suites with tests matching "cdk diff":

Dependent PRs

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the p1 label Apr 30, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team April 30, 2024 01:27
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Apr 30, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Apr 30, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@bergjaak
Copy link
Contributor Author

bergjaak commented Apr 30, 2024
edited

Exemption Request:

We are cli integ testing this change which would not generate a snapshot.

@bergjaak bergjaak mentioned this pull request Apr 30, 2024
Merged
github-merge-queue bot pushed a commit to cdklabs/awscdk-service-spec that referenced this pull request Apr 30, 2024
@bergjaak
chore: add support for IAM Identity Center in security diff (#1052)
f1e77e8 
For issue aws/aws-cdk#29835

This is the first of 2 PRs. The other PR will be to the main aws-cdk
repository.

Notice that AWS::SSO::PermissionSet has a property called
`ManagedPolicies`. That's why I add that property check. And judging by
the db.json that we create in this package (the service spec),
AWS::SSO::PermissionSet is the only resource with that property name:

```
(18:36:39) bergjak@bcd074b101ed ~/workplace/CDK/awscdk-service-spec AwsSsoFix ✔
 ➜ cat ~/db.json4 | jq '.schema.resource.entities.[]' | jq '.properties' | grep ManagedPolicies
    "scrutinizable": "ManagedPolicies"
    "scrutinizable": "ManagedPolicies"
    "scrutinizable": "ManagedPolicies"
    "scrutinizable": "ManagedPolicies"
    "scrutinizable": "CustomerManagedPolicies"
  "ManagedPolicies": {
    "scrutinizable": "ManagedPolicies"
```

AWS::SSO is the IAM Identity Center, and therefore changes to AWS SSO
resources are security sensitive. Hence the issue.

### Testing
As you'll see in the next pull request, I have integration tests for
this change
* Here is the PR with all the testing
aws/aws-cdk#30009
comcalvi
comcalvi requested changes Apr 30, 2024
View reviewed changes
Copy link
Contributor

@comcalvi comcalvi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing but minor comments, this looks really good! Nice work.

packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/cloudformation-diff/lib/diff/types.ts Show resolved Hide resolved
packages/@aws-cdk/cloudformation-diff/lib/iam/iam-identity-center.ts Show resolved Hide resolved
@github-actions github-actions bot mentioned this pull request May 1, 2024
Closed
@bergjaak bergjaak added pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels May 1, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review May 1, 2024 14:01

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 9db78cf
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify Mergify
Copy link
Contributor

mergify bot commented May 2, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 0a3cb94 into main May 2, 2024
13 checks passed
@mergify mergify bot deleted the AwsSsoFix branch May 2, 2024 14:51
@aws-cdk-automation
Copy link
Collaborator

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

@bergjaak bergjaak added the pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested label May 2, 2024
@github-actions github-actions bot mentioned this pull request May 6, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@comcalvi comcalvi comcalvi approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS. p1 pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-readme The PR linter will not require README changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CDK Diff and Deploy do not include AWS::SSO::Assignment in security related changes
3 participants
@bergjaak @aws-cdk-automation @comcalvi