
opensearch,elasticsearch,events-targets: Custom Resources provided in these modules always attempt to install latest version of AWS SDK v2 #23113

Closed
mrgrain opened this issue Nov 28, 2022 · 2 comments · Fixed by #23591
Assignees
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@mrgrain

mrgrain commented Nov 28, 2022

Describe the bug

The following built-in Custom Resources force the install of the latest AWS SDK version in their Lambda which will fail in environments with restricted internet access (e.g. China Regions or when internet access is disabled in Lambdas):

  • OpenSearchAccessPolicy in aws-elasticsearch
  • ElasticsearchAccessPolicy in aws-opensearch
  • LogGroupResourcePolicy in aws-elasticsearch, aws-opensearch and aws-events-targets

There is no way to disable this behavior, because the resources extend AwsCustomResource which defaults installLatestAwsSdk to true. They do not provide an option to disable this.

Expected Behavior

The affected resources do not attempt to install the latest SDK version. All API requests for these resources are known, so it is not required to have the latest version available.

Current Behavior

They always attempt to install the latest SDK version.

Reproduction Steps

```ts
// Imports added so the reproduction compiles as an aws-cdk-lib v2 stack
import { Construct } from 'constructs';
import { Stack, StackProps, RemovalPolicy } from 'aws-cdk-lib';
import { EbsDeviceVolumeType } from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';

class TestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const domainProps: opensearch.DomainProps = {
      removalPolicy: RemovalPolicy.DESTROY,
      version: opensearch.EngineVersion.ELASTICSEARCH_7_1,
      ebs: {
        volumeSize: 10,
        volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD,
      },
      logging: {
        slowSearchLogEnabled: true,
        appLogEnabled: true,
      },
      nodeToNodeEncryption: true,
      encryptionAtRest: {
        enabled: true,
      },
      advancedOptions: {
        'rest.action.multi.allow_explicit_index': 'false',
        'indices.fielddata.cache.size': '25',
        'indices.query.bool.max_clause_count': '2048',
      },
      // test that the access policies custom resource works
      accessPolicies: [
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: ['es:ESHttp*'],
          principals: [new iam.AccountRootPrincipal()],
          resources: ['*'],
        }),
      ],
    };

    // create 2 domains to ensure that CloudWatch Log Group policy names don't conflict
    new opensearch.Domain(this, 'Domain1', domainProps);
    new opensearch.Domain(this, 'Domain2', domainProps);
  }
}
```

Possible Solution

  • Check if we can default the setting to false for these custom resources
    It should be possible to ascertain if the used APIs are available in the default SDK
    Then add installLatestAwsSdk: false to here
  • Use a layer to provide the latest version of the SDK
    Similar to how we provide the AWS CLI already

Additional Information/Context

Workaround:

```ts
import * as cdk from 'aws-cdk-lib';
import { IConstruct } from 'constructs';

declare const stack: cdk.Stack;

// Create an Aspect to stop installing the latest SDK version
class AwsCustomResourceUseDefaultAwsSdk implements cdk.IAspect {
  public readonly resourceTypes: string[];

  public constructor(resourceTypes: string[] = ['Custom::AWS']) {
    this.resourceTypes = resourceTypes;
  }

  public visit(node: IConstruct): void {
    // Override the property on every matching L1 custom resource in the tree
    if (node instanceof cdk.CfnResource && this.resourceTypes.includes(node.cfnResourceType)) {
      node.addPropertyOverride('InstallLatestAwsSdk', false);
    }
  }
}

// Apply this Aspect to any Stack
// Note that specific resource types have to be provided in the constructor call
cdk.Aspects.of(stack).add(new AwsCustomResourceUseDefaultAwsSdk(['Custom::OpenSearchAccessPolicy']));
```

CDK CLI Version

2.52.20

Framework Version

2.52.0

Node.js Version

any

OS

macos

Language

Typescript, Python, .NET, Java, Go

Language Version

No response

Other information

These Custom Resources currently run in nodejs14.x which defaults the AWS SDK for JS to version 2.1055.0 (source).

I have checked and confirm that the API for OpenSearchAccessPolicy & ElasticSearchAccessPolicy is available in this particular version of the SDK.
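A way to confirm that the workaround (or the later fix) actually took effect is to audit the synthesized templates in cdk.out for custom resources that still carry InstallLatestAwsSdk set to true. The following is an added example, not code from the issue or from the CDK project; the property name and the Custom::OpenSearchAccessPolicy type come from the issue, the template below is a constructed sample, and the other resource names are made up for illustration.

```typescript
// Shape of the parts of a CloudFormation template this check needs
interface CfnTemplate {
  Resources?: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
}

interface Finding {
  logicalId: string;
  type: string;
  reason: string;
}

// Returns a reason string when the properties mean "download the latest SDK at runtime",
// or null when the resource is pinned to the SDK bundled with the Lambda runtime.
function installsLatestSdk(props: Record<string, unknown> | undefined): string | null {
  const value = props?.InstallLatestAwsSdk;
  // Absent property: the construct default (true at the time of this issue) applies
  if (value === undefined) {
    return 'InstallLatestAwsSdk not set; construct default (true) applies';
  }
  // CloudFormation hands custom resource properties to Lambda as strings, so accept both forms
  if (value === true || value === 'true') {
    return `InstallLatestAwsSdk is ${JSON.stringify(value)}`;
  }
  return null;
}

// Lists every Custom::* resource in a synthesized template that would reach out to npmjs.com
function findSdkInstallingCustomResources(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (!res.Type.startsWith('Custom::')) continue;
    const reason = installsLatestSdk(res.Properties);
    if (reason !== null) findings.push({ logicalId, type: res.Type, reason });
  }
  return findings;
}

// Constructed sample resembling what the reproduction stack above synthesizes
const sampleTemplate: CfnTemplate = {
  Resources: {
    Domain1AccessPolicy: { Type: 'Custom::OpenSearchAccessPolicy', Properties: { InstallLatestAwsSdk: true } },
    Domain1LogPolicy: { Type: 'Custom::AWS', Properties: { InstallLatestAwsSdk: 'true' } },
    LegacyResource: { Type: 'Custom::AWS', Properties: {} },
    PatchedResource: { Type: 'Custom::AWS', Properties: { InstallLatestAwsSdk: false } },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
};

const findings = findSdkInstallingCustomResources(sampleTemplate);
```

In practice, load each cdk.out/*.template.json with JSON.parse and feed it to findSdkInstallingCustomResources; an empty result means no custom resource in that stack will attempt the install.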

@mrgrain mrgrain added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 28, 2022
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Nov 28, 2022
@peterwoodworth peterwoodworth added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 29, 2022
@rix0rrr

rix0rrr commented Jan 5, 2023

installLatestAwsSdk: true should never have been the default.

Let's:

  • Explicitly configure it as false for all custom resources we instantiate
  • Create a feature flag to make false the new default

@mrgrain mrgrain self-assigned this Jan 5, 2023
rix0rrr added a commit that referenced this issue Jan 6, 2023
The `AwsCustomResource` reaches out to the internet to install the
latest AWS SDK by default. This will make it fail if it is being bound
to a VPC that doesn't have internet connectivity, or in
regions/partitions that are not able to freely connect to `npmjs.com`.

This was a poorly chosen default from the time we didn't know any
better, but we do know right now. Switch the behavior off by default
(under feature flag), and explicitly disable it for all
`AwsCustomResource`s the L2 library uses. Lambda advertises 2.1055.0
of the SDK everywhere, and I checked to make sure that all APIs we
use are part of that SDK version, so we don't need any newer version.

That version is a year old (!) so this is not the end of the story,
but it's at least an improvement over what we currently have.

Fixes #23113.
@mergify mergify bot closed this as completed in #23591 Jan 10, 2023
mergify bot pushed a commit that referenced this issue Jan 10, 2023

DerkSchooltink pushed a commit to DerkSchooltink/aws-cdk that referenced this issue Jan 23, 2023