-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(stepfunctions-tasks): run task perm no longer valid #30788
Conversation
@GavinZZ JFYI since you have the most context on this.. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
Exemption request: The related integrations tests already had this permission removed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this looks good to me. I left a question in the relevant issue here to help me understand the issue better. I just want to confirm this does not work for the current users to make sure it's non-breaking.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is good to merge since the removed resource in IAM policy is not a valid arn and thus removing this should not create any breaking changes.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Comments on closed issues and PRs are hard for our team to see. |
### Issue # (if applicable) Closes aws#30751. ### Reason for this change `runTask` on `${taskDefinitionFamilyArn}` is no longer relevant (see validation errors in the linked issue. This was currently disabled with a FF. This PR removes the permission entirely, and removes the FF. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
const policyStatements = [ | ||
new iam.PolicyStatement({ | ||
actions: ['ecs:RunTask'], | ||
resources: [`${this.getTaskDefinitionFamilyArn()}:*`], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I understand correctly, this.getTaskDefinitionFamilyArn()
strips away the revision number from this.props.taskDefinition.taskDefinitionArn
. I am curious, would the CDK user be able to specify specific revision of the task definition if they would like to scope this down for strictest security?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's correct understanding.
I am curious, would the CDK user be able to specify specific revision of the task definition if they would like to scope this down for strictest security
Not easily, they could use escape hatch to scope it down further to a specific revision number.
Issue # (if applicable)
Closes #30751.
Reason for this change
runTask
on${taskDefinitionFamilyArn}
is no longer relevant (see validation errors in the linked issue.This was currently disabled with a FF. This PR removes the permission entirely, and removes the FF.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license