toolkit: surface potentially risky changes and enforce confirmation #978
Comments
|
That's beautiful in theory but coming up with messaging that is clear in the general case will be challenging ( Also, this brings you zero benefits if you're not using the |
I don't think we need "general" messaging, I think we need deep understanding of IAM policies and very specific messaging as to what has changed. It's going to be a set of heuristics that we understand and we can always fall back to showing a nice JSON diff of statements or fragments we don't understand.
I think this should actually part of the synthesizer, which is needed whether you deploy via the toolkit or not. |
eladb
changed the title
eladb
changed the title
|
Extra highlight (summary) of cross-account (or even public) permissions. |
|
My plan was to annotate all attributes that encode sensitive data (IAM policies and Security Group) in the spec, half-manually and half-automatically. We can then look up the annotations for every attribute after generating the diff, and then doing something intelligent with the diffs based on the annotation type (such as collect into a summary table). I have some code around this, let me know if you want it. |
|
@eladb I'm ready to pick this up again if you're busy doing other things. My plan is to add a summary table to every deployment that looks somewhat like this:
The diff will be done before every deployment, and the table will be shown and needs to be acknowledged if there are differences in it. |
|
Looks great @rix0rrr! How are we going to handle acknowledgement in CI/CD? I sense we need some way to "store" the acknowledgement. Feels like a a more general purpose mechanism for "diff ack" that we can implement. Perhaps in a separate PR, so maybe in the meantime, this can just be in the output of "diff"? |
Add awareness of potentially risky permissions changes to the cfnspec and diff tool, and surface those changes in an easily digestible format. This is an initial commit. Feature TODO: - [ ] Recognize AWS::Lambda::Permission objects - [ ] Recognize managed policies - [ ] Add support for SecurityGroup rules - [ ] Reverse engineer construct paths from logical IDs - [ ] Apply same logic to format inline diffs for IAM policy property updates. - [ ] Automatically diff and confirm statement additions on every 'deploy'. Quality TODO: - [ ] property tests on statement equality, parsing - [ ] tests on 'uncfn' routines - [ ] Replace CLI table library in aws-cdk to be the same as this one (supports newlines in cells and generally looks better). Fixes #978.
Add awareness of potentially risky permissions changes to the cfnspec and diff tool, and surface those changes in an easily digestible format. Control feature using `--require-approval` command-line flag or `requireApproval` field in `cdk.json`. Also see http://bit.ly/cdk-2EhF7Np This is an initial version, and there will be future changes to this feature. Fixes #978, fixes #1299.
"cdk diff" should surface to the user any changes to IAM permissions in a very explicit way. Users should be able to see exactly which permissions were added or removed from their app.
This is particularly important when using 3rd party construct libraries, it's important to ensure that any permissions changes are clearly visible to the user.
We should also consider requiring an explicit interactive approval for permission changes in "cdk deploy". Something like:
The text was updated successfully, but these errors were encountered: