feat(appconfig): add grantReadConfig method to Environment Construct #30180
Conversation
github-actions
bot
added
repeat-contributor
aws-cdk-automation
added
the
pr/needs-community-review
| */ | ||
| grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; | ||
|
|
||
| /** TODO |
There was a problem hiding this comment.
I guess this TODO can be removed?
There was a problem hiding this comment.
@daschaa
Oops...sorry, I removed it.
| @@ -78,6 +78,24 @@ new appconfig.Environment(this, 'MyEnvironment', { | |||
| Environment monitors also support L1 `CfnEnvironment.MonitorsProperty` constructs through the `fromCfnMonitorsProperty` method. | |||
| However, this is not the recommended approach for CloudWatch alarms because a role will not be auto-generated if not provided. | |||
|
|
|||
| See [About the AWS AppConfig data plane service](https://docs.aws.amazon.com/appconfig/latest/userguide/about-data-plane.html) more information. | |||
There was a problem hiding this comment.
@daschaa
Thank you for your review.
I added for.
|
|
||
| ### Permissions | ||
|
|
||
| You can grant read configuration permission on an Environment to any Principal as follows: |
There was a problem hiding this comment.
This sounds a bit raw to me. Maybe: You can grant permissions to read a configuration to an Environment with the grantReadConfig method as follows:
What do you think?
There was a problem hiding this comment.
@daschaa
I think your suggestion is better.
I edited it.
|
|
||
| /** | ||
| * Grants read configuration permissions for this environment | ||
| * to an IAM principal (Role/Group/User). |
There was a problem hiding this comment.
Is the Grantable interface === IAM principal? Or is it even broader?
Are other docstrings for grant methods also describing this in this way?
There was a problem hiding this comment.
@daschaa
From my understanding, the Grantable interface === IAM principal.
I have revised the explanation referring to the documentation of the grant method of the DynamoDB Table v2 Construct.
There was a problem hiding this comment.
@mazyu36 Awesome! Thank you very much for the explanation!
| * Adds an IAM policy statement associated with this environment to an IAM principal's policy. | ||
| * | ||
| * @param grantee the principal (no-op if undefined) | ||
| * @param actions the set of actions to allow (i.e., 'appconfig:GetLatestConfiguration', 'appconfig:StartConfigurationSession', etc.) |
There was a problem hiding this comment.
I think the comma after i.e. can be removed, right? 🤔
There was a problem hiding this comment.
@daschaa
I'm adding a comma (,) to align with the descriptions for DynamoDB.
|
@mazyu36 Thank you very much for the pull requests and sorry for the back and forth with the docstrings. |
aws-cdk-automation
added
pr/needs-maintainer-review
| return iam.Grant.addToPrincipal({ | ||
| grantee, | ||
| actions, | ||
| resourceArns: [`${this.environmentArn}/*`], |
There was a problem hiding this comment.
I'm not too familiar with appconfig usage. Any document supporting that this is the correct arns and least privilege?
There was a problem hiding this comment.
Thank you for your comment.
Upon reviewing it again, I found that the scope of the resourcesArn for grantReadConfig was too broad, so I made a modification (added /configuration/).
In AppConfig, a Configuration Profile represents a parameter (e.g., a Feature Flag), and an Environment represents a logical group of deployed Configuration Profiles. (docs)
The ARN of a Configuration belonging to an Environment takes the following format. (docs)
arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}/configuration/${ConfigurationProfileId}
For this issue, I wanted to grant read permission for the parameters (Configurations) belonging to a logical group (Environment), so I needed to use a wildcard for /configuration/ and beyond, as I realized.
Previously, the wildcard was applied from /${EnvironmentId}/ onward, which was too broad in scope.
Regarding the grant method, I changed it to limit the resources to the Environment only.
| @@ -3,13 +3,13 @@ | |||
|
|
|||
| This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project. | |||
|
|
|||
| For a high level overview of what AWS AppConfig is and how it works, please take a look here: | |||
There was a problem hiding this comment.
Nice, thanks for removing the whitespaces.
Co-authored-by: GZ <hz351086153@gmail.com>
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
@GavinZZ |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
Issue # (if applicable)
Closes #28585
Reason for this change
To simplify policy configuration for AppConfig Environments.
Description of changes
add grantReadConfig method to Environment Construct
Description of how you validated changes
Add unit test and integ tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license