
(custom_resources): incorrect IAM prefix generated for CloudWatch actions #32968

Open · 1 task

konoui opened this issue Jan 16, 2025 · 1 comment

Labels: @aws-cdk/custom-resources (Related to AWS CDK Custom Resources), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1

Comments

@konoui (Contributor)

konoui commented Jan 16, 2025

Describe the bug

AwsCustomResource in custom_resources generates an incorrect IAM action prefix monitoring:<action> for CloudWatch actions. The correct prefix should be cloudwatch:<action>.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The generated IAM action prefix should be cloudwatch:<action>.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html

Amazon CloudWatch (service prefix: cloudwatch) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Current Behavior

The generated IAM action prefix is monitoring:<action>.

Reproduction Steps

  1. Use AwsCustomResource to create a resource for a CloudWatch action (e.g., tagResource).
  2. Run cdk synth.
  3. Observe the generated IAM policy in the synthesized template.
```typescript
import { Stack, StackProps, custom_resources } from "aws-cdk-lib";
import { Construct } from "constructs";

export class ReproStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    new custom_resources.AwsCustomResource(this, "CustomResource", {
      onCreate: {
        service: "CloudWatch",
        action: "tagResource",
        parameters: {
          ResourceARN: "dummy",
          Tags: [{ Key: "Name", Value: "prod" }],
        },
        physicalResourceId: custom_resources.PhysicalResourceId.of("add_tag"),
      },
      // fromSdkCalls derives the IAM action from the SDK call above; the
      // service prefix it picks is what ends up in the synthesized policy.
      policy: custom_resources.AwsCustomResourcePolicy.fromSdkCalls({
        resources: custom_resources.AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });
  }
}
```

```shell
cdk synth
```

(snip)

```yaml
  CustomResourceCustomResourcePolicy887CD354:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: monitoring:TagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: CustomResourceCustomResourcePolicy887CD354
      Roles:
        - Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
```

(snip)

Possible Solution

The issue seems to originate in the sdk-v3-metadata.json file, which maps CloudWatch actions to the incorrect prefix monitoring.

https://github.com/aws/aws-cdk/blob/v2.176.0/packages/aws-cdk-lib/custom-resources/lib/helpers-internal/sdk-v3-metadata.json#L198

Additional Information/Context

No response

CDK CLI Version

2.176.0

Framework Version

No response

Node.js Version

v22.8.0

OS

macOS Monterey

Language

TypeScript

Language Version

No response

Other information

No response
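The check below is an added example and is not code from the aws-cdk project or from either participant in this issue. It scans a synthesized CloudFormation template (for example `cdk.out/<Stack>.template.json`) for IAM actions whose service prefix is one the SDK-derived metadata is known to get wrong, reports the `cloudwatch:` form the service authorization reference lists, and, as a least-privilege companion check, flags Allow statements on `Resource: "*"`, which is exactly what `AwsCustomResourcePolicy.ANY_RESOURCE` produces. The practical reason to catch this before deploy: a policy that grants `monitoring:TagResource` contains no Allow matching the `cloudwatch:TagResource` call the handler Lambda actually makes. The `PREFIX_FIXES` table is an assumption that lists only the mapping this issue reports, and the sample template is a constructed, trimmed copy of the one shown above.

```typescript
// Added example, not code from the aws-cdk project or the issue: scan a
// synthesized CloudFormation template for IAM actions whose service prefix
// is one the SDK-derived metadata gets wrong, and report the prefix IAM
// actually evaluates. Run it over cdk.out/<Stack>.template.json.

interface Statement {
  Action: string | string[];
  Effect: "Allow" | "Deny";
  Resource?: unknown;
}

interface Template {
  Resources: { [logicalId: string]: { Type: string; Properties?: any } };
}

// Prefixes seen in synthesized policies that are not IAM service prefixes,
// mapped to the prefix IAM expects. Assumption: only the CloudWatch case
// from the issue is listed; add entries if you find others.
const PREFIX_FIXES: { [sdkPrefix: string]: string } = {
  monitoring: "cloudwatch",
};

function toList<T>(value: T | T[] | undefined): T[] {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// Permission statements from AWS::IAM::Policy resources and from inline
// Policies on AWS::IAM::Role resources. Trust policies
// (AssumeRolePolicyDocument) grant no permissions and are skipped.
function policyStatements(t: Template): { logicalId: string; stmt: Statement }[] {
  const found: { logicalId: string; stmt: Statement }[] = [];
  for (const logicalId in t.Resources) {
    const res = t.Resources[logicalId];
    const props = res.Properties || {};
    const docs: any[] = [];
    if (res.Type === "AWS::IAM::Policy") docs.push(props.PolicyDocument);
    if (res.Type === "AWS::IAM::Role") {
      for (const p of toList<any>(props.Policies)) docs.push(p.PolicyDocument);
    }
    for (const doc of docs) {
      if (!doc) continue;
      for (const stmt of toList<Statement>(doc.Statement)) found.push({ logicalId, stmt });
    }
  }
  return found;
}

// The corrected action if its prefix is a known-bad one, otherwise null.
function correctAction(action: string): string | null {
  const colon = action.indexOf(":");
  if (colon < 0) return null;
  const fix = PREFIX_FIXES[action.substring(0, colon)];
  return fix ? fix + ":" + action.substring(colon + 1) : null;
}

function findBadPrefixes(t: Template): { logicalId: string; action: string; corrected: string }[] {
  const findings: { logicalId: string; action: string; corrected: string }[] = [];
  for (const { logicalId, stmt } of policyStatements(t)) {
    for (const action of toList(stmt.Action)) {
      const corrected = correctAction(action);
      if (corrected !== null) findings.push({ logicalId, action, corrected });
    }
  }
  return findings;
}

// Least-privilege companion check: Allow statements on Resource "*".
// AwsCustomResourcePolicy.ANY_RESOURCE produces exactly this shape.
function wildcardAllows(t: Template): string[] {
  const ids: string[] = [];
  for (const { logicalId, stmt } of policyStatements(t)) {
    const resources = toList(stmt.Resource as string | string[] | undefined);
    if (stmt.Effect === "Allow" && resources.indexOf("*") >= 0) ids.push(logicalId);
  }
  return ids;
}

// Constructed sample: a trimmed copy of the template reported in the issue.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    CustomResourceCustomResourcePolicy887CD354: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: {
          Statement: [{ Action: "monitoring:TagResource", Effect: "Allow", Resource: "*" }],
          Version: "2012-10-17",
        },
      },
    },
    AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2: {
      Type: "AWS::IAM::Role",
      Properties: { AssumeRolePolicyDocument: { Statement: [{ Action: "sts:AssumeRole", Effect: "Allow" }] } },
    },
  },
};

function report(t: Template): string[] {
  const lines: string[] = [];
  for (const f of findBadPrefixes(t)) lines.push(`${f.logicalId}: "${f.action}" should be "${f.corrected}"`);
  for (const id of wildcardAllows(t)) lines.push(`${id}: Allow statement on Resource "*"`);
  return lines;
}

for (const line of report(SAMPLE_TEMPLATE)) console.log(line);
```

Wire `report()` into the pipeline step that runs `cdk synth` and fail the build when it returns anything; the prefix finding goes away once the metadata is fixed upstream, while the wildcard finding is a reminder to replace `ANY_RESOURCE` with the actual ARN where the SDK call supports resource-level permissions.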

@konoui konoui added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 16, 2025
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Jan 16, 2025
@ashishdhingra ashishdhingra self-assigned this Jan 16, 2025
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Jan 16, 2025
@ashishdhingra (Contributor)

ashishdhingra commented Jan 16, 2025

Reproducible using CDK version 2.176.0 (build 899965d). It generates the following CFN template:

```yaml
Resources:
  CustomResource8CDCD7A7:
    Type: Custom::AWS
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - AWS679f53fac002430cb0da5b7982bd22872D164C4C
          - Arn
      Create: '{"service":"CloudWatch","action":"tagResource","parameters":{"ResourceARN":"dummy","Tags":[{"Key":"Name","Value":"prod"}]},"physicalResourceId":{"id":"add_tag"}}'
      InstallLatestAwsSdk: false
    DependsOn:
      - CustomResourceCustomResourcePolicy887CD354
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: CdktestStackNew/CustomResource/Resource/Default
  CustomResourceCustomResourcePolicy887CD354:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: monitoring:TagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: CustomResourceCustomResourcePolicy887CD354
      Roles:
        - Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
    Metadata:
      aws:cdk:path: CdktestStackNew/CustomResource/CustomResourcePolicy/Resource
  AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: CdktestStackNew/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource
  AWS679f53fac002430cb0da5b7982bd22872D164C4C:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: cdk-hnb659fds-assets-<<ACCOUNT-ID>>-us-east-2
        S3Key: ce2f3595a340d6c519a65888ef97e3b9b64f053f83608e32cc28162e22d7d99a.zip
      Handler: index.handler
      Role:
        Fn::GetAtt:
          - AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
          - Arn
      Runtime: nodejs20.x
      Timeout: 120
    DependsOn:
      - AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
    Metadata:
      aws:cdk:path: CdktestStackNew/AWS679f53fac002430cb0da5b7982bd2287/Resource
      aws:asset:path: asset.ce2f3595a340d6c519a65888ef97e3b9b64f053f83608e32cc28162e22d7d99a
      aws:asset:is-bundled: false
      aws:asset:property: Code
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/12Oyw6CMBBFv8V9GRWNukUS1wY+gIxlJAOlTZhWYgj/buqDhat75tzcZFLYHg+wWeEoia67xPANptKj7pQO4l1fDSQuDJoEslHytyu+SuEo1WSwv9UIU8m2MeSdvQSrPTurFsjvi5wVYw/T1RnWz1h8qXCG4hlzVrKrUIS8QBZDyQ7OQXfkzyg0q7834uzHC7yHpceGbTMr62qCVtaP7QnSDexXrTAnQ7Cee4Liky/B7auRDQEAAA==
    Metadata:
      aws:cdk:path: CdktestStackNew/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
```

Findings:

Refer to PR #31874 (this is still pending ownership by the CDK squad, since the integration snapshot update needs to be done differently) on how to use /scripts/update-sdkv3-parameters-model.sh to generate a new sdk-v2-to-v3.json (it perhaps also generates a new packages/aws-cdk-lib/custom-resources/lib/helpers-internal/sdk-v3-metadata.json). However, in the PR run as well, it had an incorrect mapping for the cloudwatch service.

The PR which introduced sdk-v3-metadata.json is #27313. It mentions the following:

From SDKv3 models, extract a new sdk-v3-metadata.json which contains the following information:

  • IAM prefix for every service
  • A list of APIs that end in the word Command, so we can disambiguate around these.

@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jan 16, 2025
@ashishdhingra ashishdhingra removed their assignment Jan 16, 2025
@ashishdhingra ashishdhingra added p1 and removed p2 labels Jan 17, 2025