cli: permissions snapshot integration testing #32088
Comments
I propose the following: First, we create an iam-tracking interface that does the following:
This interface will be implemented for each cli command. We will need two different behaviors:
Baseline should only be run with contributor/maintainer intervention (pass a flag like --set-iam-baseline), while compare should run on every PR.
The IAMClient used by integration tests can be wrapped with an HOC that tracks its activity. We should then format this and store it into a file for each integration test that uses it. When we baseline, this should either create a new file or overwrite/version up the baseline file. We can pass a flag to the integ runner like When we run integ tests normally, we should expect there to be a baseline file, or fail the test. If there is a mismatch between the newly generated IAM activity and the existing baseline, we should investigate and decide whether it's an acceptable change. Hoping to discuss this on Tuesday with @iliapolo.
Met with @iliapolo. Working POC pushed to a branch: https://github.com/aws/aws-cdk/tree/iankhou-cli-iam-tracking In this implementation, I created a middleware that logs every SDK call for an SDK client (S3, CFn, etc.), then uses an STSClient to get the role used (SDK calls only pass access key ID and secret key, not the role itself). Then the service, operation, and role are written to a file. This middleware is applied to every SDK client (not just the IAMClient as mentioned above). In my POC branch, I saved a file for the
Comments on closed issues and PRs are hard for our team to see.
Describe the feature
Every CLI integration test will record a file containing all IAM roles it assumed and all IAM actions it performed during the test execution.
This file will serve as a snapshot, which will fail the test in case it contains changes.
Use Case
It is not uncommon for organizations to have very strict IAM policy requirements. So strict, in fact, that the roles used by the CLI are configured to only allow the actions and principals that are currently required for it to operate.
In such cases, any changes to which roles are assumed, or which actions are performed, will break customer deployments. While the CDK doesn't make guarantees it will never do so (it would be close to impossible to add new features if we did), it would still be advantageous to catch those occurrences and handle them with more care.
Proposed Solution
One option to catch these types of changes is to configure our own policies to be as strict as possible when we run integration tests. This, however, can be cumbersome to operate and maintain. Instead, we would like an automatic mechanism that doesn't require infrastructure changes.
Research required, but there must be a way to hook into the AWS SDK and intercept service calls, to form a snapshot of the roles and actions used during the test.
In case a test fails because the snapshot changed, we will:
The aggregation of all snapshots from all tests can also serve as a public document, detailing which actions are required for each command.
Other Information
No response
Acknowledgements
CDK version used
ALL
Environment details (OS name and version, etc.)
ALL
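The record-then-compare flow discussed in this thread, as an added example that is not part of the issue or of the aws-cdk code base: each call is logged as service, operation and role, the log is normalised into a snapshot, and the snapshot is checked against a baseline. All function and type names, the role names and the sample calls are assumptions made for illustration, and the role lookup is a plain callback standing in for the STS call.

```typescript
// Added example. SdkCall, track, toSnapshot and compareToBaseline are hypothetical
// names, not aws-cdk or AWS SDK APIs; roles and calls below are constructed.
type SdkCall = { service: string; operation: string; role: string };
type Diff = { ok: boolean; added: string[]; removed: string[]; reason?: string };

// Record one SDK call with the role in effect, then run it. currentRole stands in
// for the STS lookup mentioned in the thread.
function track<R>(log: SdkCall[], currentRole: () => string,
                  service: string, operation: string, fn: () => R): R {
  log.push({ service, operation, role: currentRole() });
  return fn();
}

// Normalise to sorted, de-duplicated lines so call order and retries cause no diff.
function toSnapshot(log: SdkCall[]): string[] {
  const lines = log.map((c) => `${c.role} ${c.service}:${c.operation}`);
  return Array.from(new Set(lines)).sort();
}

// Compare mode: a missing baseline fails, and any added or removed line fails.
function compareToBaseline(current: string[], baseline?: string[]): Diff {
  if (baseline === undefined) {
    return { ok: false, added: current, removed: [], reason: "missing baseline" };
  }
  const base = new Set(baseline);
  const cur = new Set(current);
  const added = current.filter((l) => !base.has(l));
  const removed = baseline.filter((l) => !cur.has(l));
  return { ok: added.length === 0 && removed.length === 0, added, removed };
}

// Constructed test run: three distinct calls under two roles, one call repeated.
function sampleRun(): string[] {
  const log: SdkCall[] = [];
  let role = "cli-user";
  const call = (service: string, operation: string) =>
    track(log, () => role, service, operation, () => "ok");
  call("STS", "AssumeRole");
  role = "deploy-role";
  call("CloudFormation", "DescribeStacks");
  call("CloudFormation", "DescribeStacks");
  call("S3", "PutObject");
  return toSnapshot(log);
}
```

Reporting removed lines as well as added ones keeps the baseline from drifting wider than what the command actually uses.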