fix(cloudtrail): Trail fails during resource creation due to invalid template properties when management events are 'None' #23569
Conversation
|
|
github-actions
bot
added
beginning-contributor
| @@ -403,7 +403,7 @@ export class Trail extends Resource { | |||
| } | |||
|
|
|||
| /** | |||
| * Log all Lamda data events for all lambda functions the account. | |||
| * Log all Lambda data events for all lambda functions the account. | |||
| @@ -625,19 +625,77 @@ describe('cloudtrail', () => { | |||
| }); | |||
| }); | |||
|
|
|||
| test('managementEvents set to None correctly turns off management events', () => { | |||
| test('not provided and managementEvents set to None throws', () => { | |||
There was a problem hiding this comment.
For this test can we specify the error instead of just "throws", i.e. using toThrowError() and then specify the exception in the test description here. I think the exception is InvalidEventSelectorsException, but whatever the error we expect is.
There was a problem hiding this comment.
Is it just the description you want updated? As far as I understand, exceptions thrown using node.addValidation(...) use a generic throw new Error(...) rather than a custom exception class.
There was a problem hiding this comment.
Gotcha I think I misunderstood exactly what toThrow and what toThrowError did. I just wanted to ensure it wouldn't just capture any error, and it would look for that specific one. But it may have been doing that with toThrow anyway. Title is also more descriptive which always helps. Looks good to me
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify
bot
dismissed
HBobertz’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Overview
Currently CDK produces invalid CloudFormation that fails validation by the CloudTrail API upon deployment when setting the
managementEventsparameter toReadWriteType.NONE.Although this is a contribution to a stable module, I consider this change to not have breaking changes as the original implementation generates CloudFormation that would result in stack deployment failure so is currently broken.
Behaviour changes
Setting
managementEventstoReadWriteType.NONEOld behaviour: Successfully synthesises but produces CloudFormation that fails to deploy.
New behaviour: Fails synthesis with a validation error if no additional event selectors are added to the trail, as the default behaviour of CloudTrail is to enable management events if no event selectors are provided. Sets
includeManagementEventstofalseby default when new event selectors are added unless overridden explicitly by the user.Other options considered
The previous PR had a suggestion to just always set
includeManagementEventstofalsewhen adding additional event selectors rather than only setting it tofalsewhen the Trail was created withReadWriteType.NONE. However, this would break backwards compatibility for some scenarios (such as where users don't setmanagementEventswhen creating the trail and later add an event selector, as well as a bunch of other esoteric edge cases).Related
Previous PR that was closed for staleness (#16387).
Closes #15488
All Submissions:
Adding new Construct Runtime Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license