fix(aws-kms): Incomplete KMS Resource Policy Permissions #3459
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 9 commits
April 19, 2019 21:49
* 'master' of https://github.com/awslabs/aws-cdk: fix(toolkit): fix broken confirmation prompt (#2333)
* 'master' of https://github.com/awslabs/aws-cdk: fix(toolkit): don't fail when terminal width is 0 (#2355) chore: fix build, apply pkglint rule to new package (#2354) chore: remove tsbuildinfo from repository and NPM (#2324) feat(codepipeline): change to stand-alone Artifacts. (#2338) chore: update PR template (#2351) feat(events-targets): LambdaFunction (#2350) feat(aws-events-targets): centralized module for cloudwatch event targets (#2343)
* aws-master: chore: fix build by removing 'main' from a cli-only package chore: remove arguments from `pack.sh` (#2374) chore: Remove main and types from simple-resource-bundler v0.29.0 (#2366) feat(codepipeline): make the default CodePipeline Bucket have an encryption key (#2241) refactor: rename MetricCustomization => MetricOptions (#2360) chore: update jsii to 0.10.3 (#2364) chore: fix init templates (#2361) fix(toolkit): stop 'cdk doctor' from printing AWS_ variables (#2357) fix(aws-cloudwatch): remove workaround on optional DashboardName
* 'master' of https://github.com/awslabs/aws-cdk: feat(cdk-test): check API compatibility (#2356) chore: re-add tsconfig.json to NPM packages (#2382)
* 'master' of https://github.com/awslabs/aws-cdk: (429 commits) feat(ecs): ECS optimized Windows images (#3376) fix(toolkit): avoid EMFILE and preserve mode when zipping (#3428) Revert "feat(autoscaling): health check configuration (#3390)" (#3435) v1.2.0 (#3432) feat(autoscaling): health check configuration (#3390) docs(stepfunctions-tasks): clarify that ITaskDefinition cannot be used in RunEcsEc2Task. (#3425) feat(cli): VPC context provider looks up RouteTable IDs (#3171) fix(ecs): make URL domain-suffix dependent (#3394) fix(assert): CfnParameter MatchStyle diff support (#3408) feat(core): allow multiple transforms on ITemplateOptions (#3395) fix(s3): fail early with bad notification filters (#3397) feat(s3): bucket access control (#3391) feat(s3): bucket websiteRedirect (#3392) feat(cloudwatch): dashboardName validation (#3382) build: remove unsupported metadata target (#3375) chore(route53): replace HostedZoneProvider example (#3374) core: update package-lock.json (#3370) doc(region-info): fix typo in readme (#3365) fix(events): allow adding same target to rule multiple times (#3353) feat(cloudformation): update to Resource Specification v4.2.0 (#3351) ...
Fixes an incomplete default resource policy, issue reference #3458. Adds additional permissions to allow S3 write operations.
eladb
approved these changes
Jul 29, 2019
Also missed it in one of the test that was formatted wide.
…andy/aws-kms * 'IPyandy/aws-kms' of github.com:ipyandy/aws-cdk: feat(ecs): support secret environment variables (#2994)
Not sure why local build+test passed with these missing
|
Build is failing... |
yea unfortunately I keep finding these dependencies only after the build fails once pushed. A local run of build+test pass. if there's something I'm missing for this to be found locally I'm all ears. right now I'm doing a search for anything in the |
RomainMuller
approved these changes
Jul 29, 2019
|
@IPyandy you might want to make a full-clean build, by running |
added 3 commits
July 29, 2019 11:47
Attempt to find all resource integ and unit tests that depend on the new resource policy for a kms key
…master * 'master' of https://github.com/awslabs/aws-cdk: chore: update package-lock.json (#3461) feat(ecs): make cluster and vpc optional for higher level constructs (#2773) feat(ecs): support secret environment variables (#2994)
eladb
suggested changes
Jul 29, 2019
packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
Outdated
Show resolved
Hide resolved
added 6 commits
July 29, 2019 13:26
this single line of code change, has turned out to be a pain.
It seems I had the files changed correctly to pass tests. What I didn't know was these files had to be pushed to repo in order for the tests to pass, since the tests source from remote. Sorry for all the back and forth commits.
This one was hard to track down since I was limiting the search to the packages/@aws-cdk folder and this was outside. local build completes 100% now
|
This one single line of code change has turned out to be quite a pain. This kms:GenerateDataKey action trickled into quite a few different packages. I did not expect so many dependencies for it. Local code builds from scratch 100% now, hopefully, the codebuild and travisci stages pass now. |
eladb
approved these changes
Jul 30, 2019
|
Thanks for this @IPyandy |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #3458 where incomplete default resource policy for root account principal was generated and requiring a workaround.
See issue #3458 for the complete reference.
Please read the contribution guidelines and follow the pull-request checklist.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license