Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(aws-s3-sns): created new construct #849

Merged
merged 21 commits into from
Dec 4, 2022
Merged

feat(aws-s3-sns): created new construct #849

merged 21 commits into from
Dec 4, 2022

Conversation

georgebearden
Copy link
Contributor

Issue #, if available:
N/A

Description of changes:
README for the new aws-s3-sns construct

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: 51db29c
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: ee52701
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

@biffgaut biffgaut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think .gitkeep should be checked in to Github.

@georgebearden
Copy link
Contributor Author

The aws-s3-sns construct has 100% line coverage for unit tests, and respective integration tests. I've deployed each integration test case and validated the events are actually published to the destination SNS Topic.

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: adf993d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

@biffgaut biffgaut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looked at all files, but stopped about 1/3 of the way through the unit tests. Look through the rest of the tests and apply my comments that we need to ensure the correctness of what is created, not just the existence of what was created.


if (props.enableEncryptionWithCustomerManagedKey === undefined ||
props.enableEncryptionWithCustomerManagedKey === true) {
enableEncryptionParam = true;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just using

if (props.enableEncryptionWithCustomerManagedKey !== false)

directly in the code achieves the same result without hiding the meaning within another variable. Could even:

if (props.enableEncryptionWithCustomerManagedKey !== false) // default to true

for clarity

(quick code snippet from Typescript Playground for proof:

interface test {
    attrib?: boolean
}

let testValue: test;

testValue = { attrib: false };

if (testValue.attrib !== false) {
    console.log('attrib: false, incorrect');
} else {;
    console.log('attrib: false, correct')
}

testValue = {};

if (testValue.attrib !== false) {
    console.log('attrib: undefined, correct');
} else {;
    console.log('attrib: undefined, incorrect')
}

testValue = { attrib: true };

if (testValue.attrib !== false) {
    console.log('attrib: true, correct');
} else {;
    console.log('attrib: true, incorrect')
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait - all we do is pass this to an optional prop attribute on BuildTopicProps? Why not just handle this default inside of BuildTopicProps? That ensures consistent behavior across constructs better than code reviews that check if each construct is using the correct default value.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do on the simplified if logic.

Regarding the default value- I'd love to do that, but, unfortunately the sns-helper defaults the value to False, which is not overridden in other constructs, so we would be changing the behavior there as well. Specifically, the following constructs keep the default as False - aws-fargate-sns, aws-lambda-sns, aws-sns-lambda.

Let me know how you would prefer to proceed, leaving it alone, or updating it as described. If updating the default to True, which will use a CMK results in a better security posture anyway, then maybe we should do it for both consistency and security's sake.

this.s3BucketInterface = bucket;

// Setup the topic
[this.snsTopic, this.encryptionKey] = defaults.buildTopic(this, {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really hate how dependent we are becoming on this paradigm of returning an array of anonymous values (there's a lot more of this in firehose-s3).

I think we need to start considering defining an interface for return values from our build* functions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I love that idea too. I'd prefer to keep this PR for the new construct and then do that refactor as a quick follow-up. I've created #853 to track it.

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: 70e8994
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: fa4eb4b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

'kms:GenerateDataKey*',
);
}
this.encryptionKey?.grant(new iam.ServicePrincipal("s3.amazonaws.com"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if the topic is not encrypted and this.encryptionKey is undefined, won't this break?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is using optional chaining in typescript, so if encryptionKey evaluates to null, it will immediately stop running the expression.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've created a new set of unit/integ tests to prove it out.

const cmk = defaults.buildEncryptionKey(stack);
const cmk = defaults.buildEncryptionKey(stack, {
description: 'existing-key-description'
});
const [ existingTopicObj ] = defaults.buildTopic(stack, {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on my comment above, we need a test with an unencrypted topic and no key to prove to me that the code I flagged will not break.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've created a new set of unit/integ tests to prove it out.

* @param description The value of the Description property on the CloudFormation Resource
* @returns The Logical ID of the found resource
*/
export function getResourceLogicalIdFromDescription(stack: Stack, resourceType: string, description: string): string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Splitting the execution of these tests between this function and then checking the resulting logical ID in the test itself hides the extra level of confirmation. Let's expand this function to perform the entire "Is the resource we expect actually attached to the correct parent resource" check in one place:

function expectKmsKeyAttachedToCorrectResource(
  stack: Stack,
  parentResourceType: string,
  keyDescription: string) {

    // Find the unique KMS key we expect to be in
    // in the stack
    const template = Template.fromStack(stack);
    const resource = template.findResources('AWS::KMS::Key', {
      Properties: {
        Description: Match.exact(keyDescription)
      }
    });
    const [     const [ keyResourceId ] = Object.keys(resource); ] = Object.keys(resource);
  
    // Confirm that the key is attached to the
    // parent resource we expect
    expect(stack).toHaveResource(parentResourceType, {
      KmsMasterKeyId: {
        "Fn::GetAtt": [
          keyResourceId,
          "Arn"
        ]
      }
    });
   
  }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion - Updated in latest revision.

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: 3ffe4b1
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: d330ada
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: 7048e3f
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: 1f6d9bc
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@biffgaut biffgaut merged commit 3e5da92 into main Dec 4, 2022
@biffgaut biffgaut deleted the aws-s3-sns branch December 4, 2022 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants