RFC: missing security-impacting changes from cdk diff "scrutiny report" #1299
Comments
|
Here's a known list of resources that are not currently included in the diff:
|
eladb
changed the title
eladb
added
enhancement
package/tools
srchase
added
feature-request
|
I like this in principal, but is there a way to opt out? Sometimes I'm working on a dev setup, and it takes ~15-20 minutes to run all of my cdk deployments. Having to sit there and hit 'y' is actually quite a pain, and really slows me down. If I could run the deployment script I have and walk away from the computer, it would be great. A flag like --accept-scrutiny-report would be really helpful for me. |
|
@insanitybit |
|
That looks like it'd be exactly what I want, thanks. |
|
Resolving, as I think @insanitybit got the info they needed, feel free to re-open if not. |
|
"CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:" My concern is more general than security related ( I am thinking to ask here 1st, maybe I am missing something ): I like seeing the changes in console using oups - just noticed this has been closed ... |
|
Still relevant. Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us? Although the issue is closed, the conversation is not locked. |
|
Using CfnInclude with template |
|
It is not @gmiretti .... would you mind opening us a separate issue about this? |
|
Bug reported as #8683 |
Thanks! |
It is sometimes useful to see the delta between the current branch and the CODE CloudFormation stack.
This change allows us to run:
```bash
npm -w cdk run diff:code
```
to yield something like this:
```console
Stack ServiceCatalogue-CODE (deploy-CODE-service-catalogue)
Creating a change set, this may take a while...
IAM Policy Changes
┌───┬─────────────────────────────────────┬────────────────────────────────────────┐
│ │ Resource │ Managed Policy ARN │
├───┼─────────────────────────────────────┼────────────────────────────────────────┤
│ - │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/ReadOnlyAccess │
└───┴─────────────────────────────────────┴────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)
Resources
[~] AWS::IAM::Role steampipeTaskDefinition/TaskRole steampipeTaskDefinitionTaskRole8DC44379
└─ [-] ManagedPolicyArns
└─ ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
[~] AWS::ECS::TaskDefinition steampipeTaskDefinition steampipeTaskDefinition767BA166 replace
└─ [~] ContainerDefinitions (requires replacement)
└─ @@ -11,7 +11,7 @@
[ ] "App": "service-catalogue"
[ ] },
[ ] "Essential": true,
[-] "Image": "ghcr.io/guardian/service-catalogue/steampipe:2",
[+] "Image": "ghcr.io/guardian/service-catalogue/steampipe:1",
[ ] "LogConfiguration": {
[ ] "LogDriver": "awsfirelens",
[ ] "Options": {
✨ Number of stacks with differences: 1
```
It is sometimes useful to see the delta between the current branch and the CODE CloudFormation stack.
This change allows us to run:
```bash
npm -w cdk run diff:code
```
to yield something like this:
```console
Stack ServiceCatalogue-CODE (deploy-CODE-service-catalogue)
Creating a change set, this may take a while...
IAM Policy Changes
┌───┬─────────────────────────────────────┬────────────────────────────────────────┐
│ │ Resource │ Managed Policy ARN │
├───┼─────────────────────────────────────┼────────────────────────────────────────┤
│ - │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/ReadOnlyAccess │
└───┴─────────────────────────────────────┴────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)
Resources
[~] AWS::IAM::Role steampipeTaskDefinition/TaskRole steampipeTaskDefinitionTaskRole8DC44379
└─ [-] ManagedPolicyArns
└─ ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
[~] AWS::ECS::TaskDefinition steampipeTaskDefinition steampipeTaskDefinition767BA166 replace
└─ [~] ContainerDefinitions (requires replacement)
└─ @@ -11,7 +11,7 @@
[ ] "App": "service-catalogue"
[ ] },
[ ] "Essential": true,
[-] "Image": "ghcr.io/guardian/service-catalogue/steampipe:2",
[+] "Image": "ghcr.io/guardian/service-catalogue/steampipe:1",
[ ] "LogConfiguration": {
[ ] "LogDriver": "awsfirelens",
[ ] "Options": {
✨ Number of stacks with differences: 1
```
|
Is this still relevant? I am seeing this issue linked in |
|
I'm using CDK version 2.158.0 and for me this message still appears. |
|
Guys I am now at |
Summary
CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:
Request for comments
Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us?
The text was updated successfully, but these errors were encountered: