Serverless canary creates IAM role resource if Role property is not provided + Policies property added #2107
Conversation
…ode review changes
… made name lower case to follow synthetics canary requirements
Co-authored-by: Chris Rehn <crehn@outlook.com>
…S3Location property
…rovided + Policies property added
aaythapa
changed the title
Codecov Report
@@ Coverage Diff @@
## feat/sam-canary #2107 +/- ##
==================================================
Coverage ? 94.01%
==================================================
Files ? 93
Lines ? 6348
Branches ? 1278
==================================================
Hits ? 5968
Misses ? 175
Partials ? 205 Continue to review full report at Codecov.
|
samtranslator/model/iam.py
Outdated
| @@ -129,3 +129,45 @@ def lambda_invoke_function_role_policy(cls, function_arn, logical_id): | |||
| }, | |||
| } | |||
| return document | |||
|
|
|||
| @classmethod | |||
| def execute_canary_policy(cls, logical_id, result_bucket, canary_name): | |||
There was a problem hiding this comment.
Some documentation on what this method do.
There was a problem hiding this comment.
Also we can make the method naming consistent with others above: <service>-<action>-policy.
samtranslator/model/sam_resources.py
Outdated
| if synthetics_canary.ArtifactS3Location is None: | ||
|
|
||
| artifact_bucket_name = "" | ||
| if self.ArtifactS3Location is None: |
There was a problem hiding this comment.
Why did this change from synthetics_canary.ArtifactS3Location to self.ArtifactS3Location?
There was a problem hiding this comment.
to keep it consistent with the other times that I check whether or not a property is None. Like for example later in the code is check for self.Tracing and self.VpcConfig
samtranslator/model/sam_resources.py
Outdated
| :rtype: model.iam.IAMRole | ||
| """ | ||
|
|
||
| assume_role_policy_document = IAMRolePolicies.lambda_assume_role_policy() |
There was a problem hiding this comment.
So this feels like user have no way to override this. In SAM Function we have a property AssumeRolePolicyDocument which allows user to override this. Can we do similar to that?
For more context if user want to have more protection by adding condition for account ID check they can do that without AssumeRolePolicyDocument
| # if user has defined Policies property, those policies will be appended to this role | ||
| function_policies = ResourcePolicies( | ||
| {"Policies": self.Policies}, | ||
| # No support for policy templates in the "core" |
There was a problem hiding this comment.
the No support for policy templates in the "core"? Not too sure, it was included in the other places where ResourcePolicies is used so I included it here just in case
samtranslator/model/iam.py
Outdated
| @classmethod | ||
| def execute_canary_policy(cls, logical_id, result_bucket, canary_name): | ||
| document = { | ||
| "PolicyName": logical_id + "CanaryPolicy", |
There was a problem hiding this comment.
Can we split this into 3 methods, one for each statement?
samtranslator/model/iam.py
Outdated
| @@ -129,3 +129,45 @@ def lambda_invoke_function_role_policy(cls, function_arn, logical_id): | |||
| }, | |||
| } | |||
| return document | |||
|
|
|||
| @classmethod | |||
| def execute_canary_policy(cls, logical_id, result_bucket, canary_name): | |||
There was a problem hiding this comment.
Also we can make the method naming consistent with others above: <service>-<action>-policy.
samtranslator/model/iam.py
Outdated
| "Fn::Join": [ | ||
| "", | ||
| [ | ||
| { | ||
| "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${" | ||
| "AWS::AccountId}:log-group:/${AWS::Partition}/lambda/cwsyn-" | ||
| }, | ||
| canary_name, | ||
| "-*", | ||
| ], | ||
| ] |
There was a problem hiding this comment.
Is there a reason we don't put canary_name into the Fn::Sub string? (removing Join)
There was a problem hiding this comment.
did some more testing on the logs and turns out the canary name is not even needed. Will take it out and take out the Fn::Join as well
samtranslator/model/sam_resources.py
Outdated
| """Constructs a Role based on this SAM Canaries's Policies and ArtifactS3Location property. | ||
There was a problem hiding this comment.
could use more comments here to explain what is happening here (what polices will be added in what scenario)
| # The policy to execute the canary is only added to the role if the user hasn't defined ArtifactS3Location | ||
| # this emulates CloudWatch Synthetics Canary dashboard's behavior | ||
| policy_documents = [] | ||
| if self.ArtifactS3Location is None: |
There was a problem hiding this comment.
nit: We didn't use if self.Tracing is not None above, to keep consistent, can we use if not self.ArtifactS3Location: here?
| { | ||
| "Effect": "Allow", | ||
| "Action": "cloudwatch:PutMetricData", | ||
| "Resource": "*", |
There was a problem hiding this comment.
Is there a way to be more specific about the resource? (or the condition below is enough)
There was a problem hiding this comment.
the condition should be enough, its the same one used by cloudwatch dashboard when you generate a role policy through there
There was a problem hiding this comment.
I don't think that is Sam meant about Resources. To answer Sam's question we allow Canary Lambda to putmetricdata so that the integration to publishing metrics is not very brittle. Another approach could be that metric data is created and only permission to those will be granted. But every time we require to publish new metric we have to update it. Plus I couldn't find any way to create metric data using CFN, so it might have to be done by hand. This is similar to LambdaBasicExecution permission for logs.
samtranslator/model/sam_resources.py
Outdated
| role_attributes = self.get_passthrough_resource_attributes() | ||
| if self.AssumeRolePolicyDocument is not None: |
There was a problem hiding this comment.
nit: Use if self.AssumeRolePolicyDocument:
| } | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
nit: Add an extra line at the end of the file
| { | ||
| "Effect": "Allow", | ||
| "Action": "cloudwatch:PutMetricData", | ||
| "Resource": "*", |
There was a problem hiding this comment.
I don't think that is Sam meant about Resources. To answer Sam's question we allow Canary Lambda to putmetricdata so that the integration to publishing metrics is not very brittle. Another approach could be that metric data is created and only permission to those will be granted. But every time we require to publish new metric we have to update it. Plus I couldn't find any way to create metric data using CFN, so it might have to be done by hand. This is similar to LambdaBasicExecution permission for logs.
Issue #, if available:
Description of changes:
Description of how you validated changes:
Checklist:
make prpassesExamples?
Please reach out in the comments, if you want to add an example. Examples will be
added to
sam initthrough https://github.com/awslabs/aws-sam-cli-app-templates/By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.