chore: add support for IAM Identity Center in security diff #1052
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Are there any tests that can be added here? |
I believe there are no tests for scrutinies in this package because they're tested in the |
|
@aws-cdk/aws-service-spec: Model database diff detected |
comcalvi
approved these changes
Apr 30, 2024
mergify bot
pushed a commit
to aws/aws-cdk
that referenced
this pull request
May 2, 2024
### Issue # (if applicable) Closes #29835 ### Reason for this change IAM Identity Center resources were ignored in the security diff ### Description of changes * Adds the IAM Identity Center resources to CDK diff * fixes not presenting property changes when a resource is removed from the template ### Description of how you validated changes * Added unit tests and integration tests. * Ran the integration tests that mention cdk diff (`bin/run-suite -a cli-integ-tests -t 'cdk diff'`): ``` Test Suites: 2 skipped, 1 passed, 1 of 3 total Tests: 90 skipped, 13 passed, 103 total Snapshots: 0 total Time: 312.397 s Ran all test suites with tests matching "cdk diff": ``` ### Dependent PRs * Before this change can be merged, this change cdklabs/awscdk-service-spec#1052 must be merged. ### Checklist - [Y] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
rix0rrr
pushed a commit
to aws/aws-cdk-cli-testing
that referenced
this pull request
Dec 24, 2024
### Issue # (if applicable) Closes #29835 ### Reason for this change IAM Identity Center resources were ignored in the security diff ### Description of changes * Adds the IAM Identity Center resources to CDK diff * fixes not presenting property changes when a resource is removed from the template ### Description of how you validated changes * Added unit tests and integration tests. * Ran the integration tests that mention cdk diff (`bin/run-suite -a cli-integ-tests -t 'cdk diff'`): ``` Test Suites: 2 skipped, 1 passed, 1 of 3 total Tests: 90 skipped, 13 passed, 103 total Snapshots: 0 total Time: 312.397 s Ran all test suites with tests matching "cdk diff": ``` ### Dependent PRs * Before this change can be merged, this change cdklabs/awscdk-service-spec#1052 must be merged. ### Checklist - [Y] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For issue aws/aws-cdk#29835
This is the first of 2 PRs. The other PR will be to the main aws-cdk repository.
Notice that AWS::SSO::PermissionSet has a property called
ManagedPolicies. That's why I add that property check. And judging by the db.json that we create in this package (the service spec), AWS::SSO::PermissionSet is the only resource with that property name:AWS::SSO is the IAM Identity Center, and therefore changes to AWS SSO resources are security sensitive. Hence the issue.
Testing
As you'll see in the next pull request, I have integration tests for this change