Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for AgentPermissions in CloudFormation (Schema + CreateHandler) #10

Merged
merged 6 commits into from
May 26, 2020
Merged

Add support for AgentPermissions in CloudFormation (Schema + CreateHandler) #10

merged 6 commits into from
May 26, 2020

Conversation

mirelap-amazon
Copy link
Contributor

@mirelap-amazon mirelap-amazon commented May 19, 2020
edited
Loading

Screenshot 2020-05-21 at 11 03 42

Screenshot 2020-05-21 at 11 04 10

Screenshot 2020-05-21 at 11 04 25

Issue #, if available:

Description of changes:
This includes updates for the schema, to the CreateHandler resource and its related unit test.

Testing was done as suggested in the README.md file. See the screenshots for more details.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

gimki
gimki suggested changes May 19, 2020
View reviewed changes
Copy link
Contributor

@gimki gimki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make sure it is handling the edge case when PG has been created successfully but putPermission failed.

...filinggroup/src/main/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandler.java Outdated Show resolved Hide resolved
...filinggroup/src/main/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandler.java Outdated Show resolved Hide resolved
aws-codeguruprofiler-profilinggroup/sample-template.json Outdated Show resolved Hide resolved
aws-codeguruprofiler-profilinggroup/sample-template.json Outdated Show resolved Hide resolved
...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Outdated Show resolved Hide resolved
...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Outdated Show resolved Hide resolved
ivoanjo
ivoanjo suggested changes May 19, 2020
View reviewed changes
Copy link
Contributor

@ivoanjo ivoanjo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tiniest of tiniest of notes: We usually never end commit titles with "." :)

aws-codeguruprofiler-profilinggroup/aws-codeguruprofiler-profilinggroup.json Outdated
@@ -16,6 +20,33 @@
"maxLength": 255,
"pattern": "^[\\w-]+$"
},
"Permissions": {
"description": "The permissions attached for this profiling group.",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"description": "The permissions attached for this profiling group.",
"description": "The permissions attached to this profiling group.",

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I will update.

aws-codeguruprofiler-profilinggroup/aws-codeguruprofiler-profilinggroup.json Outdated
Comment on lines 25 to 47
"type": "object",
"additionalProperties": false,
"required": [
"AgentPermissions"
],
"properties": {
"AgentPermissions": {
"type": "object",
"description": "The permissions for the agent.",
"additionalProperties": false,
"required": [
"Principals"
],
"properties": {
"Principals": {
"description": "The principals for the agent permissions.",
"type": "array",
"items": {
"$ref": "#/definitions/ArnIam"
}
}
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This structure seems quite deep:

{
  "Type": "AWS::CodeGuruProfiler::ProfilingGroup",
  "Properties": {
    "ProfilingGroupName": "some-profiling-group",
    "Permissions": {
      "AgentPermissions": {
        "Principals": ["...list of principals... "]
      }
    }
  }
}

What do you think of making it a little more flatter by going with

{
  "Type": "AWS::CodeGuruProfiler::ProfilingGroup",
  "Properties": {
    "ProfilingGroupName": "some-profiling-group",
    "Permissions": [
      {
        "ActionGroup": "agentPermissions",
        "Principals": ["...list of principals..."]
      }
    ]
  }
}

or

{
  "Type": "AWS::CodeGuruProfiler::ProfilingGroup",
  "Properties": {
    "ProfilingGroupName": "some-profiling-group",
    "AgentPermissions": {
      "Principals": ["...list of principals... "]
    }
  }
}

?

Cloudformation is already quite verbose, so the more lightweight we can make it, the better :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I will update the code with having AgentPermissions as first-level property, thanks.

aws-codeguruprofiler-profilinggroup/aws-codeguruprofiler-profilinggroup.json Outdated
@@ -26,7 +57,8 @@
},
"additionalProperties": false,
"required": [
"ProfilingGroupName"
"ProfilingGroupName",
"Permissions"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems potentially problematic -- what happens to existing customers that have cloudformation written without specifying permissions?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It makes sense, I will update then the code for Permissions to not be required, thanks.

aws-codeguruprofiler-profilinggroup/pom.xml Outdated
Comment on lines 79 to 89
<dependencyManagement>
<dependencies>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>bom</artifactId>
<version>2.13.16</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be nice to see this change in a separate commit and with an explanation of what it does, so that it would be clear and we could refer to it in the future.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was later extracted by @gimki as part of PR #11.

@gimki gimki mentioned this pull request May 20, 2020
Merged
@mirelap-amazon mirelap-amazon requested review from ivoanjo and gimki May 20, 2020 18:10
@mirelap-amazon mirelap-amazon changed the title Add support for AgentPermissions in CloudFormation. Add support for AgentPermissions in CloudFormation (Schema + CreateHandler) May 20, 2020
ivoanjo
ivoanjo reviewed May 21, 2020
View reviewed changes
Copy link
Contributor

@ivoanjo ivoanjo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! I've left a bunch of comments regarding code style and small improvements, and I think we're almost good to go.

...filinggroup/src/main/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandler.java Outdated Show resolved Hide resolved
...filinggroup/src/main/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandler.java Outdated Show resolved Hide resolved
...filinggroup/src/main/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandler.java Outdated Show resolved Hide resolved
...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Outdated Show resolved Hide resolved
...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Show resolved Hide resolved
...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Outdated
Comment on lines 69 to 71
proxy = mock(AmazonWebServicesClientProxy.class);
logger = mock(Logger.class);

request = makeValidRequest();
subject = new CreateHandler();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: All of these can be inlined with the filed declaration itself.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, thanks, I will update.

...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Outdated Show resolved Hide resolved
...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Outdated Show resolved Hide resolved
...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Outdated Show resolved Hide resolved
...nggroup/src/test/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandlerTest.java Outdated Show resolved Hide resolved
@mirelap-amazon mirelap-amazon requested review from ivoanjo and gimki May 23, 2020 10:09
@gimki gimki self-assigned this May 26, 2020
ivoanjo
ivoanjo approved these changes May 26, 2020
View reviewed changes
Copy link
Contributor

@ivoanjo ivoanjo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM 👍

@gimki gimki changed the base branch from master to resource-auth May 26, 2020 13:10
@gimki gimki merged commit ee0cbc5 into aws-cloudformation:resource-auth May 26, 2020
@gimki gimki mentioned this pull request May 27, 2020
Merged
PatMyron
PatMyron reviewed Jun 10, 2020
View reviewed changes
aws-codeguruprofiler-profilinggroup/aws-codeguruprofiler-profilinggroup.json
},
"ArnIam": {
"type": "string",
"pattern": "^arn:aws(-(cn|gov))?:iam::([0-9]{12}):[^.]+$"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The GovCloud partition is incorrect and the isolated partitions are missing in the current Arn definitions

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking into it in #19

ivoanjo added a commit that referenced this pull request Jul 16, 2020
@ivoanjo
Fix and improve patterns used for ARN validation
969f85b 
As pointed out by @PatMyron
[in this comment](#10 (comment))
our regular expression patterns for validating arns were missing quite
a few partitions.

I've gone ahead and fixed that, adding tests as well.

I also did the following extra changes:

* Made the pattern used for ProfilingGroupArns more specific
* Tweaked the pattern used for ChannelUri to allow Arns without
  region
@ivoanjo ivoanjo mentioned this pull request Jul 16, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PatMyron PatMyron PatMyron left review comments

@ivoanjo ivoanjo ivoanjo approved these changes

@gimki gimki gimki approved these changes

Assignees

@gimki gimki

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mirelap-amazon @ivoanjo @PatMyron @gimki