fix(pipelines): policy size too large at around ~70 actions #20189
Closed
Conversation
Two changes:

- Collapse CodeBuild action Roles: each CodeBuild step used to create a fresh Role to run the CodeBuild action. Change to use one Role for all CodeBuild actions. This saves a lot of resources and policy space when using a lot of CodeBuild steps, and doesn't appreciably change the security posture of the Pipeline (note: this is *not* about the Execution Role of the CodeBuild projects, this is about the Role assumed by the Pipeline to initiate execution of the Project).
- If inline policies grow bigger than 10k, split additional statements off into ManagedPolicies. Since we want to do the splitting post-merging (to get the most bang for our buck), we now need to do statement merging during the `prepare` phase (that is, pre-rendering, instead of post-rendering). That means it had to be modified to work on `PolicyStatement` objects, instead of on raw IAM JSON documents. This requires being able to deduplicate principals at the object graph level as well, so we need to be able to compare them.

Closes #19276, closes #19939, closes #19835.
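As an added example (not code from this PR or from aws-cdk), the merge-then-split order the second change describes, on plain IAM statement objects: statements that differ only in `Action` are merged first, principals are compared structurally rather than by object identity, and only then is the merged list cut into documents under a byte limit. The `Statement` shape, the `maxBytes` parameter, the greedy packing and the sample project ARNs are assumptions made for the example.

```typescript
// Added example, not aws-cdk code: merge IAM statements at the object level, then
// split the merged list so no rendered document exceeds a byte limit.
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
  Principal?: { [kind: string]: string[] }; // e.g. { Service: ["..."] }
}
// Canonical key of everything except Action; principals are compared structurally.
function mergeKey(s: Statement): string {
  const p = s.Principal;
  const principal = p ? Object.keys(p).sort().map((k) => k + "=" + p[k].slice().sort().join(",")).join(";") : "";
  return s.Effect + "|" + s.Resource.slice().sort().join(",") + "|" + principal;
}
// Statements with equal keys merge into one holding the sorted union of their actions.
function mergeStatements(statements: Statement[]): Statement[] {
  const byKey: { [key: string]: Statement } = {};
  const order: string[] = []; // first-seen order, so output is deterministic
  for (const s of statements) {
    const key = mergeKey(s);
    if (!byKey[key]) {
      byKey[key] = { ...s, Action: [] };
      order.push(key);
    }
    const union = byKey[key].Action.concat(s.Action);
    byKey[key].Action = union.filter((a, i) => union.indexOf(a) === i).sort();
  }
  return order.map((k) => byKey[k]);
}
// Size of the rendered document, which is what the IAM limit is measured on.
function documentSize(statements: Statement[]): number {
  return JSON.stringify({ Version: "2012-10-17", Statement: statements }).length;
}
// Greedily pack statements into documents of at most maxBytes: chunk 0 stays inline
// on the role, every later chunk would become one managed policy.
function splitStatements(statements: Statement[], maxBytes: number): Statement[][] {
  const chunks: Statement[][] = [];
  let current: Statement[] = [];
  for (const s of statements) {
    if (documentSize([s]) > maxBytes) throw new Error("single statement exceeds " + maxBytes + " bytes");
    if (current.length > 0 && documentSize(current.concat([s])) > maxBytes) { chunks.push(current); current = []; }
    current.push(s);
  }
  return current.length > 0 ? chunks.concat([current]) : chunks;
}
// Constructed sample: one statement per CodeBuild action, as a pipeline would emit them.
const allow = (action: string, project: string): Statement =>
  ({ Effect: "Allow", Action: [action], Resource: ["arn:aws:codebuild:us-east-1:111122223333:project/" + project] });
const SAMPLE: Statement[] = [allow("codebuild:StartBuild", "step-a"), allow("codebuild:BatchGetBuilds", "step-a"),
  allow("codebuild:StopBuild", "step-a"), allow("codebuild:StartBuild", "step-b")];
```

Splitting before merging would have cut across statements that could still be combined, which is why the merge has to move ahead of rendering.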
github-actions bot added the effort/medium label (Medium work item – several days of effort) on May 5, 2022.
rix0rrr added a commit that referenced this pull request on May 18, 2022:
(This change has been split off from #20189 because that PR was growing too big) Collapse CodeBuild action Roles: each CodeBuild step used to create a fresh Role to run the CodeBuild action. Change to use one Role for all CodeBuild actions. This saves a lot of resources and policy space when using many CodeBuild steps, and doesn't appreciably change the security posture of the Pipeline (note: this is not about the Execution Role of the CodeBuild projects, this is about the Role assumed by the Pipeline to initiate execution of the Project). Relates to #19276, #19939, #19835.
This PR was getting too big and has been split into 4 other PRs.
mergify bot pushed a commit that referenced this pull request on May 24, 2022:
(This change has been split off from #20189 because that PR was growing too big) Collapse CodeBuild action Roles: each CodeBuild step used to create a fresh Role to run the CodeBuild action. Change to use one Role for all CodeBuild actions. This saves a lot of resources and policy space when using many CodeBuild steps, and doesn't appreciably change the security posture of the Pipeline (note: this is not about the Execution Role of the CodeBuild projects, this is about the Role assumed by the Pipeline to initiate execution of the Project). Relates to #19276, #19939, #19835.

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Labels: bug (This issue is a bug.), contribution/core (This is a PR that came from AWS.), effort/medium (Medium work item – several days of effort), p1