Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support private HTTP template URLs #39

Merged
merged 2 commits into from
Dec 22, 2017
Merged

Support private HTTP template URLs #39

merged 2 commits into from
Dec 22, 2017

Conversation

jpb
Copy link
Contributor

@jpb jpb commented Dec 19, 2017

Use signed URL for http/https Templates to support non-public readable templates hosted on S3.

@jpb jpb force-pushed the private-http-template-url branch from ba744d1 to f9919d8 Compare December 19, 2017 22:43
ghost
ghost approved these changes Dec 20, 2017
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

tavisrudd
tavisrudd reviewed Dec 21, 2017
View reviewed changes
src/cfn/index.ts Outdated
@@ -546,6 +582,11 @@ async function loadCFNTemplate(location: string, baseLocation: string):
if (_.isUndefined(location)) {
return {};
}
if (location.match(/^http/) !== null) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if the location is already a signed s3 url (possibly from a different account)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I can tell, S3 doesn't support signature v2 which has a maximum one year expiry. Signature v4 has a maximum 7 day expiry. Given that signed URLs have such a short lifetime, I don't think this is an edge case we need to support right now. I think a better solution would be to give the current IAM principal access to the other account's bucket or just use a bucket in the same account.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regardless of the expiration issue, I think we need to respect that other tooling might be passing one in. A check for Signature= in the location would suffice to handle that case.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also add a comment explaining why we're checking / rewriting the URL here and how this use case is different from the s3://... url rewrite that this function does on lines 601-608.

@garbles
Copy link

garbles commented Dec 22, 2017

Seems good

@tavisrudd tavisrudd merged commit 8a79833 into master Dec 22, 2017
@tavisrudd tavisrudd deleted the private-http-template-url branch December 22, 2017 21:46
@jpb
Copy link
Contributor Author

jpb commented Jan 15, 2018

It looks like this introduced a bug for rendered templates - Template: render:stack.yaml produces the error:

error: Your cloudformation Template from stack.yaml appears to use iidy's yaml pre-processor syntax.
 You need to prefix the template location with "render:".
 e.g.   Template: "render:stack.yaml"

tavisrudd added a commit that referenced this pull request Jan 15, 2018
@tavisrudd
fix bug introduced PR #39: bad pre-processor detection logic
f702264
tavisrudd added a commit that referenced this pull request Jan 15, 2018
@tavisrudd
fix bug introduced PR #39: bad pre-processor detection logic
cecd065
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tavisrudd tavisrudd tavisrudd left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jpb @garbles @tavisrudd