(diff): Support the --security-only option for nested stacks #30187

Open
1 of 2 tasks
sakurai-ryo opened this issue May 13, 2024 · 1 comment
Labels: effort/small (Small work item – less than a day of effort), feature-request (A feature should be added or improved.), p2, package/tools (Related to AWS CDK Tools or CLI)

Comments

@sakurai-ryo (Contributor)

Describe the feature

The diff command with the --security-only option prints only security changes.
Resources such as newly created S3 buckets are ignored.
However, this does not work for Nested Stacks.

For example, suppose we have a stack like this.

import { Stack, StackProps, NestedStack } from 'aws-cdk-lib';
import { Construct } from 'constructs';

// Parent stack: contains nothing but the nested stack.
export class CdkTestNestedStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new TestNestedStack(this, 'CdkTestNestedStack');
  }
}

// Nested stack: empty for now.
class TestNestedStack extends NestedStack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
  }
}

If you add an IAM Role to the parent stack, it is output as a diff.

export class CdkTestNestedStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

+   new iam.Role(this, 'Role', {
+     assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+   });

    new TestNestedStack(this, 'CdkTestNestedStack');
  }
}

class TestNestedStack extends NestedStack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
  }
}

$ cdk diff --security-only
Stack CdkTestNestedStack
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬─────────────┬────────┬────────────────┬──────────────────────────────┬───────────┐
│   │ Resource    │ Effect │ Action         │ Principal                    │ Condition │
├───┼─────────────┼────────┼────────────────┼──────────────────────────────┼───────────┤
│ + │ ${Role.Arn} │ Allow  │ sts:AssumeRole │ Service:lambda.amazonaws.com │           │
└───┴─────────────┴────────┴────────────────┴──────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)


✨  Number of stacks with differences: 1

However, if it is added to a Nested Stack, it is not printed as a diff.

export class CdkTestNestedStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new TestNestedStack(this, 'CdkTestNestedStack');
  }
}

class TestNestedStack extends NestedStack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
+  new iam.Role(this, 'Role', {
+    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+  });
  }
}

$ cdk diff --security-only
Stack CdkTestNestedStack

✨  Number of stacks with differences: 0

Use Case

A case where you want to check only the security-related changes made in Nested Stacks.

Proposed Solution

Code needs to be added to the printSecurityDiff function to check the diff of Nested Stacks.

export function printSecurityDiff(

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.141.0

Environment details (OS name and version, etc.)

MacOS
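
The behaviour the issue reports comes down to where the security scan stops: a scan that looks only at the parent template never sees a role added inside the nested stack's template. The following is an added example, not code from the aws-cdk project or from the issue author: a minimal "security-only" diff over a CloudFormation template tree, with a `recurse` switch that reproduces the parent-only behaviour described above and the nested-aware behaviour the feature request asks for. CDK renders a NestedStack as an AWS::CloudFormation::Stack resource whose template is a separate asset file; to keep the example runnable offline, the child template is attached inline under a hypothetical `NestedTemplate` key, the list of security-relevant resource types is a simplified assumption (the real CLI classifies IAM statements and security-group rules), and the sample templates are constructed to mirror the issue's scenario.

```typescript
// Added example, not aws-cdk code: a minimal "security-only" diff that walks into nested stacks.
// CDK renders a NestedStack as an AWS::CloudFormation::Stack resource whose template is a separate
// asset file; to run offline, the child template is attached inline under the hypothetical key
// `NestedTemplate`.

interface Template { Resources?: { [logicalId: string]: Resource } }
interface Resource {
  Type: string;
  Properties?: { [key: string]: unknown };
  NestedTemplate?: Template; // hypothetical inline child template (see above)
}

// Resource types treated as security-relevant. Simplified for the example: the real CLI
// classifies IAM statements and security-group rules, not whole resource types.
const SECURITY_TYPES: { [type: string]: boolean } = {
  'AWS::IAM::Role': true, 'AWS::IAM::Policy': true, 'AWS::IAM::ManagedPolicy': true,
  'AWS::EC2::SecurityGroup': true, 'AWS::EC2::SecurityGroupIngress': true, 'AWS::EC2::SecurityGroupEgress': true,
};

// Collects security-relevant resources keyed by path ("NestedStackLogicalId/LogicalId").
// recurse=false scans the parent template only (the behaviour the issue reports);
// recurse=true follows each AWS::CloudFormation::Stack into its nested template.
function collectSecurityResources(template: Template, recurse: boolean, prefix = ''): { [path: string]: Resource } {
  const found: { [path: string]: Resource } = {};
  const resources = template.Resources || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    const path = prefix ? `${prefix}/${logicalId}` : logicalId;
    if (SECURITY_TYPES[res.Type]) {
      found[path] = res;
    }
    if (recurse && res.Type === 'AWS::CloudFormation::Stack' && res.NestedTemplate) {
      const nested = collectSecurityResources(res.NestedTemplate, recurse, path);
      for (const nestedPath of Object.keys(nested)) {
        found[nestedPath] = nested[nestedPath];
      }
    }
  }
  return found;
}

interface SecurityDiff { added: string[]; removed: string[]; changed: string[] }

// Compares two template trees and reports added, removed and modified security resources.
function securityDiff(oldTemplate: Template, newTemplate: Template, recurse: boolean): SecurityDiff {
  const before = collectSecurityResources(oldTemplate, recurse);
  const after = collectSecurityResources(newTemplate, recurse);
  const diff: SecurityDiff = { added: [], removed: [], changed: [] };
  for (const path of Object.keys(after)) {
    if (!(path in before)) {
      diff.added.push(path);
    } else if (JSON.stringify(before[path].Properties) !== JSON.stringify(after[path].Properties)) {
      diff.changed.push(path);
    }
  }
  for (const path of Object.keys(before)) {
    if (!(path in after)) {
      diff.removed.push(path);
    }
  }
  return diff;
}

// Constructed sample templates modelled on the issue: the parent holds only the nested stack;
// the new revision adds an IAM Role assumable by Lambda inside the nested stack.
const lambdaRole: Resource = {
  Type: 'AWS::IAM::Role',
  Properties: {
    AssumeRolePolicyDocument: {
      Version: '2012-10-17',
      Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { Service: 'lambda.amazonaws.com' } }],
    },
  },
};
const oldParent: Template = {
  Resources: {
    CdkTestNestedStackNestedStackResource: { Type: 'AWS::CloudFormation::Stack', NestedTemplate: { Resources: {} } },
  },
};
const newParent: Template = {
  Resources: {
    CdkTestNestedStackNestedStackResource: { Type: 'AWS::CloudFormation::Stack', NestedTemplate: { Resources: { Role: lambdaRole } } },
  },
};

// parentOnly mirrors the reported output (0 differences); withNested surfaces the new role.
function demo(): { parentOnly: SecurityDiff; withNested: SecurityDiff } {
  return {
    parentOnly: securityDiff(oldParent, newParent, false),
    withNested: securityDiff(oldParent, newParent, true),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints an empty diff for the parent-only scan and one added entry, `CdkTestNestedStackNestedStackResource/Role`, for the recursive scan. The path prefix matters in practice: two nested stacks can each contain a resource with the logical ID `Role`, so a nested-aware security diff has to key findings by the full nested-stack path rather than by logical ID alone.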

@sakurai-ryo sakurai-ryo added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 13, 2024
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label May 13, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels May 13, 2024
@khushail khushail self-assigned this May 13, 2024
@khushail (Contributor)

Hi @sakurai-ryo, thanks for reaching out.

I am able to repro the issue and can confirm that cdk diff --security-only does not work with nested stack updates.
However, I also tried running the cdk diff command alone, and that also did not produce the nested stack changes for me.
I see various past GitHub issues were created for the same problem, and many attempts to get the issue resolved, although yours is related to the --security-only option.

Past issues and PRs -
#5722
https://github.com/aws/aws-cdk/pull/18207/files
#19618
#19224

Since you are asking for an additional parameter for the command, please feel free to submit a PR. The team would be happy to review it.

@khushail khushail added p2 effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels May 13, 2024
@khushail khushail removed their assignment May 13, 2024
Development

No branches or pull requests

2 participants