fix: custom resources log sensitive ResponseURL field (#20976)

This is an automatic backport of pull request #20899 done by [Mergify](https://mergify.com). Cherry-pick of 6b4f92f has failed: ``` On branch mergify/bp/v1-main/pr-20899 Your branch is up to date with 'origin/v1-main'. You are currently cherry-picking commit 6b4f92f. (fix conflicts and run "git cherry-pick --continue") (use "git cherry-pick --skip" to skip this patch) (use "git cherry-pick --abort" to cancel the cherry-pick operation) Changes to be committed: modified: packages/@aws-cdk/aws-dynamodb/lib/replica-handler/index.ts modified: packages/@aws-cdk/aws-ecs-patterns/test/ec2/multiple-application-load-balanced-ecs-service.integ.snapshot/aws-ecs-integ.template.json modified: packages/@aws-cdk/aws-ecs-patterns/test/ec2/multiple-application-load-balanced-ecs-service.integ.snapshot/manifest.json modified: packages/@aws-cdk/aws-ecs-patterns/test/ec2/scheduled-ecs-task.lit.integ.snapshot/aws-ecs-integ-ecs.template.json modified: packages/@aws-cdk/aws-ecs/lib/drain-hook/lambda-source/index.py modified: packages/@aws-cdk/aws-ecs/test/ec2/app-mesh-proxy-config.integ.snapshot/aws-ecs-integ.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/bottlerocket.integ.snapshot/aws-ecs-integ-bottlerocket.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/capacity-provider.integ.snapshot/integ-ec2-capacity-provider.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/clb-host-nw.integ.snapshot/aws-ecs-integ.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/cloudmap-container-port.integ.snapshot/aws-ecs-integ.template.json deleted: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/asset.8ad7bbf8be94e05d569da95ddb82511dcc959f25054825394cbb86028ccd1b6a.zip deleted: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/asset.be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824/__entrypoint__.js deleted: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/asset.be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824/index.d.ts deleted: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/asset.be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824/index.js deleted: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/asset.be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824/index.ts modified: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/manifest.json modified: packages/@aws-cdk/aws-ecs/test/ec2/exec-command.integ.snapshot/aws-ecs-integ-exec-command.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/firelens-s3-config.integ.snapshot/aws-ecs-integ.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/graviton-bottlerocket.integ.snapshot/aws-ecs-integ.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/graviton.integ.snapshot/aws-ecs-integ.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/lb-awsvpc-nw.integ.snapshot/aws-ecs-integ.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/lb-bridge-nw.integ.snapshot/aws-ecs-integ-ecs.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/sd-awsvpc-nw.integ.snapshot/aws-ecs-integ-ecs.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/sd-bridge-nw.integ.snapshot/aws-ecs-integ-ecs.template.json modified: packages/@aws-cdk/aws-ecs/test/ec2/spot-drain.integ.snapshot/aws-ecs-integ-spot.template.json modified: packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py modified: packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py modified: packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py modified: packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py modified: packages/@aws-cdk/aws-eks/lib/kubectl-handler/get/__init__.py modified: packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py modified: packages/@aws-cdk/aws-eks/lib/kubectl-handler/index.py modified: packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py modified: packages/@aws-cdk/aws-events-targets/lib/aws-api-handler/index.ts modified: packages/@aws-cdk/aws-events-targets/test/ecs/event-ec2-task.lit.integ.snapshot/aws-ecs-integ-ecs.template.json modified: packages/@aws-cdk/aws-logs/lib/log-retention-provider/index.ts modified: packages/@aws-cdk/aws-stepfunctions-tasks/lib/eval-nodejs-handler/index.ts modified: packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/ec2-run-task.integ.snapshot/aws-sfn-tasks-ecs-ec2-integ.template.json modified: packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/ec2-task.integ.snapshot/aws-ecs-integ2.template.json modified: packages/@aws-cdk/custom-resources/lib/aws-custom-resource/runtime/index.ts modified: packages/@aws-cdk/custom-resources/lib/provider-framework/runtime/cfn-response.ts modified: packages/@aws-cdk/custom-resources/lib/provider-framework/runtime/framework.ts modified: packages/@aws-cdk/integ-tests/lib/assertions/providers/lambda-handler/base.ts modified: packages/@aws-cdk/triggers/lib/lambda/index.ts Unmerged paths: (use "git add/rm <file>..." as appropriate to mark resolution) deleted by us: packages/@aws-cdk/aws-dynamodb/test/global-replicas-provisioned.integ.snapshot/asset.5d88959fad6bed204d22b24bf15826b8c7591c586a60a313e54f1948d9cdf80f/index.js deleted by us: packages/@aws-cdk/aws-ecs-patterns/test/ec2/multiple-application-load-balanced-ecs-service.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs-patterns/test/ec2/multiple-application-load-balanced-ecs-service.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs-patterns/test/ec2/scheduled-ecs-task.lit.integ.snapshot/aws-ecs-integ-ecs.assets.json both modified: packages/@aws-cdk/aws-ecs-patterns/test/ec2/scheduled-ecs-task.lit.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/app-mesh-proxy-config.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/app-mesh-proxy-config.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/bottlerocket.integ.snapshot/aws-ecs-integ-bottlerocket.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/bottlerocket.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/capacity-provider.integ.snapshot/integ-ec2-capacity-provider.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/capacity-provider.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/clb-host-nw.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/clb-host-nw.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/cloudmap-container-port.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/cloudmap-container-port.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/aws-ecs-integ.template.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/environment-file.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/exec-command.integ.snapshot/aws-ecs-integ-exec-command.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/exec-command.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/firelens-s3-config.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/firelens-s3-config.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/graviton-bottlerocket.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/graviton-bottlerocket.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/graviton.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/graviton.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/lb-awsvpc-nw.integ.snapshot/aws-ecs-integ.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/lb-awsvpc-nw.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/lb-bridge-nw.integ.snapshot/aws-ecs-integ-ecs.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/lb-bridge-nw.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/sd-awsvpc-nw.integ.snapshot/aws-ecs-integ-ecs.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/sd-awsvpc-nw.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/sd-bridge-nw.integ.snapshot/aws-ecs-integ-ecs.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/sd-bridge-nw.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-ecs/test/ec2/spot-drain.integ.snapshot/aws-ecs-integ-spot.assets.json both modified: packages/@aws-cdk/aws-ecs/test/ec2/spot-drain.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-events-targets/test/ecs/event-ec2-task.lit.integ.snapshot/aws-ecs-integ-ecs.assets.json both modified: packages/@aws-cdk/aws-events-targets/test/ecs/event-ec2-task.lit.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/ec2-run-task.integ.snapshot/aws-sfn-tasks-ecs-ec2-integ.assets.json both modified: packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/ec2-run-task.integ.snapshot/tree.json deleted by us: packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/ec2-task.integ.snapshot/aws-ecs-integ2.assets.json both modified: packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/ec2-task.integ.snapshot/tree.json both modified: packages/aws-cdk/does-not-exist.json ``` To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally --- <details> <summary>Mergify commands and options</summary> <br /> More conditions and actions can be found in the [documentation](https://docs.mergify.com/). You can also trigger Mergify actions by commenting on this pull request: - `@Mergifyio refresh` will re-evaluate the rules - `@Mergifyio rebase` will rebase this PR on its base branch - `@Mergifyio update` will merge the base branch into this PR - `@Mergifyio backport <destination>` will backport this PR on `<destination>` branch Additionally, on Mergify [dashboard](https://dashboard.mergify.com/) you can: - look at your merge queues - generate the Mergify configuration with the config editor. Finally, you can contact us on https://mergify.com </details>
aws · Jul 4, 2022 · 8ac9540 · 8ac9540
1 parent 20f5fa4
commit 8ac9540
Show file tree

Hide file tree

Showing 87 changed files with 2,332 additions and 1,986 deletions.
diff --git a/packages/@aws-cdk/aws-dynamodb/lib/replica-handler/index.ts b/packages/@aws-cdk/aws-dynamodb/lib/replica-handler/index.ts
@@ -3,7 +3,7 @@ import type { IsCompleteRequest, IsCompleteResponse, OnEventRequest, OnEventResp
 import { DynamoDB } from 'aws-sdk'; // eslint-disable-line import/no-extraneous-dependencies
 
 export async function onEventHandler(event: OnEventRequest): Promise<OnEventResponse> {
-  console.log('Event: %j', event);
+  console.log('Event: %j', { ...event, ResponseURL: '...' });
 
   const dynamodb = new DynamoDB();
 
@@ -50,7 +50,7 @@ export async function onEventHandler(event: OnEventRequest): Promise<OnEventResp
 }
 
 export async function isCompleteHandler(event: IsCompleteRequest): Promise<IsCompleteResponse> {
-  console.log('Event: %j', event);
+  console.log('Event: %j', { ...event, ResponseURL: '...' });
 
   const dynamodb = new DynamoDB();
 

diff --git a/....snapshot/asset.5d88959fad6bed204d22b24bf15826b8c7591c586a60a313e54f1948d9cdf80f/index.js b/....snapshot/asset.5d88959fad6bed204d22b24bf15826b8c7591c586a60a313e54f1948d9cdf80f/index.js
diff --git a/...2/multiple-application-load-balanced-ecs-service.integ.snapshot/aws-ecs-integ.assets.json b/...2/multiple-application-load-balanced-ecs-service.integ.snapshot/aws-ecs-integ.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "20.0.0",
+  "files": {
+    "2cc27380df0d00a7348926c8fe9b6ae056ac18cee09087d824792e9611cde97e": {
+      "source": {
+        "path": "aws-ecs-integ.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "2cc27380df0d00a7348926c8fe9b6ae056ac18cee09087d824792e9611cde97e.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...multiple-application-load-balanced-ecs-service.integ.snapshot/aws-ecs-integ.template.json b/...multiple-application-load-balanced-ecs-service.integ.snapshot/aws-ecs-integ.template.json
@@ -729,7 +729,7 @@
    "Type": "AWS::Lambda::Function",
    "Properties": {
     "Code": {
-     "ZipFile": "import boto3, json, os, time\n\necs = boto3.client('ecs')\nautoscaling = boto3.client('autoscaling')\n\n\ndef lambda_handler(event, context):\n  print(json.dumps(event))\n  cluster = os.environ['CLUSTER']\n  snsTopicArn = event['Records'][0]['Sns']['TopicArn']\n  lifecycle_event = json.loads(event['Records'][0]['Sns']['Message'])\n  instance_id = lifecycle_event.get('EC2InstanceId')\n  if not instance_id:\n    print('Got event without EC2InstanceId: %s', json.dumps(event))\n    return\n\n  instance_arn = container_instance_arn(cluster, instance_id)\n  print('Instance %s has container instance ARN %s' % (lifecycle_event['EC2InstanceId'], instance_arn))\n\n  if not instance_arn:\n    return\n\n  task_arns = container_instance_task_arns(cluster, instance_arn)\n  \n  if task_arns:\n    print('Instance ARN %s has task ARNs %s' % (instance_arn, ', '.join(task_arns)))\n\n  while has_tasks(cluster, instance_arn, task_arns):\n    time.sleep(10)\n\n  try:\n    print('Terminating instance %s' % instance_id)\n    autoscaling.complete_lifecycle_action(\n        LifecycleActionResult='CONTINUE',\n        **pick(lifecycle_event, 'LifecycleHookName', 'LifecycleActionToken', 'AutoScalingGroupName'))\n  except Exception as e:\n    # Lifecycle action may have already completed.\n    print(str(e))\n\n\ndef container_instance_arn(cluster, instance_id):\n  \"\"\"Turn an instance ID into a container instance ARN.\"\"\"\n  arns = ecs.list_container_instances(cluster=cluster, filter='ec2InstanceId==' + instance_id)['containerInstanceArns']\n  if not arns:\n    return None\n  return arns[0]\n\ndef container_instance_task_arns(cluster, instance_arn):\n  \"\"\"Fetch tasks for a container instance ARN.\"\"\"\n  arns = ecs.list_tasks(cluster=cluster, containerInstance=instance_arn)['taskArns']\n  return arns\n\ndef has_tasks(cluster, instance_arn, task_arns):\n  \"\"\"Return True if the instance is running tasks for the given cluster.\"\"\"\n  instances = ecs.describe_container_instances(cluster=cluster, containerInstances=[instance_arn])['containerInstances']\n  if not instances:\n    return False\n  instance = instances[0]\n\n  if instance['status'] == 'ACTIVE':\n    # Start draining, then try again later\n    set_container_instance_to_draining(cluster, instance_arn)\n    return True\n\n  task_count = None\n\n  if task_arns:\n    # Fetch details for tasks running on the container instance\n    tasks = ecs.describe_tasks(cluster=cluster, tasks=task_arns)['tasks']\n    if tasks:\n      # Consider any non-stopped tasks as running\n      task_count = sum(task['lastStatus'] != 'STOPPED' for task in tasks) + instance['pendingTasksCount']\n  \n  if not task_count:\n    # Fallback to instance task counts if detailed task information is unavailable\n    task_count = instance['runningTasksCount'] + instance['pendingTasksCount']\n    \n  print('Instance %s has %s tasks' % (instance_arn, task_count))\n\n  return task_count > 0\n\ndef set_container_instance_to_draining(cluster, instance_arn):\n  ecs.update_container_instances_state(\n      cluster=cluster,\n      containerInstances=[instance_arn], status='DRAINING')\n\n\ndef pick(dct, *keys):\n  \"\"\"Pick a subset of a dict.\"\"\"\n  return {k: v for k, v in dct.items() if k in keys}\n"
+     "ZipFile": "import boto3, json, os, time\n\necs = boto3.client('ecs')\nautoscaling = boto3.client('autoscaling')\n\n\ndef lambda_handler(event, context):\n  print(json.dumps(dict(event, ResponseURL='...')))\n  cluster = os.environ['CLUSTER']\n  snsTopicArn = event['Records'][0]['Sns']['TopicArn']\n  lifecycle_event = json.loads(event['Records'][0]['Sns']['Message'])\n  instance_id = lifecycle_event.get('EC2InstanceId')\n  if not instance_id:\n    print('Got event without EC2InstanceId: %s', json.dumps(dict(event, ResponseURL='...')))\n    return\n\n  instance_arn = container_instance_arn(cluster, instance_id)\n  print('Instance %s has container instance ARN %s' % (lifecycle_event['EC2InstanceId'], instance_arn))\n\n  if not instance_arn:\n    return\n\n  task_arns = container_instance_task_arns(cluster, instance_arn)\n\n  if task_arns:\n    print('Instance ARN %s has task ARNs %s' % (instance_arn, ', '.join(task_arns)))\n\n  while has_tasks(cluster, instance_arn, task_arns):\n    time.sleep(10)\n\n  try:\n    print('Terminating instance %s' % instance_id)\n    autoscaling.complete_lifecycle_action(\n        LifecycleActionResult='CONTINUE',\n        **pick(lifecycle_event, 'LifecycleHookName', 'LifecycleActionToken', 'AutoScalingGroupName'))\n  except Exception as e:\n    # Lifecycle action may have already completed.\n    print(str(e))\n\n\ndef container_instance_arn(cluster, instance_id):\n  \"\"\"Turn an instance ID into a container instance ARN.\"\"\"\n  arns = ecs.list_container_instances(cluster=cluster, filter='ec2InstanceId==' + instance_id)['containerInstanceArns']\n  if not arns:\n    return None\n  return arns[0]\n\ndef container_instance_task_arns(cluster, instance_arn):\n  \"\"\"Fetch tasks for a container instance ARN.\"\"\"\n  arns = ecs.list_tasks(cluster=cluster, containerInstance=instance_arn)['taskArns']\n  return arns\n\ndef has_tasks(cluster, instance_arn, task_arns):\n  \"\"\"Return True if the instance is running tasks for the given cluster.\"\"\"\n  instances = ecs.describe_container_instances(cluster=cluster, containerInstances=[instance_arn])['containerInstances']\n  if not instances:\n    return False\n  instance = instances[0]\n\n  if instance['status'] == 'ACTIVE':\n    # Start draining, then try again later\n    set_container_instance_to_draining(cluster, instance_arn)\n    return True\n\n  task_count = None\n\n  if task_arns:\n    # Fetch details for tasks running on the container instance\n    tasks = ecs.describe_tasks(cluster=cluster, tasks=task_arns)['tasks']\n    if tasks:\n      # Consider any non-stopped tasks as running\n      task_count = sum(task['lastStatus'] != 'STOPPED' for task in tasks) + instance['pendingTasksCount']\n\n  if not task_count:\n    # Fallback to instance task counts if detailed task information is unavailable\n    task_count = instance['runningTasksCount'] + instance['pendingTasksCount']\n\n  print('Instance %s has %s tasks' % (instance_arn, task_count))\n\n  return task_count > 0\n\ndef set_container_instance_to_draining(cluster, instance_arn):\n  ecs.update_container_instances_state(\n      cluster=cluster,\n      containerInstances=[instance_arn], status='DRAINING')\n\n\ndef pick(dct, *keys):\n  \"\"\"Pick a subset of a dict.\"\"\"\n  return {k: v for k, v in dct.items() if k in keys}\n"
     },
     "Role": {
      "Fn::GetAtt": [

diff --git a/...erns/test/ec2/multiple-application-load-balanced-ecs-service.integ.snapshot/manifest.json b/...erns/test/ec2/multiple-application-load-balanced-ecs-service.integ.snapshot/manifest.json
@@ -321,6 +321,12 @@
             "data": "myServiceTaskDefTaskRole1C1DE6CC"
           }
         ],
+        "/aws-ecs-integ/myService/TaskDef/TaskRole/DefaultPolicy/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "myServiceTaskDefTaskRoleDefaultPolicyD48473C0"
+          }
+        ],
         "/aws-ecs-integ/myService/TaskDef/Resource": [
           {
             "type": "aws:cdk:logicalId",