Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(firehose): remove unused role during DeliveryStream creation #26930

Merged
merged 10 commits into from
Sep 5, 2023

Conversation

msambol
Copy link
Contributor

@msambol msambol commented Aug 30, 2023

When a DeliveryStream is created without sourceStream or encryptionKey,
an extra role is being created that is unused. This PR removes creation of that role.

I also learned that the role created for encryptionKey is used "indirectly" for a grant
put on the KMS key...interesting.

Closes #26927.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the repeat-contributor [Pilot] contributed between 3-5 PRs to the CDK label Aug 30, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team August 30, 2023 04:43
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p2 labels Aug 30, 2023
Copy link
Contributor

@mrgrain mrgrain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, this is kind of changing the contract for DeliveryStream.grantPrincipal. Yes technically it is still a principle, but now it might be unusable. (Although, grantPrincipal 🤨 why isn't this just called role - but that's a different story).

Can you change this.grantPrincipal to use a getter that will return the role if we already have one and only create the unused role when the property is accessed? That should give us the best of both worlds. What do you think?

@msambol
Copy link
Contributor Author

msambol commented Aug 30, 2023

Hmm, this is kind of changing the contract for DeliveryStream.grantPrincipal. Yes technically it is still a principle, but now it might be unusable. (Although, grantPrincipal 🤨 why isn't this just called role - but that's a different story).

Can you change this.grantPrincipal to use a getter that will return the role if we already have one and only create the unused role when the property is accessed? That should give us the best of both worlds. What do you think?

@mrgrain Thanks for the review! I'm totally up for making that change but wanted to point out one line of code: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts#L1274. There seems to be some precedent for this? I'm good either way, let me know what you'd prefer.

@mrgrain
Copy link
Contributor

mrgrain commented Aug 31, 2023

@mrgrain Thanks for the review! I'm totally up for making that change but wanted to point out one line of code: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts#L1274. There seems to be some precedent for this? I'm good either way, let me know what you'd prefer.

Yes there's precedent and if it were a new construct I'd probably lean that way. But because it is a change, I'd like us to comply with the previously established contract.

@mergify mergify bot dismissed mrgrain’s stale review August 31, 2023 16:26

Pull request has been modified.

@msambol
Copy link
Contributor Author

msambol commented Aug 31, 2023

@mrgrain Updated per your feedback—thanks!

@msambol
Copy link
Contributor Author

msambol commented Aug 31, 2023

This is expected as I'm removing the unused role:

Stack: aws-cdk-firehose-delivery-stream-s3-all-properties - Resource: DeliveryStreamServiceRole964EEBCC - Impact: WILL_DESTROY

@mrgrain mrgrain changed the title fix(firehose): remove unused role during DeliveryStream creation fix(firehose): DeliveryStream creates unused roles Sep 1, 2023
mrgrain
mrgrain previously approved these changes Sep 1, 2023
@msambol
Copy link
Contributor Author

msambol commented Sep 3, 2023

@mrgrain Good to :shipit: ? Test failing because it's deleting a resource..

@mrgrain
Copy link
Contributor

mrgrain commented Sep 3, 2023

Good to ship, but we'll need the build passing. Can you run that integration test and update the snapshot?

@mergify mergify bot dismissed mrgrain’s stale review September 3, 2023 18:11

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Sep 3, 2023
@msambol
Copy link
Contributor Author

msambol commented Sep 3, 2023

@mrgrain I missed those other ones—apologies!

@msambol msambol changed the title fix(firehose): DeliveryStream creates unused roles fix(firehose): remove unused role during DeliveryStream creation Sep 4, 2023
@mergify
Copy link
Contributor

mergify bot commented Sep 4, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Sep 4, 2023
@mergify
Copy link
Contributor

mergify bot commented Sep 4, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 69c366d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 993ee48 into aws:main Sep 5, 2023
8 checks passed
@mergify
Copy link
Contributor

mergify bot commented Sep 5, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

mikewrighton pushed a commit that referenced this pull request Sep 14, 2023
)

When a DeliveryStream is created without `sourceStream` or `encryptionKey`,
an extra role is being created that is unused. This PR removes creation of that role. 

I also learned that the role created for `encryptionKey` is used "indirectly" for a grant 
put on the KMS key...interesting.

Closes #26927.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@msambol msambol deleted the kinesisfirehose-extra-role branch October 22, 2023 01:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. effort/small Small work item – less than a day of effort p2 repeat-contributor [Pilot] contributed between 3-5 PRs to the CDK
Projects
None yet
Development

Successfully merging this pull request may close these issues.

(kinesisfirehose): DeliveryStream creates useless role
3 participants