Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(custom-resources): provider framework will always log all data including confidential data #30689

Merged
merged 9 commits into from
Jul 16, 2024
Merged

fix(custom-resources): provider framework will always log all data including confidential data #30689

merged 9 commits into from
Jul 16, 2024

Conversation

GavinZZ
Copy link
Contributor

@GavinZZ GavinZZ commented Jun 26, 2024

Issue # (if applicable)

Closes #30275.

Reason for this change

When using a Provider to create a custom resource, the request and response objects are logged by the provider function. There is no apparent way to prevent or redact this logging, resulting in secrets being logged if returned in the custom resource's Data object. By extension, if secret values are passed in the resource's ResourceProperties they will be logged as well.

Description of changes

Allow NoEcho fields to mask the data response to *****.

Description of how you validated changes

Integ test covering this and verifeid in the log stream that redacted is included in the message.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team June 26, 2024 20:08
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 labels Jun 26, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jun 26, 2024
@GavinZZ GavinZZ force-pushed the mask_output_in_provider_framework branch from 22df5ac to 8d38c20 Compare June 26, 2024 20:16
@GavinZZ GavinZZ marked this pull request as ready for review June 27, 2024 17:26
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jun 27, 2024
paulhcsun
paulhcsun reviewed Jun 27, 2024
View reviewed changes
Copy link
Contributor

@paulhcsun paulhcsun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor changes, otherwise this looks good to me.

packages/aws-cdk-lib/custom-resources/README.md Show resolved Hide resolved
packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/cfn-response.ts Show resolved Hide resolved
paulhcsun
paulhcsun approved these changes Jun 28, 2024
View reviewed changes
Copy link
Contributor

@paulhcsun paulhcsun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

noice @Mergifyio update

@mergify Mergify
Copy link
Contributor

mergify bot commented Jun 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@GavinZZ GavinZZ added the pr/do-not-merge This PR should not be merged at this time. label Jun 28, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jun 28, 2024
This was referenced Jul 1, 2024
Closed
Closed
@GavinZZ GavinZZ removed the pr/do-not-merge This PR should not be merged at this time. label Jul 2, 2024
@mergify Mergify
Copy link
Contributor

mergify bot commented Jul 2, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@GavinZZ GavinZZ force-pushed the mask_output_in_provider_framework branch from e37dede to b5d694c Compare July 15, 2024 22:57
@mergify Mergify
Copy link
Contributor

mergify bot commented Jul 16, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 026c1a7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify Mergify
Copy link
Contributor

mergify bot commented Jul 16, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 9bd92da into main Jul 16, 2024
11 of 12 checks passed
@mergify mergify bot deleted the mask_output_in_provider_framework branch July 16, 2024 00:48
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@paulhcsun paulhcsun paulhcsun approved these changes

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

custom-resources: Provider logs Data from response with NoEcho: true
3 participants
@GavinZZ @aws-cdk-automation @paulhcsun