fix(stepfunctions-tasks): run task perm no longer valid #30788
Conversation
github-actions
bot
added
bug
|
@GavinZZ JFYI since you have the most context on this.. |
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
Exemption request: The related integrations tests already had this permission removed. |
aws-cdk-automation
added
pr-linter/exemption-requested
GavinZZ
added
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
removed
the
pr/needs-community-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
added
the
pr/needs-community-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
aws-cdk-automation
removed
the
pr/needs-community-review
### Issue # (if applicable) Closes aws#30751. ### Reason for this change `runTask` on `${taskDefinitionFamilyArn}` is no longer relevant (see validation errors in the linked issue. This was currently disabled with a FF. This PR removes the permission entirely, and removes the FF. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
| const policyStatements = [ | ||
| new iam.PolicyStatement({ | ||
| actions: ['ecs:RunTask'], | ||
| resources: [`${this.getTaskDefinitionFamilyArn()}:*`], |
There was a problem hiding this comment.
If I understand correctly, this.getTaskDefinitionFamilyArn() strips away the revision number from this.props.taskDefinition.taskDefinitionArn. I am curious, would the CDK user be able to specify specific revision of the task definition if they would like to scope this down for strictest security?
There was a problem hiding this comment.
Yes, that's correct understanding.
I am curious, would the CDK user be able to specify specific revision of the task definition if they would like to scope this down for strictest security
Not easily, they could use escape hatch to scope it down further to a specific revision number.
Issue # (if applicable)
Closes #30751.
Reason for this change
runTaskon${taskDefinitionFamilyArn}is no longer relevant (see validation errors in the linked issue.This was currently disabled with a FF. This PR removes the permission entirely, and removes the FF.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license