-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: missing security-impacting changes from cdk diff "scrutiny report" #1299
Comments
Here's a known list of resources that are not currently included in the diff:
|
I like this in principal, but is there a way to opt out? Sometimes I'm working on a dev setup, and it takes ~15-20 minutes to run all of my cdk deployments. Having to sit there and hit 'y' is actually quite a pain, and really slows me down. If I could run the deployment script I have and walk away from the computer, it would be great. A flag like --accept-scrutiny-report would be really helpful for me. |
@insanitybit |
That looks like it'd be exactly what I want, thanks. |
Resolving, as I think @insanitybit got the info they needed, feel free to re-open if not. |
"CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:" My concern is more general than security related ( I am thinking to ask here 1st, maybe I am missing something ): I like seeing the changes in console using oups - just noticed this has been closed ... |
Still relevant. Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us? Although the issue is closed, the conversation is not locked. |
Using CfnInclude with template |
It is not @gmiretti .... would you mind opening us a separate issue about this? |
Bug reported as #8683 |
Thanks! |
Is this still an issue? I'm always seeing the warning, but not sure if it's kept updated. |
yeah please remove the warning if its not relevant, PLEASE |
CDK Deploy gives a warning that implies there are known issues preventing IAM policy diffs from showing up in the confirmation prompt, and directs users to read this issue for more information. However, this issue reads like you know there is an issue, but you don't know what it is. There is no information on this page. Why is it necessary for developers to consult this page on every deployment? It seems unnecessary. Should I assume that all similar warnings from the CDK are equally irrelevant? Please consider what action you are requesting from developers when they deploy, and then reword the known issue warning to make it clear, or remove it if there is no action required from developers. |
It is sometimes useful to see the delta between the current branch and the CODE CloudFormation stack. This change allows us to run: ```bash npm -w cdk run diff:code ``` to yield something like this: ```console Stack ServiceCatalogue-CODE (deploy-CODE-service-catalogue) Creating a change set, this may take a while... IAM Policy Changes ┌───┬─────────────────────────────────────┬────────────────────────────────────────┐ │ │ Resource │ Managed Policy ARN │ ├───┼─────────────────────────────────────┼────────────────────────────────────────┤ │ - │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/ReadOnlyAccess │ └───┴─────────────────────────────────────┴────────────────────────────────────────┘ (NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299) Resources [~] AWS::IAM::Role steampipeTaskDefinition/TaskRole steampipeTaskDefinitionTaskRole8DC44379 └─ [-] ManagedPolicyArns └─ ["arn:aws:iam::aws:policy/ReadOnlyAccess"] [~] AWS::ECS::TaskDefinition steampipeTaskDefinition steampipeTaskDefinition767BA166 replace └─ [~] ContainerDefinitions (requires replacement) └─ @@ -11,7 +11,7 @@ [ ] "App": "service-catalogue" [ ] }, [ ] "Essential": true, [-] "Image": "ghcr.io/guardian/service-catalogue/steampipe:2", [+] "Image": "ghcr.io/guardian/service-catalogue/steampipe:1", [ ] "LogConfiguration": { [ ] "LogDriver": "awsfirelens", [ ] "Options": { ✨ Number of stacks with differences: 1 ```
It is sometimes useful to see the delta between the current branch and the CODE CloudFormation stack. This change allows us to run: ```bash npm -w cdk run diff:code ``` to yield something like this: ```console Stack ServiceCatalogue-CODE (deploy-CODE-service-catalogue) Creating a change set, this may take a while... IAM Policy Changes ┌───┬─────────────────────────────────────┬────────────────────────────────────────┐ │ │ Resource │ Managed Policy ARN │ ├───┼─────────────────────────────────────┼────────────────────────────────────────┤ │ - │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/ReadOnlyAccess │ └───┴─────────────────────────────────────┴────────────────────────────────────────┘ (NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299) Resources [~] AWS::IAM::Role steampipeTaskDefinition/TaskRole steampipeTaskDefinitionTaskRole8DC44379 └─ [-] ManagedPolicyArns └─ ["arn:aws:iam::aws:policy/ReadOnlyAccess"] [~] AWS::ECS::TaskDefinition steampipeTaskDefinition steampipeTaskDefinition767BA166 replace └─ [~] ContainerDefinitions (requires replacement) └─ @@ -11,7 +11,7 @@ [ ] "App": "service-catalogue" [ ] }, [ ] "Essential": true, [-] "Image": "ghcr.io/guardian/service-catalogue/steampipe:2", [+] "Image": "ghcr.io/guardian/service-catalogue/steampipe:1", [ ] "LogConfiguration": { [ ] "LogDriver": "awsfirelens", [ ] "Options": { ✨ Number of stacks with differences: 1 ```
Is this still relevant? I am seeing this issue linked in |
I'm using CDK version 2.158.0 and for me this message still appears. |
Guys I am now at |
Summary
CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:
Request for comments
Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us?
The text was updated successfully, but these errors were encountered: