Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(iam): duplicate PolicyStatements lead to too many overflow policies #20767

Merged
merged 1 commit into from
Jun 16, 2022
Merged

fix(iam): duplicate PolicyStatements lead to too many overflow policies #20767

merged 1 commit into from
Jun 16, 2022

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Jun 16, 2022
edited
Loading

Historically, policy statement deduplicating was done during policy
rendering. There could be a 100 statements in a policy, but if they
were all the same it would only render as 1 statement.

When we introduced policy splitting, those 100 equal statements would
first be divided into Overflow policies before being deduplicated
(potentially leading to too many policies being created, hitting limits).

Especially CDK Pipelines takes heavy advantage of the deduplicating
behavior, and adds the same policies over and over again, leading
to overflows.

When the minimizePolicies feature flag is turned on, duplicate
elimitation is implicitly performed (because equal statements
count as mergeable), but when the feature flag is off we
hit the bad behavior.

As a fix, do deduplication even if merging is turned off.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@rix0rrr
fix(iam): duplicate PolicyStatements lead to too many overflow policies
2997433 
Historically, policy statement deduplicating was done during policy
rendering.  There could be a 100 statements in a policy, but if they
were all the same it would only render as 1 statement.

When we introduced policy splitting, those 100 equal statements would
*first* be divided into Overflow policies before being deduplicated
(potentially leading to too many policies being created, hitting limits).

Especially CDK Pipelines takes heavy advantage of the deduplicating
behavior, and adds the same policies over and over again, leading
to overflows.

When the `minimizePolicies` feature flag is turned on, duplicate
elimitation is implicitly performed (because equal statements
count as mergeable), but when the feature flag is off we
hit the bad behavior.

As a fix, do deduplication even if merging is turned off.
@rix0rrr rix0rrr requested a review from a team June 16, 2022 17:55
@rix0rrr rix0rrr self-assigned this Jun 16, 2022
@gitpod-io
Copy link

gitpod-io bot commented Jun 16, 2022

@rix0rrr rix0rrr marked this pull request as ready for review June 16, 2022 17:55
@github-actions github-actions bot added the p2 label Jun 16, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team June 16, 2022 17:55
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jun 16, 2022
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 2997433
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Jun 16, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit e692ad2 into main Jun 16, 2022
@mergify mergify bot deleted the huijbers/iam-statement-merging branch June 16, 2022 19:53
@udondan udondan mentioned this pull request Jun 28, 2022
Closed
4 tasks
@gshpychka gshpychka mentioned this pull request Jun 29, 2022
Closed
daschaa pushed a commit to daschaa/aws-cdk that referenced this pull request Jul 9, 2022
@rix0rrr @daschaa
fix(iam): duplicate PolicyStatements lead to too many overflow polici…
7489af4 
…es (aws#20767)

Historically, policy statement deduplicating was done during policy
rendering.  There could be a 100 statements in a policy, but if they
were all the same it would only render as 1 statement.

When we introduced policy splitting, those 100 equal statements would
*first* be divided into Overflow policies before being deduplicated
(potentially leading to too many policies being created, hitting limits).

Especially CDK Pipelines takes heavy advantage of the deduplicating
behavior, and adds the same policies over and over again, leading
to overflows.

When the `minimizePolicies` feature flag is turned on, duplicate
elimitation is implicitly performed (because equal statements
count as mergeable), but when the feature flag is off we
hit the bad behavior.

As a fix, do deduplication even if merging is turned off.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corymhall corymhall corymhall approved these changes

Assignees

@rix0rrr rix0rrr

Labels
contribution/core This is a PR that came from AWS. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rix0rrr @aws-cdk-automation @corymhall