Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ConnectionManager's call() method is too easy to misuse by not passing enough variables. #1299

Closed
jfalkenstein opened this issue Feb 4, 2023 · 2 comments
Closed

ConnectionManager's call() method is too easy to misuse by not passing enough variables. #1299

jfalkenstein opened this issue Feb 4, 2023 · 2 comments
Assignees
@jfalkenstein

Comments

@jfalkenstein
Copy link
Contributor

Subject of the issue

The ConnectionManager is used by many hooks, plugins, and template managers. It is essential for interacting with AWS using the StackConfig's values. However, as a result of how it operates, it can (and often is) misused accidentally.

The source of the issue is here:
image

The problem is that this code assumes that if someone wants to use the Stack default configurations, one would pass None for region, profile, and sceptre_role. If all three are None, it is assumed that the stack values ought to be utilized. But if any one of those is not None, then it is assumed that all three have been specified and all three are used.

The result of this is we end up with outdated hooks and resolvers (such as the SSM Resolver) that are passing the profile and region, but not the sceptre_role (aka iam_role). Since region is always specified (by necessity), it will mean the iam_role parameter is overridden and set to None.

Fundamentally, the issue is that there isn't here a distinction between setting a value to None to nullify a setting (meaning "don't use any iam_role") and setting a value to None to retain the stack's configuration.

The solution to this is set the default values for call() to a third constant that is interpreted as the Stack default, similar to how the new get_session() method operates:

image
@jfalkenstein jfalkenstein self-assigned this Feb 4, 2023
This was referenced Feb 5, 2023
Merged
Closed
@SpyderDave
Copy link

This is awesome. Thanks for this!
Will this go right into the next release of sceptre 3.2.XXX. ?

@jfalkenstein
Copy link
Contributor Author

@SpyderDave, I'm working to get this into the v4 release. It's a major version, as there are some potentially breaking changes for a few edge cases. However, it'll be pretty feature-packed. You can see the current changelog here: https://github.com/Sceptre/sceptre/pull/1292/files#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4ed. This will get included there once I can get #1300 merged.

jfalkenstein added a commit that referenced this issue Feb 11, 2023
@jfalkenstein
Releasing v4.0.0 (#1292)
b8d6319 
## 4.0.0 (2023.02.08)

### Added
 - [Resolve #1283] Introducing `sceptre_role`, `cloudformation_service_role` (#1295)
   - These are just iam_role and role_arn renamed to be a lot clearer. See "Deprecations" below.


### Changed
 - [Resolve #1299] Making the ConnectionManager a more "friendly" interface for hooks, resolvers,
   and template handlers (#1287, #1300)
   - This creates adds the public `get_session()` and
     `create_session_environment_variables()` methods to make AWS interactions
     easier and more consistent with individual stack configurations for
     iam_role, profile, and region configurations.
   - The `call()` method now properly distinguishes between default stack
     configurations for profile, region, and `sceptre_role` and setting those to
     `None` to nullify them.
 - Preventing Duplicate Deprecation Warnings from being emitted (#1297)

#### _Potentially_ Breaking Changes
 - The !cmd hook now invokes the passed command using the AWS environment
   variables that correspond with the stack's IAM configurations (i.e. iam_role,
   profile, region). This means that the hook will operate the same as every
   other part of Sceptre and regard how the stack is configured. This should make
   it easier to invoke other tools like AWS CLI with your hooks. However, if
   your project is setting environment variables with the intent to change how
   the command authenticates with AWS (such as a different token, profile, or
   region), these environment variables will be overridden. To maintain the same
   functionality, you should prefix your command with
   `export AWS_SESSION_TOKEN={{environment_variable.AWS_SESSION_TOKEN}} &&` (or
   whatever other environment variable(s) you need to explicitly set).

### Deprecations
 - [Resolve #1283] Deprecating `iam_role`, `role_arn`, and `template_path` (#1295)
   - `iam_role` and `role_arn` have been aliased to `sceptre_role` and
      `cloudformation_service_role`. Using these fields will result in a
      DeprecationWarning.
   - `template_path` has actually been slated for removal since v2.7. `template`
      should be used instead. Using `template_path` will result in a
      DeprecationWarning.
   - All three deprecated StackConfig fields will be removed in v5.0.0.

## 3.3.0 (2023.02.06)

### Added
 - [Resolve #1261] Add coloured differ (#1260)
   - Implements coloured diffs for the diff (difflib) command. Responds to --no-color.
 - [Resolves #1271] Extend stack colourer to include "IMPORT" states (#1272)
 - [Resolves #1179] cloudformation disable-rollback option (#1282)
   - Allow user to disable a cloudformation rollback on a sceptre deployment.

### Changed
 - [Resolve #1098] Deploy docker container to sceptreorg repo (#1265)
   - Deploy sceptre docker images to dockerhub sceptreorg repo instead of cloudreach repo
 - Updating Setuptools and wheel versions to avert security issues
 - [Resolve #1293] Improve the Stack Config Jinja Syntax Error Message to include the Stack Name (#1294)
 - [Resolves #1267] Improve the Stack Config Jinja Error Message to include the Stack Name (#1269)

### Fixed
 - [Resolve #1273] Events start from response time (#1275)
   - Resolves #1273 by starting event filtering from the timestamp returned in
     the AWS response headers rather than relying on the workstation clock.
 - [Resolve #1253] Failed downloads raise error (#1277)
   - Throwing an informative error when the template fails to download instead
     of passing the error message to CloudFormation.
 - [Resolves #1179] Changed disable-rollback default to None (#1288)
   - We want the default value to be None to represent "Do whatever's configured
     in the StackConfig" and True/False will override the StackConfig.

### Nonfunctional
 - Add tweet-release to CircleCI config (#1259)
 - [Resolves #1276] Adopt Black Auto-formatter (#1278)
   - Reformatting all Python files using the Black code formatter. This also
     delivers a new function for generating `__repr__` methods which was needed
     to deal with a line-too-long issue in Template. Per discussion in #1276 this
     PR also disables E203 in flake8.
 - Update sceptre-circleci docker image (#1284)
   - Update to build and test with a docker image that's based on the official
     circleci python docker image.
 - [Resolve #1264] Updating the CDK docs to point to the new sceptre-cdk-handler
   (#1285)
   - This updates our docs to no longer reference the old CDK approach (which
     didn't work with CDK assets). In its place, it references the new
     sceptre-cdk-handler package that covers that functionality.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jfalkenstein jfalkenstein

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@SpyderDave @jfalkenstein