-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add KmsKeyId to LogGroup #27
Conversation
Not super important, but you can do 'Draft' PRs to signal WIP. We can review them entirely, but they're not merge-able. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm inclined to use the inline kmsKeyId
argument for CreateLogGroup in the CreateHandler
and then use Associate/Disassociate in the Update handler.
"description": "The Amazon Resource Name (ARN) of the CMK to use when encrypting log data.", | ||
"type": "string", | ||
"maxLength": 256, | ||
"pattern": "^arn:[a-z0-9-]+:kms:[a-z0-9-]+:\\d{12}:(key|alias)/.+\\Z" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will want to come back to this so we can $ref an AWS::KMS::Key
resource's Arn
property when that's available.
If you merge from master, you'll get a Travis build for this PR from now on. 👍 Also, to be consistent with other repos, I updated the space indenting for JSON files from 4-->2 so you'll need to run |
@ikben how's this PR going? |
I didn't get to pulling in the recent changes yet, hopefully I will have some time to look at it in the next few days |
Does not play nice with precommit
- Add missing PutRetentionPolicy to permissions - Remove extra space from LogGroupName description - Make formatting consitent with surrounding code
I think this is what the implementation would look like. Please note:
|
@@ -28,6 +30,15 @@ | |||
putRetentionPolicy(proxy, request, logger); | |||
} | |||
|
|||
// It can take up to five minutes for the (dis)associate operation to take effect | |||
// It's unclear from the documentation if that state can be checked via the API. | |||
// https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we emitting ProgressEvents with IN_PROGRESS
to check on the status or it seems like that's not actually discoverable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where does the 5 mins come from? As far as I see there is no such status in the log group. It may take some time for data plane to take effect, but from control plane perspective, it's done once API call successful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The docs say "After you associate or disassociate a CMK from a log group, it can take up to five minutes for the operation to take effect." To me that sounds like the data plane needing some time, like Wenbing described,and what I assumed when writing the code. There is no separate API call to check on the status and it's hard to test because "it is immediately present when I do a read call", still falls into the "up to 5 minutes" bucket.
@@ -28,6 +30,15 @@ | |||
putRetentionPolicy(proxy, request, logger); | |||
} | |||
|
|||
// It can take up to five minutes for the (dis)associate operation to take effect | |||
// It's unclear from the documentation if that state can be checked via the API. | |||
// https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where does the 5 mins come from? As far as I see there is no such status in the log group. It may take some time for data plane to take effect, but from control plane perspective, it's done once API call successful.
return ResourceModel.builder() | ||
.arn(logGroupArn) | ||
.logGroupName(logGroupName) | ||
.retentionInDays(retentionInDays) | ||
.kmsKeyId(kmsKeyId) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the contract: "A read request SHOULD NOT return properties that have null values.".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True, I followed the code above (lines 69-73), that also breaks that rule
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I might need some java help here. I'd assume the rpdk would take care of that, since all the properties are properties of the ResourceModel class
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm. I don't think the rpdk is checking this. @rjlohan do you have any recommendations here? Other than checking for null
before building the model's properties?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rjlohan Do you have any feedback on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The real reason for this is to disambiguate these scenarios;
- property not set/present
- property explicitly set to null/empty
It's not a strict requirement, hence it's a SHOULD NOT
rather than a MUST NOT
. I'm ok to proceed as is, as it's not strictly a relevant distinction in this case.
aws-logs-loggroup/src/main/java/software/amazon/logs/loggroup/UpdateHandler.java
Outdated
Show resolved
Hide resolved
aws-logs-loggroup/src/main/java/software/amazon/logs/loggroup/UpdateHandler.java
Outdated
Show resolved
Hide resolved
aws-logs-loggroup/src/main/java/software/amazon/logs/loggroup/UpdateHandler.java
Outdated
Show resolved
Hide resolved
aws-logs-loggroup/src/main/java/software/amazon/logs/loggroup/UpdateHandler.java
Outdated
Show resolved
Hide resolved
aws-logs-loggroup/src/main/java/software/amazon/logs/loggroup/UpdateHandler.java
Outdated
Show resolved
Hide resolved
aws-logs-loggroup/src/main/java/software/amazon/logs/loggroup/UpdateHandler.java
Show resolved
Hide resolved
aws-logs-loggroup/src/main/java/software/amazon/logs/loggroup/UpdateHandler.java
Show resolved
Hide resolved
Co-authored-by: Maria Ines Parnisari <mparnisa@amazon.com>
(suggestion from code review) Co-authored-by: Maria Ines Parnisari <mparnisa@amazon.com>
Co-authored-by: Maria Ines Parnisari <mparnisa@amazon.com>
I rewrote a few if statements and added a bunch of tests to get the required coverage. The issue about having model properties that can be |
Thanks for the implementation! We've just tested this out and it seems not to be in production as of yet. A bit of topic, but important nonethelss: Is there a way to get notified or keep track of changes like these as they make their way through quality assurance and to production? As far as I'm aware, the only way right now is trial and error, which is quite frustrating. |
@OfficialTermi
|
CmkAlias: | ||
Type: "AWS::KMS::Alias" | ||
Properties: | ||
AliasName: !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/${AWS::StackName}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@miparnisari Thanks for the fix. Yours does follow what's in the documentation.
At the time of writing, it did deploy though (I checked the deleted stack in my account, it has the long !Sub). So make sure that it's not the StackName that is causing the failure.
This is a Work in Progress, if that's better as an issue, let me know.I tried to tackle the difficult parts first, which for me besides the whole of Java is writing test. I haven't started writing code yet. Assistance with both parts is very welcome.
I'm opening this PR mainly to get feedback on the approach. Currently I have the following questions related to the work already in here:
I also have question for the work that isn't in here yet:
We should probably decide on the best approach before writing the code.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.