fix(core): `stack.urlSuffix` is no longer scoped #4011
`stack.urlSuffix` used to be a scoped Token. By the use of roles defined in another stack (using a `ServicePrincipal` which uses a `urlSuffix` token), this could lead to unintentional stack references.

Two changes here:

* URL Suffix (seems to) only change when Partition changes. Since Partition is unscoped (cross-partition references won't work anyway), we might as well make URL Suffix unscoped too.
* `ServicePrincipalToken` should not have used the stack's `urlSuffix`, but constructed an unscoped `URL_SUFFIX` itself, since it was never intended to potentially create a cross-stack reference. It couldn't have, since it doesn't know where it is being defined, it just knows where it's being used.

Technically, the second change isn't necessary anymore after we apply the first, but I made both anyway since the bug is still resolved even if we find out we need to roll back the first change because of a future region build.

Fixes #3970.
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
Do we still need the methods `partition()` and `urlSuffix()` in the `ScopedAws` class?
https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/core/lib/cfn-pseudo.ts#L58
You should expand on what you mean here, so we can record this for posterity on when someone is looking over why this change was made. I couldn't gather what's going on from the linked issue.
I don't see a reason to remove them. It's something you might want.
Is that worth a provisional approval or would you like to see my rephrasing before you okay it?
Thank you for contributing! Your pull request is now being automatically merged.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
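
A simplified model of the behaviour the pull request description explains, added here as an illustration; it is not CDK source code. The `App`, `resolve`, `servicePrincipal` and `render` names, the stack names, the export name and the `<service>.<urlSuffix>` rendering are assumptions made for the example.

```typescript
// Simplified model of token resolution, not CDK source code.
type Token = { pseudo: string; scope?: string }; // scope = stack that created the token
type Template = { exports: Record<string, object>; dependsOn: string[] };

class App {
  readonly stacks: Record<string, Template> = {};

  stack(name: string): Template {
    if (!this.stacks[name]) this.stacks[name] = { exports: {}, dependsOn: [] };
    return this.stacks[name];
  }

  // Resolve `token` while rendering the template of the `consumer` stack.
  resolve(token: Token, consumer: string): object {
    const owner = token.scope;
    if (owner === undefined || owner === consumer) {
      return { Ref: token.pseudo }; // plain pseudo parameter, valid in any stack
    }
    // Scoped to another stack: the owner exports the value, the consumer imports it.
    const exportName = `${owner}-UrlSuffix`; // constructed export name
    this.stack(owner).exports[exportName] = { Ref: token.pseudo };
    const deps = this.stack(consumer).dependsOn;
    if (deps.indexOf(owner) < 0) deps.push(owner);
    return { "Fn::ImportValue": exportName };
  }
}

// Assumed rendering of a service principal: "<service>.<urlSuffix>".
function servicePrincipal(app: App, service: string, suffix: Token, consumer: string): object {
  return { "Fn::Join": ["", [`${service}.`, app.resolve(suffix, consumer)]] };
}

// A role defined in RolesStack is used by a resource rendered in AppStack.
function render(suffix: Token): { principal: string; appDependsOn: string[]; rolesExports: string[] } {
  const app = new App();
  app.stack("RolesStack");
  const principal = servicePrincipal(app, "codebuild", suffix, "AppStack");
  return {
    principal: JSON.stringify(principal),
    appDependsOn: app.stack("AppStack").dependsOn,
    rolesExports: Object.keys(app.stack("RolesStack").exports),
  };
}

const scoped = render({ pseudo: "AWS::URLSuffix", scope: "RolesStack" }); // scoped token
const unscoped = render({ pseudo: "AWS::URLSuffix" });                     // unscoped token
console.log(scoped, unscoped);
```

With the scoped token, the trust principal in AppStack silently picks up an import and a deployment dependency on RolesStack; with the unscoped token it renders as a local `Ref` and the two stacks stay independent.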