Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(ec2): update aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals #29512

Merged
merged 3 commits into from
Mar 21, 2024

Conversation

7e11
Copy link
Contributor

@7e11 7e11 commented Mar 15, 2024

VpcEndpointService has the member allowedPrincipals which is of type ArnPrincipal[]. However, ServicePrincipal is also valid and works in the AWS console. This documentation update includes a workaround for including service principals in the allowedPrincipals.

Issue #29478

Closes #29478

Reason for this change

VpcEndpointService has the member allowedPrincipals which is of type ArnPrincipal[]. However, if you use the AWS console, allowlisting a service principal is supported as well. Users are not able to use the type ServicePrincipal in allowedPrincipals in CDK. This is a feature gap.

I brought this up in #29478, and was told that the type couldn't be changed, but the workaround I was using could be added to the documentation.

Description of changes

Documentation update for the aws-ec2 module which includes a workaround for including service principals in the allowedPrincipals.

Description of how you validated changes

N/A - minor documentation changes only

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

…ncipal in VPCEService `allowedPrincipals`

`VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, `ServicePrincipal` is also valid and works in the AWS console. This documentation update includes a workaround for including service principals in the `allowedPrincipals`.
@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Mar 15, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team March 15, 2024 23:47
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@7e11 7e11 changed the title Update aws-ec2 README to include workaround for using a service pri… docs(ec2): Update aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals (#29478) Mar 15, 2024
@7e11 7e11 changed the title docs(ec2): Update aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals (#29478) docs(ec2): update aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals Mar 15, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review March 15, 2024 23:54

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Mar 16, 2024
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍
Can you please add test coverage for this scenario for both unit and integration tests?

Comment on lines 1055 to 1056
To include a service principal in the `allowedPrincipals`, there is a workaround where you can use a service principal string as input to the `ArnPrincipal` type. The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list.
```ts
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To include a service principal in the `allowedPrincipals`, there is a workaround where you can use a service principal string as input to the `ArnPrincipal` type. The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list.
```ts
You can also include a service principal in the `allowedPrincipals` property by specifying it as a parameter to the `ArnPrincipal` constructor.
The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list.
```ts

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll make this change in the revision that includes the tests.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Mar 16, 2024
@7e11
Copy link
Contributor Author

7e11 commented Mar 16, 2024

Will do

Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same feedback on the test coverage. Otherwise happy to approve it.

Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 19, 2024
GavinZZ
GavinZZ previously approved these changes Mar 20, 2024
Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

Copy link
Contributor

mergify bot commented Mar 20, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 20, 2024
Copy link
Contributor

mergify bot commented Mar 20, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@paulhcsun
Copy link
Contributor

@Mergifyio update

Copy link
Contributor

mergify bot commented Mar 21, 2024

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/request-cli-integ-test.yml without workflows permission

@mergify mergify bot dismissed GavinZZ’s stale review March 21, 2024 17:22

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 2079b16
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 21, 2024
Copy link
Contributor

mergify bot commented Mar 21, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 07ce8ec into aws:main Mar 21, 2024
14 checks passed
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 21, 2024
@7e11 7e11 deleted the patch-1 branch March 21, 2024 21:41
jun1-t pushed a commit to jun1-t/aws-cdk that referenced this pull request Mar 23, 2024
…service principal in VPCEService `allowedPrincipals` (aws#29512)

`VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, `ServicePrincipal` is also valid and works in the AWS console. This documentation update includes a workaround for including service principals in the `allowedPrincipals`.

### Issue aws#29478

Closes aws#29478

### Reason for this change

`VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, if you use the AWS console, allowlisting a service principal is supported as well. Users are not able to use the type `ServicePrincipal` in `allowedPrincipals` in CDK. This is a feature gap.

I brought this up in aws#29478, and was told that the type couldn't be changed, but the workaround I was using could be added to the documentation.

### Description of changes

Documentation update for the `aws-ec2` module which includes a workaround for including service principals in the `allowedPrincipals`.

### Description of how you validated changes

N/A - minor documentation changes only

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
ahammond pushed a commit to ahammond/aws-cdk that referenced this pull request Mar 26, 2024
…service principal in VPCEService `allowedPrincipals` (aws#29512)

`VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, `ServicePrincipal` is also valid and works in the AWS console. This documentation update includes a workaround for including service principals in the `allowedPrincipals`.

### Issue aws#29478

Closes aws#29478

### Reason for this change

`VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, if you use the AWS console, allowlisting a service principal is supported as well. Users are not able to use the type `ServicePrincipal` in `allowedPrincipals` in CDK. This is a feature gap.

I brought this up in aws#29478, and was told that the type couldn't be changed, but the workaround I was using could be added to the documentation.

### Description of changes

Documentation update for the `aws-ec2` module which includes a workaround for including service principals in the `allowedPrincipals`.

### Description of how you validated changes

N/A - minor documentation changes only

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
5 participants