fix: custom resource upload should be namespaced by env #3998
mergify[bot] merged 6 commits into aws:mainline from
Codecov Report
@@ Coverage Diff @@
## mainline #3998 +/- ##
============================================
+ Coverage 68.64% 68.65% +0.01%
============================================
Files 248 248
Lines 35084 35067 -17
Branches 264 264
============================================
- Hits 24083 24076 -7
+ Misses 9807 9801 -6
+ Partials 1194 1190 -4
| // ZipAndUpload zips all files and uploads the zipped file to an S3 bucket under the specified key. | ||
| // Per s3's recommendation https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html: | ||
| // The bucket owner, in addition to the object owner, is granted full control. | ||
| func (s *S3) ZipAndUpload(bucket, key string, files ...NamedBinary) (string, error) { |
|
|
||
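Review bot: the doc comment on ZipAndUpload never says what the returned string is. The signature returns (string, error), but the three comment lines only cover the zipping, the key and the bucket-owner full-control behaviour. Add one sentence naming the return value so callers do not have to read the body to learn what to do with it.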
| templateFS: template.New(), | ||
| s3: s3.New(envRegionSession), | ||
| s3: s3.New(envManagerSession), |
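Review bot: nothing next to the `s3:` field records why the client must be built from envManagerSession rather than envRegionSession; the two lines differ only in that one identifier, so the choice is easy to revert by accident. Add a short comment on the field stating which identity the upload has to run as, and consider a test that fails if the other session is passed.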
I actually don't get why this issue is happening 
copilot-cli/internal/pkg/aws/s3/s3.go
Line 217 in 4b45d66
and the bucket allows all actions from the env accounts:
copilot-cli/internal/pkg/template/templates/app/cf.yml
Lines 74 to 82 in 4b45d66
Then why is there an access denied error? What am I missing? I'd have guessed that as long as the objects are uploaded with BucketOwnership then it wouldn't matter if they're overridden.
thanks for fixing the session here!
OK I finally get what is going on
The buckets are created by default with
Everything gets fixed if we change the
copilot-cli/internal/pkg/template/templates/app/cf.yml
Lines 71 to 82 in 35772b4
My recommendation is instead of namespacing the custom resources, we should change the control ownership to be
efekarakus
left a comment
Should we update the TemplateVersion: 'v1.1.0' field in the app template and deploy.LatestAppTemplateVersion to v1.2.0 ?
| f, err := w.Create(file.name) | ||
| if err != nil { | ||
| return fmt.Errorf("create zip file %q for custom resource %q: %v", file.name, cr.FunctionName(), err) | ||
| return fmt.Errorf("create zip file %q for custom resource %q: %v", file.name, cr.name, err) |
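Review bot: both versions of the fmt.Errorf call format err with %v, which flattens it to text and breaks errors.Is and errors.As for callers; the `create default: %w` call elsewhere in this change wraps with %w. Use %w on this line as well unless dropping the error chain is intentional.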
nit: can we use .Name() instead to rely on the public interface of the type rather than the internal data structure
Should we update the TemplateVersion: 'v1.1.0' field in the app template and deploy.LatestAppTemplateVersion to v1.2.0 ?
No we don't because it is not released yet.
b6e30df to
a0a7e3b
Compare
| } | ||
| } | ||
|
|
||
| // ZipAndUpload zips all files and uploads the zipped file to an S3 bucket under the specified key. |
|
|
||
| templateFS: template.New(), | ||
| s3: s3.New(envRegionSession), | ||
| s3: s3.New(envManagerSession), |
| if err != nil { | ||
| return nil, fmt.Errorf("create default: %w", err) | ||
| } | ||
| if err != nil { |


Fixes #3984
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.