Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom DomainHard fail on IAM permission error #649

Merged
merged 1 commit into from May 25, 2023
Merged

Custom DomainHard fail on IAM permission error #649

merged 1 commit into from May 25, 2023

Conversation

tongueroo
Copy link
Collaborator

@tongueroo tongueroo commented May 25, 2023
edited

This is a 🐞 bug fix.

This is a 🧐 documentation change.

  • I've added tests (if it's a bug, feature or enhancement)
  • I've adjusted the documentation (if it's a feature or enhancement)
  • The test suite passes (run bundle exec rspec to verify this)

Summary

Fixes #557

Know, it's 99% of the time bad to rescue Exception πŸ˜” It's a bummer it cause issues for the users who were kind enough to provide detailed issue reports. Vaguely remember that was mentally spent from working on Custom Domain and Custom CloudFormation resources and used the rescue Exception. πŸ€¦πŸ»β€β™‚οΈ It's been removed and using more targeted rescues now.

Related: Also, wanted to note: #640 Made some important hardening improvements to Custom Domain Custom CloudFormation Resource Lambda Function that handles the custom domain. This takes rollback times down from 3 hours to 3 minutes. This should save everyone time from these related issues.

Context

How to Test

  1. Deploy without custom domain
  2. Make sure you have an IAM user that does not have cloudformation.describe_stack_resource IAM permission
  3. Add custom domain and deploy again

Tested by adding a Deny policy, something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "cloudformation:DescribeStackResource"
            ],
            "Resource": "*"
        }
    ]
}

Note: Did not Deny the cloudformation:DescribeStackResources also because that is already failing hard in newer code where Jets checks for changed routes.

The jets deploy command should fail hard with an IAM permission error.

$ jets deploy
        12: from ../jets/lib/jets/cfn/builders/api_gateway_builder.rb:83:in `existing_domain_name_on_stack?'
        11: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/memoist-0.16.2/lib/memoist.rb:169:in `api_gateway_physical_resource_id'
        10: from ../jets/lib/jets/cfn/builders/api_gateway_builder.rb:104:in `api_gateway_physical_resource_id'
        9: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-cloudformation-1.77.0/lib/aws-sdk-cloudformation/client.rb:2702:in `describe_stack_resource'
        8: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/seahorse/client/request.rb:72:in `send_request'
        7: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/seahorse/client/plugins/response_target.rb:24:in `call'
        6: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
        5: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/seahorse/client/plugins/request_callback.rb:71:in `call'
        4: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
        3: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
        2: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:16:in `call'
        1: from /home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/aws-sdk-core/plugins/checksum_algorithm.rb:111:in `call'
/home/ubuntu/.rbenv/versions/2.7.7/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.173.1/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': User: arn:aws:iam::536766270177:user/tung-custom-domain-issue is not authorized to perform: cloudformation:DescribeStackResource on resource: arn:aws:cloudformation:us-west-2:536766270177:stack/demo-dev/a6205820-fb26-11ed-bbd6-06acdc1d8ef5 with an explicit deny in an identity-based policy (Aws::CloudFormation::Errors::AccessDenied)

Version Changes

Patch

@tongueroo tongueroo force-pushed the custom-domain-hard-fail-on-iam-permission-error branch from 29a2fd2 to e072190 Compare May 25, 2023 18:42
@tongueroo tongueroo merged commit e32ab19 into master May 25, 2023
@tongueroo tongueroo deleted the custom-domain-hard-fail-on-iam-permission-error branch May 25, 2023 18:42
@tongueroo tongueroo mentioned this pull request May 25, 2023
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Custom domain: Hard Fail on Permission Error
1 participant
@tongueroo