New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix ECR Repo policy eternally updating #701
Conversation
Resolves a couple of issues around detecting changes on the ECR RepositoryPolicy type: 1. Converts `awsAccountId` principals that were not specified as an ARN into the ARN format, as AWS always returns in this format from the API. 2. Makes sure to sort string slices within the policy document during comparison, to avoid issues where AWS returns values in a different order. Fixes crossplane-contrib#700 Signed-off-by: Ben Agricola <bagricola@squiz.co.uk>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for looking into this @benagricola !
Previous implementation would panic if the user (or AWS for that matter) inputted a non-string into an ECR RepositoryPolicy. Rather than panic, we should simply return false (i.e. no change to sort order). This may mean that slices containing unknown types are not sorted correctly, but that is better than panicing. This also adds a single test that confirms the behaviour - numbers are not sorted while the strings are, and no panic is observed. Signed-off-by: Ben Agricola <bagricola@squiz.co.uk>
@muvaf latest commit conditionally sorts or returns false based on whether the interfaces can be converted to string or not. I've only implemented string as I believe it is the only valid format, but again - this is an assumption made based on the doco, not knowledge 🙂 |
Instead of detecting the lack of an ARN prefix, we now detect AWS account ID's by trying to decode a 64 bit integer from the input value. By doing this, we avoid accidentally formatting values that do not only contain an account ID but do not match the ARN prefix format we were positively checking for previously. Signed-off-by: Ben Agricola <bagricola@squiz.co.uk>
@muvaf I think this is good to go - I've left all the changes in, as I think @chlunde planned on using this as a base for merging the policy code from ECR and S3 (and maybe others?). Any chance we can merge this before #704 is implemented as it should at least fix the underlying issue for ECR repos 😃 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @benagricola !
…-package Rename family parent package from provider-aws-config to provider-family-aws
Description of your changes
Resolves a couple of issues around detecting changes on the ECR
RepositoryPolicy
type:awsAccountId
principals that were not specified as anARN into the ARN format, as AWS always returns in this format from
the API.
comparison, to avoid issues where AWS returns values in a different
order.
Fixes #700
Signed-off-by: Ben Agricola bagricola@squiz.co.uk
I have:
make reviewable test
to ensure this PR is ready for review.How has this code been tested
Additional test added to compare policies with defined principals as a string slice, that tests both of these cases.
That test fails without the fixes applied.