WIP: OCPBUGS-96892: move snapshot actions to unscoped#1054
Conversation
|
@rhrmo: This pull request references Jira Issue OCPBUGS-96892, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughReclassifies ChangesEC2 snapshot action reclassification
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rhrmo The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pkg/aws/utils.go`:
- Around line 177-179: The snapshot permission grouping in the AWS utilities is
too broad: `ec2:DeleteSnapshot` must remain in the scoped permissions path
because it supports `aws:ResourceTag` and should keep the cluster-ownership
guard. Update the permission map in `utils.go` so `ec2:DeleteSnapshot` is
handled separately from the unscoped snapshot bucket, and only adjust
`ec2:CreateSnapshot` independently if needed; use the existing AWS permission
grouping around the snapshot entries to locate the fix.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 8982687e-9b57-474d-879a-77b38492cae5
📒 Files selected for processing (2)
pkg/aws/utils.gopkg/aws/utils_test.go
| // EC2 — Create/Delete snapshots | ||
| "ec2:CreateSnapshot": true, | ||
| "ec2:DeleteSnapshot": true, |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the relevant file and nearby helpers.
git ls-files pkg/aws/utils.go
wc -l pkg/aws/utils.go
sed -n '130,240p' pkg/aws/utils.go
# Find where these maps are consumed.
rg -n "infraResourceTagUnscopedActions|CreateSnapshot|DeleteSnapshot|SupportsInfraResourceTagCondition|ResourceTag" pkg/awsRepository: openshift/cloud-credential-operator
Length of output: 10905
pkg/aws/utils.go:177-179 — Keep ec2:DeleteSnapshot scoped. ec2:DeleteSnapshot supports aws:ResourceTag, so moving it into the unscoped bucket drops the cluster-ownership guard for snapshot deletion. ec2:CreateSnapshot may need separate handling, but it shouldn’t force deletion into the same bucket.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@pkg/aws/utils.go` around lines 177 - 179, The snapshot permission grouping in
the AWS utilities is too broad: `ec2:DeleteSnapshot` must remain in the scoped
permissions path because it supports `aws:ResourceTag` and should keep the
cluster-ownership guard. Update the permission map in `utils.go` so
`ec2:DeleteSnapshot` is handled separately from the unscoped snapshot bucket,
and only adjust `ec2:CreateSnapshot` independently if needed; use the existing
AWS permission grouping around the snapshot entries to locate the fix.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #1054 +/- ##
=======================================
Coverage 47.28% 47.28%
=======================================
Files 97 97
Lines 12631 12631
=======================================
Hits 5973 5973
Misses 6001 6001
Partials 657 657
🚀 New features to boost your workflow:
|
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@rhrmo: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Summary by CodeRabbit