terraform-provider-awscc
Suppress resource without complete handler permissions on Cfn Registry
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
- The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.
Description
Certain AWS resources might not have a complete Read / List handler, for example AWS::SNS::TopicPolicy:
{
"typeName" : "AWS::SNS::TopicPolicy",
"description" : "Schema for AWS::SNS::TopicPolicy",
"sourceUrl" : "https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-sns.git",
. . .
"handlers" : {
"create" : {
"permissions" : [ "sns:SetTopicAttributes" ]
},
"update" : {
"permissions" : [ "sns:SetTopicAttributes" ]
},
"read" : {
"permissions" : [ ]
},
"delete" : {
"permissions" : [ "sns:SetTopicAttributes" ]
},
"list" : {
"permissions" : [ ]
}
}
}
This usually happens due to an exception made by AWS / CCAPI for the resource.
As such, these resources are non-provisionable in AWSCC, for example #1164
New or Affected Resource(s)
- awscc_sns_topic_policy
Potential Terraform Configuration
I wanted to propose another resource suppression rule that checks the available permissions under each handler. A resource schema without Read handler permissions, for example, should be suppressed.
References
- Issue : #1164
In https://github.com/hashicorp/terraform-provider-awscc/pull/1535 we have removed resource types with ProvisioningType = "NON_PROVISIONABLE" and there were two:
- AWS::Batch::JobDefinition
- AWS::SNS::TopicPolicy
I will do another pass checking for the conditions (no Read/List handler permissions) you have noticed.
AWS::ECS::PrimaryTaskSet
"handlers": {
"create": {
"permissions": [
"ecs:DescribeTaskSets",
"ecs:UpdateServicePrimaryTaskSet"
]
},
"read": {
"permissions": []
},
"update": {
"permissions": [
"ecs:DescribeTaskSets",
"ecs:UpdateServicePrimaryTaskSet"
]
},
"delete": {
"permissions": []
}
}
AWS::S3::MultiRegionAccessPoint
"handlers": {
"update": {
"permissions": [
"s3:PutMultiRegionAccessPointPolicy",
"s3:DescribeMultiRegionAccessPointOperation"
]
},
"read": {
"permissions": [
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPointPolicyStatus"
]
},
"list": {
"permissions": []
},
"delete": {
"permissions": [
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPoint"
]
},
"create": {
"permissions": [
"s3:PutMultiRegionAccessPointPolicy",
"s3:DescribeMultiRegionAccessPointOperation"
]
}
}
AWS::Shield::DRTAccess
"handlers": {
"create": {
"permissions": [
"shield:DescribeDRTAccess",
"shield:AssociateDRTLogBucket",
"shield:AssociateDRTRole",
"iam:PassRole",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy"
]
},
"delete": {
"permissions": [
"shield:DescribeDRTAccess",
"shield:DisassociateDRTLogBucket",
"shield:DisassociateDRTRole",
"iam:PassRole",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy"
]
},
"read": {
"permissions": [
"shield:DescribeDRTAccess"
]
},
"update": {
"permissions": [
"shield:DescribeDRTAccess",
"shield:AssociateDRTLogBucket",
"shield:AssociateDRTRole",
"shield:DisassociateDRTLogBucket",
"shield:DisassociateDRTRole",
"iam:PassRole",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy"
]
},
"list": {
"permissions": []
}
}
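The suppression rule proposed in the issue body (flag a schema whose handlers declare no permissions) and the pass described in the comment above (drop NON_PROVISIONABLE types, then look for empty Read/List handler permissions) can be expressed as one small check over the resource schema JSON. The program below is an added example written for this thread; it is not the provider's own generator code. Assumptions not in the thread: the `provisioningType` value is passed in separately (it comes from `cloudformation:DescribeType`, not from the schema document); create, read and delete are treated as required handlers while an absent or empty list handler is only reported as a note; and the embedded sample schemas are constructed, trimmed copies of the handler blocks quoted above, with every permission list cut to one entry because only emptiness matters to the check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// handler is the part of a resource schema "handlers.<op>" object the check
// needs: the IAM permissions the handler declares.
type handler struct {
	Permissions []string `json:"permissions"`
}

// schema is the subset of a CloudFormation resource provider schema we read.
type schema struct {
	TypeName string             `json:"typeName"`
	Handlers map[string]handler `json:"handlers"`
}

// Verdict is the suppression decision for one resource type.
type Verdict struct {
	TypeName string
	Suppress bool     // true: the generator should skip this resource
	Reasons  []string // why it is suppressed
	Notes    []string // informational only; never causes suppression
}

// requiredOps are the handlers a Terraform resource cannot function without.
// Assumption of this example: "list" is not required, since an empty or
// absent list handler usually means the service has no List API.
var requiredOps = []string{"create", "read", "delete"}

// Evaluate applies two rules to one resource type:
//  1. provisioningType (from DescribeType) is NON_PROVISIONABLE;
//  2. a required handler is absent or declares an empty permissions list.
func Evaluate(provisioningType string, rawSchema []byte) (Verdict, error) {
	var s schema
	if err := json.Unmarshal(rawSchema, &s); err != nil {
		return Verdict{}, fmt.Errorf("parsing schema: %w", err)
	}
	v := Verdict{TypeName: s.TypeName}
	if provisioningType == "NON_PROVISIONABLE" {
		v.Reasons = append(v.Reasons, "provisioningType is NON_PROVISIONABLE")
	}
	for _, op := range requiredOps {
		h, ok := s.Handlers[op]
		switch {
		case !ok:
			v.Reasons = append(v.Reasons, op+" handler is absent")
		case len(h.Permissions) == 0:
			v.Reasons = append(v.Reasons, op+" handler has no permissions")
		}
	}
	if h, ok := s.Handlers["list"]; !ok || len(h.Permissions) == 0 {
		v.Notes = append(v.Notes, "no list handler permissions (no List API?)")
	}
	v.Suppress = len(v.Reasons) > 0
	return v, nil
}

// Constructed sample input: trimmed copies of the handler blocks quoted in
// this thread. provisioningType is only known for SNS::TopicPolicy here;
// the others are left empty (not stated in the thread).
var samples = []struct{ provisioningType, schema string }{
	{"NON_PROVISIONABLE", `{"typeName":"AWS::SNS::TopicPolicy","handlers":{
	  "create":{"permissions":["sns:SetTopicAttributes"]},
	  "update":{"permissions":["sns:SetTopicAttributes"]},
	  "read":{"permissions":[]},
	  "delete":{"permissions":["sns:SetTopicAttributes"]},
	  "list":{"permissions":[]}}}`},
	{"", `{"typeName":"AWS::ECS::PrimaryTaskSet","handlers":{
	  "create":{"permissions":["ecs:UpdateServicePrimaryTaskSet"]},
	  "read":{"permissions":[]},
	  "update":{"permissions":["ecs:UpdateServicePrimaryTaskSet"]},
	  "delete":{"permissions":[]}}}`},
	{"", `{"typeName":"AWS::S3::MultiRegionAccessPoint","handlers":{
	  "create":{"permissions":["s3:PutMultiRegionAccessPointPolicy"]},
	  "update":{"permissions":["s3:PutMultiRegionAccessPointPolicy"]},
	  "read":{"permissions":["s3:GetMultiRegionAccessPointPolicy"]},
	  "delete":{"permissions":["s3:GetMultiRegionAccessPoint"]},
	  "list":{"permissions":[]}}}`},
	{"", `{"typeName":"AWS::Shield::DRTAccess","handlers":{
	  "create":{"permissions":["shield:AssociateDRTRole"]},
	  "update":{"permissions":["shield:AssociateDRTRole"]},
	  "read":{"permissions":["shield:DescribeDRTAccess"]},
	  "delete":{"permissions":["shield:DisassociateDRTRole"]},
	  "list":{"permissions":[]}}}`},
}

// EvaluateAll runs Evaluate over the samples, sorted by type name.
func EvaluateAll() ([]Verdict, error) {
	var out []Verdict
	for _, s := range samples {
		v, err := Evaluate(s.provisioningType, []byte(s.schema))
		if err != nil {
			return nil, err
		}
		out = append(out, v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].TypeName < out[j].TypeName })
	return out, nil
}

func main() {
	vs, err := EvaluateAll()
	if err != nil {
		panic(err)
	}
	for _, v := range vs {
		detail := append(append([]string{}, v.Reasons...), v.Notes...)
		fmt.Printf("%-34s suppress=%-5t %s\n", v.TypeName, v.Suppress, strings.Join(detail, "; "))
	}
}
```

Run as-is and only AWS::SNS::TopicPolicy and AWS::ECS::PrimaryTaskSet come out suppressed (the latter for empty read and delete permissions); the S3 and Shield types pass with a list note, which matches the observation in the thread that an empty list handler is equivalent to having no list handler at all.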
Thanks @ewbankkit, I don't have a data point to tell whether these resources are also non-provisionable or just missing permissions for certain handlers. I'll investigate more.
@wellsiau-aws I'm pretty certain that the missing list handler permissions are equivalent to having no list handler, as there are no list APIs for those resources.
For AWS::ECS::PrimaryTaskSet there is a terraform-provider-aws PR https://github.com/hashicorp/terraform-provider-aws/pull/30839 and looking at that implementation it seems to be a layer on top of ECS Task Sets.
Anyway, I will hold off the release until you get confirmation. Thanks.