
fix(custom-resource-handlers): do not allow unauthorized connection for iam OIDC connection (under feature flag) #32921

Merged (7 commits) on Jan 16, 2025

Conversation

GavinZZ
Contributor

@GavinZZ GavinZZ commented Jan 14, 2025

Issue # (if applicable)

Closes #32920

Reason for this change

Follow security best practices to disable allowing unauthorized connections.

Description of changes

Create a new feature flag; with the new feature flag enabled, we will disable unauthorized connections.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

New integ and unit tests. Updated old tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 14, 2025 20:40
@github-actions github-actions bot added bug This issue is a bug. p1 labels Jan 14, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jan 14, 2025

codecov bot commented Jan 14, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.48%. Comparing base (9d8a7e2) to head (472bc7e).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #32921   +/-   ##
=======================================
  Coverage   81.48%   81.48%           
=======================================
  Files         226      226           
  Lines       13768    13768           
  Branches     2416     2416           
=======================================
  Hits        11219    11219           
  Misses       2271     2271           
  Partials      278      278           
Flag Coverage Δ
suite.unit 81.48% <ø> (ø)


Components Coverage Δ
packages/aws-cdk 80.89% <ø> (ø)
packages/aws-cdk-lib/core 82.10% <ø> (ø)

Contributor

@gracelu0 gracelu0 left a comment


Ty! Left a few comments, mostly typos

Review threads (outdated, resolved) on:
  • packages/aws-cdk-lib/aws-iam/lib/oidc-provider.ts
  • packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md (two threads)
  • packages/aws-cdk-lib/cx-api/lib/features.ts
Contributor

mergify bot commented Jan 16, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mrgrain
Contributor

mrgrain commented Jan 16, 2025

@Mergifyio dequeue

Contributor

mergify bot commented Jan 16, 2025

This pull request has been removed from the queue for the following reason: pull request dequeued.

Pull request #32921 has been dequeued by a dequeue command

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

Contributor

mergify bot commented Jan 16, 2025

dequeue

✅ The pull request has been removed from the queue default-squash

@mrgrain
Contributor

mrgrain commented Jan 16, 2025

@GavinZZ Dequeued this because the conflicts prevent it from merging and it's blocking the queue

@GavinZZ GavinZZ force-pushed the yuanhaoz/reject-unauthorized branch from f5c6311 to 472bc7e on January 16, 2025 21:45
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 472bc7e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Contributor

mergify bot commented Jan 16, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 3e4f377 into main Jan 16, 2025
18 of 19 checks passed
@mergify mergify bot deleted the yuanhaoz/reject-unauthorized branch January 16, 2025 22:16

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 16, 2025
Successfully merging this pull request may close these issues.

custom-resource-handlers: IAM OIDC Provider reject unauthorized connection
4 participants