Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(step-functions):no longer attempt to modify cloudwatch logs permissions for state machines #1090

Merged
merged 1 commit into from
Feb 29, 2024
Merged

fix(step-functions):no longer attempt to modify cloudwatch logs permissions for state machines #1090

merged 1 commit into from
Feb 29, 2024

Conversation

biffgaut
Copy link
Contributor

@biffgaut biffgaut commented Feb 29, 2024
edited
Loading

Issue #, if available:
Fixes #1089

Description of changes:
We originally attempted to reduce the default permissions assigned by the CDK to a State Machine by limiting the resource by region and account for 3 Cloudwatch actions. Trying to do this via the escape hatch is problematic.

Looking deeper at the changes we were making, Cloudwatch Logs are regional so processes can't write log groups in different regions and accounts anyway - so our IAM modifications provided no tangible benefit. Since they were providing no benefit and were breaking client code, we've just removed them.

This approach is supported by Step Functions documentation - https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html#cloudwatch-iam-policy

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@aws-solutions-constructs-team
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: a986491
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

georgebearden
georgebearden approved these changes Feb 29, 2024
View reviewed changes
Copy link
Contributor

@georgebearden georgebearden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me

@biffgaut biffgaut merged commit 94285eb into main Feb 29, 2024
7 of 8 checks passed
@biffgaut biffgaut deleted the Issue1089 branch February 29, 2024 17:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@georgebearden georgebearden georgebearden approved these changes

@hayesry hayesry Awaiting requested review from hayesry hayesry is a code owner

@mobri2a mobri2a Awaiting requested review from mobri2a mobri2a is a code owner

@emcfins emcfins Awaiting requested review from emcfins emcfins is a code owner

@mickychetta mickychetta Awaiting requested review from mickychetta

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Version 2.53.0 - It is removing the permissions granted by other resources to StateMachines
3 participants
@biffgaut @aws-solutions-constructs-team @georgebearden