Skip to content

refactor(snapshot): address nits #59

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 9, 2023
Merged

refactor(snapshot): address nits #59

merged 1 commit into from
Mar 9, 2023

Conversation

jta
Copy link

@jta jta commented Mar 8, 2023

This commit addresses nits uncovered in #58 which were also applicable to the snapshot module.

@jta jta requested review from bendrucker and aping1 as code owners March 8, 2023 04:29
bendrucker
bendrucker approved these changes Mar 8, 2023
View reviewed changes
modules/snapshot/main.tf Outdated
@@ -23,13 +28,13 @@ resource "aws_iam_policy" "this" {
}

resource "aws_iam_role_policy_attachment" "this" {
role = local.role_name
role = trimprefix(data.aws_arn.role.resource, "role/")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is still going to fail for roles with a path. As I understand it, the idea behind paths is that you can craft broad but safe rules with wildcards. Whereas use of wildcards in names is considered an anti-pattern.

Good:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account-id:role/engineering/*"
  }
}

Bad:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account-id:role/engineering*"
  }
}

The non-path wildcard may match unexpectedly on partial words, whereas paths are very explicitly hierarchical.

But paths are a weird half-embraced feature and don't factor into uniqueness. A role name must still be unique. And I'm pretty sure the parameter here is always the role name, without the path.

https://stackoverflow.com/a/46325139

This is a mildly contrived issue as the role typically being passed in here doesn't have a path. But strictly speaking, that's a loose dependency, and according to the input type (object) there's an edge case bug here.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I had to read that stackoverflow twice and your explanation is actually clearer. When you originally brought the issue up, I misinterpreted it as being a case of inadvertent pattern matching (i.e. what happens if path includes ends in role).

The behavior where path is not part of the identity, but is just a grouping key is a bit uninituive, and we probably need to review how we model IAM in OPAL.

@jta jta force-pushed the joao/snapshot-fixes branch from 7b8c54e to 5893641 Compare March 8, 2023 20:21
refactor(snapshot): address nits
942534f 
This commit addresses nits uncovered in #58 which were also applicable
to the snapshot module.
@jta jta force-pushed the joao/snapshot-fixes branch from 5893641 to 942534f Compare March 8, 2023 20:37
@jta jta requested a review from bendrucker March 8, 2023 20:37
@jta jta merged commit 71e1983 into main Mar 9, 2023
@jta jta deleted the joao/snapshot-fixes branch March 9, 2023 00:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bendrucker bendrucker bendrucker approved these changes

@aping1 aping1 Awaiting requested review from aping1

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jta @bendrucker