
Commit 3a4fe33

fix(iam): IAM Policies are too large to deploy (#19114)
The policies we generate sometimes have a lot of duplication between statements. This duplication can lead to the policy going over the size limit of an IAM policy (either 2k, 6k or 10k bytes, depending on the resource type). This change combines multiple statements together, as long as it doesn't change the meaning of the final policy. Because doing so for all existing stacks will probably provoke minor heart attacks in operators everywhere, the new behavior is gated behind a feature flag. It can be retroactively switched on by people currently being bitten by the size issues: ``` @aws-cdk/aws-iam:minimizePolicies ``` We will merge 2 statements if their effects are the same, and they are otherwise exactly the same apart from their `Action`, `Resource` or `Principal` declarations. We will not merge `NotXxx` statements, because doing so will change the meaning of the statement (`not A or not B ≠ not (A or B)`). There may be multiple possible merges that apply and we are not guaranteed to find the smallest merging, nor do we take effort to find all possible merges and do simplifications like `*`-subsumption. This is a starting point that should help out in the common case. Fixes #18774, fixes #16350, fixes #18457, fixes #18564, fixes #19276. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 2f01bf0 commit 3a4fe33


244 files changed

+6180
-7166
lines changed


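--- a/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.all-service-addons.expected.json
+++ b/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.all-service-addons.expected.json
@@ -941,8 +941,8 @@
 {
 "Action": [
 "ecr:BatchCheckLayerAvailability",
-"ecr:GetDownloadUrlForLayer",
-"ecr:BatchGetImage"
+"ecr:BatchGetImage",
+"ecr:GetDownloadUrlForLayer"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -972,30 +972,12 @@
 ]
 }
 },
-{
-"Action": "ecr:GetAuthorizationToken",
-"Effect": "Allow",
-"Resource": "*"
-},
 {
 "Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"nametaskdefinitionenvoyLogGroup258B673B",
-"Arn"
-]
-}
-},
-{
-"Action": [
-"ecr:GetAuthorizationToken",
 "ecr:BatchCheckLayerAvailability",
-"ecr:GetDownloadUrlForLayer",
-"ecr:BatchGetImage"
+"ecr:BatchGetImage",
+"ecr:GetAuthorizationToken",
+"ecr:GetDownloadUrlForLayer"
 ],
 "Effect": "Allow",
 "Resource": "*"
@@ -1006,38 +988,32 @@
 "logs:PutLogEvents"
 ],
 "Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"nametaskdefinitionfirelensLogGroup80DDA60F",
-"Arn"
-]
-}
-},
-{
-"Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"nametaskdefinitionxrayLogGroup4AF4CA37",
-"Arn"
-]
-}
-},
-{
-"Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"nametaskdefinitioncloudwatchagentLogGroup78DDC685",
-"Arn"
-]
-}
+"Resource": [
+{
+"Fn::GetAtt": [
+"nametaskdefinitioncloudwatchagentLogGroup78DDC685",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"nametaskdefinitionenvoyLogGroup258B673B",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"nametaskdefinitionfirelensLogGroup80DDA60F",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"nametaskdefinitionxrayLogGroup4AF4CA37",
+"Arn"
+]
+}
+]
 }
 ],
 "Version": "2012-10-17"
@@ -1814,8 +1790,8 @@
 {
 "Action": [
 "ecr:BatchCheckLayerAvailability",
-"ecr:GetDownloadUrlForLayer",
-"ecr:BatchGetImage"
+"ecr:BatchGetImage",
+"ecr:GetDownloadUrlForLayer"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -1845,30 +1821,12 @@
 ]
 }
 },
-{
-"Action": "ecr:GetAuthorizationToken",
-"Effect": "Allow",
-"Resource": "*"
-},
-{
-"Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"greetingtaskdefinitionenvoyLogGroup6556AC35",
-"Arn"
-]
-}
-},
 {
 "Action": [
-"ecr:GetAuthorizationToken",
 "ecr:BatchCheckLayerAvailability",
-"ecr:GetDownloadUrlForLayer",
-"ecr:BatchGetImage"
+"ecr:BatchGetImage",
+"ecr:GetAuthorizationToken",
+"ecr:GetDownloadUrlForLayer"
 ],
 "Effect": "Allow",
 "Resource": "*"
@@ -1879,38 +1837,32 @@
 "logs:PutLogEvents"
 ],
 "Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"greetingtaskdefinitionfirelensLogGroupD7A398A7",
-"Arn"
-]
-}
-},
-{
-"Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"greetingtaskdefinitionxrayLogGroupD25C072D",
-"Arn"
-]
-}
-},
-{
-"Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"greetingtaskdefinitioncloudwatchagentLogGroupCEF72742",
-"Arn"
-]
-}
+"Resource": [
+{
+"Fn::GetAtt": [
+"greetingtaskdefinitioncloudwatchagentLogGroupCEF72742",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"greetingtaskdefinitionenvoyLogGroup6556AC35",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"greetingtaskdefinitionfirelensLogGroupD7A398A7",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"greetingtaskdefinitionxrayLogGroupD25C072D",
+"Arn"
+]
+}
+]
 }
 ],
 "Version": "2012-10-17"
@@ -2810,8 +2762,8 @@
 {
 "Action": [
 "ecr:BatchCheckLayerAvailability",
-"ecr:GetDownloadUrlForLayer",
-"ecr:BatchGetImage"
+"ecr:BatchGetImage",
+"ecr:GetDownloadUrlForLayer"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -2841,30 +2793,12 @@
 ]
 }
 },
-{
-"Action": "ecr:GetAuthorizationToken",
-"Effect": "Allow",
-"Resource": "*"
-},
-{
-"Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"greetertaskdefinitionenvoyLogGroup6E10B93E",
-"Arn"
-]
-}
-},
 {
 "Action": [
-"ecr:GetAuthorizationToken",
 "ecr:BatchCheckLayerAvailability",
-"ecr:GetDownloadUrlForLayer",
-"ecr:BatchGetImage"
+"ecr:BatchGetImage",
+"ecr:GetAuthorizationToken",
+"ecr:GetDownloadUrlForLayer"
 ],
 "Effect": "Allow",
 "Resource": "*"
@@ -2875,38 +2809,32 @@
 "logs:PutLogEvents"
 ],
 "Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"greetertaskdefinitionfirelensLogGroupD5BAAC35",
-"Arn"
-]
-}
-},
-{
-"Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"greetertaskdefinitionxrayLogGroupBC1558B6",
-"Arn"
-]
-}
-},
-{
-"Action": [
-"logs:CreateLogStream",
-"logs:PutLogEvents"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"greetertaskdefinitioncloudwatchagentLogGroupE7EAF327",
-"Arn"
-]
-}
+"Resource": [
+{
+"Fn::GetAtt": [
+"greetertaskdefinitioncloudwatchagentLogGroupE7EAF327",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"greetertaskdefinitionenvoyLogGroup6E10B93E",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"greetertaskdefinitionfirelensLogGroupD5BAAC35",
+"Arn"
+]
+},
+{
+"Fn::GetAtt": [
+"greetertaskdefinitionxrayLogGroupBC1558B6",
+"Arn"
+]
+}
+]
 }
 ],
 "Version": "2012-10-17"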
