How to avoid zillions of conditional policy statements?
❓ General Issue
The Question
I’m using CDK to create a stack with:
- one SQS `Queue`
- numerous CloudWatch `Rule`s with cron schedules that send a message to that one queue
The `AWS::SQS::QueuePolicy` ends up having one policy `Statement` per rule, each having an `ArnEquals` condition allowing the given rule to access/send to the queue. This results in an `OverLimit` error when trying to deploy the stack, due to "Submitted policy is over max allowed size", which makes complete sense, given how many statements there end up being.
I’ve been trying to find a way to “collapse” all of the policy statements into a single one. I did manage to add a policy statement that would cover it, but CDK still adds all the individual statements as well. I can’t figure out how to prevent the addition of those policy statements.
Any advice? Thanks in advance!
Environment
- CDK CLI Version: 1.36.1 (build 4df7dac)
- Module Version: 1.36.1
- OS: OSX Catalina
- Language: Java
Other information
A couple of extra notes:
- I noticed in the doc that `Queue` supposedly has `autoCreatePolicy`. First of all, this appears to be read-only in Java, since there’s only a documented getter, no setter. Secondly, this method isn’t even public, it’s protected. It looked tantalizingly promising, but inaccessible. I’m tempted to subclass `Queue` and override it, but that feels like a rabbit hole down which I shouldn’t be going.
- I also noticed `IPostProcessor` and got excited, thinking I might be able to post-process the stack & strip out the unwanted policy statements. But I don’t see anywhere in the Java API where I could tap into this. I assume this is a core CDK concept.

Anyway, the ability to post-process during the synth would be amazing, if there’s no other way to achieve what I’m after.
Thanks!
Issue Analytics
- Created 3 years ago
- Reactions: 1
- Comments: 9 (3 by maintainers)
Top GitHub Comments
Woohoo! Success!
@dcheckoway this is a good workaround, appreciate the example. Making constructs more aware of limits in policy size seems like a good feature for the future so I’m gonna keep this open for now.
`grant*` methods could track principals/arns assigned to various permissions and merge them together. Something like this could potentially touch constructs in aws-iam as well.
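The collapse the question asks for, and the statement merging the maintainer reply mentions, as an added example that is not code from the issue, from the CDK project or from any commenter. It models the `AWS::SQS::QueuePolicy` as plain JSON: one `ArnEquals` statement per rule, merged into a single `ArnLike` statement whose wildcard is anchored inside the `rule/` segment of a shared partition/region/account prefix, and checked both for size and for not matching rules outside the intended set. The account id, region, queue and rule names, and the `POLICY_SIZE_LIMIT` constant are constructed or assumed values for illustration.

```python
"""Collapsing per-rule SQS queue-policy statements into one ArnLike statement.

Added example, not code from the issue, from CDK, or from any comment here.
Account id, region, queue name, rule names and the size-limit constant are
constructed/assumed values for illustration only.
"""
import fnmatch
import json
import os
from typing import Dict, List

# Assumed limit for the check below; verify against the current SQS quota.
POLICY_SIZE_LIMIT = 8 * 1024

# Constructed sample identifiers (not real resources).
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:jobs-queue"
RULE_ARNS = [
    f"arn:aws:events:us-east-1:123456789012:rule/cron-job-{i:03d}" for i in range(300)
]


def per_rule_statement(queue_arn: str, rule_arn: str) -> Dict:
    """The shape emitted once per rule: an exact ArnEquals match on that rule's ARN."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
    }


def build_per_rule_policy(queue_arn: str, rule_arns: List[str]) -> Dict:
    """The oversized document: one statement per rule."""
    return {"Version": "2012-10-17",
            "Statement": [per_rule_statement(queue_arn, r) for r in rule_arns]}


def policy_size(policy: Dict) -> int:
    """Serialized size in bytes of the compact JSON document."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def common_rule_prefix(rule_arns: List[str]) -> str:
    """Longest common prefix of the rule ARNs. It must reach into the 'rule/'
    resource segment, so the wildcard stays within one partition, region and
    account and only covers rules, not other EventBridge resources."""
    prefix = os.path.commonprefix(list(rule_arns))
    if ":rule/" not in prefix:
        raise ValueError("rule ARNs differ before the rule name; refusing to widen the wildcard")
    return prefix


def collapse_policy(queue_arn: str, rule_arns: List[str]) -> Dict:
    """One statement whose ArnLike pattern covers every rule ARN."""
    pattern = common_rule_prefix(rule_arns) + "*"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        "Condition": {"ArnLike": {"aws:SourceArn": pattern}},
    }]}


def arn_like(pattern: str, arn: str) -> bool:
    """Approximation of IAM's ArnLike: the six colon-delimited ARN components are
    matched separately, each allowing * and ? wildcards, so * never crosses a
    colon and cannot silently widen the account or region."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def wildcard_is_scoped(policy: Dict, must_match: List[str], must_not_match: List[str]) -> bool:
    """Least-privilege check on the collapsed statement: every intended rule ARN
    matches the pattern and none of the out-of-scope ARNs do."""
    pattern = policy["Statement"][0]["Condition"]["ArnLike"]["aws:SourceArn"]
    return (all(arn_like(pattern, a) for a in must_match)
            and not any(arn_like(pattern, a) for a in must_not_match))


if __name__ == "__main__":
    before = build_per_rule_policy(QUEUE_ARN, RULE_ARNS)
    after = collapse_policy(QUEUE_ARN, RULE_ARNS)
    print(f"{len(RULE_ARNS)} statements: {policy_size(before)} bytes "
          f"(limit {POLICY_SIZE_LIMIT}, over={policy_size(before) > POLICY_SIZE_LIMIT})")
    print(f"1 statement: {policy_size(after)} bytes")
    print(json.dumps(after, indent=2))
```

The prefix check is the part worth keeping whatever tool generates the policy: a wildcard that falls before the `rule/` segment would let any rule in another account or region (or a non-rule resource) send to the queue, so the collapse should refuse rather than widen silently.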