
How to avoid zillions of conditional policy statements?


❓ General Issue

The Question

I’m using CDK to create a stack with:

  • one SQS Queue
  • numerous CloudWatch Rules with cron schedules that send a message to that one queue

The AWS::SQS::QueuePolicy ends up having one policy Statement per rule, each having an ArnEquals condition allowing the given rule to access/send to the queue.

This results in an OverLimit error when trying to deploy the stack, due to Submitted policy is over max allowed size. Which makes complete sense, given how many statements there end up being.

I’ve been trying to find a way to “collapse” all of the policy statements into a single one. I did manage to add a policy statement that would cover it, but CDK still adds all the individual statements as well. I can’t figure out how to prevent the addition of those policy statements.

Any advice? Thanks in advance!

Environment

  • CDK CLI Version: 1.36.1 (build 4df7dac)
  • Module Version: 1.36.1
  • OS: OSX Catalina
  • Language: Java

Other information

A couple of extra notes:

  1. I noticed in the doc that Queue supposedly has autoCreatePolicy. First of all, this appears to be read-only in Java, since there’s only a documented getter, no setter. Secondly, this method isn’t even public, it’s protected. It looked tantalizingly promising, but inaccessible. I’m tempted to subclass Queue and override it, but that feels like a rabbit hole down which I shouldn’t be going.

  2. I also noticed IPostProcessor and got excited, thinking I might be able to post-process the stack & strip out the unwanted policy statements. But I don’t see anywhere in the Java API where I could tap into this. I assume this is a core CDK concept.

Anyway, the ability to post-process during the synth would be amazing, if there’s no other way to achieve what I’m after.

Thanks!


Top GitHub Comments

2 reactions
dcheckoway commented, May 1, 2020

Woohoo! Success!

    import java.util.Arrays;
    import java.util.stream.Collectors;

    import com.google.common.collect.ImmutableMap;
    import software.amazon.awscdk.services.events.Rule;
    import software.amazon.awscdk.services.iam.Effect;
    import software.amazon.awscdk.services.iam.PolicyStatement;
    import software.amazon.awscdk.services.iam.ServicePrincipal;
    import software.amazon.awscdk.services.sqs.QueuePolicy;

    // Since we created the queue with autoCreatePolicy=false, we still need to allow the rules to send
    // messages to the queue.  This creates a policy with one statement, one compound condition.
    // (Runs inside the Stack: q is the Queue, rules is the List<Rule> of scheduled rules.)
    QueuePolicy.Builder.create(this, "scheduled-task-invocation-queue-policy")
            .queues(Arrays.asList(q))
            .build()
            .getDocument().addStatements(PolicyStatement.Builder.create()
            .resources(Arrays.asList(q.getQueueArn()))
            .effect(Effect.ALLOW)
            .actions(Arrays.asList(
                    "sqs:GetQueueAttributes",
                    "sqs:GetQueueUrl",
                    "sqs:SendMessage"
            ))
            // Single principal (EventBridge), single ArnEquals condition whose value is the
            // list of every rule ARN, instead of one statement per rule.
            .principals(Arrays.asList(ServicePrincipal.Builder.create("events").build()))
            .conditions(ImmutableMap.of("ArnEquals", ImmutableMap.of("aws:SourceArn",
                    rules.stream().map(Rule::getRuleArn).collect(Collectors.toList()))))
            .build());
1 reaction
MrArnoldPalmer commented, May 6, 2020

@dcheckoway this is a good workaround, appreciate the example. Making constructs more aware of limits in policy size seems like a good feature for the future so I’m gonna keep this open for now. grant* methods could track principals/arns assigned to various permissions and merge them together.

Something like this could potentially touch constructs in aws-iam as well.
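Putting the consolidation that both comments describe into code, as an added example that is not from the issue or from the CDK project: a small Python utility that takes a synthesized queue policy document of the kind in the question (one Allow statement per rule, each with its own ArnEquals aws:SourceArn), merges the statements that differ only in that source ARN into one statement carrying a list of ARNs, and measures the compact JSON size so the document can be checked against the SQS queue-policy quota before a deploy. The queue ARN, rule ARNs and sample policy are constructed for the example; the quota value itself is not stated on the page, so it is a parameter (`limit`) rather than a hard-coded number.

```python
import copy
import json

# Constructed sample values (not from the issue): one queue, three scheduled rules.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:scheduled-task-invocation-queue"
RULE_ARNS = [
    f"arn:aws:events:us-east-1:123456789012:rule/scheduled-task-{i}" for i in range(3)
]


def per_rule_statement(rule_arn):
    """One statement of the shape the per-rule grant emits (constructed sample)."""
    return {
        "Action": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:SendMessage"],
        "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Resource": QUEUE_ARN,
    }


SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [per_rule_statement(arn) for arn in RULE_ARNS],
}


def _source_arns(stmt):
    """aws:SourceArn value(s) of an ArnEquals condition as a list, or None if absent."""
    value = stmt.get("Condition", {}).get("ArnEquals", {}).get("aws:SourceArn")
    if value is None:
        return None
    return [value] if isinstance(value, str) else list(value)


def _merge_key(stmt):
    """Canonical form of the statement with the SourceArn value blanked out.

    Two statements share a key only when Effect, Action, Principal, Resource and
    every other condition are identical; ORing their SourceArn values in one
    ArnEquals list then grants exactly what the separate statements granted.
    """
    skeleton = copy.deepcopy(stmt)
    skeleton["Condition"]["ArnEquals"]["aws:SourceArn"] = None
    skeleton.pop("Sid", None)  # Sids must be unique and carry no permission meaning
    return json.dumps(skeleton, sort_keys=True)


def collapse_source_arn_statements(policy):
    """Merge statements that differ only in their ArnEquals aws:SourceArn value.

    Statements without such a condition are passed through unchanged, in place.
    """
    merged = {}  # merge key -> the merged statement object (also referenced from `order`)
    order = []   # output statements in first-occurrence order
    for stmt in policy["Statement"]:
        arns = _source_arns(stmt)
        if arns is None:
            order.append(copy.deepcopy(stmt))
            continue
        key = _merge_key(stmt)
        if key not in merged:
            merged[key] = copy.deepcopy(stmt)
            merged[key]["Condition"]["ArnEquals"]["aws:SourceArn"] = []
            order.append(merged[key])
        bucket = merged[key]["Condition"]["ArnEquals"]["aws:SourceArn"]
        bucket.extend(a for a in arns if a not in bucket)  # dedupe, keep order
    for stmt in merged.values():  # a single ARN stays a plain string, as before
        arns = stmt["Condition"]["ArnEquals"]["aws:SourceArn"]
        if len(arns) == 1:
            stmt["Condition"]["ArnEquals"]["aws:SourceArn"] = arns[0]
    return {**policy, "Statement": order}


def policy_size_bytes(policy):
    """Byte length of the compact JSON encoding, an approximation of what the
    service measures; compare it against the quota from the SQS documentation."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def fits_limit(policy, limit):
    """True if the policy's compact encoding is within `limit` bytes (assumed quota)."""
    return policy_size_bytes(policy) <= limit


if __name__ == "__main__":
    collapsed = collapse_source_arn_statements(SAMPLE_POLICY)
    print(f"before: {len(SAMPLE_POLICY['Statement'])} statements, {policy_size_bytes(SAMPLE_POLICY)} bytes")
    print(f"after:  {len(collapsed['Statement'])} statements, {policy_size_bytes(collapsed)} bytes")
    print(json.dumps(collapsed, indent=2))
```

The merge key deliberately includes everything except the SourceArn value, so a statement for a different principal, action set, effect or extra condition is never folded in; only the case the thread is about (same grant, different rule ARN) collapses. Run the check against the template that `cdk synth` produces, or against the document a `grant*` helper builds, before deploying.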
