Add support for AWS::IoT::MitigationAction #15
Conversation
| ] | ||
| }, | ||
| "EnableIoTLoggingParams": { | ||
| "description": "Allows logging", |
There was a problem hiding this comment.
Let's use the descriptions from https://docs.aws.amazon.com/iot/latest/apireference/API_MitigationActionParams.html#iot-Type-MitigationActionParams and make sure to have one for every property.
| } | ||
| }, | ||
| "AddThingsToThingGroupParams": { | ||
| "description": "Allows adding things that triggered the mitigation action to thing groups", |
There was a problem hiding this comment.
Minor: let's stay consistent and add periods at the end of all descriptions.
| * - object translation to/from aws sdk | ||
| * - resource model construction for read/list handlers | ||
| */ | ||
|
|
There was a problem hiding this comment.
Minor: There seem to be some extra new lines and inconsistent indentation depths. Let's reformat all the files that need it.
| "ActionName": "CfnContractTest", | ||
| "RoleArn": "arn:aws:iam::072938559174:role/Admin", | ||
| "ActionParams": | ||
| { |
There was a problem hiding this comment.
Let's run pre-commit run --all-files, that should reformat all the json files to be consistent.
| import static org.mockito.ArgumentMatchers.eq; | ||
| import static org.mockito.Mockito.when; | ||
|
|
||
| import java.sql.Date; |
There was a problem hiding this comment.
Looks like an accidental import. Let's run "organize imports" for all files that need it.
| // TODO: replace all usage of SdkClient with your service client type, e.g; YourServiceAsyncClient | ||
| // import software.amazon.awssdk.services.yourservice.YourServiceAsyncClient; |
| software.amazon.awssdk.services.iot.model.PublishFindingToSnsParams.builder() | ||
| .topicArn("arn:aws:sns:us-east-1:072938559174:myTopic.fifo") | ||
| .build(); | ||
| protected static final software.amazon.awssdk.services.iot.model.MitigationActionParams SDK_ACTION_PARAMS2 = |
There was a problem hiding this comment.
Minor: IntelliJ pointed out to me that this one is unused. If there's no need for it, let's remove it.
| } | ||
|
|
||
| @Test | ||
| void translateActionParamsToSdkTest() { |
There was a problem hiding this comment.
- Let's verify conversion for all the mitigation actions, not just ReplaceDefaultPolicyVersion. Same below.
- Minor: it would be nice to keep the test naming convention as above.
| .collect(Collectors.toSet()); | ||
| } | ||
|
|
||
| static MitigationActionParams translateActionParamsToSdk(ActionParams actionParams) { |
There was a problem hiding this comment.
Consider a case where customer fills out all the actions (which is incorrect). Looks like this method will just fill out AddThingsToThingGroup and return. How about we pass the customer's template the way it is and let the service throw the right exception? If so, maybe drop the else in else ifs. And let's have a unit test to cover that.
There was a problem hiding this comment.
Makes sense. Done
| .addThingsToThingGroupParams(addThingsToThingGroupParams) | ||
| .addThingsToThingGroupParams(addThingsToThingGroupParams) |
There was a problem hiding this comment.
Looks like an accidental copy.
| } | ||
| else if (actionParams.enableIoTLoggingParams() != null) { | ||
| enableIoTLoggingParams = EnableIoTLoggingParams.builder() | ||
| .logLevel(actionParams.enableIoTLoggingParams().logLevel().toString()) |
There was a problem hiding this comment.
Minor: the SDK provides a method logLevelAsString, it's nice for this use case.
There was a problem hiding this comment.
Nice. Changed.
| ] | ||
| }, | ||
| "update": { | ||
| "permissions": [ |
There was a problem hiding this comment.
Let's add iam:PassRole here as well
| }, | ||
| "additionalProperties": false, | ||
| "required": [ | ||
| "ActionName", |
There was a problem hiding this comment.
Shouldn't the ActionName be optional for this schema? CreateHandler generates an ActionName if it's not provided.
There was a problem hiding this comment.
Good catch! Changed.
| @@ -1,239 +1,248 @@ | |||
| { | |||
There was a problem hiding this comment.
JSON files are showing big delta because of fixing indentation using pre-commit hook.
| } else if (e instanceof InvalidRequestException) { | ||
| return new CfnInvalidRequestException(e); | ||
| } else if (e instanceof LimitExceededException) { | ||
| return new CfnServiceLimitExceededException(e); |
There was a problem hiding this comment.
Minor: somehow the indentations in this file are size 2 instead of 4 like everywhere else
There was a problem hiding this comment.
Yeah. It is weird. Auto indentation did not work either.
Fixed it with this(In case we face again): "Settings | Editor | Code Style" -- try disabling "Detect and use existing file indents for editing" in case if you have it enabled (it is by default). NOTE: re-opening file in editor may be required.
| // Like most services, we don't require an explicit resource name in the template, | ||
| // and, if it's not provided, generate one based on the stack ID and logical ID. | ||
| if (StringUtils.isBlank(model.getActionName())) { | ||
| // TODO: include stack-id in the generated name. Will do it once the new release of the java plugin |
There was a problem hiding this comment.
Let's do this as part of this PR
There was a problem hiding this comment.
I did already made that change. Missed taking out the TODO. Removed now.
| "MitigationActionId": { | ||
| "type": "string" | ||
| }, | ||
| "CreationDate": { |
There was a problem hiding this comment.
As discussed, let's remove the CreationDate
| // Yet we should, otherwise the resource wouldn't equate the template. | ||
| Set<Tag> currentTags = listTags(proxy, resourceArn, logger); | ||
|
|
||
| // getDesiredResourceTags includes model+stack-level tags, reference: https://tinyurl.com/y2p8medk |
There was a problem hiding this comment.
Here's a better link https://tinyurl.com/y55mqrnc
| "typeName": "AWS::IoT::MitigationAction", | ||
| "description": "Mitigation actions can be used to take actions to mitigate issues that were found during an audit.", | ||
| "sourceUrl": "https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-iot.git", | ||
| "definitions": { |
There was a problem hiding this comment.
Let's add "additionalProperties": false for all entries with type=object
| "RoleArn": "{{RoleForDeviceDefenderAuditArn}}", | ||
| "ActionParams": { | ||
| "PublishFindingToSnsParams": { | ||
| "TopicArn": "{{TopicForDeviceDefenderAuditCreateArn}}" |
| @@ -0,0 +1,15 @@ | |||
| { | |||
| "ActionName": "CfnContractTest", | |||
There was a problem hiding this comment.
It will be nice to have a test for every single action that we support, else how do you know that the definition of one of the actions isn't broken?
There was a problem hiding this comment.
Adding an integ test for them in the integ test package.
| public class HandlerUtils { | ||
|
|
||
| public static List<software.amazon.awssdk.services.iot.model.Tag> listTags( |
There was a problem hiding this comment.
It might be better to pull the common code to a common package, it would be painful for now but reduces the effort for future.
There was a problem hiding this comment.
Opened an issue about this with the cfn team: aws-cloudformation/cloudformation-cli-java-plugin#335
| @ExtendWith(MockitoExtension.class) | ||
| public class CreateHandlerTest { |
There was a problem hiding this comment.
Let's add tests for every single action that we support in both CREATE and UPDATE paths
There was a problem hiding this comment.
Nevermind, saw that you added tests for translator
| @@ -0,0 +1,253 @@ | |||
| { | |||
| "typeName": "AWS::IoT::MitigationAction", | |||
| "description": "Mitigation actions can be used to take actions to mitigate issues that were found during an audit.", | |||
There was a problem hiding this comment.
Mitigation Action isn't specific to Audit, now even ML Detect uses it. So lets paraphrase
| }, | ||
| "UpdateCACertificateParams": { | ||
| "type": "object", | ||
| "description": "Parameters to define a mitigation action that changes the state of the CA certificate to inactive.s", |
| @@ -0,0 +1,15 @@ | |||
| { | |||
| "ActionName": "CfnContractTest", | |||
| "RoleArn": "{{RoleForDeviceDefenderAuditArn}}", | |||
There was a problem hiding this comment.
Let's not use "Audit" in names of even the test resource. Reason being MitigationActions isn't specific to Audit anymore (it's a common resource to both Audit/Detect)
| "RoleArn": "{{RoleForDeviceDefenderAuditArn}}", | ||
| "ActionParams": { | ||
| "PublishFindingToSnsParams": { | ||
| "TopicArn": "{{TopicForDeviceDefenderAuditCreateArn}}" | ||
| } |
| @@ -0,0 +1,46 @@ | |||
| AWSTemplateFormatVersion: 2010-09-09 | |||
| Description: 'Resources for running the AccountAuditConfiguration contract tests' | |||
There was a problem hiding this comment.
This Description seems wrong. Should say "Mitigation Actions contract tests"
| Outputs: | ||
| RoleForDeviceDefenderAuditOutput: | ||
| Value: | ||
| Fn::GetAtt: [RoleForDeviceDefenderAudit, Arn] | ||
| Export: | ||
| Name: RoleForDeviceDefenderAuditArn | ||
| TopicForDeviceDefenderAuditCreateOutput: | ||
| Value: | ||
| Ref: TopicForDeviceDefenderAuditCreate | ||
| Export: | ||
| Name: TopicForDeviceDefenderAuditCreateArn | ||
| TopicForDeviceDefenderAuditUpdateOutput: | ||
| Value: | ||
| Ref: TopicForDeviceDefenderAuditUpdate | ||
| Export: | ||
| Name: TopicForDeviceDefenderAuditUpdateArn | ||
| AccountIdOutput: | ||
| Value: | ||
| Fn::Sub: "${AWS::AccountId}" | ||
| Export: |
There was a problem hiding this comment.
Same as above. It doesn't matter that much, but why not use a generic name that doesn't contain Audit.
|
|
||
| if (!StringUtils.isEmpty(model.getMitigationActionId())) { | ||
| logger.log(String.format("MitigationActionId is read-only, but the caller passed %s.", | ||
| model.getMitigationActionArn())); |
There was a problem hiding this comment.
Incorrect field name, should be MitigationActionId.
| @Test | ||
| public void handleRequest_HappyCase_VerifyRequestResponse() { |
There was a problem hiding this comment.
In all tests lets verify that no more interactions were made with the proxy mock.
| assertThat(submittedRequest.actionName().length() > 20).isTrue(); | ||
| } | ||
|
|
||
| // TODO: test system tags when the src code is ready |
There was a problem hiding this comment.
Remove this line I'd say. When we add support then it's possible we don't even look at this line and just forget about it. Hardly people check for TODOs in code.
…resource name case
Notes
Mitigation actions allow you to take actions for mitigating issues that were found during an audit. AWS IoT Device Defender provides predefined actions for the different audit checks. You configure those actions for your AWS account and then apply them to a set of findings.
Documentation for Mitigation actions can be found at https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-mitigation-actions.html
Most of the complications for this resources are around tagging (in handlers, we have to call separate tag management APIs).
This change includes: model, handlers, unit tests, inputs for contract tests.
Testing
Unit tests - 80%+ coverage.
All contract tests passed - except for the ones that failed due to known issues in the contract tests library.
Ran pre-commit run --all-files, mvn verify successfully.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.