Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(servicecatalogappregistry): add sharing of applications and attribute groups #20850

Merged
merged 29 commits into from
Aug 22, 2022

Conversation

mackalex
Copy link
Contributor

@mackalex mackalex commented Jun 23, 2022

This PR adds sharing capability to the Application and Attribute Group constructs for Service Catalog AppRegistry. Users who have enabled AWS Organizations in their AWS account can now share their AppRegistry Application and Attribute Groups with accounts in their organization, organizational units (OUs), IAM roles, and IAM users. This provides CDK parity with the support of cross-account sharing of Applications and Attribute Groups which was released as an AppRegistry feature.


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license


Co-authored by: Aidan Crank

@gitpod-io
Copy link

gitpod-io bot commented Jun 23, 2022

@aws-cdk-automation aws-cdk-automation requested a review from a team June 23, 2022 14:52
@github-actions github-actions bot added the p2 label Jun 23, 2022
@arcrank
Copy link
Contributor

arcrank commented Jun 23, 2022

need update table of contents.

public shareResource(shareOptions: ShareOptions): void {
const principals = getPrincipalsforSharing(shareOptions);
const shareName = `RAMShare${hashValues(this.node.addr, ...principals)}`;
new CfnResourceShare(this, shareName, {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could consider since we have hash for resource name we can either throw an error if someone tries to add same share twice or ignore it, like we do in other SC resources.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will think about this one a bit more. I think some logic to ignore it may be sufficient.

}

/**
* Generates a unique hash identfifer using SHA256 encryption algorithm
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Generates a unique hash identfifer using SHA256 encryption algorithm
* Generates a unique hash identfifer using SHA256 encryption algorithm.

@mackalex mackalex marked this pull request as ready for review June 29, 2022 18:43
Copy link
Contributor

@comcalvi comcalvi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great PR! A few comments and we should be able to get this merged.

*
* @default true
*/
readonly allowExternalPrincipals?: boolean;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure if this should be true be default...pinging @rix0rrr for advice

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Depends on what this flag does.

  • As currently stated, it automatically shares your app with everyone. That doesn't seem great... what's the thought behind that @arcrank ?
  • If the actual behavior is, this turns on the possibility of calling some other method later which shares, then it's fine, but also the documentation is completely failing to explain that.

Also, the docstring says "Explicitly" but proceeds to turn on the flag implicitly, which makes that word pretty redundant.

I'd suggest rewriting the docstring to be clear and specific and actionable.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is default behavior, all it means is that you can share with accounts not in your AWS Org. Since this is really AWS Org specific (this flag is meaningless if the caller account itself is not in an aws org) maybe we can rename it align with that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I revised the docstring to be more clear on this. +1 to @arcrank on this. The default behavior is explained further in step 8 of RAM's resource sharing getting started guide: https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would further explain the behavior in these docs to address @rix0rrr's second point; is there a method that must be called to actually share this resource? This docstring should tell the user not only that this sharing can happen, but how it happens.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the behavior relates to the organization, why don't we call it allowPrincipalsOutsideOrganization ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the discussion on this. After conferring with the team, this property has been removed from ShareOptions as it is always set to false in AppRegistry's sharing experience with RAM and not surfaced to the customer.

@mergify mergify bot dismissed comcalvi’s stale review July 1, 2022 23:05

Pull request has been modified.

@mergify mergify bot dismissed comcalvi’s stale review August 3, 2022 23:38

Pull request has been modified.

Copy link
Contributor

@comcalvi comcalvi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is very close to being perfect! Just need a test case added and we're ready to ship it.

@mergify mergify bot dismissed comcalvi’s stale review August 10, 2022 16:34

Pull request has been modified.

Copy link
Contributor

@TheRealAmazonKendra TheRealAmazonKendra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting this back into changes requested to reflect the status.

@TheRealAmazonKendra TheRealAmazonKendra changed the title feat(servicecatalogappregistry): Add sharing of Applications and Attribute Groups feat(servicecatalogappregistry): add sharing of applications and attribute groups Aug 10, 2022
@TheRealAmazonKendra
Copy link
Contributor

@mackalex When you merge from live, please use @Mergifyio update instead of the update branch button. The mergify command doesn't dismiss reviews so we can more easily tell when changes have been made that are ready for a new review.

Copy link
Contributor

@comcalvi comcalvi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! Thanks for the contribution, well done.

@mackalex
Copy link
Contributor Author

Putting this back into changes requested to reflect the status.

@TheRealAmazonKendra Hi Kendra, I'm looking for an additional approval or signoff on the requested changes so I can go ahead and merge this in. Thanks in advance!

@TheRealAmazonKendra
Copy link
Contributor

Apologies for neglecting this one. I'll take another look on Monday.

@mergify
Copy link
Contributor

mergify bot commented Aug 22, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Copy link
Contributor

mergify bot commented Aug 22, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 19a87dc
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit cf3bb6e into aws:main Aug 22, 2022
josephedward pushed a commit to josephedward/aws-cdk that referenced this pull request Aug 30, 2022
…ibute groups (aws#20850)

This PR adds sharing capability to the Application and Attribute Group constructs for Service Catalog AppRegistry. Users who have enabled AWS Organizations in their AWS account can now share their AppRegistry Application and Attribute Groups with accounts in their organization, organizational units (OUs), IAM roles, and IAM users. This provides CDK parity with the support of cross-account sharing of Applications and Attribute Groups which was [released as an AppRegistry feature](https://aws.amazon.com/about-aws/whats-new/2022/06/aws-service-catalogs-application-registry-cross-account-applications/).

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---

Co-authored by: Aidan Crank
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants