feat(cli-plugin-contract): introduce a public contract between CLI and plugins #32111
Conversation
github-actions
bot
added
effort/medium
otaviomacedo
temporarily deployed
to
test-pipeline
GitHub Actions
Inactive
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
added
the
pr/needs-cli-test-run
otaviomacedo
added
the
pr-linter/exempt-integ-test
otaviomacedo
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #32111 +/- ##
==========================================
- Coverage 80.64% 80.64% -0.01%
==========================================
Files 107 107
Lines 6996 6994 -2
Branches 1290 1290
==========================================
- Hits 5642 5640 -2
Misses 1175 1175
Partials 179 179
Flags with carried forward coverage won't be shown. Click here to find out more.
|
otaviomacedo
temporarily deployed
to
test-pipeline
GitHub Actions
Inactive
| * | ||
| * Guaranteed to be called only if canProvideCredentails() returned true at some point. | ||
| */ | ||
| getProvider(accountId: string, mode: Mode): Promise<AwsCredentials>; |
There was a problem hiding this comment.
We change this to a strongly typed string, we can make this package types only.
| getProvider(accountId: string, mode: Mode): Promise<AwsCredentials>; | |
| getProvider(accountId: string, mode: 'ForReading' | 'ForWriting'): Promise<AwsCredentials>; |
There was a problem hiding this comment.
This would be a breaking change for plugins, which are expecting a number (ForReading = 0, ForWriting = 1).
There was a problem hiding this comment.
getProvider(accountId: string, mode: 0 | 1): Promise<AwsCredentials>;
getProviderEx(accountId: string, mode: 'ForReading' | 'ForWriting'): Promise<AwsCredentials>;?
otaviomacedo
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
This reverts commit 16d3d4d.
otaviomacedo
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
otaviomacedo
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
otaviomacedo
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
| /** | ||
| * A list of credential provider sources | ||
| */ | ||
| export interface CredentialProviderSourceRepository { |
There was a problem hiding this comment.
I'd happily rename this interface if someone has a better suggestion.
There was a problem hiding this comment.
PluginHost ?
It's technically also for lookup plugins, for example.
There was a problem hiding this comment.
If we call it PluginHost, what should we call the class that implements it in the CLI?
| getPromise?: () => Promise<void>; | ||
| } | ||
|
|
||
| export enum Mode { |
There was a problem hiding this comment.
I've considered making this a const enum but, given the documented pitfalls, I've decided against it. This value will probably be used only once during the execution of the plugin, which itself is part of much bigger CDK command execution. So the cost of additional indirection when accessing enum values is negligible.
There was a problem hiding this comment.
The goal of that was more to avoid having plugins take a runtime dependency on this package. They should be able to take only a devDependency on this package.
What is the concrete pitfall you're concerned about?
There was a problem hiding this comment.
All three of them. If you look at the approaches to avoid them, they boil down to "do not use this feature if an external package is going to consume this enum", which is exactly the case here.
The CLI immediately invokes credential *providers* to produce *credentials*, and passes the credentials around instead of the providers. This means that if short-lived credentials expire (like session credentials from roles), there is no way to refresh them. CLI calls will start to fail if that happens. To fix this, instead of resolving providers to credentials, pass providers around instead. Implications for auth plugins ------------- This widens the plugin protocol: the new plugin protocol *forced* a translation to V3 credentials, and had no way to return V3 providers. While it is now possible to return V3 Credential Providers from the plugin protocol, plugin writers cannot easily take advantage of that protocol because there have been ~8 CLI releases that only support V3 credentials and will fail at runtime of V3 providers are returned. To support this, pass a new options argument into `getProvider()`: this will indicate whether V3 Providers are supported or not. Plugins can return a provider if the CLI indicates that it supports V3 providers, and avoid doing that if the CLI indicates it won't. That way, plugins can be rewritten to take advantage of returning V3 providers without crashing on CLI versions `2.167.0..(this releases)`. This also affects #32111 in which the plugin contract is being moved.
The CLI immediately invokes credential *providers* to produce *credentials*, and passes the credentials around instead of the providers. This means that if short-lived credentials expire (like session credentials from roles), there is no way to refresh them. CLI calls will start to fail if that happens. To fix this, instead of resolving providers to credentials, pass providers around instead. Implications for auth plugins ------------- This widens the plugin protocol: the new plugin protocol *forced* a translation to V3 credentials, and had no way to return V3 providers. While it is now possible to return V3 Credential Providers from the plugin protocol, plugin writers cannot easily take advantage of that protocol because there have been ~8 CLI releases that only support V3 credentials and will fail at runtime of V3 providers are returned. To support this, pass a new options argument into `getProvider()`: this will indicate whether V3 Providers are supported or not. Plugins can return a provider if the CLI indicates that it supports V3 providers, and avoid doing that if the CLI indicates it won't. That way, plugins can be rewritten to take advantage of returning V3 providers without crashing on CLI versions `2.167.0..(this releases)`. This also affects #32111 in which the plugin contract is being moved. Closes #32287. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
rix0rrr
requested a deployment
to
test-pipeline
GitHub Actions
Waiting
rix0rrr
requested a deployment
to
test-pipeline
GitHub Actions
Waiting
rix0rrr
requested a deployment
to
test-pipeline
GitHub Actions
Waiting
rix0rrr
temporarily deployed
to
test-pipeline
GitHub Actions
Inactive
rix0rrr
temporarily deployed
to
test-pipeline
GitHub Actions
Inactive
|
➡️ PR build request submitted to A maintainer must now check the pipeline and add the |
rix0rrr
added
the
pr-linter/cli-integ-tested
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
removed
the
pr/needs-cli-test-run
rix0rrr
requested a deployment
to
test-pipeline
GitHub Actions
Waiting
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
The contract between the CLI and credential provider plugins is not publicly defined.
Extract the types involved in the CLI-plugin communication into a new package,
@aws-cdk/cli-plugin-contract, and update all references in the CLI code.Closes #32099, closes https://github.com/aws/aws-cdk-cli/issues/6, closes #19564
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license