Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(appconfig): environment deletion protection #32737

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

feat(appconfig): environment deletion protection #32737

wants to merge 10 commits into from
+143 −75

Conversation

badmintoncryer
Copy link
Contributor

Issue # (if applicable)

None

Reason for this change

AWS AppConfig environment supports deletion protection and this feature is not configurable from AWS CDK.

Description of changes

  • Add DeletionProtectionCheck enum
  • Add deletionProtectionCheck prop to EnvironmentOption

There are two entities, EnvironmentOptions and EnvironmentProps, where EnvironmentProps is designed as an extension of EnvironmentOptions with the addition of an application prop.

export interface EnvironmentProps extends EnvironmentOptions {
  /**
   * The application to be associated with the environment.
   */
  readonly application: IApplication;
}

abstract class ApplicationBase extends cdk.Resource implements IApplication, IExtensible {
  public addEnvironment(id: string, options: EnvironmentOptions = {}): IEnvironment {
    return new Environment(this, id, {
      application: this,
      ...options,
    });
  }

Therefore, the current argument addition has also been made to EnvironmentOptions.

Describe any new or updated permissions being added

None

Description of how you validated changes

Add both unit and integ test.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Jan 4, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team January 4, 2025 12:47
@codecov Codecov
Copy link

codecov bot commented Jan 4, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.96%. Comparing base (dd6a2f4) to head (a076e34).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #32737   +/-   ##
=======================================
  Coverage   66.96%   66.96%           
=======================================
  Files         329      329           
  Lines       18667    18667           
  Branches     3260     3260           
=======================================
  Hits        12501    12501           
  Misses       5839     5839           
  Partials      327      327
Flag Coverage Δ
suite.unit 66.96% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 80.71% <ø> (ø)
packages/aws-cdk-lib/core 82.09% <ø> (ø)

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 4, 2025
@badmintoncryer badmintoncryer changed the title feat(appconfig): deletion protection for AppConfig Environment feat(appconfig): deletion protection for an Environment Jan 4, 2025
@badmintoncryer badmintoncryer changed the title feat(appconfig): deletion protection for an Environment feat(appconfig): environment deletion protection Jan 5, 2025
mazyu36
mazyu36 suggested changes Jan 6, 2025
View reviewed changes
Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution.
I've left some comments.

I'm not very familiar with this property, so please correct me if I'm wrong.

packages/aws-cdk-lib/aws-appconfig/README.md Outdated

You can enable [deletion protection](https://docs.aws.amazon.com/appconfig/latest/userguide/deletion-protection.html) on the environment by setting the `deletionProtection` property.

- ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very very nit:

Suggested change
- ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.
- ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand this sentence means the following, is that correct?

  • Use account-level settings when ACCOUNT_DEFAULT is set.
  • If users want to enable account-level deletion protection, they need to use the UpdateAccountSettings API via AWS CLI or another tool.

The current explanation seems to be taken from the docs, but I think an explanation like the one below would be clearer. What do you think?

The default setting, which uses account-level deletion protection. To configure account-level deletion protection, use the UpdateAccountSettings API.

packages/aws-cdk-lib/aws-appconfig/README.md Outdated

- ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.
- APPLY: Instructs the deletion protection check to run, even if deletion protection is disabled at the account level. APPLY also forces the deletion protection check to run against resources created in the past hour, which are normally excluded from deletion protection checks.
- BYPASS: Instructs AWS AppConfig to bypass the deletion protection check and delete a configuration profile even if deletion protection would have otherwise prevented it.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to clarify, if deletion protection is applied to an environment, is the protected resource the environment itself or a configuration set?

I'm not sure if "configuration profile" is the correct term in this context.

packages/aws-cdk-lib/aws-appconfig/lib/environment.ts Outdated
@@ -141,6 +141,32 @@ abstract class EnvironmentBase extends Resource implements IEnvironment, IExtens
}
}

/**
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my understanding, this enum is required for the configuration profile.

Therefore, I think it would be better to separate this enum into another file (e.g., util.ts).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 6, 2025
@badmintoncryer
Copy link
Contributor Author

@mazyu36 Thank you very much for your review! All of your comments are spot-on and provide appropriate feedback.

I've addressed all the discussions.

mazyu36
mazyu36 suggested changes Jan 6, 2025
View reviewed changes
Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the modification.
Just two more comments.

packages/aws-cdk-lib/aws-appconfig/lib/private/util.ts Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-appconfig/lib/private/util.ts Outdated Show resolved Hide resolved
@badmintoncryer
Copy link
Contributor Author

@mazyu36 Thank you for your reveiw! And I'm sorry for my rough edits.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 4a6f4ca
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mazyu36
mazyu36 approved these changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! LGTM

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mazyu36 mazyu36 mazyu36 approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 pr/needs-maintainer-review This PR needs a review from a Core Team Member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@badmintoncryer @aws-cdk-automation @mazyu36