Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(appconfig): environment deletion protection #32737

Merged

Conversation

badmintoncryer
Copy link
Contributor

Issue # (if applicable)

None

Reason for this change

AWS AppConfig environment supports deletion protection and this feature is not configurable from AWS CDK.

Description of changes

  • Add DeletionProtectionCheck enum
  • Add deletionProtectionCheck prop to EnvironmentOption

There are two entities, EnvironmentOptions and EnvironmentProps, where EnvironmentProps is designed as an extension of EnvironmentOptions with the addition of an application prop.

export interface EnvironmentProps extends EnvironmentOptions {
  /**
   * The application to be associated with the environment.
   */
  readonly application: IApplication;
}

abstract class ApplicationBase extends cdk.Resource implements IApplication, IExtensible {
  public addEnvironment(id: string, options: EnvironmentOptions = {}): IEnvironment {
    return new Environment(this, id, {
      application: this,
      ...options,
    });
  }

Therefore, the current argument addition has also been made to EnvironmentOptions.

Describe any new or updated permissions being added

None

Description of how you validated changes

Add both unit and integ test.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Jan 4, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team January 4, 2025 12:47
Copy link

codecov bot commented Jan 4, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.52%. Comparing base (b670ba8) to head (cbb2b8a).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #32737   +/-   ##
=======================================
  Coverage   81.52%   81.52%           
=======================================
  Files         222      222           
  Lines       13717    13717           
  Branches     2417     2417           
=======================================
  Hits        11183    11183           
  Misses       2254     2254           
  Partials      280      280           
Flag Coverage Δ
suite.unit 81.52% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 80.98% <ø> (ø)
packages/aws-cdk-lib/core 82.09% <ø> (ø)

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 4, 2025
@badmintoncryer badmintoncryer changed the title feat(appconfig): deletion protection for AppConfig Environment feat(appconfig): deletion protection for an Environment Jan 4, 2025
@badmintoncryer badmintoncryer changed the title feat(appconfig): deletion protection for an Environment feat(appconfig): environment deletion protection Jan 5, 2025
Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution.
I've left some comments.

I'm not very familiar with this property, so please correct me if I'm wrong.


You can enable [deletion protection](https://docs.aws.amazon.com/appconfig/latest/userguide/deletion-protection.html) on the environment by setting the `deletionProtection` property.

- ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very very nit:

Suggested change
- ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.
- ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand this sentence means the following, is that correct?

  • Use account-level settings when ACCOUNT_DEFAULT is set.
  • If users want to enable account-level deletion protection, they need to use the UpdateAccountSettings API via AWS CLI or another tool.

The current explanation seems to be taken from the docs, but I think an explanation like the one below would be clearer. What do you think?

The default setting, which uses account-level deletion protection. To configure account-level deletion protection, use the UpdateAccountSettings API.


- ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.
- APPLY: Instructs the deletion protection check to run, even if deletion protection is disabled at the account level. APPLY also forces the deletion protection check to run against resources created in the past hour, which are normally excluded from deletion protection checks.
- BYPASS: Instructs AWS AppConfig to bypass the deletion protection check and delete a configuration profile even if deletion protection would have otherwise prevented it.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to clarify, if deletion protection is applied to an environment, is the protected resource the environment itself or a configuration set?

I'm not sure if "configuration profile" is the correct term in this context.

@@ -141,6 +141,32 @@ abstract class EnvironmentBase extends Resource implements IEnvironment, IExtens
}
}

/**
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my understanding, this enum is required for the configuration profile.

Therefore, I think it would be better to separate this enum into another file (e.g., util.ts).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 6, 2025
@badmintoncryer
Copy link
Contributor Author

@mazyu36 Thank you very much for your review! All of your comments are spot-on and provide appropriate feedback.

I've addressed all the discussions.

Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the modification.
Just two more comments.

packages/aws-cdk-lib/aws-appconfig/lib/private/util.ts Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-appconfig/lib/private/util.ts Outdated Show resolved Hide resolved
@badmintoncryer
Copy link
Contributor Author

@mazyu36 Thank you for your reveiw! And I'm sorry for my rough edits.

Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! LGTM

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 7, 2025
Copy link
Member

@godwingrs22 godwingrs22 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @badmintoncryer for your contribution. LGTM. just left one nit comment.

@@ -96,6 +96,24 @@ const user = new iam.User(this, 'MyUser');
env.grantReadConfig(user);
```

### Deletion Protection Check

You can enable [deletion protection](https://docs.aws.amazon.com/appconfig/latest/userguide/deletion-protection.html) on the environment by setting the `deletionProtection` property.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: seems typo. Are you referring to deletionProtectionCheck property

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thnak you for your review! I've fixed this typo.

Copy link
Contributor

mergify bot commented Jan 9, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 9, 2025
Copy link
Contributor

mergify bot commented Jan 9, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Copy link
Contributor

mergify bot commented Jan 9, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: cbb2b8a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

mergify bot commented Jan 9, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 393e5c0 into aws:main Jan 9, 2025
19 checks passed
Copy link

github-actions bot commented Jan 9, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants