serviceCatalog: Incorrect service in arn generation #20849

Closed
joostvdwsd opened this issue Jun 23, 2022 · 3 comments · Fixed by #21770
Labels
@aws-cdk/aws-servicecatalog Related to AWS Service Catalog @aws-cdk/cfnspec bug This issue is a bug. p1 service-api This issue is due to a problem in a service API

Comments

@joostvdwsd

Describe the bug

The generated portfolio arn is using service "servicecatalog". However, arns of service catalog have the service "catalog":
arn:aws:catalog:<>:<>:portfolio/<>

this.portfolioArn = cdk.Stack.of(this).formatArn({

Expected Behavior

Use the correct service in the generated arn

Current Behavior

Incorrect generated arn resulting in permission errors i.e. when used in a policy statement

Reproduction Steps

```typescript
const portfolio = new servicecatalog.Portfolio(this, 'Portfolio', {
  displayName: 'My Portfolio',
  providerName: 'AWS',
});

console.log(portfolio.portfolioArn);
```

Possible Solution

this.portfolioArn = cdk.Stack.of(this).formatArn({

change into:

```typescript
cdk.Stack.of(this).formatArn({
  service: 'catalog',
  resource: 'portfolio',
  resourceName: this.portfolioId,
});
```

Additional Information/Context

No response

CDK CLI Version

latest

Framework Version

No response

Node.js Version

any

OS

any

Language

Typescript

Language Version

No response

Other information

No response
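
As an added illustration (not part of the original issue or the aws-cdk code base), the check below scans an IAM policy document for portfolio ARNs that use the `servicecatalog` namespace and proposes the `catalog` form the issue describes. The interface names, function names, account ID and portfolio ID are hypothetical, constructed for the example.

```typescript
// Added example, not aws-cdk code. All names and sample values are constructed.
interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}
interface PolicyDocument { Version: string; Statement: Statement[]; }
interface Finding { statementIndex: number; arn: string; suggested: string; }
interface ParsedArn { partition: string; service: string; region: string; account: string; resource: string; }

// Split an ARN into its fields; the resource field may itself contain colons.
function parseArn(arn: string): ParsedArn | null {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') return null;
  const [, partition, service, region, account, ...rest] = parts;
  return { partition, service, region, account, resource: rest.join(':') };
}

// Flag portfolio ARNs written with the "servicecatalog" namespace. Such a
// Resource never matches a real portfolio, so an Allow silently grants nothing.
function findMisnamedPortfolioArns(policy: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  policy.Statement.forEach((stmt, statementIndex) => {
    const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
    for (const arn of resources) {
      const p = parseArn(arn);
      if (p === null) continue; // "*" and other non-ARN values
      if (p.service === 'servicecatalog' && p.resource.indexOf('portfolio/') === 0) {
        const suggested = ['arn', p.partition, 'catalog', p.region, p.account, p.resource].join(':');
        findings.push({ statementIndex, arn, suggested });
      }
    }
  });
  return findings;
}

// Constructed sample policy: statement 0 carries the ARN shape from the bug report.
const samplePolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'servicecatalog:DescribePortfolio',
      Resource: 'arn:aws:servicecatalog:eu-west-1:111122223333:portfolio/port-examplE12345' },
    { Effect: 'Allow', Action: 'servicecatalog:DescribePortfolio',
      Resource: ['arn:aws:catalog:eu-west-1:111122223333:portfolio/port-examplE12345', '*'] },
  ],
};

console.log(findMisnamedPortfolioArns(samplePolicy));
```

Running a check like this over synthesized templates catches the mismatch before deployment, where it would otherwise surface only as an access-denied error.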

@joostvdwsd joostvdwsd added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 23, 2022
@github-actions github-actions bot added the @aws-cdk/aws-servicecatalog Related to AWS Service Catalog label Jun 23, 2022
@mackalex
Contributor

Hi @joostvdwsd, thank you for raising this issue. This is certainly a valid bug and I will reproduce it locally and determine the most appropriate next steps. Based on your included possible solution, I suspect that this will be a relatively trivial fix.

@indrora
Contributor

indrora commented Aug 25, 2022

There are two ARN services that are defined in Service Catalog - both servicecatalog and catalog. Why? Who knows.

It's documented where each is used in different places: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalog.html#awsservicecatalog-resources-for-iam-policies

@indrora indrora added p1 @aws-cdk/cfnspec service-api This issue is due to a problem in a service API and removed needs-triage This issue or PR still needs to be triaged. labels Aug 25, 2022
@mergify mergify bot closed this as completed in #21770 Aug 29, 2022
mergify bot pushed a commit that referenced this issue Aug 29, 2022

…21770)

Portfolio construct code uses the incorrect service name when generating the ARN for the portfolio. The ARN generated uses the service name "servicecatalog" instead of "catalog". CLI documentation confirms ARN should use catalog instead of servicecatalog: https://docs.aws.amazon.com/cli/latest/reference/servicecatalog/create-portfolio.html

Added a single unit test to check arn formatting.

fixes #20849
----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Contributor

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

josephedward pushed a commit to josephedward/aws-cdk that referenced this issue Aug 30, 2022
…ws#21770)
