Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency aws-cdk-lib to v2.80.0 [security] - autoclosed #2599

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 20, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aws-cdk-lib 2.3.0 -> 2.80.0 age adoption passing confidence

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the logs for more information.

GitHub Vulnerability Alerts

CVE-2023-35165

If you are using the eks.Cluster or eks.FargateCluster construct we need you to take action. Other users are not affected and can stop reading.

Impact

The AWS Cloud Development Kit (CDK) allows for the definition of Amazon Elastic Container Service for Kubernetes (EKS) clusters. eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy.

The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g KubernetesManifest, HelmChart, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.

The second, referred to as the default MastersRole, is provisioned only if the mastersRole property isn't provided and has permissions to execute kubectl commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.

Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it. For example, this can happen if another role in your account has sts:AssumeRole permissions on Resource: "*".

CreationRole

Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:

*-ClusterCreationRole-* 

MastersRole

Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the mastersRole property. The role in question can be located in the IAM console. It will have the following name pattern:

*-MastersRole-*

Patches

The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.

The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to https://github.com/aws/aws-cdk/issues/25674 for a detailed discussion of options.

Workarounds

CreationRole

There is no workaround available for CreationRole.

MastersRole

To avoid creating the default MastersRole, use the mastersRole property to explicitly provide a role. For example:

new eks.Cluster(this, 'Cluster', { 
  ... 
  mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') 
}); 

References

https://github.com/aws/aws-cdk/issues/25674

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.


Release Notes

aws/aws-cdk (aws-cdk-lib)

v2.80.0

Compare Source

⚠ BREAKING CHANGES
  • eks: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.
Features
Bug Fixes

Alpha modules (2.80.0-alpha.0)

v2.79.1

Compare Source

Bug Fixes
  • bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#​25272) (4c4014e)

Alpha modules (2.79.1-alpha.0)

v2.79.0

Compare Source

Features
Bug Fixes

Alpha modules (2.79.0-alpha.0)

Bug Fixes
  • servicecatalogappregistry: Revert deprecated method to keep deprecated method in alpha version (b20b123)
  • batch: JobDefinition's ContainerDefinition's Image is synthesized with [Object object] (#​25250) (b3d0d57)

v2.78.0

Compare Source

Features
Bug Fixes

Alpha modules (2.78.0-alpha.0)

v2.77.0

Compare Source

Features
Bug Fixes

Alpha modules (2.77.0-alpha.0)

v2.76.0

Compare Source

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
  • servicecatalogappregistry: this change will deprecated associateStack and associateAttributeGroup in Application Construct.
    The user who are using these two method need to update to use alternative method.
    For associateStack, the alternative method is associateApplicationWithStack
    For associateAttributeGroup, the alternative method is AttributeGroup.associateWith

The user who are using these two method need to update to use alternative method. For associateStack, the alternative method is associateApplicationWithStack For associateAttributeGroup, the alternative method is AttributeGroup.associateWith

Purpose of this PR:

we need to remove deprecated resource before we moving into stable version The method that we remove is: associateStack and associateAttributeGroup

CHANGES:

  1. in lib/application.ts, we remove these two methods and update their corresponding interface
  2. in test/ application.test.ts & test/integ.application.ts, we update application.test.ts and integ.application.ts to remove these two methods' related test

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Features
Bug Fixes

Alpha modules (2.76.0-alpha.0)

v2.75.1

Compare Source

Reverts
  • "fix(core): Add stage prefix to stack name shortening process #​24443

Alpha modules (2.75.1-alpha.0)

v2.75.0

Compare Source

Features
  • aws-lambda: Add AWS Lambda runtime python3.10 (08fb3cd)

Alpha modules (2.75.0-alpha.0)

v2.74.0

Compare Source

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
  • batch: ComputeEnvironment has been removed and replaced by ManagedEc2EcsComputeEnvironment, ManagedEc2EksComputeEnvironment, and UnmanagedComputeEnvironment.

JobDefinition has been removed and replaced by EcsJobDefinition, EksJobDefinition, and MultiNodeJobDefinition

Features
Bug Fixes

Alpha modules (2.74.0-alpha.0)

v2.73.0

Compare Source

Features
Bug Fixes

Alpha modules (2.73.0-alpha.0)

v2.72.1

Compare Source


Alpha modules (2.72.1-alpha.0)

v2.72.0

Compare Source

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
  • cdk-lib: The return type of aws-cdk-lib.aws_ec2.SecurityGroup.determineRuleScope was changed from a tuple ([SecurityGroupBase, string]) to a struct with the same values, because tuple types are not supported over the jsii interoperability layer, but jsii@v1 was incorrectly allowing this to be represented as the JSON primitive type. This made the API unusable in non-JS languages. The type of the metadata property of aws-cdk-lib.aws_s3_deployment.BucketDeploymentProps was changed from an index-only struct to an inline map, because jsii@v1 silently ignored the index signature (which is otherwise un-supported), resulting in an empty object in non-JS/TS languages. As a consequence, the values of that map can no longer be undefined (as jsii does not currently support nullable elements in collections).
Features
Bug Fixes
Miscellaneous Chores

Alpha modules (2.72.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
  • servicecatalogappregistry: This commit involves share replacement during the deployment of ApplicationAssociator due to share construct id update. After this change, frequent share replacements due to structural change in Application construct should be avoided. Application.shareApplication starts to require construct id (first argument) and share name (added in ShareOption) as input.
  • ivs: Renamed ChannelProps.name to ChannelProps.channelName
  • Renamed PlaybackKeyPairProps.name to PlaybackKeyPairProps.playbackKeyPairName
  • Channel now generates a physical name if one is not provided
  • PlaybackKeyPair now generates a physical name if one is not provided
Bug Fixes
  • integ-runner: update workflow doesn't support resource replacement (#​24720) (07d3aa7)
  • ivs: Not a standard physical name pattern (#​24706) (7d17fe3)
  • servicecatalogappregistry: RAM Share is replaced on every change to Application (#​24760) (8977d0d)

v2.71.0

Compare Source

Features
Bug Fixes

Alpha modules (2.71.0-alpha.0)

v2.70.0

Compare Source

Features
Bug Fixes

Alpha modules (2.70.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
  • servicecatalogappregistry: This commit contains destructive changes to the RAM Share.
    Since the application RAM share name is calculated by the application construct, where one method is added. Integration test detects a breaking change where RAM share will be created. Integration test snapshot is updated to cater this destructive change.
Features
  • servicecatalogappregistry: add attribute groups to an application (#​24672) (7baffa2)

v2.69.0

Compare Source

Features
Bug Fixes
  • custom-resource: custom resources fail with data containing multi-byte utf8 chars ([#​24501](https://togithub.c

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate-approve[bot]
renovate-approve bot previously approved these changes Jun 20, 2023
@slsnextbot
Copy link
Collaborator

slsnextbot commented Jun 20, 2023

Handler Size Report

No changes to handler sizes.

Base Handler Sizes (kB) (commit e6367b5)

{
    "Lambda": {
        "Default Lambda": {
            "Standard": 1578,
            "Minified": 692
        },
        "Image Lambda": {
            "Standard": 1543,
            "Minified": 831
        }
    },
    "Lambda@Edge": {
        "Default Lambda": {
            "Standard": 1588,
            "Minified": 698
        },
        "Default Lambda V2": {
            "Standard": 1580,
            "Minified": 694
        },
        "API Lambda": {
            "Standard": 634,
            "Minified": 318
        },
        "Image Lambda": {
            "Standard": 1551,
            "Minified": 835
        },
        "Regeneration Lambda": {
            "Standard": 1233,
            "Minified": 566
        },
        "Regeneration Lambda V2": {
            "Standard": 1307,
            "Minified": 596
        }
    }
}

New Handler Sizes (kB) (commit fe5e460)

{
    "Lambda": {
        "Default Lambda": {
            "Standard": 1578,
            "Minified": 692
        },
        "Image Lambda": {
            "Standard": 1543,
            "Minified": 831
        }
    },
    "Lambda@Edge": {
        "Default Lambda": {
            "Standard": 1588,
            "Minified": 698
        },
        "Default Lambda V2": {
            "Standard": 1580,
            "Minified": 694
        },
        "API Lambda": {
            "Standard": 634,
            "Minified": 318
        },
        "Image Lambda": {
            "Standard": 1551,
            "Minified": 835
        },
        "Regeneration Lambda": {
            "Standard": 1233,
            "Minified": 566
        },
        "Regeneration Lambda V2": {
            "Standard": 1307,
            "Minified": 596
        }
    }
}

@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from bcf4b76 to 35a868a Compare June 29, 2023 09:46
renovate-approve[bot]
renovate-approve bot previously approved these changes Jun 29, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from 35a868a to 82f895c Compare July 6, 2023 14:39
renovate-approve[bot]
renovate-approve bot previously approved these changes Jul 6, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from 82f895c to cf88693 Compare July 9, 2023 09:18
renovate-approve[bot]
renovate-approve bot previously approved these changes Jul 9, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from cf88693 to 30f2470 Compare July 27, 2023 16:49
renovate-approve[bot]
renovate-approve bot previously approved these changes Jul 27, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from 30f2470 to 8d26a5f Compare August 1, 2023 14:51
renovate-approve[bot]
renovate-approve bot previously approved these changes Aug 1, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from 8d26a5f to 5eefd9f Compare August 9, 2023 15:28
renovate-approve[bot]
renovate-approve bot previously approved these changes Aug 9, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from 5eefd9f to a246d5c Compare August 22, 2023 18:30
renovate-approve[bot]
renovate-approve bot previously approved these changes Aug 22, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from a246d5c to 6051993 Compare August 27, 2023 09:19
renovate-approve[bot]
renovate-approve bot previously approved these changes Aug 27, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from 6051993 to f28a955 Compare September 19, 2023 11:43
renovate-approve[bot]
renovate-approve bot previously approved these changes Sep 19, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from f28a955 to 92ce86e Compare September 26, 2023 16:01
renovate-approve[bot]
renovate-approve bot previously approved these changes Sep 26, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from 92ce86e to 3846a50 Compare September 28, 2023 12:52
renovate-approve[bot]
renovate-approve bot previously approved these changes Sep 28, 2023
@renovate renovate bot force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from 3846a50 to fe5e460 Compare October 1, 2023 07:39
@renovate renovate bot changed the title chore(deps): update dependency aws-cdk-lib to v2.80.0 [security] chore(deps): update dependency aws-cdk-lib to v2.80.0 [security] - autoclosed Oct 2, 2023
@renovate renovate bot closed this Oct 2, 2023
@renovate renovate bot deleted the renovate/npm-aws-cdk-lib-vulnerability branch October 2, 2023 21:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant