feat(appsync): add L2 constructs for AWS AppSync Events #32505
Conversation
Appsync events bricep
github-actions
bot
added
effort/medium
github-actions
bot
added
the
beginning-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
kwwendt
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
packages/aws-cdk-lib/aws-appsync/test/appsync-channel-namespace.test.ts
Outdated
Show resolved
Hide resolved
mergify
bot
dismissed
godwingrs22’s stale review
Pull request has been modified.
gracelu0
removed
the
pr/needs-maintainer-review
aws-cdk-automation
added
the
pr/needs-maintainer-review
godwingrs22
added
the
needs-security-review
There was a problem hiding this comment.
Thanks @kwwendt for addressing the comments. Your effort on this L2 construct is greatly appreciated, and I'm looking forward to seeing it in action. I've left a few additional comments related to the grant methods, particularly regarding their implementation and testing.
There was a problem hiding this comment.
I appreciate the unit tests we have for the grantConnect(), grantPublish(), and grantSubscribe() methods on the channel namespace level. However, to ensure these methods work as expected in a real-world scenario, it would be beneficial to update this integration tests.
Specifically, I recommend updating this integ test that tests the whole event api. The test could include:
- Using
api.grantConnect()to allow connection to the API - Using
namespace.grantPublish()to permit publishing events to specific channel namespace - Using
namespace.grantSubscribe()to allow subscribing to events in a specific channel namespace - Using
namespace.grantPublishAndSubscribe()to allow publishing and subscribing to events
After granting these permissions, the test could attempt to connect to the API, publish test events, and subscribe to receive events. This would provide a more comprehensive validation of the constructs in a practical context.
Let me know if it doesn't makes sense.
| const defaultNamespace = api.addChannelNamespace('default'); | ||
| const namespace1 = api.addChannelNamespace('namespace1'); | ||
|
|
||
| defaultNamespace.grantPublish(func); |
There was a problem hiding this comment.
Does grantPublish and grantSubscribe applicable to both channel namespace and event api? I noticed that the test cases only demonstrate granting publish and subscribe access at the channel namespace level, and I couldn't find test cases for granting these permissions to the whole event API.
Additionally, the IAM console descriptions state as follows
EventPublish - Grants permission to publish events to a channel namespace
EventSubscribe - Grants permission to subscribe to a channel namespace
This makes me wonder about the necessity and functionality of the following methods in eventapi.ts, given that we have similar methods in channel-namespace.ts
public grantPublish(grantee: IGrantable)
public grantSubscribe(grantee: IGrantable)
public grantPublishAndSubscribe(grantee: IGrantable)
If these grant methods are indeed applicable to the event API as a whole, it would be beneficial to have unit tests and integration tests that cover these methods, similar to how we test the grant methods for channel namespaces.
There was a problem hiding this comment.
The methods for defined in eventapi.ts would grant either publish, subscribe, or both for all channel namespaces associated with the API. This is called out in the doc strings for each method. Example below for grantPublish:
/**
* Adds an IAM policy statement for EventPublish access to this EventApi to an IAM
* principal's policy. This grants publish permission for all channels within the API.
*
* @param grantee The principal
*/
That's a good catch on missing unit tests there. I will add those in. Thanks!
There was a problem hiding this comment.
Noted. Thanks for the clarification.
| defaultNamespace.grantSubscribe(func); | ||
| namespace1.grantSubscribe(func); |
There was a problem hiding this comment.
Can we have unit test and integ test similar that tests namespace1.grantPublishAndSubscribe() grant method?
There was a problem hiding this comment.
Implemented in this new unit test: Appsync Event API channel namespace - grant publish and subscribe from channel in appsync-channel-namespace.test.ts.
mergify
bot
dismissed
godwingrs22’s stale review
Pull request has been modified.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Issue # (if applicable)
Closes #32004
Reason for this change
This is in support of AWS AppSync Events.
Description of changes
EventApiandChannelNamespaceto support AWS AppSync Events.EventApiandGraphqlApiconstructs.EventApiandGraphqlApiconstructs.Description of how you validated changes
Added both unit and integration tests for AWS AppSync Event API changes.
Contributors
@mazyu36 @onlybakam @kwwendt
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license