Skip to content

Fix aws bundle allowlisting#763

Merged
adwsingh merged 1 commit into
mainfrom
adwsingh/aws-bundler-fix-allowlisting
Jun 10, 2025
Merged

Fix aws bundle allowlisting#763
adwsingh merged 1 commit into
mainfrom
adwsingh/aws-bundler-fix-allowlisting

Conversation

@adwsingh

Copy link
Copy Markdown
Contributor

Issue #, if available:

Description of changes:

The current bundling mechanism doesn't respect if allowedApis/blockedApis are provided. Changing to default to only readOnly if no allowlist is provided.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@adwsingh
adwsingh force-pushed the adwsingh/aws-bundler-fix-allowlisting branch from 4cc43d3 to 5497a50 Compare June 10, 2025 20:25
@adwsingh
adwsingh requested a review from rhernandez35 June 10, 2025 20:26
@adwsingh
adwsingh requested a review from shwdean June 10, 2025 20:26
@adwsingh
adwsingh force-pushed the adwsingh/aws-bundler-fix-allowlisting branch from 5497a50 to e5298a2 Compare June 10, 2025 20:27
@adwsingh
adwsingh merged commit e61eabf into main Jun 10, 2025
2 checks passed
@adwsingh
adwsingh deleted the adwsingh/aws-bundler-fix-allowlisting branch June 10, 2025 20:32
.serviceName(awsServiceName);
//If nothing is specified then default to only readOnlyOperations.
if (allowedApis != null) {
// User explicitly specified allowed APIs - use only those

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry just noticed this PR. I had previously designed the feature so that you could easily additionally include a small number of write APIs (or read APIs that don't follow the common naming scheme e.g. 'Query' and 'Scan' in DDB) without having to re-specify the entire list of read-only operations. With this change, you you need to individually allow every read API if you also want to use a single write API.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the existing code didn't respect a users allowedApis flag, unless they explicitly pass a --include-write-apis=false . And if they don't pass it it automatically includes all APIs irrespective of the allowlist. TBH I think includeWriteApis is a poor choice of input. We should instead have had --readOnlyApis which adds all readOnlyApis and then --allowed lets you add more APIs and we can assume --readOnlyApis to be true by default if nothing is passed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants