Fix aws bundle allowlisting#763
Conversation
4cc43d3 to
5497a50
Compare
5497a50 to
e5298a2
Compare
| .serviceName(awsServiceName); | ||
| //If nothing is specified then default to only readOnlyOperations. | ||
| if (allowedApis != null) { | ||
| // User explicitly specified allowed APIs - use only those |
There was a problem hiding this comment.
Sorry just noticed this PR. I had previously designed the feature so that you could easily additionally include a small number of write APIs (or read APIs that don't follow the common naming scheme e.g. 'Query' and 'Scan' in DDB) without having to re-specify the entire list of read-only operations. With this change, you you need to individually allow every read API if you also want to use a single write API.
There was a problem hiding this comment.
So the existing code didn't respect a users allowedApis flag, unless they explicitly pass a --include-write-apis=false . And if they don't pass it it automatically includes all APIs irrespective of the allowlist. TBH I think includeWriteApis is a poor choice of input. We should instead have had --readOnlyApis which adds all readOnlyApis and then --allowed lets you add more APIs and we can assume --readOnlyApis to be true by default if nothing is passed.
Issue #, if available:
Description of changes:
The current bundling mechanism doesn't respect if allowedApis/blockedApis are provided. Changing to default to only readOnly if no allowlist is provided.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.