chore(aws-config): fix failing integration tests #37072
aemada-aws wants to merge 1 commit into main from
Add AWS Config prerequisites (Configuration Recorder, Delivery Channel, S3 bucket with proper bucket policy) to all three aws-config integ tests.
- integ.custompolicy: add Config prerequisites, fix invalid Guard policy text
- integ.rule: add Config prerequisites, fix stack name collision, remove 'cannot be deployed' warning
- integ.rule-evaluation-mode: add Config prerequisites, fix unsupported PROACTIVE evaluation modes, change managed rule to EIP_ATTACHED
aws-cdk-automation
left a comment
The pull request linter fails with the following errors:
❌ The title scope of the pull request should omit 'aws-' from the name of modified packages. Use 'config' instead of 'aws-config'.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
Issue # (if applicable)

N/A — Fixing failing integration tests for the `aws-config` module.

Reason for this change
Three `aws-config` integration tests were failing because:

- NoAvailableConfigurationRecorder: AWS Config requires a Configuration Recorder and Delivery Channel to exist before Config Rules can be created. The CDK `aws-config` L2 constructs (`CustomRule`, `CustomPolicy`, `ManagedRule`, `CloudFormationStackDriftDetectionCheck`) create `AWS::Config::ConfigRule` resources but do NOT create these prerequisites. The test account had no Configuration Recorders.
- NAME_COLLISION: `integ.rule.ts` used the same stack name (`aws-cdk-config-custompolicy`) as `integ.custompolicy.ts`, causing conflicts when running in parallel.
- Invalid Guard policy: `integ.custompolicy.ts` used `policyText: 'lazy-create-test'`, which is not valid Guard syntax and was never deployable.
- Unsupported evaluation modes: `integ.rule-evaluation-mode.ts` used `PROACTIVE` evaluation mode for rule types that don't support it (Lambda custom rules, `API_GW_XRAY_ENABLED` managed rule). Per AWS docs, only `eip-attached` supports proactive evaluation for managed rules.

Original errors:

- integ.custompolicy: `Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"`
- integ.rule: `Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"`
- integ.rule-evaluation-mode: `Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"`

Description of changes
All three tests — Added AWS Config prerequisites to each test stack:

- IAM role for `config.amazonaws.com` with the `AWS_ConfigRole` managed policy
- `CfnConfigurationRecorder` with the IAM role and scoped recording group
- S3 bucket (`removalPolicy: DESTROY`, `autoDeleteObjects: true`) for the delivery channel
- Bucket policy granting `config.amazonaws.com` the `s3:GetBucketAcl`, `s3:ListBucket`, and `s3:PutObject` permissions (per AWS docs)
- `CfnDeliveryChannel` pointing to the S3 bucket
- `DependsOn` from all Config Rule constructs to both the recorder and delivery channel

integ.rule.ts — Additional fixes:

- Stack name changed from `aws-cdk-config-custompolicy` to `aws-cdk-config-rule` (collision with integ.custompolicy.ts)

integ.custompolicy.ts — Additional fix:

- Replaced `'lazy-create-test'` with valid Guard rule `'rule check_iam_user { resourceType == "AWS::IAM::User" }'`

integ.rule-evaluation-mode.ts — Additional fixes:

- `CustomRule` (Lambda-based) evaluation mode from `PROACTIVE` to `DETECTIVE` (Lambda custom rules don't support proactive evaluation)
- `ManagedRule` from `API_GW_XRAY_ENABLED` with `DETECTIVE_AND_PROACTIVE` to `EIP_ATTACHED` with `DETECTIVE` (`API_GW_XRAY_ENABLED` doesn't support proactive; per AWS docs only `eip-attached` supports proactive for managed rules)
- `CustomPolicy` (Guard) evaluation mode to `DETECTIVE`

Describe any new or updated permissions being added
Each test stack now creates:

- IAM role for `config.amazonaws.com` with the `AWS_ConfigRole` managed policy (required for Configuration Recorder)
- Bucket policy granting the `config.amazonaws.com` service principal `s3:GetBucketAcl`, `s3:ListBucket`, and `s3:PutObject` permissions (required for Delivery Channel)
- S3 bucket (`autoDeleteObjects: true`)

These are test-only resources, not library changes.
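As an added example (not code from this PR, from aws-cdk, or from the integ tests it touches), the plain TypeScript below models the CloudFormation resources the change describes ahead of every `AWS::Config::ConfigRule` (IAM role, recorder, bucket, bucket policy, delivery channel, `DependsOn` on the rule) and adds two checks a reviewer can run over a synthesized template: one flags rules that do not depend on both prerequisites, the other flags bucket-policy statements that grant the Config principal without an `AWS:SourceAccount` condition. Assumptions: the bucket name, account id, recording-group resource types and rule logical ids are constructed sample values; the `AWS:SourceAccount` and `s3:x-amz-acl` conditions follow the AWS Config bucket-policy documentation, not the PR text, and are there to stop another account from pointing its own Config service at this bucket. It needs no aws-cdk-lib import.

```typescript
// Added example, not code from the aws-cdk PR: a plain TypeScript model of the
// prerequisites the PR adds before each AWS::Config::ConfigRule, plus two lint
// checks over the resulting template. Bucket name, account id, recording-group
// types and rule ids below are constructed sample values.

interface CfnResource {
  Type: string;
  Properties: Record<string, unknown>;
  DependsOn?: string[];
  DeletionPolicy?: string;
}
interface Template { Resources: Record<string, CfnResource>; }
interface PolicyStatement {
  Sid?: string;
  Condition?: { StringEquals?: Record<string, string> };
}

const CONFIG_PRINCIPAL = { Service: "config.amazonaws.com" };

/** Role, bucket, bucket policy, recorder and delivery channel that AWS Config needs. */
function configPrerequisites(bucketName: string, accountId: string): Template {
  const bucketArn = `arn:aws:s3:::${bucketName}`;
  // AWS:SourceAccount pins each grant to this account (confused-deputy guard, per AWS
  // docs; assumption here); bucket-owner-full-control keeps delivered objects readable.
  const onlyThisAccount = { StringEquals: { "AWS:SourceAccount": accountId } };
  return { Resources: {
    ConfigRole: { Type: "AWS::IAM::Role", Properties: {
      AssumeRolePolicyDocument: { Version: "2012-10-17", Statement: [
        { Effect: "Allow", Principal: CONFIG_PRINCIPAL, Action: "sts:AssumeRole" }] },
      ManagedPolicyArns: ["arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"] } },
    ConfigBucket: { Type: "AWS::S3::Bucket", Properties: { BucketName: bucketName },
      DeletionPolicy: "Delete" },
    ConfigBucketPolicy: { Type: "AWS::S3::BucketPolicy", Properties: {
      Bucket: { Ref: "ConfigBucket" },
      PolicyDocument: { Version: "2012-10-17", Statement: [
        { Sid: "AWSConfigBucketPermissionsCheck", Effect: "Allow", Principal: CONFIG_PRINCIPAL,
          Action: ["s3:GetBucketAcl", "s3:ListBucket"], Resource: bucketArn, Condition: onlyThisAccount },
        { Sid: "AWSConfigBucketDelivery", Effect: "Allow", Principal: CONFIG_PRINCIPAL,
          Action: "s3:PutObject", Resource: `${bucketArn}/AWSLogs/${accountId}/Config/*`,
          Condition: { StringEquals: { "s3:x-amz-acl": "bucket-owner-full-control",
                                       "AWS:SourceAccount": accountId } } }] } } },
    ConfigRecorder: { Type: "AWS::Config::ConfigurationRecorder", Properties: {
      RoleARN: { "Fn::GetAtt": ["ConfigRole", "Arn"] },
      // scoped recording group: only the types the sample rules evaluate (assumed)
      RecordingGroup: { AllSupported: false, ResourceTypes: ["AWS::IAM::User", "AWS::EC2::EIP"] } } },
    // the channel needs the bucket policy in place and a recorder to attach to
    ConfigDeliveryChannel: { Type: "AWS::Config::DeliveryChannel", Properties: {
      S3BucketName: { Ref: "ConfigBucket" } }, DependsOn: ["ConfigBucketPolicy", "ConfigRecorder"] },
  } };
}

/** Add a ConfigRule that waits for both prerequisites, as the PR does with DependsOn. */
function addConfigRule(t: Template, logicalId: string, source: Record<string, unknown>): Template {
  t.Resources[logicalId] = { Type: "AWS::Config::ConfigRule",
    Properties: { Source: source }, DependsOn: ["ConfigRecorder", "ConfigDeliveryChannel"] };
  return t;
}

/** Lint: ConfigRule resources that could be created before the recorder or channel exist. */
function rulesMissingPrerequisites(t: Template): string[] {
  const ids = Object.keys(t.Resources);
  const firstOfType = (type: string) => ids.filter((id) => t.Resources[id].Type === type)[0];
  const recorder = firstOfType("AWS::Config::ConfigurationRecorder");
  const channel = firstOfType("AWS::Config::DeliveryChannel");
  return ids.filter((id) => {
    if (t.Resources[id].Type !== "AWS::Config::ConfigRule") return false;
    if (recorder === undefined || channel === undefined) return true; // nothing to wait for
    const deps = t.Resources[id].DependsOn ?? [];
    return deps.indexOf(recorder) < 0 || deps.indexOf(channel) < 0;
  });
}

/** Lint: bucket-policy statements (by Sid) with no AWS:SourceAccount condition. */
function statementsWithoutSourceAccount(t: Template): string[] {
  const out: string[] = [];
  for (const id of Object.keys(t.Resources)) {
    if (t.Resources[id].Type !== "AWS::S3::BucketPolicy") continue;
    const doc = t.Resources[id].Properties.PolicyDocument as { Statement: PolicyStatement[] };
    for (const s of doc.Statement) {
      if (!s.Condition?.StringEquals?.["AWS:SourceAccount"]) out.push(s.Sid ?? "<no Sid>");
    }
  }
  return out;
}

// Usage: build the stack, attach a Guard rule with the PR's policy text, lint the result.
const template = addConfigRule(configPrerequisites("example-config-bucket", "123456789012"),
  "IamUserGuardRule", { Owner: "CUSTOM_POLICY",
    SourceDetails: [{ EventSource: "aws.config", MessageType: "ConfigurationItemChangeNotification" }],
    CustomPolicyDetails: { PolicyRuntime: "guard-2.x.x",
      PolicyText: 'rule check_iam_user { resourceType == "AWS::IAM::User" }' } });
console.log(JSON.stringify({
  rulesMissingPrerequisites: rulesMissingPrerequisites(template),
  statementsWithoutSourceAccount: statementsWithoutSourceAccount(template),
}));
```

Both lint functions return empty arrays for the template above; run them against the JSON that `cdk synth` writes for a stack to confirm every Config rule carries the `DependsOn` edges and that the delivery bucket's policy is scoped to the owning account.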
Description of how you validated changes
All 3 tests pass. Snapshots updated via `integ-runner --update-on-failed`.

Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license