INSERT_FIRST in an Envoy filter - istio

I have a cluster in which several filters are applied and I want to make sure that one of them is the first one to run.
For now this filter has this definition:
patch:
  operation: INSERT_BEFORE
  value:
    name: filterName
    typed_config:
      "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
      inlineCode:
        ....
I tried changing "INSERT_BEFORE" to "INSERT_FIRST", but then requests began to crash.
How am I supposed to apply "INSERT_FIRST" correctly?
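For reference, this is the full shape of an EnvoyFilter that uses INSERT_FIRST. It is an added example, not the asker's configuration: the workload label, the resource and filter names and the Lua body are assumptions, and the v2 type URL and the envoy.http_connection_manager filter name belong to the Istio releases that still used the v2 Envoy API (as the type URL in the question does); newer releases use the v3 names. INSERT_FIRST needs only the listener match that identifies the HTTP connection manager; the subFilter block that INSERT_BEFORE uses to name the filter it is inserted ahead of does not apply to it. A filter in first position sits ahead of the sidecar's own authentication and RBAC filters, so it sees unauthenticated traffic: that makes it the right place to strip a client-supplied header those policies must never trust, and the wrong place for anything that needs the result of those filters.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: lua-first                 # assumed name
  namespace: default              # assumed namespace
spec:
  workloadSelector:
    labels:
      app: my-app                 # assumed workload label
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            # no subFilter: INSERT_FIRST only needs the HTTP connection manager
            name: envoy.http_connection_manager
    patch:
      operation: INSERT_FIRST
      value:
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              -- runs before the sidecar's authn/RBAC filters: drop a header
              -- those policies must never accept from the client
              -- (hypothetical header name)
              request_handle:headers():remove("x-client-role")
            end
```

After applying it, the Envoy admin endpoint of the sidecar (config_dump on port 15000) shows the Lua filter as the first entry of the HTTP filter chain for the inbound listener; if it is not there, the listener match (context or filter name) is what to check first.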

Template validation failed when using SAM syntax instead of CloudFormation syntax for step function

I have the following step function in my AWS SAM template; it was defined using the syntax in the documentation. I'm using intrinsic functions to get some pseudo parameters, but something is going wrong with them.
SfdcOrderEventsStepFunction:
  Type: AWS::Serverless::StateMachine
  Properties:
    DefinitionSubstitutions:
      Region: !Ref "AWS::Region"
      AccountId: !Ref "AWS::AccountId"
      EventBusPublishTarget: "order-events"
    DefinitionUri: sfn-definition.asl.yml
    Events:
      EventBridgeEvent:
        Type: EventBridgeRule
        Properties:
          EventBusName: sfdc-events
          Pattern:
            # TODO: Update pattern when the salesforce service is ready
            source:
              - prefix: salesforce.com
            detail-type:
              - Order
            detail:
              Payload__c:
                attributes:
                  type:
                    - order
          InputPath: $.detail
          Name: sfdc-order-events
    Role: !Sub 'arn:aws:iam::${AWS::AccountId}:role/stepfunction_execution_role'
    Tracing:
      Enabled: true
When I try to deploy, it shows me the following error:
Resource template validation failed for resource SfdcOrderEventsStepFunction as the template has invalid properties.
Please refer to the resource documentation to fix the template.
Properties validation failed for resource SfdcOrderEventsStepFunction with message:
#/DefinitionSubstitutions/AccountId: 2 subschemas matched instead of one
#/DefinitionSubstitutions/AccountId: expected type: Boolean, found: String
In the end it deploys without problems. The step function and all of its components run as expected and without errors, but I wanted to know if there is something I can do to fix the template.

Cloudformation Combine Sub and Join to get a list

I am trying to create a list in my CloudFormation template.
Inspired by this post: Sub and Join on Comma-Delimited List, I have gotten to this idea, but it doesn't work, as the !Sub line has to be a string...
The error is:
Error: Failed to create changeset for the stack: STACKNAME, ex: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state: For expression "Status" we matched expected path: "FAILED" Status: FAILED. Reason: Template error: every Fn::Join object requires two parameters, (1) a string delimiter and (2) a list of strings to be joined or a function that returns a list of strings (such as Fn::GetAZs) to be joined.
Any thoughts? Is this even possible?
Accounts:
  Type: CommaDelimitedList
  Default: Acc1,Acc2,Acc3
pRedshiftUser:
  Type: String
  Default: arn:redshiftperson
...
Action: sts:AssumeRole
Condition:
  StringEquals:
    sts:ExternalId: !Split
      - ','
      - !Sub
        - '${pRedshiftUser}/${user}'
        - user: !Join
            - !Sub ',${pRedshiftUser}/'
            - Ref: "Accounts"
The idea being I'm trying to create this as the output:
Action: sts:AssumeRole
Condition:
  StringEquals:
    sts:ExternalId:
      - arn:redshiftperson/user1
      - arn:redshiftperson/user2
Sadly you can't do this. The delimiter in Join must be an explicit string.
For the Fn::Join delimiter, you can't use any functions. You must specify a string value.
So you can't use Sub in the delimiter.
The only way would be to create a custom macro or a custom resource in CloudFormation. Either way, you would need to develop a Lambda function to handle the transformation of your data into the desired format.
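As an added example of the macro route the answer points to (illustration code, not AWS-provided and not from the question), this is a Lambda handler for a snippet-level Fn::Transform macro that returns the list the template above cannot build: one "<Prefix>/<item>" string per item of a CommaDelimitedList parameter. The macro name PrefixList and the parameter names Prefix and List are assumptions; requestId, params, templateParameterValues and fragment are the documented fields of a macro invocation. Whether CloudFormation resolves a Ref inside the transform's Parameters before calling the macro is not verified here, so the handler accepts either a resolved value or an unresolved {"Ref": name} and looks the latter up in templateParameterValues. Because the result lands in an sts:ExternalId condition, the handler refuses any value outside the character set IAM documents for external IDs instead of writing it into the policy.

```python
"""Added illustration, not AWS-provided code: a CloudFormation macro handler
that returns ["<Prefix>/<item>", ...] for a list parameter, the transformation
the Join/Sub attempt above cannot express. The macro and parameter names are
assumptions; requestId/params/templateParameterValues/fragment are the
documented fields of a macro invocation event."""
import json
import re

# Characters IAM documents as valid in sts:ExternalId (alphanumerics plus
# _=,.@:/-). Anything else is rejected rather than written into the policy.
EXTERNAL_ID_SAFE = re.compile(r"^[A-Za-z0-9_=,.@:/-]+$")


def resolve(value, template_params):
    """Return a macro parameter value. Assumption: a value may arrive either
    already resolved or as an unresolved {"Ref": "<ParameterName>"}; in the
    latter case it is looked up in templateParameterValues."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return template_params[value["Ref"]]
    return value


def as_list(value):
    """A CommaDelimitedList parameter may reach the macro as a list or as the
    raw comma-separated string; normalise both and drop empty items."""
    if isinstance(value, str):
        value = value.split(",")
    return [str(v).strip() for v in value if str(v).strip()]


def prefixed_list(prefix, items, sep="/"):
    """'arn:redshiftperson' + ['Acc1', 'Acc2'] -> ['arn:redshiftperson/Acc1', ...]"""
    return [f"{prefix}{sep}{item}" for item in items]


def handler(event, context=None):
    """Lambda entry point for a snippet-level Fn::Transform macro."""
    request_id = event["requestId"]
    params = event.get("params", {})
    template_params = event.get("templateParameterValues", {})
    try:
        prefix = resolve(params["Prefix"], template_params)
        items = as_list(resolve(params["List"], template_params))
    except KeyError as exc:
        return {"requestId": request_id, "status": "failure",
                "errorMessage": f"missing macro parameter {exc}"}
    unsafe = [s for s in [prefix, *items] if not EXTERNAL_ID_SAFE.match(str(s))]
    if unsafe:
        return {"requestId": request_id, "status": "failure",
                "errorMessage": f"values not allowed in ExternalId: {unsafe}"}
    # Any status other than "success" makes CloudFormation fail the change set.
    return {"requestId": request_id, "status": "success",
            "fragment": prefixed_list(prefix, items)}


# Constructed sample event mirroring the parameters in the question.
SAMPLE_EVENT = {
    "region": "us-east-1",
    "accountId": "123456789012",
    "transformId": "123456789012::PrefixList",   # assumed macro name
    "requestId": "req-1",
    "templateParameterValues": {
        "pRedshiftUser": "arn:redshiftperson",
        "Accounts": ["Acc1", "Acc2", "Acc3"],
    },
    "params": {"Prefix": {"Ref": "pRedshiftUser"}, "List": {"Ref": "Accounts"}},
    "fragment": {"Fn::Transform": {"Name": "PrefixList", "Parameters": {
        "Prefix": {"Ref": "pRedshiftUser"}, "List": {"Ref": "Accounts"}}}},
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

In the template, the sts:ExternalId value becomes a Fn::Transform node naming the macro and passing Prefix and List, after an AWS::CloudFormation::Macro resource has registered the Lambda under that name; the returned fragment replaces the node, so the policy ends up with the explicit list shown in the question's desired output.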

Update AWS Athena workgroup using CloudFormation template

I have two templates that I took from the AWS::Athena::WorkGroup - AWS CloudFormation documentation.
The first template, athena_create.yaml, works as expected. The second template needs to modify the workgroup created by the first template, but I get an error:
MyCustomWorkGroup already exists in stack
arn:aws:cloudformation:us-east-1:XXX:stack/a1/7cc670a0-8d19-11ea-872c-12217e59f19f
Here is the code. The create template works correctly.
athena_create.yaml
Resources:
  MyAthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: MyCustomWorkGroup
      Description: My WorkGroup
      State: ENABLED
      Tags:
        - Key: "key1"
          Value: "value1"
        - Key: "key2"
          Value: "value2"
      WorkGroupConfiguration:
        BytesScannedCutoffPerQuery: 200000000
        EnforceWorkGroupConfiguration: false
        PublishCloudWatchMetricsEnabled: false
        RequesterPaysEnabled: true
        ResultConfiguration:
          OutputLocation: s3://path/to/my/bucket/
athena_update.yaml
Resources:
  MyAthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: MyCustomWorkGroup
      Description: My WorkGroup Updated
      State: DISABLED
      Tags:
        - Key: "key1"
          Value: "value1"
        - Key: "key2"
          Value: "value2"
      WorkGroupConfigurationUpdates:
        BytesScannedCutoffPerQuery: 10000000
        EnforceWorkGroupConfiguration: true
        PublishCloudWatchMetricsEnabled: true
        RequesterPaysEnabled: false
        ResultConfigurationUpdates:
          EncryptionConfiguration:
            EncryptionOption: SSE_S3
          OutputLocation: s3://path/to/my/bucket/updated/
The update template mentioned above does not work as expected.
The reason for the error is that the two templates were used to create two independent stacks. This didn't work because they would create two Athena WorkGroups with the same Name: MyCustomWorkGroup.
The correct way to create and then update MyCustomWorkGroup is as follows:
Create a stack using the athena_create.yaml file.
Once the stack is created, use its Update option to upload athena_update.yaml, which will update the stack.

Use a Stackdriver resource group's ID in a GCP Deployment Manager configuration

I'm trying to create a Stackdriver alert policy with a Deployment Manager configuration. The same configuration first creates a resource group and a notification channel and then a policy based on those:
resources:
- name: test-group
  type: gcp-types/monitoring-v3:projects.groups
  properties:
    displayName: A test group
    filter: >-
      resource.metadata.cloud_account="aproject-id" AND
      resource.type="gce_instance" AND
      resource.metadata.tag."managed"="yes"
- name: test-email-notification
  type: gcp-types/monitoring-v3:projects.notificationChannels
  properties:
    displayName: A test email channel
    type: email
    labels:
      email_address: incidents@example.com
- name: test-alert-policy
  type: gcp-types/monitoring-v3:projects.alertPolicies
  properties:
    enabled: true
    displayName: A test alert policy
    documentation:
      mimeType: text/markdown
      content: "Test incident"
    notificationChannels:
    - $(ref.test-email-notification.name)
    combiner: OR
    conditions:
    - conditionAbsent:
        aggregations:
        - alignmentPeriod: 60s
          perSeriesAligner: ALIGN_RATE
        duration: 300s
        filter: metric.type="compute.googleapis.com/instance/uptime" group.id="$(ref.test-group.id)"
        trigger:
          count: 1
      displayName: The instance is down
The policy's only condition has a filter based on the resource group, i.e. only the members of the group could trigger this alert.
I'm trying to use a reference to the group's ID, but it doesn't work: "The reference 'id' is invalid, reason: The field 'id' does not exists on the reference schema."
Also, when I try to use $(ref.test-group.selfLink), I get "The reference 'selfLink' is invalid, reason: The field 'selfLink' does not exists on the reference schema."
I could get the group's name (e.g. "projects/aproject-id/groups/3691870619975147604"), but the filters only accept group IDs (e.g. only the "3691870619975147604" part):
{"ResourceType":"gcp-types/monitoring-v3:projects.alertPolicies","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"Field alert_policy.conditions[0].condition_absent.filter had an invalid value of \"metric.type=\"compute.googleapis.com/instance/uptime\" group.id=\"projects/aproject-id/groups/3691870619975147604\"\": must specify a restriction on \"resource.type\" in the filter; see \"https://cloud.google.com/monitoring/api/resources\" for a list of available resource types.","status":"INVALID_ARGUMENT","statusMessage":"Bad Request","requestPath":"https://monitoring.googleapis.com/v3/projects/aproject-id/alertPolicies","httpMethod":"POST"}}
Try replacing your alert policy with the following:
- name: test-alert-policy
  type: gcp-types/monitoring-v3:projects.alertPolicies
  properties:
    enabled: true
    displayName: A test alert policy
    documentation:
      mimeType: text/markdown
      content: "Test incident"
    notificationChannels:
    - $(ref.test-email-notification.name)
    combiner: OR
    conditions:
    - conditionAbsent:
        aggregations:
        - alignmentPeriod: 60s
          perSeriesAligner: ALIGN_RATE
        duration: 300s
        filter: metric.type="compute.googleapis.com/instance/uptime" $(ref.test-group.filter)
        trigger:
          count: 1
      displayName: The instance is down
  metadata:
    dependsOn:
    - test-group
This adds 1) an explicit dependency on test-group using a dependsOn clause and 2) $(ref.test-group.filter) to the metric filter, so that the condition, while not strictly linked to test-group, ends up covering all the same resources as test-group.
As Deployment Manager resources are created in parallel, it's necessary to use dependsOn to ensure test-group is instantiated before attempting to create test-alert-policy; apparently Deployment Manager isn't quite smart enough to work this out just from the references.

How to set up Istio RBAC based on groups from JWT claims?

I have a service with AuthenticationPolicy and Istio RBAC enabled (the authorization context is set to use groups from the JWT claim). However, it seems Istio does not take the groups attribute from the JWT claim into account when a call is made.
As an IdP I use dex, and I have set the corresponding AuthnPolicy for it.
I have set the authorization context as follows:
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: requestcontext
  namespace: istio-system
spec:
  subject:
    user: source.user | request.auth.claims["email"] | ""
    groups: request.auth.claims["groups"] | ""
    properties:
      namespace: source.namespace | ""
      service: source.service | ""
      iss: request.auth.claims["iss"] | ""
      sub: request.auth.claims["sub"] | ""
  action:
    namespace: destination.namespace | ""
    service: destination.service | ""
    method: request.method | ""
    path: request.path | ""
    properties:
      version: request.headers["version"] | ""
I have enabled RBAC and created a ServiceRole. I've added a ServiceRoleBinding with the subject set to a specific group called "admins":
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: service-admin-binding
spec:
  subjects:
  - group: "admins"
  roleRef:
    kind: ServiceRole
    name: "service-admin"
When a call is made without a token, AuthnPolicy works: a 401 with the proper message is returned. A call with a valid JWT results in 403 permission denied, as the group was not matched. It works fine when I change the subject to "all" users instead of a group (- user: "*").
The groups claim in the fetched JWT, after decoding, is just an array of strings:
"groups": [
  "admins"
]
If I add a first-non-empty operator with the hardcoded value "admins" in the authorization context (groups: request.auth.claims["groups"] | "admins"), it works of course, but that indicates groups are empty at the mixer adapter resolving phase?
If I set groups in the authorization context to be taken from request.auth.token["groups"], as mentioned in the docs, mixer fails with an error:
(...)'requestcontext.authorization.istio-system': failed to evaluate expression for field 'Subject'; failed to evaluate expression for field 'Subject.Groups': unknown attribute request.auth.token'.
When I took a look at the attribute vocabulary docs, it does not mention a token attribute on request.auth, and I could not find it in the code either. However, there is request.auth.claims, which I'm trying to use.
How can I set up the authentication policy together with RBAC to make it work with groups from the JWT? Additionally, is it possible to log/debug mixer while resolving the authorization phase, to see what exactly is evaluated?
Answered by Piotr Mścichowski in comments:
I got a response on Google Groups mentioning that groups as an array of strings are not supported yet, nor are groups in the subject of a role binding (this can be worked around with properties):
Yangmin Zhu:
We're currently working on adding more documents in Istio 1.0; if you're using the most recent daily release, you could try it with the following steps:
1) We introduced a new global custom resource to control the RBAC behavior in the mesh: RbacConfig. You could apply one like this to enable RBAC for the "default" namespace.
2) We made some changes to the ServiceRole.Constraints and ServiceRoleBinding.Properties about what keys are supported. See this PR for an overview of the supported keys. Regarding your ServiceRoleBinding, you could use the following config to check against the claim from the JWT (Note: the group field is not used and not supported; instead you could specify it in properties):
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: service-admin-binding
spec:
  subjects:
  - properties:
      request.auth.claims[groups]: "admins"
  roleRef:
    kind: ServiceRole
    name: "service-admin"
I think you don't need a special setting to make the authentication policy work with RBAC; if you could successfully finish this task, it should work with RBAC automatically.
You could turn on the debug logging of the Envoy proxy of your service. For RBAC, there is a specific logging group named "rbac" in Envoy; you could access the Envoy admin page locally (by default it's http://127.0.0.1:15000/logging).
Limin Wang:
We currently haven't supported JWT claims that are non-strings. If your JWT group claim is set to a single string (instead of an array), it will just work:
"group": "admin"
Also "group" under "subject" is not supported at the moment. But as Yangmin suggested, you can use custom "properties" instead.
subjects:
- properties:
    request.auth.claims[groups]: "admins"
Thanks for bringing this issue to our attention; we plan to make improvements to support such use cases in future releases.
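To make the failure mode in this thread concrete, here is an added model of the behaviour the Istio maintainers describe (illustration code, not Istio's implementation and not from the question or the answers): a token is verified the way a JWT authn filter would (signature, pinned algorithm, issuer, expiry), and then the binding's request.auth.claims[groups]: "admins" property is applied as a string-only comparison, so the array-valued groups claim the asker's dex tokens carry never matches and the request ends in 403, while the single-string form Limin Wang suggests matches and passes. HS256 with a constructed shared secret stands in for the RS256 keys dex actually issues; the issuer, secret, clock and claim values are all made up.

```python
"""Added illustration, not Istio code: a model of the behaviour the Istio
maintainers describe above. A token is verified the way a JWT authn filter
would (signature, alg, issuer, expiry), then the binding's
request.auth.claims[groups]: "admins" check is applied as a string-only
comparison, so an array-valued groups claim never matches. HS256 with a
constructed shared secret stands in for the RS256 keys dex actually issues;
issuer, secret and claim values are made up."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"          # constructed, not a real key
ISSUER = "https://dex.example.com/dex"        # hypothetical dex issuer
NOW = 1_700_000_000                            # fixed clock for repeatability


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Issue a token. alg="none" produces the unsigned form an attacker might
    submit; verify() must reject it."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature (a tampered token)."""
    header, _, sig = token.split(".")
    payload = _b64url(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{sig}"


def verify(token: str, secret: bytes = SECRET, issuer: str = ISSUER, now=None) -> dict:
    """Return the claims if the token checks out, else raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # pin the algorithm; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise ValueError("expired or missing exp")
    return claims


def claim_matches(claims: dict, name: str, expected: str) -> bool:
    """String-only comparison, as the maintainers describe: the list value
    ['admins'] is not the string 'admins', so it does not match."""
    value = claims.get(name)
    return isinstance(value, str) and value == expected


def authorize(token: str, now=None) -> int:
    """HTTP status the mesh would return: 401 without a valid token,
    403 when the groups property does not match, 200 otherwise."""
    try:
        claims = verify(token, now=now)
    except ValueError:
        return 401
    return 200 if claim_matches(claims, "groups", "admins") else 403


# Constructed tokens: same user, groups claim as an array vs a single string.
ARRAY_TOKEN = mint({"iss": ISSUER, "sub": "alice", "exp": NOW + 600, "groups": ["admins"]})
STRING_TOKEN = mint({"iss": ISSUER, "sub": "alice", "exp": NOW + 600, "groups": "admins"})

if __name__ == "__main__":
    for label, tok in (("array", ARRAY_TOKEN), ("string", STRING_TOKEN)):
        print(label, authorize(tok, now=NOW))
```

Running it prints 403 for the array token and 200 for the string token, which is exactly the split the asker saw between the group binding and the "all users" binding; the tampered, unsigned, expired and wrong-issuer tokens all stop at the 401 stage, never reaching the property check.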