-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: disable searchable nodeToNode encryption unless it is already deployed to mitigate impact from enabling or disabling. #1152
Conversation
e63f1a1
to
0283602
Compare
packages/amplify-category-api/src/graphql-transformer/transformer-factory.ts
Show resolved
Hide resolved
await amplifyPush(projRoot); | ||
|
||
appSyncClient = getAppSyncClientFromProj(projRoot); | ||
await runAndValidateQuery('test1', 'test1', 10, 2); // Expect two records |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this case, shouldn't the search domain be re-created? Since, now we're turning the encryption off. How does getting back 2 records test that, sorry if I missed something here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Behavior of the systems is such that we will maintain the current state of nodeToNode (either on or off), so there should be no loss of data. The explicit flag is being removed to test the state that "previous deployment had it, I don't care how, now I'm doing a normal deploy"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The approach looks good if this code is the minimum api version used by customer. The rollback will not flip the value as false. Still I have some concerns as following.
- How do we prevent the user to use previous version of CLI (version < 10.6 in particular)? If the older version is used when they encounter other issues (not related to search) and decide to downgrade, they will finally have the false value forcefully as the code in this PR does not exist in the previous version.
In this case, I think we should provide some warning message to the user. If we detect the search domain is provisioned and the nodeToNode is true, we should warn the user not to downgrade to version less than 10.6 which will force the false value and delete the original instance.
- I see several searchable-related e2e tests are added. I think this is a two bladed sword as it ensures the safety while increasing the pipeline load since the provisioning and deletion of search domain consume plenty of time and will have trouble when the tests fail and when many concurrent cloud e2e runs.
I suggest if the nodeToNode value is the only thing that matters here we might not need e2e tests (or we can simplify into fewer cases). We just need to check if that value is resolved to the correct value in different scenarios. If the data loss is a consideration in the e2e test, I think it is enough to test false
=> true
not causing the data loss. It is not necessary to test true
=> false
causing replacement of domain as it is already acknowledged in the CFN docs.
const searchableStackPath = path.join(projRoot, 'amplify', 'backend', 'api', projectName, 'build', 'stacks', 'SearchableStack.json'); | ||
|
||
// Initial Deploy with no flag set | ||
setTransformConfigValue(projRoot, projectName, 'NodeToNodeEncryption', true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this line a conflict with the comment above?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, I think that comment is stale, I'll update.
…ployed to mitigate impact from enabling or disabling.
0283602
to
75578fb
Compare
deleteProjectDir(projRoot); | ||
}); | ||
|
||
it('if previous deployment had no NodeToNodeEncryption, and flag is enabled on subsequent push, deploy, there should be no data loss', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a migration test?
For example:
- init an amplify project with CLI 9.x, add api with searchable directive, insert data.
- Make schema change and push with the latest CLI.
- Query the searchable data and make sure the data is present.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll mark this as work in progress, but may not want to block this release on it, since we've manually run migration smoke testing.
… NodeToNodeEncryption enabled
d420407
Description of changes
Mitigate impact from enabling nodeToNodeEncryption, by allow enabling it by default if it is already set in the
#current-cloud-backend
directory at the time of gql compilation.Also add support for a
NodeToNodeEncryption
param that can be set intransform.conf.json
to facilitate overrides and manual testing. This isn't modeled as a PARAM like the rest of the params to ensure we're not looking at TOKENs in CFN make making the decision on whether to enable the flag.So if
NodeToNodeEncryption
is set in thetransform.conf.json
file, that will be respected primarily.If that flag is not set, and
NodeToNodeEncryption
is found in the#current-cloud-backend
then enable on the next deployment.If no occurrence is found, then return false. Fall back to false in case that some part of this process fails.
Issue #, if available
N/A
Description of how you validated changes
Added unit tests for core logic, and e2e tests to confirm behavior in the following cases:
NodeToNodeEncryption
set totrue
in thetransform.conf.json
NodeToNodeEncryption
set tofalse
in thetransform.conf.json
transform.conf.json
flag set, and previous deployment state hasNodeToNodeEncryption
true stays true, there is no data loss.transform.conf.json
flag set, and previous deployment state hasNodeToNodeEncryption
false stays false, there is no data loss.true
tofalse
will rebuild Searchable instance, there will be data loss.Checklist
yarn test
passesBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.