Topic merge: Reputation alarms, rename resources, use FIPS endpoints #9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Also automatically add recipient emails that bounce or complain to the suppression list for the configuration set
Further preparation for SES and updater packages.
Changes: - Create the platform notifications topic subscription in the helper deployment - Create new package and handler for brokerpak-specific functionality - Create WIP handler for SNS notifications There are several outstanding TODOs, but I wanted to make a commit: - The endpoint is untested with SNS, just unit tests - The endpoint does not verify the SNS request, so anyone can send requests to it - The endpoint does not yet confirm the SNS subscription, which it must do: https://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.confirm.html
- Implement unmarshaller interface, which is more idiomatic - Create SNS client for confirming topic subscription
This commit implements and tests the full SNS endpoint, which can confirm the subscription and act on notifications. It includes a tested implementation of SNS signature verification. It also includes one experimental fuzz test for the SNS verification. There's currently no CI infrastructure for running tests at all, let alone fuzzing, but I've run them locally and they pass.
rcgottlieb
reviewed
Feb 12, 2025
rcgottlieb
previously approved these changes
Feb 12, 2025
- Inline the CSB and Helper routes to their app resources - Each app resource only supports one route, so drop the /docs route for now - Related to issue: cloudfoundry/terraform-provider-cloudfoundry#126
Calling sns.Client.Options().BaseEndpoint was not the correct way to get the base endpoint if that endpoint was automatically populated -- only if it was set manually. The correct method is now used in main.go: Use NewDefaultEndpointResolver in the service package (e.g `service/sns`). As of this commit the code passes the test locally, using a local server.
- CI terraform jobs should use FIPS endpoints - Correct envvar is AWS_USE_FIPS_ENDPOINT, not _ENDPOINTS plural; fix CSB - FIPS usage in Helper TBD
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this pull request:
Things to check
INFOand debugging statements are written withlog.debugor similar, then they won't be written to the otput, which can prevent unintentional leaks of sensitive data.Security considerations
None.