Skip to content

fix(signer): not correctly passing signingProfileName to CfnSigningProfile #35033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Aug 13, 2025
Merged

fix(signer): not correctly passing signingProfileName to CfnSigningProfile #35033

merged 5 commits into from
Aug 13, 2025

Conversation

pahud
Copy link
Contributor

@pahud pahud commented Jul 22, 2025
edited
Loading

Issue # (if applicable)

Closes #35030.

Reason for this change

The signingProfileName property set in the AWS CDK's Signer module L2 construct is not being properly propagated to the generated L1 CloudFormation template. This causes AWS Signer profiles to be created without the specified name, which leads to unexpected behavior and difficulty in managing resources.

Description of changes

  • Modified the SigningProfile class constructor to pass this.physicalName to the L1 CfnSigningProfile resource's profileName property
  • Updated unit tests to explicitly verify that the ProfileName property is correctly included in the CloudFormation template when signingProfileName is provided, and absent when not provided

These changes ensure that when a user specifies a signingProfileName, it will be included in the generated CloudFormation template as the ProfileName property. The fix maintains backward compatibility and doesn't introduce any breaking changes to the API.

Describe any new or updated permissions being added

No new or updated IAM permissions are needed for this change.

Description of how you validated changes

  • Updated existing unit tests to verify the fix
  • Verified that the existing integration test for SigningProfile with a name works correctly
  • Manually tested with a simple test application that uses SigningProfile with signingProfileName

Why we need a FF to avoid BC

If we had specified a signingProfileName in their SigningProfile construct, the CloudFormation template will now include this name as the ProfileName property.

Previously, this name was ignored in the CloudFormation template, causing CloudFormation to auto-generate a name for the signing profile.

Upon deployment with the updated CDK version, CloudFormation will detect this as a change and will:
Create a new signing profile with the specified name.

Delete the old signing profile that had an auto-generated name

This replacement of the signing profile can break existing references to the profile and disrupt workflows that depend on the existing profile hence this PR introduced a FF to avoid this.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team July 22, 2025 16:55
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Jul 22, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jul 22, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Jul 22, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

@pahud pahud changed the title fix(aws-signer): Not correctly passing signingProfileName to CfnSigningProfile fix(signer): not correctly passing signingProfileName to CfnSigningProfile Jul 22, 2025
@pahud pahud marked this pull request as ready for review July 22, 2025 16:58
@aws-cdk-automation aws-cdk-automation dismissed their stale review July 22, 2025 16:58

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@pahud pahud marked this pull request as draft July 22, 2025 17:04
@pahud pahud temporarily deployed to test-pipeline July 22, 2025 17:39 — with GitHub Actions Inactive
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: ce7367b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@pahud pahud marked this pull request as ready for review July 22, 2025 21:49
@github-actions github-actions bot mentioned this pull request Aug 1, 2025
Closed
@aws-cdk-automation
Copy link
Collaborator

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

@aemada-aws aemada-aws added the pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested label Aug 12, 2025
@aemada-aws
Copy link
Contributor

@Mergifyio requeue

@mergify Mergify
Copy link
Contributor

mergify bot commented Aug 13, 2025

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

@mergify Mergify
Copy link
Contributor

mergify bot commented Aug 13, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify Mergify
Copy link
Contributor

mergify bot commented Aug 13, 2025

This pull request has been removed from the queue for the following reason: checks failed.

The merge conditions cannot be satisfied due to failing checks.

You may have to fix your CI before adding the pull request to the queue again.
If you update this pull request, to fix the CI, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

@mergify Mergify
Copy link
Contributor

mergify bot commented Aug 13, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit aaaa9cc into aws:main Aug 13, 2025
17 of 18 checks passed
@github-actions GitHub Actions
Copy link
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 13, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@aemada-aws aemada-aws aemada-aws approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p2 pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(signer): signing profile name in L2 is not present in generated L1 template
3 participants
@pahud @aws-cdk-automation @aemada-aws