Replies: 4 comments 2 replies
-
Why not use and aproach like policy templates? For me the syntaxes is more simpler, the code is more compact and easy to follow. Also the connector is declared in the policy section, made more sense (for me) than declare the policy in another part of the template.
|
Beta Was this translation helpful? Give feedback.
-
I like how succinct the syntax is, but unsure how beneficial it is if we merge #2772. If this RFC gets implemented and #2772 gets merged, there'll be essentially 4 ways of specifying the same connections:
One concern is the potential added cognitive load in having to understand and choose one of the alternatives above. For example, assume the following connector: Foo:
Type: AWS::Serverless::Connector
Properties:
Source:
- Id: Foo
Destination:
- Id: Bar
- Id: Egg
Permissions:
- Read If we then want to also give If we only support #2772, it requires writing more lines, but potentially improves clarity and consistency (and diffs in changes are purely additive). |
Beta Was this translation helpful? Give feedback.
-
Starting a bit off topic- One thing I don't like with both PolicyTemplates and Connectors is that developers have to rely on documentation to understand what IAM policy it generates, but I can see beyond that and appreciate simplifying IAM anyway :-) However - the I suggest introducting a new Could the following make that a bit simpler?
In this example, |
Beta Was this translation helpful? Give feedback.
-
We have decided to move forward with part of this RFC. We will implement the ability to define multiple destinations for a single connector. We are still considering the developer experience implications of supporting multi-source connector definitions. |
Beta Was this translation helpful? Give feedback.
-
Status: Closed
We will move forward with part of this RFC. Soon, you will be able to define multiple destinations in a single connector with a single set of permissions.Problem
SAM connectors currently need to be defined once for each relationship in your stack. This promotes verbosity, bloated SAM templates, and templates that are difficult to quickly understand and maintain. If you were to draw connectors as arrows on a whiteboard signifying how data and events flow between two resources, the only type of relationship that can be expressed is a one-to-one mapping.For example, the template below demonstrates two connections between a single Lambda and two SQS queues. The connections all require identical Read/Write permissions and all have the same source resource. The connectors take up the majority of the template’s lines of code.
Similarly, your application may require multiple SAM functions reading and writing to a single DynamoDB. Again, the connectors make up the majority of the template’s lines of code.
Proposed Solution
Allow connector resources to define either multiple sources for a single destination and single set of Read/Write permissions, or define multiple destinations for a single source and single set of Read/Write permissions. Conceptually, relationships where a one-to-many or many-to-one relationship exists should be expressed as a single connector.One-to-many relationship
Many-to-one relationship
To use the first example in the Problem section above, the proposed connector definition would look like this:
For the second example in the Problem section above, the proposed connector definition would look like this:Pros/Cons
2) Easier to quickly understand
3) Expanding a one-to-many or many-to-one relationship is easy
2) If an existing resource in a one-to-many or many-to-one relationship needs to be updated to require different permissions than the other resources in the relationship, it must be refactored out of the existing connector and into a new connector. Again, this makes sense because it is a new type of relationship.
FAQ
Why not allow both multiple sources and multiple destinations simultaneously?It promotes misuse of connectors. SAM connectors are intended to simplify architecting an application by describing how resources interact. Permissions are automatically generated from the relationships defined by connectors. If the defined interactions become too obscure, it defeats the purpose of connectors. If three sources interact with multiple destinations, it is unclear if each possible relationship is actually needed for the application to function properly. In short, allowing both multiple sources and multiple destinations to be defined in the same connector promotes authoring code that is difficult to understand and maintain over time.
Can different sets of permissions be applied to different sources/destinations in the same connector?
No. Ideally, connectors are used to easily model how resources in your application interact. Each connector models one type of interaction. By limiting each connector to defining a single type of interaction, SAM code is easier to read and understand how resources interact with each other.
Beta Was this translation helpful? Give feedback.
All reactions