Update permissions, fix nondeterminism in edge operational rules

Author: gordon-klotho

create_test.sh

@@ -38,4 +38,5 @@ fi
 [ -e "$out_dir/iac-topology.yaml" ] && cp "$out_dir/iac-topology.yaml" "$test_dir/$name.iac-viz.yaml"
 [ -e "$out_dir/error_details.json" ] && cp "$out_dir/error_details.json" "$test_dir/$name.err.json"
 [ -e "$out_dir/deployment_permissions_policy.json" ] && cp "$out_dir/deployment_permissions_policy.json" "$test_dir/$name.deployment-policy.json"
+
 rm -rf $out_dir

pkg/construct/graph_io.go

@@ -197,3 +197,14 @@ func (e SimpleEdge) ToEdge() Edge {
 		Target: e.Target,
 	}
 }
+
+func EdgeKeys[V any](m map[SimpleEdge]V) []SimpleEdge {
+	keys := make([]SimpleEdge, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Slice(keys, func(i, j int) bool {
+		return keys[i].Less(keys[j])
+	})
+	return keys
+}

pkg/engine/operational_eval/debug.go

@@ -11,6 +11,7 @@ import (
 	"github.com/dominikbraun/graph"
 	"github.com/klothoplatform/klotho/pkg/dot"
 	"go.uber.org/zap"
+	"gopkg.in/yaml.v3"
 )
 
 const (
@@ -88,3 +89,34 @@ func writeGraph(eval *Evaluator, filename string, toDot func(*Evaluator, io.Writ
 	defer svgFile.Close()
 	fmt.Fprint(svgFile, svgContent)
 }
+
+func (eval *Evaluator) writeExecOrder() {
+	path := "exec-order.yaml"
+	if debugDir := os.Getenv("KLOTHO_DEBUG_DIR"); debugDir != "" {
+		path = filepath.Join(debugDir, path)
+	}
+	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+		zap.S().Errorf("could not create debug directory %s: %v", filepath.Dir(path), err)
+		return
+	}
+
+	f, err := os.Create(path)
+	if err != nil {
+		zap.S().Errorf("could not create file %s: %v", path, err)
+		return
+	}
+	defer f.Close()
+
+	order := make([][]string, len(eval.evaluatedOrder))
+	for i, group := range eval.evaluatedOrder {
+		order[i] = make([]string, len(group))
+		for j, key := range group {
+			order[i][j] = key.String()
+		}
+	}
+
+	err = yaml.NewEncoder(f).Encode(order)
+	if err != nil {
+		zap.S().Errorf("could not write exec order to file %s: %v", path, err)
+	}
+}

pkg/engine/operational_eval/dot.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"slices"
 	"strings"
 
 	"github.com/klothoplatform/klotho/pkg/dot"
@@ -89,7 +90,7 @@ func toRanks(eval *Evaluator) ([]evalRank, error) {
 			var noDeps []Key
 			var onlyDownstream []Key
 			var hasUpstream []Key
-			for key := range keys {
+			for _, key := range keys {
 				switch {
 				case len(pred[key]) == 0 && len(adj[key]) == 0:
 					noDeps = append(noDeps, key)
@@ -115,14 +116,14 @@ func toRanks(eval *Evaluator) ([]evalRank, error) {
 				}
 			}
 		} else {
-			rank.SubRanks = [][]Key{keys.ToSlice()}
+			rank.SubRanks = [][]Key{keys}
 		}
 	}
 	var unevaluated []Key
 	for key := range pred {
 		evaluated := false
 		for _, keys := range eval.evaluatedOrder {
-			if keys.Contains(key) {
+			if slices.Contains(keys, key) {
 				evaluated = true
 				break
 			}
@@ -240,7 +241,7 @@ func graphToDOT(eval *Evaluator, out io.Writer) error {
 
 	evalOrder := make(map[Key]int)
 	for i, keys := range eval.evaluatedOrder {
-		for key := range keys {
+		for _, key := range keys {
 			evalOrder[key] = i
 		}
 	}

pkg/engine/operational_eval/eval.go

@@ -9,12 +9,12 @@ import (
 	"github.com/dominikbraun/graph"
 	construct "github.com/klothoplatform/klotho/pkg/construct"
 	"github.com/klothoplatform/klotho/pkg/graph_addons"
-	"github.com/klothoplatform/klotho/pkg/set"
 	"go.uber.org/zap"
 )
 
 func (eval *Evaluator) Evaluate() error {
 	defer eval.writeGraph("property_deps")
+	defer eval.writeExecOrder()
 	for {
 		size, err := eval.unevaluated.Order()
 		if err != nil {
@@ -26,8 +26,7 @@ func (eval *Evaluator) Evaluate() error {
 
 		// add to evaluatedOrder so that in popReady it has the correct group number
 		// which is based on `len(eval.evaluatedOrder)`
-		evaluated := make(set.Set[Key])
-		eval.evaluatedOrder = append(eval.evaluatedOrder, evaluated)
+		eval.evaluatedOrder = append(eval.evaluatedOrder, []Key{})
 
 		ready, err := eval.pollReady()
 		if err != nil {
@@ -52,7 +51,7 @@ func (eval *Evaluator) Evaluate() error {
 				continue
 			}
 			log.Debugf("Evaluating %s", k)
-			evaluated.Add(k)
+			eval.evaluatedOrder[len(eval.evaluatedOrder)-1] = append(eval.evaluatedOrder[len(eval.evaluatedOrder)-1], k)
 			eval.currentKey = &k
 			errs = errors.Join(errs, graph_addons.RemoveVertexAndEdges(eval.unevaluated, v.Key()))
 			err = v.Evaluate(eval)

pkg/engine/operational_eval/evaluator.go

@@ -23,7 +23,7 @@ type (
 
 		unevaluated Graph
 
-		evaluatedOrder []set.Set[Key]
+		evaluatedOrder [][]Key
 		errored        set.Set[Key]
 
 		currentKey *Key
@@ -185,6 +185,10 @@ func (r ReadyPriority) String() string {
 	}
 }
 
+func (eval *Evaluator) EvalutedOrder() [][]Key {
+	return eval.evaluatedOrder
+}
+
 func (eval *Evaluator) Log() *zap.SugaredLogger {
 	if eval.log == nil {
 		eval.log = zap.S().Named("engine.opeval")
@@ -501,15 +505,14 @@ func (eval *Evaluator) UpdateId(oldId, newId construct.ResourceId) error {
 	}
 
 	for i, keys := range eval.evaluatedOrder {
-		for key := range keys {
+		for j, key := range keys {
 			oldKey := key
 			if key.Ref.Resource == oldId {
 				key.Ref.Resource = newId
 			}
 			key.Edge = UpdateEdgeId(key.Edge, oldId, newId)
 			if key != oldKey {
-				eval.evaluatedOrder[i].Remove(oldKey)
-				eval.evaluatedOrder[i].Add(key)
+				eval.evaluatedOrder[i][j] = key
 			}
 		}
 	}

pkg/engine/operational_eval/vertex_property.go

@@ -63,7 +63,9 @@ func (prop *propertyVertex) Dependencies(eval *Evaluator, propCtx dependencyCapt
 			current_edges[k] = v
 		}
 
-		for edge, rule := range prop.EdgeRules {
+		for _, edge := range construct.EdgeKeys(prop.EdgeRules) {
+			rule := prop.EdgeRules[edge]
+
 			edgeData := knowledgebase.DynamicValueData{
 				Resource: prop.Ref.Resource,
 				Edge:     &construct.Edge{Source: edge.Source, Target: edge.Target},
@@ -337,8 +339,8 @@ func (v *propertyVertex) evaluateEdgeOperational(
 ) error {
 	oldId := v.Ref.Resource
 	var errs error
-	for edge, rules := range v.EdgeRules {
-		for _, rule := range rules {
+	for _, edge := range construct.EdgeKeys(v.EdgeRules) {
+		for _, rule := range v.EdgeRules[edge] {
 			// In case one of the previous rules changed the ID, update it
 			edge = UpdateEdgeId(edge, oldId, res.ID)
 
@@ -365,8 +367,9 @@ func (v *propertyVertex) evaluateTransforms(
 ) error {
 	var errs error
 	oldId := v.Ref.Resource
-	for edge, rules := range v.TransformRules {
-		for _, rule := range rules.ToSlice() {
+	for _, edge := range construct.EdgeKeys(v.TransformRules) {
+		rules := v.TransformRules[edge].ToSlice()
+		for _, rule := range rules {
 			// In case one of the previous rules changed the ID, update it
 			edge = UpdateEdgeId(edge, oldId, res.ID)
 			opCtx.SetData(knowledgebase.DynamicValueData{
@@ -502,7 +505,7 @@ func addConfigurationRuleToPropertyVertex(
 				))
 			}
 			continue
-		} else if err != nil {
+		} else if unevalErr != nil {
 			errs = errors.Join(errs, fmt.Errorf("could not get existing unevaluated vertex for %s: %w", ref, err))
 			continue
 		}

pkg/engine/testdata/2_routes.deployment-policy.json

@@ -44,8 +44,7 @@
                 "lambda:TagResource",
                 "lambda:UntagResource",
                 "lambda:UpdateFunctionConfiguration",
-                "logs:*LogGroup",
-                "logs:*LogGroups",
+                "logs:*LogGroup*",
                 "logs:PutRetentionPolicy"
             ],
             "Effect": "Allow",

pkg/engine/testdata/delete_api_to_lambda_edge.deployment-policy.json

@@ -42,8 +42,7 @@
                 "lambda:TagResource",
                 "lambda:UntagResource",
                 "lambda:UpdateFunctionConfiguration",
-                "logs:*LogGroup",
-                "logs:*LogGroups",
+                "logs:*LogGroup*",
                 "logs:PutRetentionPolicy"
             ],
             "Effect": "Allow",

pkg/engine/testdata/delete_namespace_resource.deployment-policy.json

@@ -24,8 +24,7 @@
                 "lambda:TagResource",
                 "lambda:UntagResource",
                 "lambda:UpdateFunctionConfiguration",
-                "logs:*LogGroup",
-                "logs:*LogGroups",
+                "logs:*LogGroup*",
                 "logs:PutRetentionPolicy"
             ],
             "Effect": "Allow",

pkg/engine/testdata/delete_resource_and_iacdeps.deployment-policy.json

@@ -20,8 +20,7 @@
                 "apigateway:UpdateResource",
                 "apigateway:UpdateRestApi",
                 "apigateway:UpdateStage",
-                "ecs:*Cluster",
-                "ecs:*Clusters",
+                "ecs:*Cluster*",
                 "ecs:ListTagsForResource",
                 "ecs:TagResource",
                 "ecs:UntagResource",

pkg/engine/testdata/ecs_rds.deployment-policy.json

@@ -18,8 +18,7 @@
                 "ec2:*Route",
                 "ec2:*RouteTable*",
                 "ec2:*SecurityGroup*",
-                "ec2:*Subnet",
-                "ec2:*Subnets",
+                "ec2:*Subnet*",
                 "ec2:*Tags",
                 "ec2:*Vpc",
                 "ec2:*Vpc*",
@@ -30,7 +29,6 @@
                 "ec2:DescribeRegions",
                 "ec2:DisassociateRouteTable",
                 "ec2:ModifySecurityGroupRules",
-                "ec2:ModifySubnetAttribute",
                 "ec2:ModifyVpcAttribute",
                 "ec2:ReplaceRouteTableAssociation",
                 "ec2:RevokeSecurityGroupEgress",
@@ -42,8 +40,7 @@
                 "ecr:Get*",
                 "ecr:List*",
                 "ecr:TagResource",
-                "ecs:*Cluster",
-                "ecs:*Clusters",
+                "ecs:*Cluster*",
                 "ecs:*Service",
                 "ecs:*TaskDefinition",
                 "ecs:Describe*",
@@ -61,8 +58,7 @@
                 "iam:UntagRole",
                 "iam:Update*",
                 "kms:RetireGrant",
-                "logs:*LogGroup",
-                "logs:*LogGroups",
+                "logs:*LogGroup*",
                 "logs:PutRetentionPolicy",
                 "rds:*DBInstance",
                 "rds:AddTagsToResource",

pkg/engine/testdata/ecs_rds.expect.yaml

@@ -129,42 +129,42 @@ resources:
                   Properties:
                     Annotations:
                         Alarms:
-                            - aws:cloudwatch_alarm:ecs_service_0-RunningTaskCount#Arn
+                            - aws:cloudwatch_alarm:ecs_service_0-CPUUtilization#Arn
                     Region: aws:region:region-0#Name
                   Type: metric
                   Width: 6
                 - Height: 6
                   Properties:
                     Alarms:
-                        - aws:cloudwatch_alarm:ecs_service_0-RunningTaskCount#Arn
+                        - aws:cloudwatch_alarm:ecs_service_0-CPUUtilization#Arn
                   Type: alarm
                   Width: 6
                 - Height: 6
                   Properties:
                     Annotations:
                         Alarms:
-                            - aws:cloudwatch_alarm:ecs_service_0-CPUUtilization#Arn
+                            - aws:cloudwatch_alarm:ecs_service_0-MemoryUtilization#Arn
                     Region: aws:region:region-0#Name
                   Type: metric
                   Width: 6
                 - Height: 6
                   Properties:
                     Alarms:
-                        - aws:cloudwatch_alarm:ecs_service_0-CPUUtilization#Arn
+                        - aws:cloudwatch_alarm:ecs_service_0-MemoryUtilization#Arn
                   Type: alarm
                   Width: 6
                 - Height: 6
                   Properties:
                     Annotations:
                         Alarms:
-                            - aws:cloudwatch_alarm:ecs_service_0-MemoryUtilization#Arn
+                            - aws:cloudwatch_alarm:ecs_service_0-RunningTaskCount#Arn
                     Region: aws:region:region-0#Name
                   Type: metric
                   Width: 6
                 - Height: 6
                   Properties:
                     Alarms:
-                        - aws:cloudwatch_alarm:ecs_service_0-MemoryUtilization#Arn
+                        - aws:cloudwatch_alarm:ecs_service_0-RunningTaskCount#Arn
                   Type: alarm
                   Width: 6
     aws:ecr_image:ecs_service_0-ecs_service_0:

pkg/engine/testdata/extend_graph.deployment-policy.json

@@ -47,8 +47,7 @@
                 "lambda:TagResource",
                 "lambda:UntagResource",
                 "lambda:UpdateFunctionConfiguration",
-                "logs:*LogGroup",
-                "logs:*LogGroups",
+                "logs:*LogGroup*",
                 "logs:PutRetentionPolicy"
             ],
             "Effect": "Allow",

pkg/engine/testdata/idempotent_constraints.deployment-policy.json

@@ -18,8 +18,7 @@
                 "ec2:*Route",
                 "ec2:*RouteTable*",
                 "ec2:*SecurityGroup*",
-                "ec2:*Subnet",
-                "ec2:*Subnets",
+                "ec2:*Subnet*",
                 "ec2:*Tags",
                 "ec2:*Vpc",
                 "ec2:*Vpc*",
@@ -30,7 +29,6 @@
                 "ec2:DescribeRegions",
                 "ec2:DisassociateRouteTable",
                 "ec2:ModifySecurityGroupRules",
-                "ec2:ModifySubnetAttribute",
                 "ec2:ModifyVpcAttribute",
                 "ec2:ReplaceRouteTableAssociation",
                 "ec2:RevokeSecurityGroupEgress",
@@ -42,8 +40,7 @@
                 "ecr:Get*",
                 "ecr:List*",
                 "ecr:TagResource",
-                "ecs:*Cluster",
-                "ecs:*Clusters",
+                "ecs:*Cluster*",
                 "ecs:*Service",
                 "ecs:*TaskDefinition",
                 "ecs:Describe*",
@@ -61,8 +58,7 @@
                 "iam:UntagRole",
                 "iam:Update*",
                 "kms:RetireGrant",
-                "logs:*LogGroup",
-                "logs:*LogGroups",
+                "logs:*LogGroup*",
                 "logs:PutRetentionPolicy",
                 "rds:*DBInstance",
                 "rds:AddTagsToResource",