fix: disable trace logging

[rantoniuk]

No description provided.

[Copilot]

Pull Request Overview

This PR disables trace-level logging by changing the log level from 'trace' to 'info' in the NonInteractiveIoHost configuration.

• Changes the log level from 'trace' to 'info' to reduce verbosity

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.}

[rantoniuk]

@corymhall ping

[corymhall]

Just curious as to why you want to update this? From my testing it didn't seem to be that verbose and added useful info to the logs.

[rantoniuk]

I think you are perfectly aware that trace is not a production log level - and yes, the logs from the execution are way too verbose cluttering the actual interesting output. If you find it useful for your purpose, please add a flag for this.

On top of that - no security review board would approve things to run with trace in production for security reasons ( leaking secrets, etc. )

[09:05:45] Starting Diff ...
[09:05:45] Retrieved account ID 123456789 from disk cache
[09:05:45] Retrieved account ID 123456789 from disk cache
[09:05:45] Assuming role 'arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2'.
[09:05:45] [SDK error] STS.AssumeRole({"RoleArn":"arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2","RoleSessionName":"aws-cdk-runner"}) -> AccessDenied: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2
[09:05:45] Assuming role failed: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2
[09:05:45] Could not assume role in target account using current credentials User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2', but are for the right account. Proceeding anyway.
[09:05:45] Retrieved account ID 123456789 from disk cache
Lookup role arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2 was not assumed. Proceeding with default credentials.
[09:05:45] [SDK info] CloudFormation.DescribeStacks({"StackName":"Vpc-Stack"}) -> OK
[09:05:46] [SDK info] CloudFormation.GetTemplate({"StackName":"Vpc-Stack","TemplateStage":"Original"}) -> OK
[09:05:46] Retrieved account ID 123456789 from disk cache
[09:05:46] Retrieved account ID 123456789 from disk cache
Lookup role arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2 was not assumed. Proceeding with default credentials.
[09:05:46] [SDK info] CloudFormation.DescribeStacks({"StackName":"Vpc-Stack"}) -> OK
[09:05:46] Retrieved account ID 123456789 from disk cache
[09:05:46] Assuming role 'arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-us-west-2'.
[09:05:46] [SDK error] STS.AssumeRole({"RoleArn":"arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-us-west-2","RoleSessionName":"aws-cdk-runner"}) -> AccessDenied: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-us-west-2
[09:05:46] Assuming role failed: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-us-west-2
[09:05:46] Could not assume role in target account using current credentials User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-us-west-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-us-west-2', but are for the right account. Proceeding anyway.
[09:05:46] [SDK error] SSM.GetParameter({"Name":"/cdk-bootstrap/hnb659fds/version"}) -> AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:123456789:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
[09:05:46] Waiting for stack CDKToolkit to finish creating or updating...
[09:05:46] [SDK info] CloudFormation.DescribeStacks({"StackName":"CDKToolkit"}) -> OK
[09:05:46] ToolkitError: Vpc-Stack: This CDK deployment requires bootstrap stack version '6', but during the confirmation via SSM parameter /cdk-bootstrap/hnb659fds/version the following error occurred: AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:123456789:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)
[09:05:46] Retrieved account ID 123456789 from disk cache
[09:05:46] Retrieved account ID 123456789 from disk cache
Lookup role arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2 was not assumed. Proceeding with default credentials.
[09:05:46] [SDK info] CloudFormation.DescribeStacks({"StackName":"GithubActionsOidc-Stack"}) -> OK
[09:05:46] [SDK info] CloudFormation.GetTemplate({"StackName":"GithubActionsOidc-Stack","TemplateStage":"Original"}) -> OK
[09:05:46] Retrieved account ID 123456789 from disk cache
[09:05:46] Retrieved account ID 123456789 from disk cache
Lookup role arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2 was not assumed. Proceeding with default credentials.
[09:05:47] [SDK info] CloudFormation.DescribeStacks({"StackName":"GithubActionsOidc-Stack"}) -> OK
[09:05:47] Retrieved account ID 123456789 from disk cache
[09:05:47] [SDK error] SSM.GetParameter({"Name":"/cdk-bootstrap/hnb659fds/version"}) -> AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:123456789:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
[09:05:47] ToolkitError: GithubActionsOidc-Stack: This CDK deployment requires bootstrap stack version '6', but during the confirmation via SSM parameter /cdk-bootstrap/hnb659fds/version the following error occurred: AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:123456789:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)
[09:05:47] Retrieved account ID 123456789 from disk cache
[09:05:47] Retrieved account ID 123456789 from disk cache
Lookup role arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2 was not assumed. Proceeding with default credentials.
[09:05:47] [SDK info] CloudFormation.DescribeStacks({"StackName":"Aurora-Stack"}) -> OK
[09:05:47] [SDK info] CloudFormation.GetTemplate({"StackName":"Aurora-Stack","TemplateStage":"Original"}) -> OK
[09:05:47] Retrieved account ID 123456789 from disk cache
[09:05:47] Retrieved account ID 123456789 from disk cache
Lookup role arn:aws:iam::123456789:role/cdk-hnb659fds-lookup-role-123456789-us-west-2 was not assumed. Proceeding with default credentials.
[09:05:47] [SDK info] CloudFormation.DescribeStacks({"StackName":"Aurora-Stack"}) -> OK
[09:05:47] Retrieved account ID 123456789 from disk cache
[09:05:47] [SDK error] SSM.GetParameter({"Name":"/cdk-bootstrap/hnb659fds/version"}) -> AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:123456789:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
[09:05:47] ToolkitError: Aurora-Stack: This CDK deployment requires bootstrap stack version '6', but during the confirmation via SSM parameter /cdk-bootstrap/hnb659fds/version the following error occurred: AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/githubActionsDeployRole/github-infra-cdk-diff is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:123456789:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)

The above is only a part of the execution and it's absolutely useless to see 10 times the info about disk cache.

[rantoniuk]

Do you need anything from me in here?

[corymhall]

@rantoniuk sorry I missed this comment. Yes, can you run npx projen build to rebuild and checkin the dist directory?

[rantoniuk]

I can (and will do that this time) - but this is actually against the best practices of how releases should be done in CI/CD.

This can lead to actually breaking the release, because the environment I (the contributor) am using might be customised. For example, I can easily inject a malicious code into the library, that I will not commit (git add) into the PR, but yet I will include it in the dist/ compilation. That's just one example, out of many (library version differences, etc.)

If you're open for changes, I can open an issue with proposed GHA changes to your release workflow (or a PR for that matter).

[corymhall]

Sure you can create an issue for it. I'm not aware of a way to do this for github actions since they require you to check in the dist folder. Other popular actions do this as well see setup-node.

This repo does have a check in the PR build that re-builds everything and fails the build if there are any changes so it would prevent the scenario you mentioned.