
fix(iam): Role.addManagedPolicy() does not work for imported roles `IRole` #8307 (#31212)

### Issue #8307

Closes #8307

### Reason for this change
- This addManagedPolicy() just does nothing; it neither throws a warning nor
fails.

### Description of changes
- This implements **addManagedPolicy()** for **ImportedRole**
- This throws an Error when `IRole` is used with `IManagedPolicy`, due to
constraints

### Approaches decided
- We can't change **addManagedPolicy(policy: IManagedPolicy)** to
**addManagedPolicy(policy: ManagedPolicy)** (i.e., to ManagedPolicy),
like **attachInlinePolicy(policy: Policy)**, as it would break for a
great many customers.
- https://github.com/aws/aws-cdk/blob/823ff6e03899f790a4cb1c43f92a02cc906ac356/packages/aws-cdk-lib/aws-iam/lib/identity-base.ts#L17-L21
- So, we need to handle this gracefully when accepting only
**ManagedPolicy**.
- We can't use IRole & IManagedPolicy to do the work at the same time,
so we need to allow ManagedPolicy in params and throw an Error when an
IManagedPolicy is passed, because of how **attachToRole()** will be
used by **addManagedPolicy()**.
- #### This PR implements the following:
  - enables **addManagedPolicy()**
  - accepts **ManagedPolicy**
  - throws an understandable Error when `IRole` is used with
`IManagedPolicy`.

### Description of how you validated changes
- unit & integration tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*

---------

Co-authored-by: paulhcsun <[email protected]>
Co-authored-by: GZ <[email protected]>
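The design decision in the message above, as an added model that is not aws-cdk-lib's own code (the classes, the `importedManagedPolicy()` helper and the sample names are hypothetical stand-ins): an imported role has no `AWS::IAM::Role` resource in the stack to attach through, so `addManagedPolicy()` keeps the `IManagedPolicy` signature, lets a concrete `ManagedPolicy` attach itself via `attachToRole()`, and throws an understandable error for an ARN-only `IManagedPolicy` instead of silently doing nothing.

```typescript
// Added illustration (not aws-cdk-lib code): a minimal model of the
// ImportedRole.addManagedPolicy() behaviour the commit describes. Names follow
// the CDK API, but every class and function here is a hypothetical stand-in.

interface IRole { readonly roleName: string; addManagedPolicy(policy: IManagedPolicy): void; }

// Anything addressable by ARN, including policies imported from another stack.
interface IManagedPolicy { readonly managedPolicyArn: string; }

// A ManagedPolicy created in this app owns its resource, so it can record the
// role on its own Roles property instead of needing the role's template.
class ManagedPolicy implements IManagedPolicy {
  readonly managedPolicyArn: string;
  readonly roles: string[] = [];
  constructor(managedPolicyName: string) {
    // constructed sample account id
    this.managedPolicyArn = `arn:aws:iam::111111111111:policy/${managedPolicyName}`;
  }
  attachToRole(role: IRole): void {
    if (!this.roles.includes(role.roleName)) this.roles.push(role.roleName);
  }
}

// An imported policy is only an ARN reference: nothing in this app owns the
// AWS::IAM::ManagedPolicy resource, so there is nothing to attach through.
function importedManagedPolicy(arn: string): IManagedPolicy {
  return { managedPolicyArn: arn };
}

// Imported roles have no AWS::IAM::Role resource in this stack either, so the
// only way to attach is from the policy side; anything else is rejected loudly
// instead of being silently dropped, which was the original bug.
class ImportedRole implements IRole {
  readonly roleName: string;
  constructor(roleName: string) { this.roleName = roleName; }
  addManagedPolicy(policy: IManagedPolicy): void {
    if (policy instanceof ManagedPolicy) {
      policy.attachToRole(this);
      return;
    }
    throw new Error(
      `Cannot attach ${policy.managedPolicyArn} to imported role ${this.roleName}: ` +
      'only a ManagedPolicy defined in this app can attach itself to an imported role',
    );
  }
}

// Usage: the in-app policy attaches; an ARN-only import would throw instead.
const role = new ImportedRole('roleToBeImported');
const custom = new ManagedPolicy('MyCustomManagedPolicy1');
role.addManagedPolicy(custom); // custom.roles is now ['roleToBeImported']
```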
3 people authored Dec 6, 2024
1 parent f4c19c7 commit c78ef1b
Showing 17 changed files with 24,662 additions and 54,758 deletions.


Expand Up @@ -34,7 +34,7 @@
"PolicyNames.2",
"PolicyNames.3"
],
"salt": "1697413484207"
"salt": "1729447009370"
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
Expand Down Expand Up @@ -73,6 +73,15 @@
"Resource": [
"*"
]
},
{
"Action": [
"iam:ListAttachedRolePolicies"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
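Review bot: the new `iam:ListAttachedRolePolicies` statement is granted on `"Resource": ["*"]`, which is broader than the single imported role the assertion reads. This is the DeployAssert-generated snapshot, so the statement cannot be hand-scoped here, but please confirm the snapshot was regenerated by the integ runner rather than edited, and that this permission lands only on the assertion provider's singleton handler role; otherwise the wildcard is a least-privilege regression in the test account.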
Expand All @@ -83,12 +92,20 @@
"SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Runtime": "nodejs18.x",
"Runtime": {
"Fn::FindInMap": [
"LatestNodeRuntimeMap",
{
"Ref": "AWS::Region"
},
"value"
]
},
"Code": {
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "c91921c142e824b74d06797a2be74eab5d0dd0453e753549f5182ac7a02f556b.zip"
"S3Key": "e77649078c9dea5bbb707b7fe68014cfa5d919a38d31b467f6a205b51ea63a83.zip"
},
"Timeout": 120,
"Handler": "index.handler",
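Review bot: the switch from the fixed `"Runtime": "nodejs18.x"` to the `LatestNodeRuntimeMap` lookup and the new `S3Key` asset hash are snapshot churn from regenerating the DeployAssert provider, not part of the `addManagedPolicy()` fix. That is acceptable when the snapshot comes from the current tooling, but it should be called out in the description so reviewers know the runtime bump is incidental, and note that the `Fn::FindInMap` form resolves the same template to `nodejs18.x` in the cn-, gov- and iso- partitions.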
Expand All @@ -99,6 +116,43 @@
]
}
}
},
"AwsApiCallIAMlistAttachedRolePolicies7b6e565f3b40bc5c7faa65c17a68f5be": {
"Type": "Custom::DeployAssert@SdkCallIAMlistAttachedRolePolicies",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
"Arn"
]
},
"service": "IAM",
"api": "listAttachedRolePolicies",
"expected": "{\"$StringLike\":\"^MyCustomManagedPolicy[0-9]$\"}",
"actualPath": "AttachedPolicies.1.PolicyName",
"parameters": {
"RoleName": {
"Fn::Join": [
"",
[
"\"",
{
"Fn::ImportValue": "integ-iam-imported-role-3:ExportsOutputRefroleToBeImportedCAC1213CDE38D2C6"
},
"\""
]
]
}
},
"flattenResponse": "true",
"outputPaths": [
"AttachedPolicies.0.PolicyName",
"AttachedPolicies.1.PolicyName"
],
"salt": "1729447009371"
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
}
},
"Outputs": {
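Review bot: the assertion pins `actualPath` to `AttachedPolicies.1.PolicyName` while `outputPaths` lists both index 0 and 1, so it relies on `ListAttachedRolePolicies` returning the policies in a stable order with the new `MyCustomManagedPolicy<n>` policy second. The IAM API does not document a guaranteed ordering, so this can become flaky if another policy is attached to `roleToBeImported` or the order changes; matching the whole `AttachedPolicies` list for a policy name like `^MyCustomManagedPolicy[0-9]$` would be more robust than asserting on a single index. Also note that the `[0-9]` pattern covers only a single trailing digit.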
Expand All @@ -109,6 +163,138 @@
"assertion"
]
}
},
"AssertionResultsAwsApiCallIAMlistAttachedRolePolicies7b6e565f3b40bc5c7faa65c17a68f5be": {
"Value": {
"Fn::GetAtt": [
"AwsApiCallIAMlistAttachedRolePolicies7b6e565f3b40bc5c7faa65c17a68f5be",
"assertion"
]
}
}
},
"Mappings": {
"LatestNodeRuntimeMap": {
"af-south-1": {
"value": "nodejs20.x"
},
"ap-east-1": {
"value": "nodejs20.x"
},
"ap-northeast-1": {
"value": "nodejs20.x"
},
"ap-northeast-2": {
"value": "nodejs20.x"
},
"ap-northeast-3": {
"value": "nodejs20.x"
},
"ap-south-1": {
"value": "nodejs20.x"
},
"ap-south-2": {
"value": "nodejs20.x"
},
"ap-southeast-1": {
"value": "nodejs20.x"
},
"ap-southeast-2": {
"value": "nodejs20.x"
},
"ap-southeast-3": {
"value": "nodejs20.x"
},
"ap-southeast-4": {
"value": "nodejs20.x"
},
"ap-southeast-5": {
"value": "nodejs20.x"
},
"ap-southeast-7": {
"value": "nodejs20.x"
},
"ca-central-1": {
"value": "nodejs20.x"
},
"ca-west-1": {
"value": "nodejs20.x"
},
"cn-north-1": {
"value": "nodejs18.x"
},
"cn-northwest-1": {
"value": "nodejs18.x"
},
"eu-central-1": {
"value": "nodejs20.x"
},
"eu-central-2": {
"value": "nodejs20.x"
},
"eu-isoe-west-1": {
"value": "nodejs18.x"
},
"eu-north-1": {
"value": "nodejs20.x"
},
"eu-south-1": {
"value": "nodejs20.x"
},
"eu-south-2": {
"value": "nodejs20.x"
},
"eu-west-1": {
"value": "nodejs20.x"
},
"eu-west-2": {
"value": "nodejs20.x"
},
"eu-west-3": {
"value": "nodejs20.x"
},
"il-central-1": {
"value": "nodejs20.x"
},
"me-central-1": {
"value": "nodejs20.x"
},
"me-south-1": {
"value": "nodejs20.x"
},
"mx-central-1": {
"value": "nodejs20.x"
},
"sa-east-1": {
"value": "nodejs20.x"
},
"us-east-1": {
"value": "nodejs20.x"
},
"us-east-2": {
"value": "nodejs20.x"
},
"us-gov-east-1": {
"value": "nodejs18.x"
},
"us-gov-west-1": {
"value": "nodejs18.x"
},
"us-iso-east-1": {
"value": "nodejs18.x"
},
"us-iso-west-1": {
"value": "nodejs18.x"
},
"us-isob-east-1": {
"value": "nodejs18.x"
},
"us-west-1": {
"value": "nodejs20.x"
},
"us-west-2": {
"value": "nodejs20.x"
}
}
},
"Parameters": {
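Review bot: the `Mappings.LatestNodeRuntimeMap` block is generated provider boilerplate that belongs with the runtime change above rather than with this fix; the only line in this hunk that validates the change is the new `AssertionResultsAwsApiCallIAMlistAttachedRolePolicies…` output. Consider noting in the PR that the 24,662-line addition count is dominated by regenerated snapshots, so the substantive diff (the `ImportedRole.addManagedPolicy()` implementation and its unit tests) is easy to find.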

0 comments on commit c78ef1b
