Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(core): fix policy synthesizer logic for precreated roles #31710

Merged
merged 8 commits into from
Oct 22, 2024

Conversation

GavinZZ
Copy link
Contributor

@GavinZZ GavinZZ commented Oct 9, 2024

Issue # (if applicable)

Closes #31653

Reason for this change

With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles.

Description of changes

Intended behaviour

When customizeRoles is used, the iam-policy-report.txt report will contain a list
of IAM roles and associated permissions that would have been created. This report is
generated so that it attempts to resolve any references and replace with a more user
friendly value.

The following are some examples of the value that will appear in the report:

"Resource": {
      "Fn::GetAtt": [
           "SomeResource",
           "Arn"
       ]
}

The policy report will instead get:

"(Path/To/SomeResource.Arn)"

Current issues

There are two main issues here:

  1. Policy synthesizer (which is used for customizeRoles to generate report) is created with App scope. This caused the failure in the original issue Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found. because token resolution requires a Stack scope not an App scope.
  2. The policy synthesizer was using DefaultTokenResolver. The default token resolution class does not generate the same format of output values for the policy report. i.e. A concatenated token value, i.e. ${Token[Token.X]}/index/* would be converted to (PhysicalId).Arn instead of "(Path/To/SomeResource.Arn)".
  3. Pseudo parameters like AWS::NoValue would be rendered as Tokens in the policy report which is not idea. Update it to make it output NOVALUE.

This PR addresses the above two issues.

Description of how you validated changes

New and existing tests pass.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@GavinZZ GavinZZ added the pr-linter/exempt-test The PR linter will not require test changes label Oct 9, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team October 9, 2024 23:15
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p1 labels Oct 9, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 9, 2024
@GavinZZ GavinZZ marked this pull request as ready for review October 9, 2024 23:19
@GavinZZ GavinZZ force-pushed the yuanhaoz/customize-role-fix branch from 60ae7c1 to 1ce33ef Compare October 9, 2024 23:39
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 10, 2024
Copy link
Member

@Leo10Gama Leo10Gama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall changes look good! Just a few minor comments from me.

packages/aws-cdk-lib/aws-iam/README.md Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-iam/README.md Outdated Show resolved Hide resolved
@Leo10Gama Leo10Gama added the pr/do-not-merge This PR should not be merged at this time. label Oct 16, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 16, 2024
@Leo10Gama Leo10Gama self-assigned this Oct 17, 2024
Copy link
Member

@Leo10Gama Leo10Gama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes LGTM! Will leave the do-not-merge label on for a second review from core to confirm changes are fine

@GavinZZ
Copy link
Contributor Author

GavinZZ commented Oct 22, 2024

Discussed with Kendra offline and she's fine to merge this. Removing do-not-merge.

@GavinZZ GavinZZ removed the pr/do-not-merge This PR should not be merged at this time. label Oct 22, 2024
Copy link
Contributor

mergify bot commented Oct 22, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: c77e869
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit aae03c9 into main Oct 22, 2024
12 checks passed
Copy link
Contributor

mergify bot commented Oct 22, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot deleted the yuanhaoz/customize-role-fix branch October 22, 2024 18:01
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 22, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1 pr-linter/exempt-test The PR linter will not require test changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

iam: Role.customizeRoles not work with dynamodb.Table.addGlobalSecondaryIndex
3 participants