
Commit 8951d01

authored
fix(iam): PrincipalWithConditions.addCondition fails with a new key (#23782)
fixes #23781 This PR makes PrincipalWithConditions.addCondition skip validation of the existing condition object when there is none. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 9d23cad commit 8951d01

11 files changed

+479
-0
lines changed

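--- a/packages/@aws-cdk/aws-iam/lib/principals.ts
+++ b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -273,6 +273,7 @@ export class PrincipalWithConditions extends PrincipalAdapter {
 const existingValue = this.additionalConditions[key];
 if (!existingValue) {
 this.additionalConditions[key] = value;
+return;
 }
 validateConditionObject(existingValue);
 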
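Review bot: The new early `return` stores `value` for a previously unseen key without `validateConditionObject` ever seeing it on that path, while the existing-key path below still validates the stored object; unless the method already validates `value` before this hunk (its start is outside the view, so I cannot confirm), a malformed condition map for a new operator key would be accepted silently and only surface when the trust or permission policy is rendered. If that earlier check is absent, `validateConditionObject(value);` on the line before `this.additionalConditions[key] = value;` closes the gap on both paths at once. The `!existingValue` test is fine for the object values stored here, but a short comment such as `// first condition for this operator: store as-is, nothing to merge or validate against` would make the asymmetry between the two branches deliberate rather than accidental. addCondition starts and ends outside this hunk; the remaining files in the commit are generated integ snapshots and need no review.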
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
{
2+
"version": "29.0.0",
3+
"files": {
4+
"21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
5+
"source": {
6+
"path": "PrincipalWithConditionDefaultTestDeployAssertA4D5A2E9.template.json",
7+
"packaging": "file"
8+
},
9+
"destinations": {
10+
"current_account-current_region": {
11+
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12+
"objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
13+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
14+
}
15+
}
16+
}
17+
},
18+
"dockerImages": {}
19+
}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
{
2+
"Parameters": {
3+
"BootstrapVersion": {
4+
"Type": "AWS::SSM::Parameter::Value<String>",
5+
"Default": "/cdk-bootstrap/hnb659fds/version",
6+
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
7+
}
8+
},
9+
"Rules": {
10+
"CheckBootstrapVersion": {
11+
"Assertions": [
12+
{
13+
"Assert": {
14+
"Fn::Not": [
15+
{
16+
"Fn::Contains": [
17+
[
18+
"1",
19+
"2",
20+
"3",
21+
"4",
22+
"5"
23+
],
24+
{
25+
"Ref": "BootstrapVersion"
26+
}
27+
]
28+
}
29+
]
30+
},
31+
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
32+
}
33+
]
34+
}
35+
}
36+
}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
{"version":"29.0.0"}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
{
2+
"version": "29.0.0",
3+
"files": {
4+
"e190312aaf9fec4bd55ff6f059f2bf5d7453c4ade33a3d922bfd6ff0a61d3a62": {
5+
"source": {
6+
"path": "integ-principal-with-conditions.template.json",
7+
"packaging": "file"
8+
},
9+
"destinations": {
10+
"current_account-current_region": {
11+
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12+
"objectKey": "e190312aaf9fec4bd55ff6f059f2bf5d7453c4ade33a3d922bfd6ff0a61d3a62.json",
13+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
14+
}
15+
}
16+
}
17+
},
18+
"dockerImages": {}
19+
}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"Resources": {
3+
"TestRole6C9272DF": {
4+
"Type": "AWS::IAM::Role",
5+
"Properties": {
6+
"AssumeRolePolicyDocument": {
7+
"Statement": [
8+
{
9+
"Action": "sts:AssumeRole",
10+
"Condition": {
11+
"StringLike": {
12+
"aws:username": "foo-*",
13+
"aws:PrincipalTag/owner": "foo"
14+
},
15+
"Bool": {
16+
"aws:MultiFactorAuthPresent": "true"
17+
}
18+
},
19+
"Effect": "Allow",
20+
"Principal": {
21+
"AWS": "*"
22+
}
23+
}
24+
],
25+
"Version": "2012-10-17"
26+
}
27+
}
28+
}
29+
},
30+
"Parameters": {
31+
"BootstrapVersion": {
32+
"Type": "AWS::SSM::Parameter::Value<String>",
33+
"Default": "/cdk-bootstrap/hnb659fds/version",
34+
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
35+
}
36+
},
37+
"Rules": {
38+
"CheckBootstrapVersion": {
39+
"Assertions": [
40+
{
41+
"Assert": {
42+
"Fn::Not": [
43+
{
44+
"Fn::Contains": [
45+
[
46+
"1",
47+
"2",
48+
"3",
49+
"4",
50+
"5"
51+
],
52+
{
53+
"Ref": "BootstrapVersion"
54+
}
55+
]
56+
}
57+
]
58+
},
59+
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
60+
}
61+
]
62+
}
63+
}
64+
}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
{
2+
"version": "29.0.0",
3+
"testCases": {
4+
"PrincipalWithCondition/DefaultTest": {
5+
"stacks": [
6+
"integ-principal-with-conditions"
7+
],
8+
"assertionStack": "PrincipalWithCondition/DefaultTest/DeployAssert",
9+
"assertionStackName": "PrincipalWithConditionDefaultTestDeployAssertA4D5A2E9"
10+
}
11+
}
12+
}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,111 @@
1+
{
2+
"version": "29.0.0",
3+
"artifacts": {
4+
"integ-principal-with-conditions.assets": {
5+
"type": "cdk:asset-manifest",
6+
"properties": {
7+
"file": "integ-principal-with-conditions.assets.json",
8+
"requiresBootstrapStackVersion": 6,
9+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
10+
}
11+
},
12+
"integ-principal-with-conditions": {
13+
"type": "aws:cloudformation:stack",
14+
"environment": "aws://unknown-account/unknown-region",
15+
"properties": {
16+
"templateFile": "integ-principal-with-conditions.template.json",
17+
"validateOnSynth": false,
18+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
19+
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
20+
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e190312aaf9fec4bd55ff6f059f2bf5d7453c4ade33a3d922bfd6ff0a61d3a62.json",
21+
"requiresBootstrapStackVersion": 6,
22+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
23+
"additionalDependencies": [
24+
"integ-principal-with-conditions.assets"
25+
],
26+
"lookupRole": {
27+
"arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
28+
"requiresBootstrapStackVersion": 8,
29+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
30+
}
31+
},
32+
"dependencies": [
33+
"integ-principal-with-conditions.assets"
34+
],
35+
"metadata": {
36+
"/integ-principal-with-conditions/TestRole/Resource": [
37+
{
38+
"type": "aws:cdk:logicalId",
39+
"data": "TestRole6C9272DF"
40+
}
41+
],
42+
"/integ-principal-with-conditions/BootstrapVersion": [
43+
{
44+
"type": "aws:cdk:logicalId",
45+
"data": "BootstrapVersion"
46+
}
47+
],
48+
"/integ-principal-with-conditions/CheckBootstrapVersion": [
49+
{
50+
"type": "aws:cdk:logicalId",
51+
"data": "CheckBootstrapVersion"
52+
}
53+
]
54+
},
55+
"displayName": "integ-principal-with-conditions"
56+
},
57+
"PrincipalWithConditionDefaultTestDeployAssertA4D5A2E9.assets": {
58+
"type": "cdk:asset-manifest",
59+
"properties": {
60+
"file": "PrincipalWithConditionDefaultTestDeployAssertA4D5A2E9.assets.json",
61+
"requiresBootstrapStackVersion": 6,
62+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
63+
}
64+
},
65+
"PrincipalWithConditionDefaultTestDeployAssertA4D5A2E9": {
66+
"type": "aws:cloudformation:stack",
67+
"environment": "aws://unknown-account/unknown-region",
68+
"properties": {
69+
"templateFile": "PrincipalWithConditionDefaultTestDeployAssertA4D5A2E9.template.json",
70+
"validateOnSynth": false,
71+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
72+
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
73+
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
74+
"requiresBootstrapStackVersion": 6,
75+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
76+
"additionalDependencies": [
77+
"PrincipalWithConditionDefaultTestDeployAssertA4D5A2E9.assets"
78+
],
79+
"lookupRole": {
80+
"arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
81+
"requiresBootstrapStackVersion": 8,
82+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
83+
}
84+
},
85+
"dependencies": [
86+
"PrincipalWithConditionDefaultTestDeployAssertA4D5A2E9.assets"
87+
],
88+
"metadata": {
89+
"/PrincipalWithCondition/DefaultTest/DeployAssert/BootstrapVersion": [
90+
{
91+
"type": "aws:cdk:logicalId",
92+
"data": "BootstrapVersion"
93+
}
94+
],
95+
"/PrincipalWithCondition/DefaultTest/DeployAssert/CheckBootstrapVersion": [
96+
{
97+
"type": "aws:cdk:logicalId",
98+
"data": "CheckBootstrapVersion"
99+
}
100+
]
101+
},
102+
"displayName": "PrincipalWithCondition/DefaultTest/DeployAssert"
103+
},
104+
"Tree": {
105+
"type": "cdk:tree",
106+
"properties": {
107+
"file": "tree.json"
108+
}
109+
}
110+
}
111+
}
