
Commit c78ef1b

stm29paulhcsunGavinZZ
authored
fix(iam): Role.addManagedPolicy() does not work for imported roles IRole #8307 (#31212)
### Issue #8307 Closes #8307 ### Reason for this change - This addManagedPolicy() currently does nothing: it neither throws a warning nor fails. ### Description of changes - This implements **addManagedPolicy()** for **ImportedRole** - This throws an Error when an `IRole` is used with an `IManagedPolicy`, due to the constraints below ### Approaches decided - We can't change **addManagedPolicy(policy: IManagedPolicy)** to **addManagedPolicy(policy: ManagedPolicy)** (i.e., to ManagedPolicy), the way **attachInlinePolicy(policy: Policy)** does, because it would break many customers. - https://github.com/aws/aws-cdk/blob/823ff6e03899f790a4cb1c43f92a02cc906ac356/packages/aws-cdk-lib/aws-iam/lib/identity-base.ts#L17-L21 - So we need to handle this gracefully while accepting only **ManagedPolicy**. - We can't make IRole and IManagedPolicy do the work at the same time, so we need to allow ManagedPolicy in the params and throw an Error when an IManagedPolicy is passed, because of how **attachToRole()** will be used by **addManagedPolicy()** - #### This PR implements the following: - enables **addManagedPolicy()** - accepts **ManagedPolicy** - throws an understandable Error when an `IRole` is used with an `IManagedPolicy`. ### Description of how you validated changes - unit & integration tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: paulhcsun <[email protected]> Co-authored-by: GZ <[email protected]>
1 parent f4c19c7 commit c78ef1b


17 files changed

+24662
-54758
lines changed


packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.imported-role.js.snapshot/ImportedRoleTestAssertions.assets.json

+6-6

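--- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.imported-role.js.snapshot/ImportedRoleTestAssertions.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.imported-role.js.snapshot/ImportedRoleTestAssertions.template.json
@@ -34,7 +34,7 @@
 "PolicyNames.2",
 "PolicyNames.3"
 ],
-"salt": "1697413484207"
+"salt": "1729447009370"
 },
 "UpdateReplacePolicy": "Delete",
 "DeletionPolicy": "Delete"
@@ -73,6 +73,15 @@
 "Resource": [
 "*"
 ]
+},
+{
+"Action": [
+"iam:ListAttachedRolePolicies"
+],
+"Effect": "Allow",
+"Resource": [
+"*"
+]
 }
 ]
 }
@@ -83,12 +92,20 @@
 "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F": {
 "Type": "AWS::Lambda::Function",
 "Properties": {
-"Runtime": "nodejs18.x",
+"Runtime": {
+"Fn::FindInMap": [
+"LatestNodeRuntimeMap",
+{
+"Ref": "AWS::Region"
+},
+"value"
+]
+},
 "Code": {
 "S3Bucket": {
 "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
 },
-"S3Key": "c91921c142e824b74d06797a2be74eab5d0dd0453e753549f5182ac7a02f556b.zip"
+"S3Key": "e77649078c9dea5bbb707b7fe68014cfa5d919a38d31b467f6a205b51ea63a83.zip"
 },
 "Timeout": 120,
 "Handler": "index.handler",
@@ -99,6 +116,43 @@
 ]
 }
 }
+},
+"AwsApiCallIAMlistAttachedRolePolicies7b6e565f3b40bc5c7faa65c17a68f5be": {
+"Type": "Custom::DeployAssert@SdkCallIAMlistAttachedRolePolicies",
+"Properties": {
+"ServiceToken": {
+"Fn::GetAtt": [
+"SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
+"Arn"
+]
+},
+"service": "IAM",
+"api": "listAttachedRolePolicies",
+"expected": "{\"$StringLike\":\"^MyCustomManagedPolicy[0-9]$\"}",
+"actualPath": "AttachedPolicies.1.PolicyName",
+"parameters": {
+"RoleName": {
+"Fn::Join": [
+"",
+[
+"\"",
+{
+"Fn::ImportValue": "integ-iam-imported-role-3:ExportsOutputRefroleToBeImportedCAC1213CDE38D2C6"
+},
+"\""
+]
+]
+}
+},
+"flattenResponse": "true",
+"outputPaths": [
+"AttachedPolicies.0.PolicyName",
+"AttachedPolicies.1.PolicyName"
+],
+"salt": "1729447009371"
+},
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
 }
 },
 "Outputs": {
@@ -109,6 +163,138 @@
 "assertion"
 ]
 }
+},
+"AssertionResultsAwsApiCallIAMlistAttachedRolePolicies7b6e565f3b40bc5c7faa65c17a68f5be": {
+"Value": {
+"Fn::GetAtt": [
+"AwsApiCallIAMlistAttachedRolePolicies7b6e565f3b40bc5c7faa65c17a68f5be",
+"assertion"
+]
+}
+}
+},
+"Mappings": {
+"LatestNodeRuntimeMap": {
+"af-south-1": {
+"value": "nodejs20.x"
+},
+"ap-east-1": {
+"value": "nodejs20.x"
+},
+"ap-northeast-1": {
+"value": "nodejs20.x"
+},
+"ap-northeast-2": {
+"value": "nodejs20.x"
+},
+"ap-northeast-3": {
+"value": "nodejs20.x"
+},
+"ap-south-1": {
+"value": "nodejs20.x"
+},
+"ap-south-2": {
+"value": "nodejs20.x"
+},
+"ap-southeast-1": {
+"value": "nodejs20.x"
+},
+"ap-southeast-2": {
+"value": "nodejs20.x"
+},
+"ap-southeast-3": {
+"value": "nodejs20.x"
+},
+"ap-southeast-4": {
+"value": "nodejs20.x"
+},
+"ap-southeast-5": {
+"value": "nodejs20.x"
+},
+"ap-southeast-7": {
+"value": "nodejs20.x"
+},
+"ca-central-1": {
+"value": "nodejs20.x"
+},
+"ca-west-1": {
+"value": "nodejs20.x"
+},
+"cn-north-1": {
+"value": "nodejs18.x"
+},
+"cn-northwest-1": {
+"value": "nodejs18.x"
+},
+"eu-central-1": {
+"value": "nodejs20.x"
+},
+"eu-central-2": {
+"value": "nodejs20.x"
+},
+"eu-isoe-west-1": {
+"value": "nodejs18.x"
+},
+"eu-north-1": {
+"value": "nodejs20.x"
+},
+"eu-south-1": {
+"value": "nodejs20.x"
+},
+"eu-south-2": {
+"value": "nodejs20.x"
+},
+"eu-west-1": {
+"value": "nodejs20.x"
+},
+"eu-west-2": {
+"value": "nodejs20.x"
+},
+"eu-west-3": {
+"value": "nodejs20.x"
+},
+"il-central-1": {
+"value": "nodejs20.x"
+},
+"me-central-1": {
+"value": "nodejs20.x"
+},
+"me-south-1": {
+"value": "nodejs20.x"
+},
+"mx-central-1": {
+"value": "nodejs20.x"
+},
+"sa-east-1": {
+"value": "nodejs20.x"
+},
+"us-east-1": {
+"value": "nodejs20.x"
+},
+"us-east-2": {
+"value": "nodejs20.x"
+},
+"us-gov-east-1": {
+"value": "nodejs18.x"
+},
+"us-gov-west-1": {
+"value": "nodejs18.x"
+},
+"us-iso-east-1": {
+"value": "nodejs18.x"
+},
+"us-iso-west-1": {
+"value": "nodejs18.x"
+},
+"us-isob-east-1": {
+"value": "nodejs18.x"
+},
+"us-west-1": {
+"value": "nodejs20.x"
+},
+"us-west-2": {
+"value": "nodejs20.x"
+}
 }
 },
 "Parameters": {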
