iam: Role.customizeRoles not work with dynamodb.Table.addGlobalSecondaryIndex #31653

konokenj opened this issue Oct 4, 2024 · 2 comments · May be fixed by #31710
Labels: @aws-cdk/aws-iam, bug, effort/medium, p1

konokenj commented Oct 4, 2024

Describe the bug

With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles.

Log with CDK_DEBUG=true:

Error: Resolution error: Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found.
Object creation stack:
  at new Intrinsic (/path/to/repo//node_modules/aws-cdk-lib/core/lib/private/intrinsic.js:1:942)
  at new Reference (/path/to/repo//node_modules/aws-cdk-lib/core/lib/reference.js:1:599)
  at new <anonymous> (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4806)
  at mimicReference (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4802)
  at Table.getResourceArnAttribute (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4185)
  at new Table (/path/to/repo//node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:19121)
  at Object.<anonymous> (/path/to/repo//bin/quick/contrib-customizeroles-2.ts:12:15)
  at Module._compile (node:internal/modules/cjs/loader:1358:14)
  at Module.m._compile (/path/to/repo//node_modules/ts-node/src/index.ts:1618:23)
  at Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
  at Object.require.extensions.<computed> [as .ts] (/path/to/repo//node_modules/ts-node/src/index.ts:1621:12)
  at Module.load (node:internal/modules/cjs/loader:1208:32)
  at Function.Module._load (node:internal/modules/cjs/loader:1024:12)
  at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)
  at phase4 (/path/to/repo//node_modules/ts-node/src/bin.ts:649:14)
  at bootstrap (/path/to/repo//node_modules/ts-node/src/bin.ts:95:10)
  at main (/path/to/repo//node_modules/ts-node/src/bin.ts:55:10)
  at Object.<anonymous> (/path/to/repo//node_modules/ts-node/src/bin.ts:800:3)
  at Module._compile (node:internal/modules/cjs/loader:1358:14)
  at Object.Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
  at Module.load (node:internal/modules/cjs/loader:1208:32)
  at Function.Module._load (node:internal/modules/cjs/loader:1024:12)
  at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)
  at node:internal/main/run_main_module:28:49.
Object creation stack:
  at Function.string (/path/to/repo//node_modules/aws-cdk-lib/core/lib/lazy.js:1:953)
  at Table.combinedGrant (/path/to/repo//node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:13654)
  at Table.grantReadData (/path/to/repo//node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:4379)
  at Object.<anonymous> (/path/to/repo//bin/quick/contrib-customizeroles-2.ts:28:7)
  at Module._compile (node:internal/modules/cjs/loader:1358:14)
  at Module.m._compile (/path/to/repo//node_modules/ts-node/src/index.ts:1618:23)
  at Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
  at Object.require.extensions.<computed> [as .ts] (/path/to/repo//node_modules/ts-node/src/index.ts:1621:12)
  at Module.load (node:internal/modules/cjs/loader:1208:32)
  at Function.Module._load (node:internal/modules/cjs/loader:1024:12)
  at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)
  at phase4 (/path/to/repo//node_modules/ts-node/src/bin.ts:649:14)
  at bootstrap (/path/to/repo//node_modules/ts-node/src/bin.ts:95:10)
  at main (/path/to/repo//node_modules/ts-node/src/bin.ts:55:10)
  at Object.<anonymous> (/path/to/repo//node_modules/ts-node/src/bin.ts:800:3)
  at Module._compile (node:internal/modules/cjs/loader:1358:14)
  at Object.Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
  at Module.load (node:internal/modules/cjs/loader:1208:32)
  at Function.Module._load (node:internal/modules/cjs/loader:1024:12)
  at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)
  at node:internal/main/run_main_module:28:49
    at _lookup (/path/to/repo//node_modules/aws-cdk-lib/core/lib/stack.js:1:3005)
    at _lookup (/path/to/repo//node_modules/aws-cdk-lib/core/lib/stack.js:1:3178)
    at Function.of (/path/to/repo//node_modules/aws-cdk-lib/core/lib/stack.js:1:2736)
    at Object.produce (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4264)
    at Reference.resolve (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4877)
    at DefaultTokenResolver.resolveToken (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401)
    at resolve (/path/to/repo//node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:2711)
    at Object.resolve [as mapToken] (/path/to/repo//node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:1079)
    at TokenizedStringFragments.mapTokens (/path/to/repo//node_modules/aws-cdk-lib/core/lib/string-fragments.js:1:1475)
    at DefaultTokenResolver.resolveString (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resolvable.js:4:362)
Subprocess exited with error 1

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Successfully synthesize.

Current Behavior

Always throws error.

Reproduction Steps

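import { App, Stack } from 'aws-cdk-lib';
import { AttributeType, Table } from 'aws-cdk-lib/aws-dynamodb';
import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';

const app = new App();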
Role.customizeRoles(app, {
  usePrecreatedRoles: {
    'Stack/Role': 'my-precreated-role-name',
  },
});
const stack = new Stack(app, 'Stack');

const table = new Table(stack, 'Table', {
  partitionKey: {
    name: 'pk',
    type: AttributeType.STRING,
  },
});
table.addGlobalSecondaryIndex({
  indexName: 'gsi',
  partitionKey: {
    name: 'gsi-pk',
    type: AttributeType.STRING,
  },
});
const role = new Role(stack, 'Role', {
  assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
});
table.grantReadData(role);

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.161.0 (build be5ad8b)

Framework Version

2.161.0

Node.js Version

v20.13.1

OS

macOS Sonoma

Language

TypeScript

Language Version

TypeScript v5.6.2

Other information

No response

konokenj added the bug and needs-triage labels Oct 4, 2024
github-actions bot added the @aws-cdk/aws-iam label Oct 4, 2024
pahud self-assigned this Oct 4, 2024

pahud commented Oct 4, 2024

Reproducible.

I think the usage should be

iam.Role.customizeRoles(app, {
    usePrecreatedRoles: {
        'Role': 'my-existing-role-name',
    },
});

But I am getting the same error

% npx cdk diff
/Users/hunhsieh/repos/issue-triage/node_modules/constructs/src/construct.ts:214
throw new Error('Cannot set context after children have been added: ' + names.join(','));
^
Error: Cannot set context after children have been added: dummy-stack
    at Node.setContext (/Users/hunhsieh/repos/issue-triage/node_modules/constructs/src/construct.ts:214:13)
    at Function.customizeRoles (/Users/hunhsieh/repos/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:4467)
    at Object.<anonymous> (/Users/hunhsieh/repos/issue-triage/bin/issue-triage.ts:42:10)
    at Module._compile (node:internal/modules/cjs/loader:1233:14)
    at Module.m._compile (/Users/hunhsieh/repos/issue-triage/node_modules/ts-node/src/index.ts:1618:23)
    at Module._extensions..js (node:internal/modules/cjs/loader:1287:10)
    at Object.require.extensions.<computed> [as .ts] (/Users/hunhsieh/repos/issue-triage/node_modules/ts-node/src/index.ts:1621:12)
    at Module.load (node:internal/modules/cjs/loader:1091:32)
    at Function.Module._load (node:internal/modules/cjs/loader:938:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:83:12)

while if I use stack as the scope:

iam.Role.customizeRoles(stack, {
    usePrecreatedRoles: {
        'Role': 'my-existing-role-name',
    },
});

% npx cdk diff
/Users/hunhsieh/repos/issue-triage/node_modules/constructs/src/construct.ts:214
throw new Error('Cannot set context after children have been added: ' + names.join(','));
^
Error: Cannot set context after children have been added: Table,Role
    at Node.setContext (/Users/hunhsieh/repos/issue-triage/node_modules/constructs/src/construct.ts:214:13)
    at Function.customizeRoles (/Users/hunhsieh/repos/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:4467)
    at Object.<anonymous> (/Users/hunhsieh/repos/issue-triage/bin/issue-triage.ts:43:10)
    at Module._compile (node:internal/modules/cjs/loader:1233:14)
    at Module.m._compile (/Users/hunhsieh/repos/issue-triage/node_modules/ts-node/src/index.ts:1618:23)
    at Module._extensions..js (node:internal/modules/cjs/loader:1287:10)
    at Object.require.extensions.<computed> [as .ts] (/Users/hunhsieh/repos/issue-triage/node_modules/ts-node/src/index.ts:1621:12)
    at Module.load (node:internal/modules/cjs/loader:1091:32)
    at Function.Module._load (node:internal/modules/cjs/loader:938:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:83:12)

Subprocess exited with error 1

We'll bring this up to the team for inputs.

pahud added the p2, p1 and effort/medium labels and removed the needs-triage and p2 labels Oct 4, 2024
pahud removed their assignment Oct 4, 2024

konokenj commented Oct 7, 2024

Thank you @pahud, I've added the usePrecreatedRoles option to the sample code. But I got the same error that is described at first, not Error: Cannot set context after children have been added: dummy-stack.

Role.customizeRoles should be called on the app scope for multi-stack applications, I think. If called on the stack scope, the error you mentioned will occur: Error: Cannot set context after children have been added: dummy-stack.
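
Added example, not part of the thread and not code from constructs or aws-cdk-lib: a simplified TypeScript model of the ordering rule behind the two "Cannot set context after children have been added" errors quoted above, showing that context set on the app before any stack exists is visible to every descendant. `ModelNode`, `KEY`, `run` and this `customizeRoles` stand-in are hypothetical names; the model does not reproduce the PolicySynthesizer resolution error from the original report.

```typescript
// Simplified model of construct-tree context; not constructs or aws-cdk-lib code.
class ModelNode {
  readonly id: string;
  readonly scope: ModelNode | undefined;
  readonly children: ModelNode[] = [];
  private readonly context = new Map<string, unknown>();

  constructor(scope: ModelNode | undefined, id: string) {
    this.scope = scope;
    this.id = id;
    if (scope) scope.children.push(this);
  }

  // Context is frozen once a child exists, so descendants never see it change.
  setContext(key: string, value: unknown): void {
    if (this.children.length > 0) {
      const names = this.children.map((c) => c.id);
      throw new Error('Cannot set context after children have been added: ' + names.join(','));
    }
    this.context.set(key, value);
  }

  // Lookup walks up the tree, so a value set on the app reaches every stack.
  tryGetContext(key: string): unknown {
    if (this.context.has(key)) return this.context.get(key);
    return this.scope ? this.scope.tryGetContext(key) : undefined;
  }
}

const KEY = 'model:customizeRoles'; // hypothetical key, constructed for this example

// Stand-in for Role.customizeRoles: stores the role mapping as context on `scope`
// and returns 'ok' or the error message instead of throwing.
function customizeRoles(scope: ModelNode, roles: Record<string, string>): string {
  try { scope.setContext(KEY, roles); return 'ok'; }
  catch (e) { return (e as Error).message; }
}

// Build App -> dummy-stack -> Table, Role, calling customizeRoles at the chosen point.
function run(when: 'first' | 'afterStack' | 'onStack'): { result: string; visible: boolean } {
  const app = new ModelNode(undefined, 'App');
  let result = when === 'first' ? customizeRoles(app, { 'dummy-stack/Role': 'my-existing-role-name' }) : '';
  const stack = new ModelNode(app, 'dummy-stack');
  if (when === 'afterStack') result = customizeRoles(app, { Role: 'my-existing-role-name' });
  const table = new ModelNode(stack, 'Table');
  new ModelNode(stack, 'Role');
  if (when === 'onStack') result = customizeRoles(stack, { Role: 'my-existing-role-name' });
  return { result, visible: table.tryGetContext(KEY) !== undefined };
}
```

`run('first')` is the only ordering in which the role mapping reaches the resources inside the stack; the other two return the same messages as the two `cdk diff` runs in the earlier comment.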

GavinZZ self-assigned this Oct 8, 2024
GavinZZ linked a pull request Oct 9, 2024 that will close this issue