fix(core): fix policy synthesizer logic for precreated roles #31710
Issue # (if applicable)
Closes #31653
Reason for this change
With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles.
Description of changes
Intended behaviour

When `customizeRoles` is used, the `iam-policy-report.txt` report will contain a list of IAM roles and associated permissions that would have been created. This report is generated so that it attempts to resolve any references and replace them with a more user-friendly value.

The following are some examples of the value that will appear in the report:

The policy report will instead get:

`"(Path/To/SomeResource.Arn)"`

Current issues

There are two main issues here:

1. `App` scope. This caused the failure in the original issue, `Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found.`, because token resolution requires a Stack scope, not an App scope.

2. `DefaultTokenResolver`. The default token resolution class does not generate the same format of output values for the policy report, i.e. a concatenated token value such as `${Token[Token.X]}/index/*` would be converted to `(PhysicalId).Arn` instead of `"(Path/To/SomeResource.Arn)"`. `AWS::NoValue` would be rendered as `Tokens` in the policy report, which is not ideal. Update it to make it output `NOVALUE`.

This PR addresses the above two issues.
Description of how you validated changes
New and existing tests pass.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license