Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(core): fix policy synthesizer logic for precreated roles #31710

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

fix(core): fix policy synthesizer logic for precreated roles #31710

wants to merge 5 commits into from

Conversation

GavinZZ
Copy link
Contributor

@GavinZZ GavinZZ commented Oct 9, 2024
edited
Loading

Issue # (if applicable)

Closes #31653

Reason for this change

With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles.

Description of changes

Intended behaviour

When customizeRoles is used, the iam-policy-report.txt report will contain a list
of IAM roles and associated permissions that would have been created. This report is
generated so that it attempts to resolve any references and replace with a more user
friendly value.

The following are some examples of the value that will appear in the report:

"Resource": {
      "Fn::GetAtt": [
           "SomeResource",
           "Arn"
       ]
}

The policy report will instead get:

"(Path/To/SomeResource.Arn)"

Current issues

There are two main issues here:

  1. Policy synthesizer (which is used for customizeRoles to generate report) is created with App scope. This caused the failure in the original issue Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found. because token resolution requires a Stack scope not an App scope.
  2. The policy synthesizer was using DefaultTokenResolver. The default token resolution class does not generate the same format of output values for the policy report. i.e. A concatenated token value, i.e. ${Token[Token.X]}/index/* would be converted to (PhysicalId).Arn instead of "(Path/To/SomeResource.Arn)".
  3. Pseudo parameters like AWS::NoValue would be rendered as Tokens in the policy report which is not idea. Update it to make it output NOVALUE.

This PR addresses the above two issues.

Description of how you validated changes

New and existing tests pass.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@GavinZZ GavinZZ added the pr-linter/exempt-test The PR linter will not require test changes label Oct 9, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team October 9, 2024 23:15
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p1 labels Oct 9, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 9, 2024
@GavinZZ GavinZZ marked this pull request as ready for review October 9, 2024 23:19
@GavinZZ GavinZZ force-pushed the yuanhaoz/customize-role-fix branch from 60ae7c1 to 1ce33ef Compare October 9, 2024 23:39
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 787b15b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1 pr/needs-maintainer-review This PR needs a review from a Core Team Member pr-linter/exempt-test The PR linter will not require test changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

iam: Role.customizeRoles not work with dynamodb.Table.addGlobalSecondaryIndex
2 participants
@GavinZZ @aws-cdk-automation