
Prevent role creating if context variable exists #22749

Closed
corymhall opened this issue Nov 2, 2022 · 1 comment · Fixed by #22856
@corymhall
Contributor

https://github.com/aws/aws-cdk-rfcs/blob/master/text/0063-precreated-roles.md

```ts
import { App } from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';

const app = new App();

// Must be called before any constructs are added under `app`:
// the context key it sets is what `new Role()` looks up.
iam.Role.customizeRoles(app, {
  preventSynthesis: true,
  usePrecreatedRoles: {
    'MyStack/MyLambda/Role': 'LambdaRole',
  },
});
```
- `customizeRoles` will set a context key at the given scope.

- `new Role()` will check for this context key. If found, `new CfnRole()` will not be called; a validation is added to the Role which will fail if no precreated name is assigned for it (meaning errors are reported as construct tree errors).

- Some of the logic will have to be reimplemented for the Custom Resource framework in `@aws-cdk/core`, which creates Roles but doesn't use `iam.Role` (but rather `CfnResource`).

- `customizeRoles` takes either absolute or relative construct paths to the scope it's invoked on. This makes it possible to set it on production stacks but not development stacks (for example).

- `customizeRoles` will throw if any of the paths it is invoked on already exist, or if no `iam.Role` creation was prevented. This should help find instances of people calling it after application construction, instead of before.

- Tokens are not supported.

@corymhall corymhall self-assigned this Nov 2, 2022
mergify bot pushed a commit that referenced this issue Nov 4, 2022
…sis) (#22780)

The `TreeMetadata` resource was being created as part of the `App` constructor, which meant that you could not add any context to the App node (you must add context _before_ any constructs are added). This moves the creation of `TreeMetadata` to be injected during `synthesis` similar to how we currently inject the metadata resource.

A side effect of this change is that we will now include tree metadata for resources that are added in `Stack.synthesize()` methods. The [synthesizeTree](https://github.com/aws/aws-cdk/blob/95e9e0f54a1dfb628d5146bd9b69c292547cf090/packages/@aws-cdk/core/lib/private/synthesis.ts#L193-L210) function visits nodes in the order that they were added to the tree. Previously the `TreeMetadata` was the first node so the TreeMetadata was generated first. Then if any Stacks would call `Stack.synthesize()` and add additional constructs (e.g. `BootstrapVersion`) these would not be added to the tree.

re #22749

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mergify mergify bot closed this as completed in #22856 Nov 11, 2022
mergify bot pushed a commit that referenced this issue Nov 11, 2022
Introduces a new static method `Role.customizeRoles` which allows customization of role creation behavior. By default this will prevent all IAM roles and policies from being created (they will not be synthesized in the template) and will generate a policy report (both human and machine readable versions) in the cloud assembly (i.e. cdk.out) with information on the roles that need to be created and their associated IAM policies.

If `customizeRoles.preventSynthesis=true` then this will
- prevent IAM roles (AWS::IAM::Role) from being created
- prevent managed policies (AWS::IAM::ManagedPolicy) from being created
- prevent IAM policies (AWS::IAM::Policy) from being created
- Managed policies that are created and _not_ attached to a role will not be synthesized _and_ will not be added to the report.

Errors are added using `Annotations.addError` so that the app will still synthesize to the `cdk.out` directory and the policy report will be generated.

The policy report can be generated _without_ preventing resource synthesis by setting `customizeRoles.preventSynthesis=false`.

I added an integration test `aws-lambda/test/integ.lambda-customize-roles.ts` that will only synthesize the snapshot. You can view the generated reports in the snapshot.

refactored:
- Moved the `Import` class that was created under the `fromRoleArn` to a separate private class (imported-role.ts). The implementation is the same (just moved).

This also adds support for the role created as part of custom resources in `core`.

closes #22749, closes #22862


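The mechanism described in the issue body and in the commit message above (a context key set on a scope, `new Role()` consulting it, a validation that fails when no precreated name was supplied, and a policy report that is still produced when synthesis is prevented) can be modelled end to end without the CDK. The following is an added example, not aws-cdk code: `Construct`, `Role`, `CfnRole`, `synthesize`, `demo` and the context key name are assumptions that imitate the CDK shape so the file runs offline. It goes slightly beyond the page by showing a relative path in `usePrecreatedRoles`, a role that was not mapped (reported as a construct error but still listed in the report), and an untouched development stack whose `AWS::IAM::Role` still reaches the template.

```typescript
// Added example modelling Role.customizeRoles; not code from aws-cdk.
// All class names and the context key below are assumptions.

interface PolicyStatement { actions: string[]; resources: string[] }
interface CustomizeRolesOptions {
  preventSynthesis?: boolean;                  // default true, as in the merged PR
  usePrecreatedRoles?: Record<string, string>; // construct path -> existing role name
}
// What customizeRoles stores in context (assumed shape).
interface CustomizeRolesConfig extends CustomizeRolesOptions { scopePath: string; rolesSeen: number }
interface PolicyReportEntry { constructPath: string; roleName: string; statements: PolicyStatement[] }
interface SynthResult { template: string[]; report: PolicyReportEntry[]; errors: string[] }

const CUSTOMIZE_ROLES_CONTEXT_KEY = '@example/iam:customizeRoles'; // assumed key, not the real one

class Construct {
  readonly children: Construct[] = [];
  readonly context = new Map<string, unknown>();
  constructor(readonly scope: Construct | undefined, readonly id: string) { scope?.children.push(this); }
  /** Slash-separated path below the root, e.g. "MyStack/MyLambda/Role". */
  get path(): string {
    const parts: string[] = [];
    let c: Construct = this;
    while (c.scope) { parts.unshift(c.id); c = c.scope; }
    return parts.join('/');
  }
  /** Context can only be set before children exist; this is why customizeRoles must run first. */
  setContext(key: string, value: unknown): void {
    if (this.children.length) throw new Error(`cannot set context on '${this.path}': children already added`);
    this.context.set(key, value);
  }
  /** Look the key up here, then in every enclosing scope. */
  tryGetContext(key: string): unknown {
    return this.context.has(key) ? this.context.get(key) : this.scope?.tryGetContext(key);
  }
  findAll(): Construct[] {
    const out: Construct[] = [this];
    for (const c of this.children) out.push(...c.findAll());
    return out;
  }
}

/** Stand-in for the CloudFormation-level AWS::IAM::Role resource. */
class CfnRole extends Construct {
  constructor(scope: Construct, id: string, readonly statements: PolicyStatement[]) { super(scope, id); }
}

class Role extends Construct {
  readonly statements: PolicyStatement[] = [];
  readonly precreatedName?: string;
  readonly synthesized: boolean;
  constructor(scope: Construct, id: string) {
    super(scope, id);
    const cfg = this.tryGetContext(CUSTOMIZE_ROLES_CONTEXT_KEY) as CustomizeRolesConfig | undefined;
    if (cfg) {
      cfg.rolesSeen++;
      // Accept an absolute path or one relative to the scope customizeRoles was called on.
      const rel = cfg.scopePath ? this.path.slice(cfg.scopePath.length + 1) : this.path;
      this.precreatedName = cfg.usePrecreatedRoles?.[this.path] ?? cfg.usePrecreatedRoles?.[rel];
    }
    this.synthesized = !(cfg && cfg.preventSynthesis !== false);
    // CfnRole is only created when synthesis is not prevented (statements array shared by reference).
    if (this.synthesized) new CfnRole(this, 'Resource', this.statements);
  }
  addToPolicy(s: PolicyStatement): void { this.statements.push(s); }
  /** Synth-time validation: fails only when the role was suppressed and no name was supplied. */
  validate(): string[] {
    return !this.synthesized && !this.precreatedName
      ? [`${this.path}: no precreated role name assigned (missing from usePrecreatedRoles)`] : [];
  }
  static customizeRoles(scope: Construct, options: CustomizeRolesOptions = {}): void {
    scope.setContext(CUSTOMIZE_ROLES_CONTEXT_KEY, { ...options, scopePath: scope.path, rolesSeen: 0 });
  }
}

/** Synthesis: errors are collected, not thrown, so the template and the report are still written. */
function synthesize(app: Construct): SynthResult {
  const all = app.findAll();
  const errors: string[] = [];
  for (const c of all) {
    const cfg = c.context.get(CUSTOMIZE_ROLES_CONTEXT_KEY) as CustomizeRolesConfig | undefined;
    if (cfg && cfg.rolesSeen === 0) errors.push(`customizeRoles on '${c.path}' affected no Role; called after construction?`);
  }
  const roles = all.filter((c): c is Role => c instanceof Role);
  for (const r of roles) errors.push(...r.validate());
  const report: PolicyReportEntry[] = roles
    .filter(r => r.tryGetContext(CUSTOMIZE_ROLES_CONTEXT_KEY) !== undefined)
    .map(r => ({ constructPath: r.path, roleName: r.precreatedName ?? 'MISSING ROLE', statements: r.statements }));
  const template = all.filter((c): c is CfnRole => c instanceof CfnRole).map(c => `AWS::IAM::Role ${c.path}`);
  return { template, report, errors };
}

/** Constructed demo: roles are customized on the production stack only. */
function demo(): SynthResult {
  const app = new Construct(undefined, '');
  const prod = new Construct(app, 'ProdStack');
  Role.customizeRoles(prod, { preventSynthesis: true, usePrecreatedRoles: { 'MyLambda/Role': 'LambdaRole' } });
  const fn = new Construct(prod, 'MyLambda');
  new Role(fn, 'Role').addToPolicy({ actions: ['logs:CreateLogStream'], resources: ['*'] });
  new Role(prod, 'Unmapped');                  // no name supplied: error, but still in the report
  new Role(new Construct(app, 'DevStack'), 'Role'); // untouched: AWS::IAM::Role stays in the template
  return synthesize(app);
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` yields one template resource (`DevStack/Role/Resource`), two report entries for the production stack (`LambdaRole` with its statement, and a `MISSING ROLE` entry for `ProdStack/Unmapped`), and a single construct error for the unmapped role. Calling `customizeRoles` after children exist throws immediately, and a scope it was applied to that never creates a Role surfaces as a synth error, matching the "call it before, not after" intent in the issue.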
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
