fix(iam): importedRoleStackSafeDefaultPolicyName feature flag results in excessively long IAM policy names #27548
Conversation
github-actions
bot
added
the
beginning-contributor
github-actions
bot
added
bug
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
yamoyamoto
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-maintainer-review
There was a problem hiding this comment.
Looks good @yamoyamoto. Sorry it took us so long to get to this PR
| ? `${prefix}${Names.uniqueId(this)}` | ||
| : prefix; | ||
| if (defaultDefaultPolicyName.length > MAX_POLICY_NAME_LEN) { | ||
| defaultDefaultPolicyName = `Policy${Names.uniqueResourceName(this, { maxLength: MAX_POLICY_NAME_LEN - prefix.length })}`; |
There was a problem hiding this comment.
I think making "Policy" its on var was kind of overkill, but if we're doing that then we should use it on line 54 also.
There was a problem hiding this comment.
Indeed, it does become a bit difficult to read. However, we need prefix.length to subtract the length of 'Policy' from the policy name limit when using Names.uniqueResourceName(), so it seems reasonable to keep it as a variable.
but if we're doing that then we should use it on line 54 also.
My apologies, it was a simple oversight. I have now used the prefix variable.
| @@ -78,6 +78,21 @@ describe('IAM Role.fromRoleArn', () => { | |||
| expect(stack2PolicyNameCapture.asString()).toMatch(/PolicyRoleStack2ImportedRole.*/); | |||
| }); | |||
|
|
|||
| test('Policy name is truncated to a maximum length of 128 characters when the original name exceeds this limit', () =>{ | |||
There was a problem hiding this comment.
| test('Policy name is truncated to a maximum length of 128 characters when the original name exceeds this limit', () =>{ | |
| test('Policy name is truncated to a maximum length of 128 characters when the original name exceeds this limit', () => { |
There was a problem hiding this comment.
Sorry, I updated this.
| const defaultDefaultPolicyName = useUniqueName | ||
| ? `Policy${Names.uniqueId(this)}` | ||
| : 'Policy'; | ||
| const prefix = 'Policy'; |
There was a problem hiding this comment.
can we add a comment here on why we are doing it this way (to hopefully preserve existing policy names)
There was a problem hiding this comment.
I added comment. I would appreciate it if you could confirm.
aws-cdk-automation
removed
the
pr/needs-maintainer-review
mergify
bot
dismissed
kaizencc’s stale review
Pull request has been modified.
aws-cdk-automation
added
the
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify
bot
dismissed
kaizencc’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
… in excessively long IAM policy names (aws#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes aws#27409 , aws#24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within
aws_iam.ImportedRole.addToPrincipalPolicy()changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated usingNames.uniqueResourceName().Previously, the
Names.UniqueId()method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten usingNames.uniqueResourceName()—a function that allows for length specification.I considered replacing
Names.UniqueId()entirely withNames.uniqueResourceName(). However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods.Closes #27409 , #24441
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license