8000 fix(core): fix policy synthesizer logic for precreated roles (#31710) · aws/aws-cdk@aae03c9 · GitHub
[go: up one dir, main page]
Skip to content

Commit aae03c9

Browse files
GavinZZGavinZZ
authored
fix(core): fix policy synthesizer logic for precreated roles (#31710)
### Issue # (if applicable) Closes #31653 ### Reason for this change With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles. ### Description of changes #### Intended behaviour When `customizeRoles` is used, the `iam-policy-report.txt` report will contain a list of IAM roles and associated permissions that would have been created. This report is generated so that it attempts to resolve any references and replace with a more user friendly value. The following are some examples of the value that will appear in the report: ```json "Resource": { "Fn::GetAtt": [ "SomeResource", "Arn" ] } ``` The policy report will instead get: ```json "(Path/To/SomeResource.Arn)" ``` #### Current issues There are two main issues here: 1. Policy synthesizer (which is used for customizeRoles to generate report) is created with `App` scope. This caused the failure in the original issue `Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found.` because token resolution requires a Stack scope not an App scope. 2. The policy synthesizer was using `DefaultTokenResolver`. The default token resolution class does not generate the same format of output values for the policy report. i.e. A concatenated token value, i.e. `${Token[Token.X]}/index/*` would be converted to `(PhysicalId).Arn` instead of `"(Path/To/SomeResource.Arn)"`. 3. Pseudo parameters like `AWS::NoValue` would be rendered as `Tokens` in the policy report which is not idea. Update it to make it output `NOVALUE`. This PR addresses the above two issues. ### Description of how you validated changes New and existing tests pass. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent f656308 commit aae03c9

26 files changed

+1637
-6
lines changed

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.table-with-customized-role.js.snapshot/cdk-table-with-customized-role.assets.json

Lines changed: 19 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.table-with-customized-role.js.snapshot/cdk-table-with-customized-role.template.json

Lines changed: 83 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,83 @@
1+
{
2+
"Resources": {
3+
"TableCD117FA1": {
4+
"Type": "AWS::DynamoDB::Table",
5+
"Properties": {
6+
"AttributeDefinitions": [
7+
{
8+
"AttributeName": "pk",
9+
"AttributeType": "S"
10+
},
11+
{
12+
"AttributeName": "gsi-pk",
13+
"AttributeType": "S"
14+
}
15+
],
16+
"GlobalSecondaryIndexes": [
17+
{
18+
"IndexName": "gsi",
19+
"KeySchema": [
20+
{
21+
"AttributeName": "gsi-pk",
22+
"KeyType": "HASH"
23+
}
24+
],
25+
"Projection": {
26+
"ProjectionType": "ALL"
27+
},
28+
"ProvisionedThroughput": {
29+
"ReadCapacityUnits": 5,
30+
"WriteCapacityUnits": 5
31+
}
32+
}
33+
],
34+
"KeySchema": [
35+
{
36+
"AttributeName": "pk",
37+
"KeyType": "HASH"
38+
}
39+
],
40+
"ProvisionedThroughput": {
41+
"ReadCapacityUnits": 5,
42+
"WriteCapacityUnits": 5
43+
}
44+
},
45+
"UpdateReplacePolicy": "Retain",
46+
"DeletionPolicy": "Retain"
47+
}
48+
},
49+
"Parameters": {
50+
"BootstrapVersion": {
51+
"Type": "AWS::SSM::Parameter::Value<String>",
52+
"Default": "/cdk-bootstrap/hnb659fds/version",
53+
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
54+
}
55+
},
56+
"Rules": {
57+
"CheckBootstrapVersion": {
58+
"Assertions": [
59+
{
60+
"Assert": {
61+
"Fn::Not": [
62+
{
63+
"Fn::Contains": [
64+
[
65+
"1",
66+
"2",
67+
"3",
68+
"4",
69+
"5"
70+
],
71+
{
72+
"Ref": "BootstrapVersion"
73+
}
74+
]
75+
}
76+
]
77+
},
78+
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
79+
}
80+
]
81+
}
82+
}
83+
}

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.table-with-customized-role.js.snapshot/cdk-table-with-customized-role2.assets.json

Lines changed: 19 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.table-with-customized-role.js.snapshot/cdk-table-with-customized-role2.template.json

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"Resources": {
3+
"TableCD117FA1": {
4+
"Type": "AWS::DynamoDB::Table",
5+
"Properties": {
6+
"AttributeDefinitions": [
7+
{
8+
"AttributeName": "pk",
9+
"AttributeType": "S"
10+
}
11+
],
12+
"KeySchema": [
13+
{
14+
"AttributeName": "pk",
15+
"KeyType": "HASH"
16+
}
17+
],
18+
"ProvisionedThroughput": {
19+
"ReadCapacityUnits": 5,
20+
"WriteCapacityUnits": 5
21+
}
22+
},
23+
"UpdateReplacePolicy": "Retain",
24+
"DeletionPolicy": "Retain"
25+
}
26+
},
27+
"Parameters": {
28+
"BootstrapVersion": {
29+
"Type": "AWS::SSM::Parameter::Value<String>",
30+
"Default": "/cdk-bootstrap/hnb659fds/version",
31+
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
32+
}
33+
},
34+
"Rules": {
35+
"CheckBootstrapVersion": {
36+
"Assertions": [
37+
{
38+
"Assert": {
39+
"Fn::Not": [
40+
{
41+
"Fn::Contains": [
42+
[
43+
"1",
44+
"2",
45+
"3",
46+
"4",
47+
"5"
48+
],
49+
{
50+
"Ref": "BootstrapVersion"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
57+
}
58+
]
59+
}
60+
}
61+
}

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.table-with-customized-role.js.snapshot/cdk.out

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.table-with-customized-role.js.snapshot/cdkdynamodbcustomizedroleintegDefaultTestDeployAssertD6C925FC.assets.json

Lines changed: 19 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.table-with-customized-role.js.snapshot/cdkdynamodbcustomizedroleintegDefaultTestDeployAssertD6C925FC.template.json

Lines changed: 36 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.table-with-customized-role.js.snapshot/iam-policy-report.json

Lines changed: 90 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)
0