
Prevent role creation for resources created with CfnResource #22862

Closed
corymhall opened this issue Nov 10, 2022 · 1 comment · Fixed by #22856
@corymhall (Contributor)

Follow up to #22749.

There are some IAM resources that are created using the CfnResource L0 which we need to also prevent creation of.

@corymhall corymhall self-assigned this Nov 10, 2022
@mergify mergify bot closed this as completed in #22856 Nov 11, 2022
mergify bot pushed a commit that referenced this issue Nov 11, 2022
Introduces a new static method `Role.customizeRoles` which allows customization of role creation behavior. By default this will prevent all IAM roles and policies from being created (they will not be synthesized in the template) and will generate a policy report (both human and machine readable versions) in the cloud assembly (i.e. cdk.out) with information on the roles that need to be created and their associated IAM policies.

If `customizeRoles.preventSynthesis=true` then this will
- prevent IAM roles (AWS::IAM::Role) from being created
- prevent managed policies (AWS::IAM::ManagedPolicy) from being created
- prevent IAM policies (AWS::IAM::Policy) from being created
- Managed policies that are created and _not_ attached to a role will not be synthesized _and_ will not be added to the report.

Errors are added using `Annotations.addError` so that the app will still synthesize to the `cdk.out` directory and the policy report will be generated.

The policy report can be generated _without_ preventing resource synthesis by setting `customizeRoles.preventSynthesis=false`.

I added an integration test `aws-lambda/test/integ.lambda-customize-roles.ts` that will only synthesize the snapshot. You can view the generated reports in the snapshot.

refactored:
- Moved the `Import` class that was created under the `fromRoleArn` to a separate private class (imported-role.ts). The implementation is the same (just moved).

This also adds support for the role created as part of custom resources in `core`.

closes #22749, closes #22862
