fix(cognito-identitypool-alpha): remove RoleAttachment construct #33305
This reverts commit ba97306.
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #33305 +/- ##
=======================================
Coverage 80.92% 80.92%
=======================================
Files 236 236
Lines 14256 14256
Branches 2491 2491
=======================================
Hits 11537 11537
Misses 2434 2434
Partials 285 285
It feels like there's a bunch of breaking changes here. They need to be called out in the PR description so that they show up in the changelog.
didn't see em, sorry. i think the comment should have a remediation step for users tho
The logic for creating a default role attachment has been altered to create the L1 instead of the L2. This will trigger redeployments for all users of the IdentityPool construct.
Can you elaborate on this decision to replace the L2 with the L1?
Overall looks good, just a few clarifying questions.
packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts
/** | ||
* Configures role mappings for the Identity Pool Role Attachment | ||
*/ | ||
private configureRoleMappings( |
Is this method the exact same implementation as the old one or were there any modifications made?
It's directly copy-pasted from the old IdentityPoolRoleAttachment class, so all the logic is preserved.
…ool.ts Co-authored-by: paulhcsun <[email protected]>
Previously, the "role attachment" that links authenticated and unauthenticated roles to the identity pool was its own construct. The L1s exist separately, but since only one role attachment can exist for a given identity pool, the L2 is effectively useless, since we already create one by default. The
Issue # (if applicable)
Closes #23449

Reason for this change
What we had assumed was a bug from the service team had been investigated and revealed to be expected behaviour: an IdentityPool can only have a single IdentityPoolRoleAttachment attached to it. This went against our initial assumptions that were supported by previously-written code, which was that multiple of these attachments could be created. As such, to ensure clarity and prevent ambiguity, this library will be updated to abstract away the role attachment, as one is already created by default.

Description of changes
identitypool-role-attachment.ts, moving or deleting its contents:
- IdentityPoolRoleAttachment class
- IdentityPoolRoleAttachment.configureRoleMappings() function has been moved inside of IdentityPool
- IIdentityPoolRoleAttachment and IdentityPoolRoleAttachmentProps interfaces
- IdentityPoolRoleMapping, RoleMatchingMatchType, and RoleMappingRule to lib/identitypool.ts
- IdentityPool's private roleAttachmentCount attribute has been removed, as it never should have been there to begin with
- IdentityPool.addRoleMappings() method has been removed
- IdentityPool construct.

Describe any new or updated permissions being added
N/A

Description of how you validated changes
yarn test runs and the integ test snapshot was updated via yarn integ.

Checklist

BREAKING CHANGE: The IdentityPoolRoleAttachment construct and IdentityPool.addRoleMappings() function will no longer exist. This is to disambiguate that only one role attachment can exist per Identity Pool. If you need to add role mappings, please do so when the IdentityPool is created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
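
The description above says an identity pool can have only a single role attachment. As an added example (not code from this pull request or from aws-cdk), the check below scans a synthesized CloudFormation template for identity pools that more than one AWS::Cognito::IdentityPoolRoleAttachment resource points at. The type names, function names and the sample template are hypothetical and constructed for illustration.

```typescript
// Added example; every name defined here is hypothetical, not an aws-cdk API.
type TemplateResource = { Type: string; Properties?: { [key: string]: unknown } };
type CfnTemplate = { Resources: { [logicalId: string]: TemplateResource } };
type AttachmentFinding = { pool: string; attachments: string[] };

const POOL = "AWS::Cognito::IdentityPool";
const ATTACHMENT = "AWS::Cognito::IdentityPoolRoleAttachment";

// Reduce an IdentityPoolId value to a comparable key: {"Ref": "<logical id>"},
// a literal pool id string, or any other expression (compared by its JSON form).
function poolKey(value: unknown): string {
  if (typeof value === "string") return "id:" + value;
  if (typeof value === "object" && value !== null && "Ref" in value) {
    return "ref:" + String((value as { Ref: unknown }).Ref);
  }
  return "expr:" + JSON.stringify(value);
}

// List every identity pool that more than one role attachment points at.
function duplicateRoleAttachments(template: CfnTemplate): AttachmentFinding[] {
  const byPool: { [pool: string]: string[] } = {};
  for (const logicalId of Object.keys(template.Resources).sort()) {
    const res = template.Resources[logicalId];
    if (!res || res.Type !== ATTACHMENT) continue;
    const key = poolKey(res.Properties ? res.Properties["IdentityPoolId"] : undefined);
    const ids = byPool[key] || [];
    ids.push(logicalId);
    byPool[key] = ids;
  }
  const findings: AttachmentFinding[] = [];
  for (const pool of Object.keys(byPool)) {
    const attachments = byPool[pool] || [];
    if (attachments.length > 1) findings.push({ pool, attachments });
  }
  return findings;
}

// Constructed sample template: PoolA has two attachments, PoolB has one.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    PoolA: { Type: POOL, Properties: { AllowUnauthenticatedIdentities: false } },
    PoolB: { Type: POOL, Properties: { AllowUnauthenticatedIdentities: false } },
    PoolADefaultAttachment: { Type: ATTACHMENT, Properties: { IdentityPoolId: { Ref: "PoolA" } } },
    PoolAExtraAttachment: { Type: ATTACHMENT, Properties: { IdentityPoolId: { Ref: "PoolA" } } },
    PoolBDefaultAttachment: { Type: ATTACHMENT, Properties: { IdentityPoolId: { Ref: "PoolB" } } },
  },
};

const SAMPLE_FINDINGS = duplicateRoleAttachments(SAMPLE_TEMPLATE);
```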