Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

aws-iam: Role.customizeRoles does not work with constructs that calls applyRemovalPolicy internally #31651

Closed
1 task
konokenj opened this issue Oct 4, 2024 · 2 comments · Fixed by #31652 or softwaremill/tapir#4137 · May be fixed by NOUIY/aws-solutions-constructs#135, NOUIY/aws-solutions-constructs#136 or bensullivan2002/photo-website#3
Closed
1 task

aws-iam: Role.customizeRoles does not work with constructs that calls applyRemovalPolicy internally #31651

konokenj opened this issue Oct 4, 2024 · 2 comments · Fixed by #31652 or softwaremill/tapir#4137 · May be fixed by NOUIY/aws-solutions-constructs#135, NOUIY/aws-solutions-constructs#136 or bensullivan2002/photo-website#3
Assignees
@ashishdhingra
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. p2

Comments

@konokenj
Copy link
Contributor

konokenj commented Oct 4, 2024

Describe the bug

Role.customizeRoles throws an Error if there is a construct that calls applyRemovalPolicy internally. This means users cannot use with some constructs like RestApi.

Error: Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.

Based on the unit test code, this appears to be the intended behavior by design. However, in practice, it is difficult for users to check whether customizeRoles has been called when using Role and avoid calling applyRemovalPolicy.

aws-cdk/packages/aws-cdk-lib/aws-iam/test/role.test.ts

Lines 250 to 252 in 18eb3eb

expect(() => {
role.applyRemovalPolicy(RemovalPolicy.DESTROY);
}).toThrow(/Cannot apply RemovalPolicy/);

For example, RestApi calls applyRemovalPolicy internally.

aws-cdk/packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts

Line 592 in 18eb3eb

role.applyRemovalPolicy(cloudWatchRoleRemovalPolicy);

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Ensure that the cloud assembly synthesis succeeds even if Role.applyRemovalPolicy is called.

Current Behavior

Throws error:

Error: Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.

Reproduction Steps

const app = new App();
Role.customizeRoles(app);
const stack = new Stack(app, 'Stack');
new RestApi(stack, 'RestApi');

and synthesize it.

Possible Solution

While it might be possible to fix RestApi, there could be other constructs within aws-cdk-lib that also call Role.applyRemovalPolicy. Moreover, it's nearly impossible to make library users aware of this.

Since Role implements the IResource interface, it has the responsibility to respond to the applyRemovalPolicy call. Therefore, I think it would be good to override applyRemovalPolicy in the Role class.

Additional Information/Context

No response

CDK CLI Version

2.161.0 (build be5ad8b)

Framework Version

2.161.0

Node.js Version

v20.13.1

OS

macOS Sonoma

Language

TypeScript

Language Version

TypeScript v5.6.2

Other information

No response
@konokenj konokenj added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 4, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Oct 4, 2024
@konokenj konokenj mentioned this issue Oct 4, 2024
Merged
1 task
@ashishdhingra ashishdhingra self-assigned this Oct 4, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 4, 2024
@mergify mergify bot closed this as completed in #31652 Oct 8, 2024
@mergify mergify bot closed this as completed in 35ed5c6 Oct 8, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 8, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

1 similar comment
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 8, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 8, 2024
@ashishdhingra ashishdhingra removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Oct 8, 2024
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees

@ashishdhingra ashishdhingra

Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. p2
Projects
None yet
Milestone
No milestone
2 participants
@ashishdhingra @konokenj