
fix(iam): override Role.applyRemovalPolicy for customizeRoles #31652

Merged

Conversation

@konokenj konokenj commented Oct 4, 2024

Issue # (if applicable)

Closes #31651

Reason for this change

Role.customizeRoles throws an Error if there is a construct that calls applyRemovalPolicy internally. This means users cannot use it with some constructs like RestApi.

Error: Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.

This can be reproduced with:

import { App, Stack } from 'aws-cdk-lib';
import { RestApi } from 'aws-cdk-lib/aws-apigateway';
import { Role } from 'aws-cdk-lib/aws-iam';

const app = new App();
Role.customizeRoles(app);
const stack = new Stack(app, 'Stack');
new RestApi(stack, 'RestApi'); // throws: RestApi calls applyRemovalPolicy on a Role internally

Or explicitly:

import { App, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';

const app = new App();
Role.customizeRoles(app);
const stack = new Stack(app, 'Stack');
const role = new Role(stack, 'Role', { assumedBy: new ServicePrincipal('sns.amazonaws.com') });
role.applyRemovalPolicy(RemovalPolicy.DESTROY); // throws the same error

Description of changes

While it might be possible to fix RestApi, there could be other constructs within aws-cdk-lib that also call Role.applyRemovalPolicy. Moreover, it's nearly impossible to make library users aware of this.

Since Role implements the IResource interface, it has the responsibility to respond to the applyRemovalPolicy call. Therefore, I think it would be good to override applyRemovalPolicy in the Role class.

Description of how you validated changes

Fixed the existing unit test to change behavior.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
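As an added illustration, not code from this PR or from aws-cdk-lib, the TypeScript below models the mechanism the description relies on: the default Resource.applyRemovalPolicy looks up the construct's default child and throws when it is not a CfnResource, and under customizeRoles a Role never gets that child. It assumes the override treats the precreated case as a no-op; the merged PR's exact override body is not shown on this page.

```typescript
// Constructed model of the mechanism behind this PR's error; stand-ins, not aws-cdk-lib code.
type RemovalPolicy = 'destroy' | 'retain';
// Stand-in for CfnResource, the L1 resource that carries the policy in the template.
class CfnResource {
  removalPolicy?: RemovalPolicy;
  applyRemovalPolicy(policy: RemovalPolicy): void { this.removalPolicy = policy; }
}

// Stand-in for Resource: the default implementation delegates to the default
// child and throws when that child is not a CfnResource (the error on this page).
class Resource {
  protected defaultChild?: CfnResource;
  applyRemovalPolicy(policy: RemovalPolicy): void {
    const child = this.defaultChild;
    if (!child || !(child instanceof CfnResource)) {
      throw new Error('Cannot apply RemovalPolicy: no child or not a CfnResource. '
        + 'Apply the removal policy on the CfnResource directly.');
    }
    child.applyRemovalPolicy(policy);
  }
}

// Role before the fix: under customizeRoles no CfnRole is created (the role is
// reported for precreation instead), so defaultChild is empty and the call throws.
class RoleBefore extends Resource {
  constructor(precreated: boolean) {
    super();
    if (!precreated) this.defaultChild = new CfnResource();
  }
}

// Role with the override: a precreated role has no CloudFormation resource to carry
// the policy, so the call is a no-op (assumption of this model; the merged PR may differ).
class RoleAfter extends Resource {
  constructor(private readonly precreated: boolean) {
    super();
    if (!precreated) this.defaultChild = new CfnResource();
  }
  applyRemovalPolicy(policy: RemovalPolicy): void {
    if (this.precreated) return;
    super.applyRemovalPolicy(policy);
  }
  get cfnRemovalPolicy(): RemovalPolicy | undefined { return this.defaultChild?.removalPolicy; }
}

// Returns 'ok' or the thrown message so the two outcomes can be compared side by side.
function tryApply(role: Resource, policy: RemovalPolicy): string {
  try { role.applyRemovalPolicy(policy); return 'ok'; } catch (e) { return (e as Error).message; }
}
```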

@github-actions github-actions bot added bug This issue is a bug. p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Oct 4, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team October 4, 2024 13:28
@aws-cdk-automation aws-cdk-automation left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

konokenj commented Oct 4, 2024

Exemption Request

I've run the integ tests in aws-iam, but there are no changes.

❯ yarn integ aws-iam/test/integ.*.js                     
yarn run v1.22.22
$ integ-runner --language javascript aws-iam/test/integ.access-key.js aws-iam/test/integ.composite-principal.js aws-iam/test/integ.condition-with-ref.js aws-iam/test/integ.group.js aws-iam/test/integ.imported-role.js aws-iam/test/integ.instance-profile.js aws-iam/test/integ.managed-policy.js aws-iam/test/integ.oidc-provider.js aws-iam/test/integ.permissions-boundary.js aws-iam/test/integ.policy.js aws-iam/test/integ.principal-with-conditions-and-tags.js aws-iam/test/integ.principal-with-conditions.js aws-iam/test/integ.role.js aws-iam/test/integ.saml-provider.js aws-iam/test/integ.user-import.js aws-iam/test/integ.user.js aws-iam/test/integ.users-and-groups.js

Verifying integration test snapshots...

   Waiting for 17 more
  UNCHANGED  aws-iam/test/integ.user-import 59.019s
  UNCHANGED  aws-iam/test/integ.user 59.137s
  UNCHANGED  aws-iam/test/integ.group 59.023s
  UNCHANGED  aws-iam/test/integ.access-key 59.138s
  UNCHANGED  aws-iam/test/integ.composite-principal 59.218s
  UNCHANGED  aws-iam/test/integ.saml-provider 59.55s
  UNCHANGED  aws-iam/test/integ.principal-with-conditions-and-tags 59.556s
  UNCHANGED  aws-iam/test/integ.role 59.752s
  UNCHANGED  aws-iam/test/integ.principal-with-conditions 59.846s
  UNCHANGED  aws-iam/test/integ.condition-with-ref 59.864s
  UNCHANGED  aws-iam/test/integ.permissions-boundary 59.885s
  UNCHANGED  aws-iam/test/integ.instance-profile 59.814s
  UNCHANGED  aws-iam/test/integ.imported-role 60.011s
  UNCHANGED  aws-iam/test/integ.managed-policy 60.09s
  UNCHANGED  aws-iam/test/integ.policy 60.352s
  UNCHANGED  aws-iam/test/integ.oidc-provider 60.714s
  UNCHANGED  aws-iam/test/integ.users-and-groups 15.874s

Snapshot Results: 

Tests:    17 passed, 17 total
✨  Done in 80.46s.

@aws-cdk-automation aws-cdk-automation added pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 4, 2024
GavinZZ previously approved these changes Oct 7, 2024
@GavinZZ GavinZZ left a comment

LGTM, nice fix!

@GavinZZ GavinZZ dismissed their stale review October 7, 2024 23:25

Dismissing it to verify one more thing

GavinZZ commented Oct 7, 2024

@konokenj thanks for raising the PR. I think the changes look good, but I would still like to request that you update an existing integration test or add a new one under aws-cdk-lib/aws-iam to test the example you described, where Role.customizeRoles(stack) is used and a RestApi resource is created.

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 8, 2024 01:07

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

konokenj commented Oct 8, 2024

mergify bot commented Oct 8, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 8, 2024
@aws-cdk-automation
AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 9caa849
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

@mergify mergify bot merged commit 35ed5c6 into aws:main Oct 8, 2024
12 checks passed

github-actions bot commented Oct 8, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 8, 2024
Successfully merging this pull request may close these issues.

aws-iam: Role.customizeRoles does not work with constructs that calls applyRemovalPolicy internally