fix(iam): role/group/user's path not included in ARN (#13258)

Solution to #13156 


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-iam/lib/group.ts

@@ -197,7 +197,8 @@ export class Group extends GroupBase {
       region: '', // IAM is global in each partition
       service: 'iam',
       resource: 'group',
-      resourceName: this.physicalName,
+      // Removes leading slash from path
+      resourceName: `${props.path ? props.path.substr(props.path.charAt(0) === '/' ? 1 : 0) : ''}${this.physicalName}`,
     });
   }
 

packages/@aws-cdk/aws-iam/lib/role.ts

@@ -371,7 +371,8 @@ export class Role extends Resource implements IRole {
       region: '', // IAM is global in each partition
       service: 'iam',
       resource: 'role',
-      resourceName: this.physicalName,
+      // Removes leading slash from path
+      resourceName: `${props.path ? props.path.substr(props.path.charAt(0) === '/' ? 1 : 0) : ''}${this.physicalName}`,
     });
     this.roleName = this.getResourceNameAttribute(role.ref);
     this.policyFragment = new ArnPrincipal(this.roleArn).policyFragment;

packages/@aws-cdk/aws-iam/lib/user.ts

@@ -276,7 +276,8 @@ export class User extends Resource implements IIdentity, IUser {
       region: '', // IAM is global in each partition
       service: 'iam',
       resource: 'user',
-      resourceName: this.physicalName,
+      // Removes leading slash from path
+      resourceName: `${props.path ? props.path.substr(props.path.charAt(0) === '/' ? 1 : 0) : ''}${this.physicalName}`,
     });
 
     this.policyFragment = new ArnPrincipal(this.userArn).policyFragment;

packages/@aws-cdk/aws-iam/test/group.test.ts

@@ -1,5 +1,5 @@
 import { Template } from '@aws-cdk/assertions';
-import { App, Stack } from '@aws-cdk/core';
+import { App, CfnResource, Stack } from '@aws-cdk/core';
 import { Group, ManagedPolicy, User } from '../lib';
 
 describe('IAM groups', () => {
@@ -74,3 +74,32 @@ describe('IAM groups', () => {
     });
   });
 });
+
+test('cross-env group ARNs include path', () => {
+  const app = new App();
+  const groupStack = new Stack(app, 'group-stack', { env: { account: '123456789012', region: 'us-east-1' } });
+  const referencerStack = new Stack(app, 'referencer-stack', { env: { region: 'us-east-2' } });
+  const group = new Group(groupStack, 'Group', {
+    path: '/sample/path/',
+    groupName: 'sample-name',
+  });
+  new CfnResource(referencerStack, 'Referencer', {
+    type: 'Custom::GroupReferencer',
+    properties: { GroupArn: group.groupArn },
+  });
+
+  Template.fromStack(referencerStack).hasResourceProperties('Custom::GroupReferencer', {
+    GroupArn: {
+      'Fn::Join': [
+        '',
+        [
+          'arn:',
+          {
+            Ref: 'AWS::Partition',
+          },
+          ':iam::123456789012:group/sample/path/sample-name',
+        ],
+      ],
+    },
+  });
+});

packages/@aws-cdk/aws-iam/test/role.test.ts

@@ -1,6 +1,6 @@
 import { Template } from '@aws-cdk/assertions';
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
-import { Duration, Stack, App } from '@aws-cdk/core';
+import { Duration, Stack, App, CfnResource } from '@aws-cdk/core';
 import { AnyPrincipal, ArnPrincipal, CompositePrincipal, FederatedPrincipal, ManagedPolicy, PolicyStatement, Role, ServicePrincipal, User, Policy, PolicyDocument } from '../lib';
 
 describe('IAM role', () => {
@@ -569,4 +569,34 @@ test('managed policy ARNs are deduplicated', () => {
       },
     ],
   });
-});
+});
+
+test('cross-env role ARNs include path', () => {
+  const app = new App();
+  const roleStack = new Stack(app, 'role-stack', { env: { account: '123456789012', region: 'us-east-1' } });
+  const referencerStack = new Stack(app, 'referencer-stack', { env: { region: 'us-east-2' } });
+  const role = new Role(roleStack, 'Role', {
+    assumedBy: new ServicePrincipal('sns.amazonaws.com'),
+    path: '/sample/path/',
+    roleName: 'sample-name',
+  });
+  new CfnResource(referencerStack, 'Referencer', {
+    type: 'Custom::RoleReferencer',
+    properties: { RoleArn: role.roleArn },
+  });
+
+  Template.fromStack(referencerStack).hasResourceProperties('Custom::RoleReferencer', {
+    RoleArn: {
+      'Fn::Join': [
+        '',
+        [
+          'arn:',
+          {
+            Ref: 'AWS::Partition',
+          },
+          ':iam::123456789012:role/sample/path/sample-name',
+        ],
+      ],
+    },
+  });
+});

packages/@aws-cdk/aws-iam/test/user.test.ts

@@ -1,5 +1,5 @@
 import { Template } from '@aws-cdk/assertions';
-import { App, SecretValue, Stack, Token } from '@aws-cdk/core';
+import { App, CfnResource, SecretValue, Stack, Token } from '@aws-cdk/core';
 import { Group, ManagedPolicy, Policy, PolicyStatement, User } from '../lib';
 
 describe('IAM user', () => {
@@ -289,3 +289,32 @@ describe('IAM user', () => {
     });
   });
 });
+
+test('cross-env user ARNs include path', () => {
+  const app = new App();
+  const userStack = new Stack(app, 'user-stack', { env: { account: '123456789012', region: 'us-east-1' } });
+  const referencerStack = new Stack(app, 'referencer-stack', { env: { region: 'us-east-2' } });
+  const user = new User(userStack, 'User', {
+    path: '/sample/path/',
+    userName: 'sample-name',
+  });
+  new CfnResource(referencerStack, 'Referencer', {
+    type: 'Custom::UserReferencer',
+    properties: { UserArn: user.userArn },
+  });
+
+  Template.fromStack(referencerStack).hasResourceProperties('Custom::UserReferencer', {
+    UserArn: {
+      'Fn::Join': [
+        '',
+        [
+          'arn:',
+          {
+            Ref: 'AWS::Partition',
+          },
+          ':iam::123456789012:user/sample/path/sample-name',
+        ],
+      ],
+    },
+  });
+});