aws-iam: Nested Stacks provide different Policies with equal, therefore conflicting names #23957
Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug.), documentation (This is a problem with documentation.), effort/medium (Medium work item – several days of effort), p2
Describe the bug
When CDK creates IAM Policies within different instances of the same nested stack, the PolicyNames are equal. Thus, when these policies are attached to a role in the parent stack, one policy replaces another, and as a result only one policy ends up attached to the role. This happens even though the instances of the nested stack class have distinct construct ids.
Expected Behavior
Policies created within a nested stack should have distinct hashes appended to their names, depending on the construct id of the nested stack.
Current Behavior
Given a nested stack class with an IAM policy inside, each instance of the nested stack will produce a policy with the same name.
On deployment, CloudFormation does not complain about the equal names and replaces one policy with the other when both are attached to the same IAM role.
Reproduction Steps
The following example can be downloaded and reproduced from:
https://gitlab.com/codexamples/aws-iam-policy-bug
The cdk.out folder is already pushed to this repository, so no cdk synth run is required to see the input source code as well as the output manifests.
This example stack (source link) ...
... creating two instances of this nested stack (source link) ...
... will create two different policies with identical names:
cdk.out/AwsIamPolicyBugStacksub1C2BE4621.nested.template.json
cdk.out/AwsIamPolicyBugStacksub25BE75079.nested.template.json
Possible Solution
Involving the nested stack's id when creating the hash postfix of the policy (resource) name should fix the problem.
Maybe there is more to consider than just including the nested stacks id. I assume CDK maintainers would know.
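As an added illustration (not code from the report or from CDK), the script below does two things a practitioner would want here: it scans synthesized nested templates in cdk.out for AWS::IAM::Policy / AWS::IAM::ManagedPolicy resources whose PolicyName collides across files, and it shows a simplified version of the proposed fix, deriving the name suffix from the nested stack's construct id as well as the policy's own id. The two template bodies are constructed samples that only reuse the file names from the report; the hashing is a stand-in, not CDK's own unique-id algorithm.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample: two nested templates as CDK writes them to cdk.out, each
# declaring one AWS::IAM::Policy with the same PolicyName (the reported bug).
# Only the file names come from the report; the resource contents are made up.
_POLICY_BODY = {
    "Resources": {"PolicyA1B2C3D4": {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": "PolicyA1B2C3D4",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
            # Both nested stacks attach their policy to the same parent role.
            "Roles": [{"Ref": "referencetoParentRoleRef"}],
        },
    }}
}
NESTED_TEMPLATES = {
    "AwsIamPolicyBugStacksub1C2BE4621.nested.template.json": json.dumps(_POLICY_BODY),
    "AwsIamPolicyBugStacksub25BE75079.nested.template.json": json.dumps(_POLICY_BODY),
}


def colliding_policy_names(templates):
    """Map each policy name to the (file, logical id) pairs declaring it and
    return only the names that appear more than once across the templates."""
    seen = defaultdict(list)
    for fname, body in templates.items():
        for logical_id, res in json.loads(body).get("Resources", {}).items():
            props = res.get("Properties", {})
            if res.get("Type") == "AWS::IAM::Policy":
                name = props.get("PolicyName")
            elif res.get("Type") == "AWS::IAM::ManagedPolicy":
                name = props.get("ManagedPolicyName")
            else:
                continue
            if name:
                seen[name].append((fname, logical_id))
    return {name: refs for name, refs in seen.items() if len(refs) > 1}


def scoped_policy_name(nested_stack_id, policy_id):
    """Simplified stand-in for the proposed fix: the suffix hashes the nested
    stack id together with the policy id, so two instances of the same nested
    stack class yield different names (hypothetical, not CDK's algorithm)."""
    digest = hashlib.sha256(f"{nested_stack_id}/{policy_id}".encode()).hexdigest()
    return f"{policy_id}{digest[:8].upper()}"


if __name__ == "__main__":
    print(colliding_policy_names(NESTED_TEMPLATES))
```

Pointing `colliding_policy_names` at the real files under cdk.out (read each `*.nested.template.json` into the dict) turns this into a pre-deploy check that fails the pipeline before CloudFormation silently keeps only one policy on the role.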
Additional Information/Context
I could imagine the current (buggy) behaviour also affects other resources, especially when those resources are used within the parent stack, as the policy in the given example is.
CDK CLI Version
2.55.1
Framework Version
No response
Node.js Version
v16.19.0
OS
MacOS Darwin 22.3.0
Language
Python
Language Version
3.10
Other information
No response