Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IAM: better support for managed policies #621

Closed
rix0rrr opened this issue Aug 23, 2018 · 1 comment
Closed

IAM: better support for managed policies #621

rix0rrr opened this issue Aug 23, 2018 · 1 comment

Comments

@rix0rrr
Copy link
Contributor

rix0rrr commented Aug 23, 2018

role.attachManagedPolicy() has a poor signature. It accepts any, but in fact it should accept only Arns (until we have modeled ManagedPolicies)

We had a user try to put a PolicyStatement in there, which led to the following error:

Exception in thread "main" software.amazon.jsii.JsiiException: While synthesizing hello-cdk/source-import-queue-reader/Resource: Trying to resolve() a Construct at /managedPolicyArns/0/Resource�  
While synthesizing hello-cdk/source-import-queue-reader/Resource: Trying to resolve() a Construct at /managedPolicyArns/0/Resource�
rix0rrr pushed a commit that referenced this issue Aug 27, 2018
fix: restrict allowable types in IAM libraries
8794552 
A number methods were allowing 'any's in places where they easily lead
to passing the wrong object.

- `role.attachManagedPolicy`
- Various methods on `PolicyStatement`.

By restrictinig the types to what we actually expect (or `string`s)
these mistakes will be harder to make.

Fixes #622, doesn't completely resolve but helps with #621.
@rix0rrr rix0rrr mentioned this issue Aug 27, 2018
Merged
rix0rrr added a commit that referenced this issue Aug 27, 2018
@rix0rrr
BREAKING CHANGE: narrow types in IAM libraries (#629)
c1bb851 
A number methods were allowing `any`s in places where they easily led
to passing the wrong object.

- `role.attachManagedPolicy()`, expected an `Arn` but it was possible to
  pass it a `Policy` object by mistake.
- Various methods on `PolicyStatement`. Notably: `addResource()` which
  is supposed to take an `Arn` but it was too easy to pass it a
  resource object by mistake.

By restrictinig the types to what we actually expect these mistakes will
be harder to make (at the expense of slightly more code when passing raw
strings).

Most likely breakage consumers will see:

- `addResource("*")`, replace with `addAllResources()`.
- `addResource("some-arn")`, replace with `new Arn("some-arn")`.
- `new ServicePrincipal(new FnConcat(...))`, replace with 
  `new ServicePrincipal(new FnConcat(...).toString())`.

Fixes #622, doesn't completely resolve but helps with #621.
@rix0rrr
Copy link
Contributor Author

rix0rrr commented Aug 27, 2018

This can be closed for now; modeling of ManagedPolicies can be deferred to another ticket.

@rix0rrr rix0rrr closed this as completed Aug 27, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rix0rrr