
feat(iam): customize IAM role creation behavior #22856

Merged
merged 6 commits into from Nov 11, 2022

Conversation

corymhall (Contributor) commented Nov 9, 2022

Introduces a new static method `Role.customizeRoles` which allows customization of role creation behavior. By default this will prevent all IAM roles and policies from being created (they will not be synthesized in the template) and will generate a policy report (both human and machine readable versions) in the cloud assembly (i.e. `cdk.out`) with information on the roles that need to be created and their associated IAM policies.

If `customizeRoles.preventSynthesis=true` then this will

  • prevent IAM roles (`AWS::IAM::Role`) from being created
  • prevent managed policies (`AWS::IAM::ManagedPolicy`) from being created
  • prevent IAM policies (`AWS::IAM::Policy`) from being created
  • Managed policies that are created and _not_ attached to a role will not be synthesized _and_ will not be added to the report.

Errors are added using `Annotations.addError` so that the app will still synthesize to the `cdk.out` directory and the policy report will be generated.

The policy report can be generated _without_ preventing resource synthesis by setting `customizeRoles.preventSynthesis=false`.

I added an integration test `aws-lambda/test/integ.lambda-customize-roles.ts` that will only synthesize the snapshot. You can view the generated reports in the snapshot.

refactored:

  • Moved the `Import` class that was created under `fromRoleArn` to a separate private class (`imported-role.ts`). The implementation is the same (just moved).

This also adds support for the role created as part of custom resources in core.

closes #22749, closes #22862


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
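The point of the machine-readable report described above is that somebody other than the CDK app (typically a security or platform team) creates the roles out-of-band, so the report is the natural place to review what is being requested before anything is provisioned. The following is an added example in TypeScript (the project's own language), not code from this PR or from aws-cdk: a small offline reviewer that reads such a report, lists the roles that were held back from synthesis, and flags over-broad requests (open trust policies, `AdministratorAccess`, wildcard actions, and non-read-only actions on `Resource "*"`). The report shape it parses (a top-level `roles` array with the fields shown), the finding categories, and the sample report are all assumptions constructed for this example, modelled on the PR description rather than copied from the project; compare the field names with the JSON report in the integration test snapshot before pointing it at a real `cdk.out`.

```typescript
// Added example (not from the aws-cdk PR): an offline reviewer for the
// machine-readable policy report that Role.customizeRoles writes to cdk.out.
// ASSUMPTION: the report shape below (a top-level "roles" array with these
// fields) is modelled on the PR description, not copied from the project.
// Compare it with the JSON report in the integration test snapshot first.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource?: string | string[];
  Principal?: string | { [key: string]: string | string[] };
}

interface RoleReportEntry {
  roleConstructPath: string;        // construct path of the Role in the CDK app
  missing: boolean;                 // true: held back from synthesis, create out-of-band
  assumeRolePolicy: PolicyStatement[];
  managedPolicyArns: string[];
  managedPolicyStatements: PolicyStatement[];
  identityPolicyStatements: PolicyStatement[];
}

export interface PolicyReport { roles: RoleReportEntry[]; }

// open-trust: anyone can assume the role; admin-managed-policy: AdministratorAccess
// attached; wildcard-action: Allow on "*" or "service:*"; wildcard-resource:
// a non-read-only action allowed on Resource "*".
export type FindingKind = "open-trust" | "admin-managed-policy" | "wildcard-action" | "wildcard-resource";
export interface Finding { role: string; kind: FindingKind; detail: string; }

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Verbs usually acceptable on Resource "*" (many List/Describe calls cannot be
// resource-scoped at all).
const READ_ONLY = /^[a-z0-9-]+:(Get|List|Describe)/;

function isOpenPrincipal(p: PolicyStatement["Principal"]): boolean {
  if (p === "*") return true;
  if (p !== undefined && typeof p === "object") return asList(p.AWS).includes("*");
  return false;
}

export function parseReport(json: string): PolicyReport {
  const parsed = JSON.parse(json);
  if (!parsed || !Array.isArray(parsed.roles)) {
    throw new Error("not a policy report: expected a top-level 'roles' array");
  }
  return parsed as PolicyReport;
}

// Construct paths of roles that were not synthesized and so must exist before
// the stack can deploy.
export function rolesToCreate(report: PolicyReport): string[] {
  return report.roles.filter((r) => r.missing).map((r) => r.roleConstructPath);
}

export function reviewReport(report: PolicyReport): Finding[] {
  const findings: Finding[] = [];
  for (const role of report.roles) {
    const add = (kind: FindingKind, detail: string) =>
      findings.push({ role: role.roleConstructPath, kind, detail });

    for (const s of role.assumeRolePolicy) {
      if (s.Effect === "Allow" && isOpenPrincipal(s.Principal)) {
        add("open-trust", `Principal "*" may call ${asList(s.Action).join(",")}`);
      }
    }
    for (const arn of role.managedPolicyArns) {
      if (arn.endsWith("/AdministratorAccess")) add("admin-managed-policy", arn);
    }
    for (const s of [...role.managedPolicyStatements, ...role.identityPolicyStatements]) {
      if (s.Effect !== "Allow") continue;
      const actions = asList(s.Action);
      const wild = actions.filter((a) => a === "*" || a.endsWith(":*"));
      if (wild.length > 0) {
        add("wildcard-action", wild.join(","));
        continue; // already maximal; do not also report the resource
      }
      if (asList(s.Resource).includes("*")) {
        const mutating = actions.filter((a) => !READ_ONLY.test(a));
        if (mutating.length > 0) add("wildcard-resource", `${mutating.join(",")} on Resource "*"`);
      }
    }
  }
  return findings;
}

// Constructed sample (not real cdk.out output): one well-scoped Lambda
// execution role and one deliberately over-privileged role.
export const SAMPLE_REPORT: PolicyReport = {
  roles: [
    {
      roleConstructPath: "LambdaStack/MyFunction/ServiceRole",
      missing: true,
      assumeRolePolicy: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "lambda.amazonaws.com" } }],
      managedPolicyArns: ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
      managedPolicyStatements: [],
      identityPolicyStatements: [{ Effect: "Allow", Action: ["s3:GetObject"], Resource: "arn:aws:s3:::example-bucket/*" }],
    },
    {
      roleConstructPath: "LambdaStack/AdminFunction/ServiceRole",
      missing: true,
      assumeRolePolicy: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: "*" } }],
      managedPolicyArns: ["arn:aws:iam::aws:policy/AdministratorAccess"],
      managedPolicyStatements: [{ Effect: "Allow", Action: "*", Resource: "*" }],
      identityPolicyStatements: [{ Effect: "Allow", Action: ["dynamodb:PutItem"], Resource: "*" }],
    },
  ],
};
```

To run it on a real cloud assembly, read the JSON report file from `cdk.out` (the file name is whatever the PR's snapshot shows; it is not hard-coded here) and pass its contents to `parseReport`, then `reviewReport`. Wildcard actions short-circuit the resource check so each statement yields at most one finding, and `Deny` statements are skipped because they only narrow what an `Allow` grants.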

mergify bot commented Nov 11, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

aws-cdk-automation (Collaborator) commented

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 3b3c3f7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@mergify mergify bot merged commit b25e526 into aws:main Nov 11, 2022
