fix(core): respect host-stack permissions boundary for ref-time custom resource roles #33467
Issue # (if applicable)
Closes #30179
Reason for this change
The permissions boundary applied to a stack is not propagated to roles created by custom resources where these enter the assembly at reference-resolution time. Examples of this are cross-stack references and references to list values which must be JSON stringified.
Presently various custom-resource-backed CDK features cannot be deployed into environments which require a permissions boundary on workload-created roles.
Please see my comment on the issue for a bit more detail.
Description of changes
This change exposes the PB assigned to a stack and uses this to apply a custom resource's host stack PB to its roles.
The change is straightforward but it changes the API surface of `Stack`, and as such I propose this as a solution sketch and do not expect it to be accepted in its current form. I am not sufficiently familiar with the design of the codebase to know where best to solve this, though, so would welcome contributor/maintainer views.

Some thoughts:
- `PermissionsBoundary` is accepted by `Stack` as a prop as it stands. Perhaps this could be returned from a public field on `Stack` and plumbed into the proposed solution instead.
- `Stack` could be factored out to somewhere else and used in both places

Describe any new or updated permissions being added
None. Existing PB configuration now respected, however.
Description of how you validated changes
Simple unit tests added
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
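The gap the PR describes can be checked independently of CDK internals by scanning a synthesized CloudFormation template (a file under cdk.out/) for IAM roles that carry no PermissionsBoundary. The following is an added example, not code from the PR or from aws-cdk; the template and its logical IDs are constructed sample data.

```typescript
// Added example (not from the PR): find AWS::IAM::Role resources in a
// synthesized template that lack a PermissionsBoundary, or whose boundary
// does not match the one expected for the stack.

type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources?: Record<string, CfnResource> };

interface BoundaryFinding {
  logicalId: string;
  reason: "missing" | "unexpected-value";
  value?: unknown;
}

// Returns one finding per role whose PermissionsBoundary is absent or, when
// `expected` is given, differs from it. `expected` may be a plain ARN string
// or a CloudFormation intrinsic object (e.g. { "Fn::Sub": ... }); objects
// are compared structurally via their JSON serialisation.
function findRolesWithoutBoundary(
  template: CfnTemplate,
  expected?: unknown,
): BoundaryFinding[] {
  const findings: BoundaryFinding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== "AWS::IAM::Role") continue;
    const pb = res.Properties?.PermissionsBoundary;
    if (pb === undefined || pb === null || pb === "") {
      findings.push({ logicalId, reason: "missing" });
    } else if (expected !== undefined && JSON.stringify(pb) !== JSON.stringify(expected)) {
      findings.push({ logicalId, reason: "unexpected-value", value: pb });
    }
  }
  return findings;
}

// Constructed sample template (logical IDs are invented, not CDK's real ones):
// the workload role carries the stack's boundary, the custom-resource
// provider role does not, which is the situation the PR fixes.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    WorkloadRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {},
        PermissionsBoundary: { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/example-boundary" },
      },
    },
    CustomResourceProviderRole: {
      Type: "AWS::IAM::Role",
      Properties: { AssumeRolePolicyDocument: {} },
    },
    SomeBucket: { Type: "AWS::S3::Bucket" },
  },
};
```

Run it over every template in cdk.out/ as a pipeline gate; a non-empty result means a role would be created outside the boundary the environment requires.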