fix(iam): permissions boundary aspect doesn't always recognize roles (#…

…16154) Using `instanceof` does not seem to work in all scenarios. Instead, use the `CfnResource.isCfnResource` method to find the L1 constructs. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Sep 7, 2021 · c8bfcf6 · c8bfcf6
1 parent 492d33b
commit c8bfcf6
Showing 1 changed file with 4 additions and 8 deletions.
diff --git a/packages/@aws-cdk/aws-iam/lib/permissions-boundary.ts b/packages/@aws-cdk/aws-iam/lib/permissions-boundary.ts
@@ -33,10 +33,8 @@ export class PermissionsBoundary {
   public apply(boundaryPolicy: IManagedPolicy) {
     Node.of(this.scope).applyAspect({
       visit(node: IConstruct) {
-        if (node instanceof CfnRole || node instanceof CfnUser) {
-          node.permissionsBoundary = boundaryPolicy.managedPolicyArn;
-        } else if (
-          node instanceof CfnResource &&
+        if (
+          CfnResource.isCfnResource(node) &&
             (node.cfnResourceType == CfnRole.CFN_RESOURCE_TYPE_NAME || node.cfnResourceType == CfnUser.CFN_RESOURCE_TYPE_NAME)
         ) {
           node.addPropertyOverride('PermissionsBoundary', boundaryPolicy.managedPolicyArn);
@@ -51,10 +49,8 @@ export class PermissionsBoundary {
   public clear() {
     Node.of(this.scope).applyAspect({
       visit(node: IConstruct) {
-        if (node instanceof CfnRole || node instanceof CfnUser) {
-          node.permissionsBoundary = undefined;
-        } else if (
-          node instanceof CfnResource &&
+        if (
+          CfnResource.isCfnResource(node) &&
             (node.cfnResourceType == CfnRole.CFN_RESOURCE_TYPE_NAME || node.cfnResourceType == CfnUser.CFN_RESOURCE_TYPE_NAME)
         ) {
           node.addPropertyDeletionOverride('PermissionsBoundary');