aws · HBobertz · Jan 31, 2023 · Jan 4, 2023 · Jan 4, 2023 · Jan 4, 2023
diff --git a/packages/@aws-cdk/aws-redshift/lib/cluster.ts b/packages/@aws-cdk/aws-redshift/lib/cluster.ts
@@ -4,6 +4,7 @@ import * as kms from '@aws-cdk/aws-kms';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 import { Duration, IResource, RemovalPolicy, Resource, SecretValue, Token } from '@aws-cdk/core';
+import { AwsCustomResource, PhysicalResourceId, AwsCustomResourcePolicy } from '@aws-cdk/custom-resources';
 import { Construct } from 'constructs';
 import { DatabaseSecret } from './database-secret';
 import { Endpoint } from './endpoint';
@@ -304,6 +305,13 @@ export interface ClusterProps {
    */
   readonly roles?: iam.IRole[];
 
+  /**
+   * A single AWS Identity and Access Management (IAM) role to be used as the default role for the cluster.
+   *
+   * @default - No default role is attached to the cluster.
+   */
+  readonly defaultRole?: iam.IRole;
+
   /**
    * Name of a database which is automatically created inside the cluster
    *
@@ -575,6 +583,11 @@ export class Cluster extends ClusterBase {
 
     const defaultPort = ec2.Port.tcp(this.clusterEndpoint.port);
     this.connections = new ec2.Connections({ securityGroups, defaultPort });
+
+    // Add default role if specified
+    if (props.defaultRole) {
+      this.addDefaultIamRole(props.defaultRole);
+    }
   }
 
   /**
@@ -662,4 +675,31 @@ export class Cluster extends ClusterBase {
       throw new Error('Cannot add a parameter to an imported parameter group.');
     }
   }
+
+  /**
+   * Adds default IAM role to cluster
+   *
+   * @param defaultIamRole the IAM role to be set as the default role
+   */
+  public addDefaultIamRole(defaultIamRole: iam.IRole): void {
+    const defaultRoleCustomeResource = new AwsCustomResource(this, 'default-role', {
+      onUpdate: {
+        service: 'Redshift',
+        action: 'modifyClusterIamRoles',
+        parameters: {
+          ClusterIdentifier: this.cluster.ref,
+          AddIamRoles: [defaultIamRole.roleArn],
+          DefaultIamRoleArn: defaultIamRole.roleArn,
+        },
+        physicalResourceId: PhysicalResourceId.of(
+          `${defaultIamRole.roleArn}-${this.cluster.ref}`,
+        ),
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({
+        resources: AwsCustomResourcePolicy.ANY_RESOURCE,
+      }),
+    });
+
+    defaultIamRole.grantPassRole(defaultRoleCustomeResource.grantPrincipal);
+  }
 }
diff --git a/...defaultiamrole.js.snapshot/DefaultIamRoleIntegDefaultTestDeployAssert161B8D72.assets.json b/...defaultiamrole.js.snapshot/DefaultIamRoleIntegDefaultTestDeployAssert161B8D72.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "22.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "DefaultIamRoleIntegDefaultTestDeployAssert161B8D72.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...faultiamrole.js.snapshot/DefaultIamRoleIntegDefaultTestDeployAssert161B8D72.template.json b/...faultiamrole.js.snapshot/DefaultIamRoleIntegDefaultTestDeployAssert161B8D72.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/....snapshot/asset.a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476/index.js b/....snapshot/asset.a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476/index.js
diff --git a/packages/@aws-cdk/aws-redshift/test/integ.cluster-defaultiamrole.js.snapshot/cdk.out b/packages/@aws-cdk/aws-redshift/test/integ.cluster-defaultiamrole.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"22.0.0"}
diff --git a/packages/@aws-cdk/aws-redshift/test/integ.cluster-defaultiamrole.js.snapshot/integ.json b/packages/@aws-cdk/aws-redshift/test/integ.cluster-defaultiamrole.js.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+  "version": "22.0.0",
+  "testCases": {
+    "DefaultIamRoleInteg/DefaultTest": {
+      "stacks": [
+        "redshift-defaultiamrole-integ"
+      ],
+      "assertionStack": "DefaultIamRoleInteg/DefaultTest/DeployAssert",
+      "assertionStackName": "DefaultIamRoleIntegDefaultTestDeployAssert161B8D72"
+    }
+  }
+}