Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(iam): support adding permissions to imported roles #2805

Merged
merged 1 commit into from
Jun 17, 2019
Merged

fix(iam): support adding permissions to imported roles #2805

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 13 additions & 5 deletions packages/@aws-cdk/aws-iam/lib/role.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,13 +116,21 @@ export class Role extends Resource implements IRole {
public readonly roleArn = roleArn;
public readonly roleName = Stack.of(scope).parseArn(roleArn).resourceName!;

public addToPolicy(_statement: PolicyStatement): boolean {
// Statement will be added to resource instead
return false;
private readonly attachedPolicies = new AttachedPolicies();
private defaultPolicy?: Policy;

public addToPolicy(statement: PolicyStatement): boolean {
if (!this.defaultPolicy) {
this.defaultPolicy = new Policy(this, 'Policy');
this.attachInlinePolicy(this.defaultPolicy);
}
this.defaultPolicy.addStatement(statement);
return true;
}

public attachInlinePolicy(_policy: Policy): void {
// FIXME: Add warning that we're ignoring this
public attachInlinePolicy(policy: Policy): void {
this.attachedPolicies.attach(policy);
policy.attachToRole(this);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The methods addToPolicy and attachInlinePolicy are the same as in the Role class. I wonder whether we could use inheritance here to remove the duplication.

}

public attachManagedPolicy(_arn: string): void {
Expand Down
27 changes: 27 additions & 0 deletions packages/@aws-cdk/aws-iam/test/test.role.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -260,5 +260,32 @@ export = {
test.deepEqual(importedRole.roleArn, 'arn:aws:iam::123456789012:role/S3Access');
test.deepEqual(importedRole.roleName, 'S3Access');
test.done();
},

'add policy to imported role'(test: Test) {
// GIVEN
const stack = new Stack();
const importedRole = Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/MyRole');

// WHEN
importedRole.addToPolicy(new PolicyStatement()
.addAction('s3:*')
.addResource('xyz'));

// THEN
expect(stack).to(haveResource('AWS::IAM::Policy', {
PolicyDocument: {
Statement: [
{
Action: "s3:*",
Effect: "Allow",
Resource: "xyz"
}
],
Version: "2012-10-17"
},
Roles: [ "MyRole" ]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I understand this test. Where does the Role with the logical ID MyRole come from?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh wait, is this the physical name of the Role? Does that work in CFN?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CFN is just doing a put-role-policy call with this parameter.

}));
test.done();
}
};