-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Role.fromRoleArn(mutable: false) creates constructs with the wrong ID #7255
Comments
Wow, that's pretty hairy! Any suggestions on how to fix? |
@rix0rrr do you think this should also work: const role = stack.node.findChild(uid) as iam.Role ?? new iam.Role(this, uid).withoutPolicyUpdates(); If that's the case, we will need a deeper refactor. If it's only for the |
Seems to me that a simple fix would be to reverse the IDs assigned to the Import and the ImmutableRole here: https://github.com/aws/aws-cdk/pull/6920/files#diff-a1dcc3d014e6654b6527e0a2e24d7812R238 |
Ideally |
…20497) The solution I went with in this PR was to try and keep the provided id set on the `ImmutableRole` instead of the `Import` role. This should also keep backwards compatibility by only changing the id of the `Import` role if we are returning an `ImmutableRole`. fixes #7255 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
This PR:
#6920
Broke the following piece of code:
One would expect the second execution of this code to return the same immutable role that was created on the first go-around.
But in fact, because we create 2 constructs, the mutable one of which has the ID the user requested, the first go-around will return the immutable role as desired, but the second go-around will return the inner, mutable role object, leading to policies being added to a supposedly immutable role.
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: