Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Role.fromRoleArn(mutable: false) creates constructs with the wrong ID #7255

Closed
rix0rrr opened this issue Apr 8, 2020 · 5 comments · Fixed by #20497
Closed

Role.fromRoleArn(mutable: false) creates constructs with the wrong ID #7255

rix0rrr opened this issue Apr 8, 2020 · 5 comments · Fixed by #20497
Assignees
@corymhall
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@rix0rrr
Copy link
Contributor

rix0rrr commented Apr 8, 2020

This PR:

#6920

Broke the following piece of code:

    const existingRole = scope.node.tryFindChild(id) as iam.IRole;
    if (existingRole) {return existingRole; }
   return iam.Role.fromRoleArn(scope, id, arn, { mutable: false });

One would expect the second execution of this code to return the same immutable role that was created on the first go-around.

But in fact, because we create 2 constructs, the mutable one of which has the ID the user requested, the first go-around will return the immutable role as desired, but the second go-around will return the inner, mutable role object, leading to policies being added to a supposedly immutable role.

This is 🐛 Bug Report
@rix0rrr rix0rrr added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 8, 2020
@eladb
Copy link
Contributor

eladb commented Apr 9, 2020

Wow, that's pretty hairy! Any suggestions on how to fix?

@eladb
Copy link
Contributor

eladb commented Apr 12, 2020

@rix0rrr do you think this should also work:

const role = stack.node.findChild(uid) as iam.Role ?? new iam.Role(this, uid).withoutPolicyUpdates();

If that's the case, we will need a deeper refactor. If it's only for the fromRoleArn use case, we can probably hack something a bit simpler.

@eladb eladb added the p1 label Apr 12, 2020
@rix0rrr
Copy link
Contributor Author

rix0rrr commented May 18, 2020

Seems to me that a simple fix would be to reverse the IDs assigned to the Import and the ImmutableRole here: https://github.com/aws/aws-cdk/pull/6920/files#diff-a1dcc3d014e6654b6527e0a2e24d7812R238

@rix0rrr
Copy link
Contributor Author

rix0rrr commented May 18, 2020

Ideally ImmutableRole wouldn't have been made a Construct in #6920 but the consumer side would have been fixed, but I haven't looked into the triggering issue enough to know whether that was even feasible or not.

@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label May 19, 2020
@eladb eladb assigned rix0rrr and unassigned skinny85 and eladb Aug 4, 2020
@rix0rrr rix0rrr added @aws-cdk/aws-iam Related to AWS Identity and Access Management effort/small Small work item – less than a day of effort labels Aug 10, 2020
@corymhall corymhall self-assigned this May 25, 2022
@corymhall corymhall mentioned this issue May 25, 2022
Merged
4 tasks
@mergify mergify bot closed this as completed in #20497 Jun 1, 2022
mergify bot pushed a commit that referenced this issue Jun 1, 2022
@corymhall
fix(iam): referencing the same immutable role twice makes it mutable (#…
264c02e 
…20497)

The solution I went with in this PR was to try and keep the provided id
set on the `ImmutableRole` instead of the `Import` role. This should
also keep backwards compatibility by only changing the id of the
`Import` role if we are returning an `ImmutableRole`.

fixes #7255


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Jun 1, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@corymhall corymhall

Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(iam): referencing the same immutable role twice makes it mutable
5 participants
@skinny85 @rix0rrr @eladb @SomayaB @corymhall