fix(iam): Role.addManagedPolicy() does not work for imported roles IRole #8307

[stm29]

Issue #8307

Closes #8307

Reason for this change

• This addManagedPolicy() just does nothing, neither throws warning nor fails.

Description of changes

• This implements addManagedPolicy() for ImportedRole
• This throws Error, when IRole is used with IManagedPolicy, due to constrains

Approaches decided

• we can't change addManagedPolicy(policy: IManagedPolicy) to addManagedPolicy(policy: ManagedPolicy) (i.e., to ManagedPolicy) , like how attachInlinePolicy(policy: Policy), it will break for almost many customers.

  • aws-cdk/packages/aws-cdk-lib/aws-iam/lib/identity-base.ts

    Lines 17 to 21 in 823ff6e

    	/**
    	* Attaches a managed policy to this principal.
    	* @param policy The managed policy
    	*/
    	addManagedPolicy(policy: IManagedPolicy): void;

  • So, we need to handle this gracefully when accepting only ManagedPolicy.
• We can't use IRole & IManagedPolicy to do the work at the same time, so we need to allow ManagedPolicy in params, and throw Error when IManagedPolicy is being sent, because of how attachToRole() will be used by addManagedPolicy()

• This PR Implements follows,

  • enables addManagedPolicy()
  • Accepts ManagedPolicy
  • Throws understandable Error, when IRole is used with IManagedPolicy.

Description of how you validated changes

• unit & integration tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[epoctic]

Changes seem reasonable to me.

[stm29]

Can I get one more community review?

[stm29]

Communicated in #contributing channel. waiting for one more community review.

[tmokmss]

Thank you for the fix! I left some comments :)

[tmokmss]

Throwing an error from this function is also a breaking change. Can we just add a warning as the previous behavior?

[stm29]

Done.

[tmokmss]

We can add more information like ${policy.managedPolicyArn} to imported role: ${this.roleName} as in the original code to make it clearer why and where the warning is emitted. So that we do not have to add another warning from a caller.

[stm29]

Corrected with One Common message.

[tmokmss]

LGTM, thanks!

[Leo10Gama]

Hi @stm29 thanks for your contribution! Reading through the changes, I'm trying to understand the nature of the changes being made. The PR description mentions you're adding functionality to IRole, but it looks like you're adding it to ImportedRole. Could you please update the description to better reflect this?

I also did some digging through the rest of the codebase, and it seems like some of the other extensions of IRole have other implementations of addManagedPolicy(), like here:

  public addManagedPolicy(policy: IManagedPolicy): void {
    this.managedPolicies.push(policy);
  }

Would a change like this work instead of the more complex logic?

It also looks like the changes in the S3 notifications resource are minor, so I would agree that moving that change to another PR and opening a separate issue would be best, as long as the tests that currently exist for it still pass with this change. Though I'm not quite sure what the issue is in this case. It seems like a few other libraries already call on the addManagedPolicy() method, so is there something specific to S3 in this regard?

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.67%. Comparing base (f4c19c7) to head (36deb38).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #31212   +/-   ##
=======================================
  Coverage   78.67%   78.67%           
=======================================
  Files         107      107           
  Lines        7237     7237           
  Branches     1329     1329           
=======================================
  Hits         5694     5694           
  Misses       1357     1357           
  Partials      186      186           

Flag	Coverage Δ
suite.unit	78.67% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	78.67% <ø> (ø)

[stm29]

@Leo10Gama , Thanks for the review.

I'm trying to understand the nature of the changes being made. The PR description mentions you're adding functionality to IRole, but it looks like you're adding it to ImportedRole. Could you please update the description to better reflect this?

Updated this with correct ImportedRole

---

Would a change like this work instead of the more complex logic?

Indeed Logic is simple, following is the working Logic which adds Policy to the Role. and this is same as how other Implementations are already in place.

policy.attachToRole(this);

Other if ... else and type predicate is to make sure Implementation is working as expected.

---

It seems like a few other libraries already call on the addManagedPolicy() method, so is there something specific to S3 in this regard?

Sorry for the confusion, There is no change in notifications-resource-handler.ts file, I have reverted to main.

Quick Question: Should we need to add Unit Tests in all the possible occurrence of IManagedPolicy with IRole, or Just UnitTests in packages/aws-cdk-lib/aws-iam/test/imported-role.test.ts is sufficient?
If UnitTests in imported-role.test.ts is sufficient, then notification.test.ts can also be reverted to main

---

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated.

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 36deb38
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.