-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(iam): importedRoleStackSafeDefaultPolicyName feature flag results in excessively long IAM policy names #27548
fix(iam): importedRoleStackSafeDefaultPolicyName feature flag results in excessively long IAM policy names #27548
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good @yamoyamoto. Sorry it took us so long to get to this PR
? `${prefix}${Names.uniqueId(this)}` | ||
: prefix; | ||
if (defaultDefaultPolicyName.length > MAX_POLICY_NAME_LEN) { | ||
defaultDefaultPolicyName = `Policy${Names.uniqueResourceName(this, { maxLength: MAX_POLICY_NAME_LEN - prefix.length })}`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think making "Policy"
its on var was kind of overkill, but if we're doing that then we should use it on line 54 also.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, it does become a bit difficult to read. However, we need prefix.length to subtract the length of 'Policy' from the policy name limit when using Names.uniqueResourceName(), so it seems reasonable to keep it as a variable.
but if we're doing that then we should use it on line 54 also.
My apologies, it was a simple oversight. I have now used the prefix variable.
@@ -78,6 +78,21 @@ describe('IAM Role.fromRoleArn', () => { | |||
expect(stack2PolicyNameCapture.asString()).toMatch(/PolicyRoleStack2ImportedRole.*/); | |||
}); | |||
|
|||
test('Policy name is truncated to a maximum length of 128 characters when the original name exceeds this limit', () =>{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
test('Policy name is truncated to a maximum length of 128 characters when the original name exceeds this limit', () =>{ | |
test('Policy name is truncated to a maximum length of 128 characters when the original name exceeds this limit', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I updated this.
const defaultDefaultPolicyName = useUniqueName | ||
? `Policy${Names.uniqueId(this)}` | ||
: 'Policy'; | ||
const prefix = 'Policy'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we add a comment here on why we are doing it this way (to hopefully preserve existing policy names)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added comment. I would appreciate it if you could confirm.
Pull request has been modified.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @yamoyamoto!
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Pull request has been modified.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
… in excessively long IAM policy names (aws#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes aws#27409 , aws#24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within
aws_iam.ImportedRole.addToPrincipalPolicy()
changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated usingNames.uniqueResourceName()
.Previously, the
Names.UniqueId()
method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten usingNames.uniqueResourceName()
—a function that allows for length specification.I considered replacing
Names.UniqueId()
entirely withNames.uniqueResourceName()
. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods.Closes #27409 , #24441
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license