fix(codebuild): cannot use immutable roles for Project #5608
Conversation
Immutably imported `Role`s could not be used for CodeBuild `Project`s, because they would create a policy but be unable to attach it to the Role. That leaves an unattached Policy, which is invalid. Fix this by making `Policy` objects only render to an `AWS::IAM::Policy` resource if they actually have any effect. It is perfectly allowed to create new unattached Policy objects, or have empty Policy objects. Only if and when they actually need to mutate the policy of an IAM identity will they render themselves to the CloudFormation template. Being able to abstract away these kinds of concerns is exactly the value of a higher-level programming model. To allow for the rare cases where an empty Policy object would be considered a programming error, we still have the flag `mustCreate` which triggers the legacy behavior of alwyas creating the `AWS::IAM::Policy` resource which must have a statement and be attached to an identity.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| private get shouldExist() { | ||
| return this.mustCreate || this.referenceTaken || (!this.document.isEmpty && this.isAttached); | ||
| } |
There was a problem hiding this comment.
since this is temporal (i.e. only relevant after the tree has been fully initialized) and used only in one place, I think this code should just be part of prepare to avoid accidentally using it in the future from the wrong context.
| * | ||
| * It is not an error if a child with the given name does not exist. | ||
| */ | ||
| public removeChild(childName: string) { |
There was a problem hiding this comment.
Maybe rename to tryRemoveChild to indicate it won't throw, and return a boolean indicating if the child was actually removed or not.
I am a bit worried by potential abuse of this API. Maybe we can make it a bit safer and only allow this during "prepare" somehow? What do you think? Can you please also mark this as @experimental?
This also resolves #1408
There was a problem hiding this comment.
I'm not too worried about misuse. The methods on node are pretty much "plumbing sticking out" anyway, not sure they're part of people's day-to-day operations with the API.
I would hope that people venturing there will be aware they're messing with internals which can do what they want, or have unintentional effects they themselves will be responsible for cleaning up. Not sure that limiting to prepare() is necessary.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| * | ||
| * @default false | ||
| */ | ||
| readonly mustCreate?: boolean; |
There was a problem hiding this comment.
I still don't love this name... I proposed changing it to lazy?: boolean in the previous PR, but I'm also open to other suggestions 🙂
There was a problem hiding this comment.
forceResource?
mustExist?
There was a problem hiding this comment.
I feel "lazy" is usually used to communicate something else.
There was a problem hiding this comment.
I was considering force, slightly on the fence but I also don't have a better alternative. I can do force.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| protected validate(): string[] { | ||
| const result = new Array<string>(); | ||
|
|
||
| // validate that the policy document is not empty | ||
| if (this.document.isEmpty) { | ||
| result.push('Policy is empty. You must add statements to the policy'); | ||
| if (this.force) { | ||
| result.push('Policy created with mustCreate=true is empty. You must add statements to the policy'); |
There was a problem hiding this comment.
References old property name.
| result.push('Policy created with mustCreate=true is empty. You must add statements to the policy'); | ||
| } | ||
| if (!this.force && this.referenceTaken) { | ||
| result.push('Policy name has been read of empty policy. You must add statements to the policy so it can exist.'); |
| result.push(`Policy created with mustCreate=true must be attached to at least one principal: user, group or role`); | ||
| } | ||
| if (!this.force && this.referenceTaken) { | ||
| result.push('Policy name has been read of unattached policy. Attach to at least one principal: user, group or role.'); |
There was a problem hiding this comment.
See here: #5569 (comment)
| result.push(`Policy must be attached to at least one principal: user, group or role`); | ||
| if (!this.isAttached) { | ||
| if (this.force) { | ||
| result.push(`Policy created with mustCreate=true must be attached to at least one principal: user, group or role`); |
There was a problem hiding this comment.
References old property name.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request is now being automatically merged. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request is now being automatically merged. |
Commit Message
fix(codebuild): cannot use immutable roles for Project
Immutably imported
Roles could not be used for CodeBuildProjects, because they would create a policy but be unableto attach it to the Role. That leaves an unattached Policy,
which is invalid.
Fix this by making
Policyobjects only render to anAWS::IAM::Policyresource if they actually have any effect. It is perfectly allowed to
create new unattached Policy objects, or have empty Policy objects.
Only if and when they actually need to mutate the policy of an IAM
identity will they render themselves to the CloudFormation template.
Being able to abstract away these kinds of concerns is exactly the value
of a higher-level programming model.
To allow for the rare cases where an empty Policy object would be
considered a programming error, we still have the flag
mustCreatewhich triggers the legacy behavior of alwyas creating the
AWS::IAM::Policyresource which must have a statement and beattached to an identity.
Fixes #1408.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license