fix(roles): add UUID to service linked role to prevent accidental del…

…etion due to cloudformation
awslabs · Jul 18, 2023 · 5854321 · 5854321
1 parent 330a5a2
commit 5854321
Show file tree

Hide file tree

Showing 9 changed files with 17 additions and 0 deletions.
diff --git a/source/packages/@aws-accelerator/accelerator/test/__snapshots__/accounts-stack.test.ts.snap b/source/packages/@aws-accelerator/accelerator/test/__snapshots__/accounts-stack.test.ts.snap
@@ -325,6 +325,7 @@ exports[`AccountsStack us-east-1 Construct(AccountsStack):  Snapshot Test 1`] =
         },
         "roleName": "AWSServiceRoleForAccessAnalyzer",
         "serviceName": "access-analyzer.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",
@@ -1286,6 +1287,7 @@ exports[`AccountsStack us-east-1 Construct(AccountsStack):  Snapshot Test 1`] =
         "description": "A service-linked role required for Amazon GuardDuty to access your resources. ",
         "roleName": "AWSServiceRoleForAmazonGuardDuty",
         "serviceName": "guardduty.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",
@@ -1550,6 +1552,7 @@ exports[`AccountsStack us-east-1 Construct(AccountsStack):  Snapshot Test 1`] =
         },
         "roleName": "AWSServiceRoleForAmazonMacie",
         "serviceName": "macie.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",
@@ -2079,6 +2082,7 @@ exports[`AccountsStack us-east-1 Construct(AccountsStack):  Snapshot Test 1`] =
         "description": "A service-linked role required for AWS Security Hub to access your resources.",
         "roleName": "AWSServiceRoleForSecurityHub",
         "serviceName": "securityhub.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",

diff --git a/source/packages/@aws-accelerator/accelerator/test/__snapshots__/logging-stack.test.ts.snap b/source/packages/@aws-accelerator/accelerator/test/__snapshots__/logging-stack.test.ts.snap
@@ -270,6 +270,7 @@ exports[`LoggingStack Construct(LoggingStack):  Snapshot Test 1`] = `
         "description": "Service linked role for AWS Cloud9",
         "roleName": "AWSServiceRoleForAWSCloud9",
         "serviceName": "cloud9.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",
@@ -1459,6 +1460,7 @@ exports[`LoggingStack Construct(LoggingStack):  Snapshot Test 1`] = `
         "description": "Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling",
         "roleName": "AWSServiceRoleForAutoScaling",
         "serviceName": "autoscaling.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",
@@ -3783,6 +3785,7 @@ exports[`LoggingStackOuTargets Construct(LoggingStackOuTargets):  Snapshot Test
         "description": "Service linked role for AWS Cloud9",
         "roleName": "AWSServiceRoleForAWSCloud9",
         "serviceName": "cloud9.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",
@@ -5049,6 +5052,7 @@ exports[`LoggingStackOuTargets Construct(LoggingStackOuTargets):  Snapshot Test
         "description": "Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling",
         "roleName": "AWSServiceRoleForAutoScaling",
         "serviceName": "autoscaling.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",

diff --git a/...s-accelerator/accelerator/test/__snapshots__/network-associations-gwlb-stack.test.ts.snap b/...s-accelerator/accelerator/test/__snapshots__/network-associations-gwlb-stack.test.ts.snap
@@ -916,6 +916,7 @@ exports[`NetworkAssociationsGwlbStack Construct(NetworkAssociationsGwlbStack):
         "description": "Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling",
         "roleName": "AWSServiceRoleForAutoScaling",
         "serviceName": "autoscaling.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",

diff --git a/...packages/@aws-accelerator/accelerator/test/__snapshots__/organizations-stack.test.ts.snap b/...packages/@aws-accelerator/accelerator/test/__snapshots__/organizations-stack.test.ts.snap
@@ -2103,6 +2103,7 @@ exports[`MultiOuOrganizationsStack Construct(OrganizationsStack):  Snapshot Test
         },
         "roleName": "AWSServiceRoleForFMS",
         "serviceName": "fms.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",
@@ -7590,6 +7591,7 @@ exports[`delegatedAdminStack Construct(OrganizationsStack):  Snapshot Test 1`] =
         },
         "roleName": "AWSServiceRoleForFMS",
         "serviceName": "fms.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",

diff --git a/source/packages/@aws-accelerator/accelerator/test/__snapshots__/pipeline-stack.test.ts.snap b/source/packages/@aws-accelerator/accelerator/test/__snapshots__/pipeline-stack.test.ts.snap
@@ -1140,6 +1140,7 @@ exports[`PipelineStack Construct(PipelineStack):  Snapshot Test 1`] = `
         "description": "Allows AWS CodeStar Notifications to access Amazon CloudWatch Events on your behalf",
         "roleName": "AWSServiceRoleForCodeStarNotifications",
         "serviceName": "codestar-notifications.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",

diff --git a/source/packages/@aws-accelerator/constructs/lib/aws-iam/service-linked-role.ts b/source/packages/@aws-accelerator/constructs/lib/aws-iam/service-linked-role.ts
@@ -13,6 +13,7 @@
 
 import * as cdk from 'aws-cdk-lib';
 import { Construct } from 'constructs';
+import { v4 as uuidv4 } from 'uuid';
 import * as path from 'path';
 /**
  * Initialized ServiceLinkedRoleProps properties
@@ -90,6 +91,7 @@ export class ServiceLinkedRole extends Construct {
         serviceName: props.awsServiceName,
         description: props.description,
         roleName: props.roleName,
+        uuid: uuidv4(), // Generates a new UUID to force the resource to update
       },
     });
 

diff --git a/...rator/constructs/test/aws-autoscaling/__snapshots__/create-autoscaling-group.test.ts.snap b/...rator/constructs/test/aws-autoscaling/__snapshots__/create-autoscaling-group.test.ts.snap
@@ -331,6 +331,7 @@ exports[`AutoscalingGroup Construct(AutoscalingGroup):  Snapshot Test 1`] = `
         "description": "Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling",
         "roleName": "AWSServiceRoleForAutoScaling",
         "serviceName": "autoscaling.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",

diff --git a/...packages/@aws-accelerator/constructs/test/aws-ec2/__snapshots__/firewall-asg.test.ts.snap b/...packages/@aws-accelerator/constructs/test/aws-ec2/__snapshots__/firewall-asg.test.ts.snap
@@ -304,6 +304,7 @@ exports[`LaunchTemplate Construct(FirewallAutoScalingGroup):  Snapshot Test 1`]
         "description": "Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling",
         "roleName": "AWSServiceRoleForAutoScaling",
         "serviceName": "autoscaling.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",

diff --git a/...s/@aws-accelerator/constructs/test/aws-iam/__snapshots__/service-linked-role.test.ts.snap b/...s/@aws-accelerator/constructs/test/aws-iam/__snapshots__/service-linked-role.test.ts.snap
@@ -304,6 +304,7 @@ exports[`ServiceLinkedRole Construct(CreateServiceLinkedRole):  Snapshot Test 1`
         "description": "some description",
         "roleName": "AWSServiceRoleForAwesomeService",
         "serviceName": "awesomeService.amazonaws.com",
+        "uuid": "REPLACED-UUID",
       },
       "Type": "Custom::CreateServiceLinkedRole",
       "UpdateReplacePolicy": "Delete",