fix(iam): importedRoleStackSafeDefaultPolicyName feature flag results…

… in excessively long IAM policy names (aws#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes aws#27409 , aws#24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
paulhcsun · Jan 5, 2024 · 22e0659 · 22e0659
1 parent ed4589f
commit 22e0659
Show file tree

Hide file tree

Showing 17 changed files with 33,779 additions and 1,289 deletions.
diff --git a/.../test/aws-iam/test/integ.imported-role.js.snapshot/ImportedRoleTestAssertions.assets.json b/.../test/aws-iam/test/integ.imported-role.js.snapshot/ImportedRoleTestAssertions.assets.json
diff --git a/...est/aws-iam/test/integ.imported-role.js.snapshot/ImportedRoleTestAssertions.template.json b/...est/aws-iam/test/integ.imported-role.js.snapshot/ImportedRoleTestAssertions.template.json
@@ -1,6 +1,6 @@
 {
  "Resources": {
-  "AwsApiCallIAMlistRolePolicies": {
+  "AwsApiCallIAMlistRolePoliciese15a421383f9698f4159fca8713990e6": {
    "Type": "Custom::DeployAssert@SdkCallIAMlistRolePolicies",
    "Properties": {
     "ServiceToken": {
@@ -11,18 +11,30 @@
     },
     "service": "IAM",
     "api": "listRolePolicies",
-    "expected": "{\"$StringLike\":\"^Policyintegiamimportedrole2Role.{8}$\"}",
-    "actualPath": "PolicyNames.1",
+    "expected": "{\"$StringLike\":\"^Policyintegiamimportedrole2Roley+.{8}$\"}",
+    "actualPath": "PolicyNames.3",
     "parameters": {
      "RoleName": {
-      "Fn::ImportValue": "integ-iam-imported-role-role-stack:ExportsOutputRefTestRole6C9272DF9DD89F08"
+      "Fn::Join": [
+       "",
+       [
+        "\"",
+        {
+         "Fn::ImportValue": "integ-iam-imported-role-role-stack:ExportsOutputRefTestRole6C9272DF9DD89F08"
+        },
+        "\""
+       ]
+      ]
      }
     },
     "flattenResponse": "true",
     "outputPaths": [
-     "PolicyNames.1"
+     "PolicyNames.0",
+     "PolicyNames.1",
+     "PolicyNames.2",
+     "PolicyNames.3"
     ],
-    "salt": "1676338905652"
+    "salt": "1697413484207"
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"
@@ -71,12 +83,12 @@
   "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F": {
    "Type": "AWS::Lambda::Function",
    "Properties": {
-    "Runtime": "nodejs14.x",
+    "Runtime": "nodejs18.x",
     "Code": {
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "73c20a669c041469f7fc3fc03d574b093b5b97e7c716f76c1e8117e6163e4dc4.zip"
+     "S3Key": "c91921c142e824b74d06797a2be74eab5d0dd0453e753549f5182ac7a02f556b.zip"
     },
     "Timeout": 120,
     "Handler": "index.handler",
@@ -90,10 +102,10 @@
   }
  },
  "Outputs": {
-  "AssertionResultsAwsApiCallIAMlistRolePolicies": {
+  "AssertionResultsAwsApiCallIAMlistRolePoliciese15a421383f9698f4159fca8713990e6": {
    "Value": {
     "Fn::GetAtt": [
-     "AwsApiCallIAMlistRolePolicies",
+     "AwsApiCallIAMlistRolePoliciese15a421383f9698f4159fca8713990e6",
      "assertion"
     ]
    }