(aws_iam): ManagedPolicy.attachToRole should prevent adding to same role multiple times #28101

Rouby · 2023-11-22T12:39:55Z

Describe the bug

Currently attachToRole checks for object equality.

aws-cdk/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts

Line 293 in 70f66c7

if (this.roles.find(r => r === role)) { return; }

This does not work if a Role is imported e.g. via aws_iam.Role.fromRoleArn as these are unique objects.

Expected Behavior

attachToRole should skip if a role is already added to the list, so that no Roles: array items are not unique is encounted on deployments.

Current Behavior

attachToRole adds the same role (different objects) twice, which results in a validation error.

Reproduction Steps

import a role
import the same role at another points
create a ManagedPolicy
attach both roles to the policy

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.102.0

Framework Version

No response

Node.js Version

18

OS

Mac

Language

TypeScript

Language Version

No response

Other information

No response

The text was updated successfully, but these errors were encountered:

pahud · 2023-11-22T17:50:59Z

Yes we should improve that. I'm making it a p2 and any pull requests are appreciated.

#28129) Fixes `attachToUser`, `attachToRole`, and `attachToGroup` for `Policy` and `ManagedPolicy` to use ARNs as a discriminant for resource equality to prevent duplicates on imported resources. Closes #28101. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions · 2023-12-05T01:04:09Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

aws#28129) Fixes `attachToUser`, `attachToRole`, and `attachToGroup` for `Policy` and `ManagedPolicy` to use ARNs as a discriminant for resource equality to prevent duplicates on imported resources. Closes aws#28101. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Rouby added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 22, 2023

github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Nov 22, 2023

pahud added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 22, 2023

lpizzinidev mentioned this issue Nov 24, 2023

fix(iam): attaching a policy is not idempotent with imported resources #28129

Merged

github-actions bot mentioned this issue Dec 1, 2023

Monthly Issue metrics report - November 2023 #28211

Closed

vinayak-kukreja added a commit to lpizzinidev/aws-cdk that referenced this issue Dec 4, 2023

Merge branch 'main' into awsgh-28101

bb68407

mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Dec 5, 2023

Merge branch 'main' into awsgh-28101

3def470

mergify bot closed this as completed in #28129 Dec 5, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(aws_iam): ManagedPolicy.attachToRole should prevent adding to same role multiple times #28101

(aws_iam): ManagedPolicy.attachToRole should prevent adding to same role multiple times #28101

Rouby commented Nov 22, 2023

pahud commented Nov 22, 2023

github-actions bot commented Dec 5, 2023