(AWS Backup): Don't add AWSBackupServiceRolePolicyForBackup policy to role automatically #25669

Closed · 2 tasks
delenamalan opened this issue May 22, 2023 · 2 comments
Labels
  • @aws-cdk/aws-iam: Related to AWS Identity and Access Management
  • bug: This issue is a bug.
  • closed-for-staleness: This issue was automatically closed because it hadn't received any attention in a while.
  • needs-reproduction: This issue needs reproduction.
  • p2
  • response-requested: Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

delenamalan commented May 22, 2023

Describe the feature

There should be an option to prevent BackupSelection from adding the AWSBackupServiceRolePolicyForBackup policy to the provided role.

Use Case

I'm enabling AWS Backup in multiple AWS accounts using cdk-stacksets.

First, I'm creating a role in each account for backup and attaching the AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForS3Backup policies.

Then, I'm importing this role using Role.from_role_name.

role = iam.Role.from_role_name("DailyBackupsRole")

Then I'm passing the role to add_selection:

plan.add_selection(
    "DailyBackupsSelection",
    resources=[backup.BackupResource(resource="*")],  # all resources
    backup_selection_name="DailyBackupsSelection",
    role=role,
)

When I run cdk synth, I get this error:

RuntimeError: TypeError: role.addManagedPolicy is not a function

The above error is caused by #8307.

Proposed Solution

Add a parameter to BackupSelection to make it optional for policies to be attached to a provided role. For example, attach_backup_policies=False.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.79.1

Environment details (OS name and version, etc.)

macOS 13.3.1, Python 3.7.13

@delenamalan delenamalan added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 22, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label May 22, 2023
peterwoodworth (Contributor) commented

role = iam.Role.from_role_name("DailyBackupsRole")

Is this how you've specified this in your code? If so, I'm surprised this is compiling since you also need to define the scope and id of the construct. You should just be receiving a warning if addManagedPolicy is called on an imported role

public addManagedPolicy(policy: IManagedPolicy): void {
  Annotations.of(this).addWarning(`Not adding managed policy: ${policy.managedPolicyArn} to imported role: ${this.roleName}`);
}

Add a parameter to BackupSelection to make it optional for policies to be attached to a provided role. For example, attach_backup_policies=False.

There's already an option you can enable on your role when importing it: mutable

@peterwoodworth peterwoodworth added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. bug This issue is a bug. needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. feature-request A feature should be added or improved. labels May 22, 2023
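A check for the situation both posts describe (a role handed to add_selection gets AWSBackupServiceRolePolicyForBackup attached by BackupSelection), added here as an example and not code from aws-cdk or from either commenter: audit the CloudFormation JSON that cdk synth writes before deploying, list every managed policy and every trusted service principal on every AWS::IAM::Role, and fail on any policy outside an allow-list. The allow-list mirrors the two policies the reporter attaches by hand; SAMPLE_TEMPLATE is a constructed sample shaped like cdk synth output for a plan selection whose role CDK created, and its logical IDs are assumptions.

```python
"""Audit IAM roles in a synthesized CDK template (cdk.out/<Stack>.template.json):
which managed policies each role carries and which services may assume it.
Added example for this thread, not aws-cdk code; the sample template is constructed."""
from __future__ import annotations

import json
from typing import Any

# Allow-list for the backup role (an assumption of this example; it mirrors the
# two policies the reporter attaches to the role they create in each account).
ALLOWED_BACKUP_POLICIES = {
    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForS3Backup",
}


def resolve(value: Any, partition: str = "aws") -> Any:
    """Fold the intrinsics CDK emits for AWS-managed policy ARNs (Fn::Join over
    literals plus Ref AWS::Partition) into a string; leave anything else as-is."""
    if isinstance(value, dict) and len(value) == 1:
        ((key, arg),) = value.items()
        if key == "Ref" and arg == "AWS::Partition":
            return partition
        if key == "Fn::Join":
            sep, parts = arg
            parts = [resolve(p, partition) for p in parts]
            if all(isinstance(p, str) for p in parts):
                return sep.join(parts)
            return {"Fn::Join": [sep, parts]}
    return value


def iam_roles(template: dict) -> dict[str, dict]:
    """Logical ID -> Properties for every AWS::IAM::Role in the template."""
    return {lid: res.get("Properties", {})
            for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IAM::Role"}


def role_policies(template: dict) -> dict[str, list[str]]:
    """Logical ID -> resolved ManagedPolicyArns; unresolvable ones are kept as JSON."""
    out: dict[str, list[str]] = {}
    for lid, props in iam_roles(template).items():
        resolved = [resolve(a) for a in props.get("ManagedPolicyArns", [])]
        out[lid] = [r if isinstance(r, str) else json.dumps(r, sort_keys=True)
                    for r in resolved]
    return out


def trusted_services(template: dict) -> dict[str, set[str]]:
    """Logical ID -> service principals an Allow statement lets assume the role."""
    out: dict[str, set[str]] = {}
    for lid, props in iam_roles(template).items():
        services: set[str] = set()
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            svc = stmt.get("Principal", {}).get("Service", [])
            if stmt.get("Effect") == "Allow":
                services.update([svc] if isinstance(svc, str) else svc)
        out[lid] = services
    return out


def unexpected_policies(template: dict, allowed: set[str]) -> dict[str, list[str]]:
    """Roles carrying a managed policy outside the allow-list, with the offenders."""
    return {lid: [p for p in pols if p not in allowed]
            for lid, pols in role_policies(template).items()
            if any(p not in allowed for p in pols)}


# Constructed sample shaped like cdk synth output for a BackupPlan selection whose
# role CDK created; the second policy is deliberately outside the allow-list.
SAMPLE_TEMPLATE = {"Resources": {
    "DailyBackupsSelectionRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow",
             "Principal": {"Service": "backup.amazonaws.com"}}]},
        "ManagedPolicyArns": [
            {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"},
             ":iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"]]},
            {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"},
             ":iam::aws:policy/AdministratorAccess"]]}]}},
    "DailyBackupsSelection": {"Type": "AWS::Backup::BackupSelection", "Properties": {
        "BackupPlanId": {"Fn::GetAtt": ["DailyBackupsPlan", "BackupPlanId"]},
        "BackupSelection": {"SelectionName": "DailyBackupsSelection",
                            "Resources": ["*"],
                            "IamRoleArn": {"Fn::GetAtt": ["DailyBackupsSelectionRole", "Arn"]}}}}}}

if __name__ == "__main__":
    import sys
    # Pass a real template path to audit it; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            tpl = json.load(f)
    else:
        tpl = SAMPLE_TEMPLATE
    for lid, pols in role_policies(tpl).items():
        print(lid, "trusts", sorted(trusted_services(tpl)[lid]), "policies", pols)
    bad = unexpected_policies(tpl, ALLOWED_BACKUP_POLICIES)
    sys.exit(1 if bad else 0)  # non-zero exit so a CI step fails on extra policies
```

Run it against cdk.out/<Stack>.template.json after cdk synth. An imported role never appears as an AWS::IAM::Role in the template, so an empty result for a stack that only imports its backup role confirms the stack creates and manages no role of its own; the policies then live where they were created, outside this stack.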
github-actions bot commented

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels May 24, 2023