
Issues porting MFA policy example to the CDK #3128

Closed
1 task done
joelhegg opened this issue Jun 28, 2019 · 4 comments
Assignees
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management feature-request A feature should be added or improved. management/tracking Issues that track a subject or multiple issues

Comments


  • I'm submitting a ...

    • 📚 construct library gap
  • Please tell us about your environment:

    • CDK CLI Version: 0.36.0
    • Module Version: 0.36.0
    • OS: [OSX Mojave]
    • Language: [Java]
  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

I needed to use https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html in the CDK. I ran into a number of dead ends along the way. Some are known issues, some are new. I figured it would be useful to share this real world example that ties them all together.

  1. Can't just port the policy to the CDK

Due to #964, there's no straightforward way to express NotAction in the CDK. Since I'm using Java, the "hack" one person gave would be more involved.

  2. Unclear how to attach an inline policy through a CfnInclude

I ended up just putting the example policy in a .json file along with CfnInclude like so:

// Parse the raw CloudFormation template from the classpath and include it as-is
ObjectMapper mapper = new ObjectMapper();
new CfnInclude(this, "force-mfa", CfnIncludeProps.builder()
    .withTemplate((ObjectNode)mapper.readTree(this.getClass().getResourceAsStream("/force-mfa.json")))
    .build());

My initial inclination was to use Group.attachInlinePolicy, but I couldn't figure out how to go from the CfnInclude to an actual Policy object. It feels like there should be a straightforward way to deserialize a CloudFormation template into a CDK object to allow for better interop.

  3. Difficulties using custom managed policies

Since inline policies weren't going to work for me, I switched to a custom managed policy by prepending the example json with this:

{
  "Resources": {
    "forcemfa": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName": "force-mfa",
        "PolicyDocument": 

I ran into #2974 trying to use GroupProps.withManagedPolicyArns. I thought I might just adapt ManagedPolicy.fromAwsManagedPolicyName like so:

    IManagedPolicy fromCustomManagedPolicyName(String managedPolicyName) {
        return () -> Lazy.stringValue((IResolveContext ctx) -> {
            Stack stack = Stack.of(ctx.getScope());
            return stack.formatArn(ArnComponents.builder()
                    .withService("iam")
                    .withRegion("")
                    .withAccount(stack.getAccount())
                    .withResource("policy")
                    .withResourceName(managedPolicyName)
                    .build());
        });
    }

That gave me this error though. I'm sure there must be another step I'm not aware of to enable resolution with this code. It wasn't immediately clear from reading through the CDK code and documentation.

An exception occured while executing the Java class. Resolution error: Resolution error: Resolution error: Resolution error: JSII kernel assumption violated, undefined is not an object.
Object creation stack:
  at new LazyBase (.../node_modules/@aws-cdk/core/lib/lazy.js:30:44)
  at new LazyString (.../node_modules/@aws-cdk/core/lib/lazy.js:46:9)
  at Function.stringValue (.../node_modules/@aws-cdk/core/lib/lazy.js:13:39)

What ended up working is something like this:

Group group = new Group(this, "my-group", GroupProps.builder()
    .withGroupName("my-group")
    .withManagedPolicyArns(Arrays.asList(
        ManagedPolicy.fromAwsManagedPolicyName("AWSCodeCommitPowerUser"),
        (IManagedPolicy) () -> String.format("arn:aws:iam::%s:policy/force-mfa", this.getAccount())
    ))
    .build());

Incidentally, I think the cast usage makes that a little uglier than it should be. This seems to be caused by GroupProps using an Object/any where Group uses IManagedPolicy.
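
The two gaps above, expressing the NotAction statement (#964) and referring to the managed policy by ARN, are both about the "self-manage credentials with MFA" policy the issue links to. The following is an added example, not code from this issue or from the CDK, written in plain TypeScript so it runs without the CDK: a minimal IAM-style evaluator that runs the Deny + NotAction + BoolIfExists statement against a few constructed requests, and a helper that builds the same managed-policy ARN the issue produces with formatArn (empty region, because IAM is global). The policy is abridged and constructed after the shape of the AWS example rather than copied from it; the user name alice, the account id and the scenario names are made up.

```typescript
// Added example (not from the issue or the CDK): a small evaluator for the IAM
// "self-manage credentials with MFA" pattern, showing why Deny + NotAction +
// BoolIfExists works and what changes with Bool. Wildcards, policy variables and
// condition operators are modelled only as far as this pattern needs.

type Effect = "Allow" | "Deny";
type Context = { [key: string]: string };

interface Statement {
  Sid: string;
  Effect: Effect;
  Action?: string[];
  NotAction?: string[];
  Resource: string | string[];
  Condition?: { [operator: string]: Context };
}

// Abridged and constructed here after the shape of the AWS example the issue
// links to; it is not a copy of that document.
const forceMfaPolicy: Statement[] = [
  { Sid: "AllowManageOwnPasswords", Effect: "Allow",
    Action: ["iam:ChangePassword", "iam:GetUser"],
    Resource: "arn:aws:iam::*:user/${aws:username}" },
  { Sid: "AllowManageOwnUserMFA", Effect: "Allow",
    Action: ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
    Resource: ["arn:aws:iam::*:user/${aws:username}", "arn:aws:iam::*:mfa/${aws:username}"] },
  // The statement the CDK could not express at the time (#964): deny every action
  // NOT in the list unless the request carries an MFA claim.
  { Sid: "DenyAllExceptListedIfNoMFA", Effect: "Deny",
    NotAction: ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices",
                "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"],
    Resource: "*",
    Condition: { BoolIfExists: { "aws:MultiFactorAuthPresent": "false" } } },
];

// Same ARN the issue builds with formatArn: IAM is global, so the region field is empty.
function managedPolicyArn(account: string, name: string): string {
  return `arn:aws:iam::${account}:policy/${name}`;
}

// Expand ${aws:username}-style policy variables, then match IAM-style: "*" is the only wildcard.
function glob(pattern: string, value: string, ctx: Context): boolean {
  const expanded = pattern.replace(/\$\{([^}]+)\}/g, (_m, key: string) => ctx[key] ?? "");
  const re = expanded.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${re}$`, "i").test(value);
}

// Only the two operators the MFA pattern relies on.
function conditionHolds(cond: Statement["Condition"], ctx: Context): boolean {
  if (!cond) return true;
  for (const op in cond) for (const key in cond[op]) {
    const present = key in ctx;
    const ok = present && ctx[key].toLowerCase() === cond[op][key];
    if (op === "Bool" && !ok) return false;                    // key must exist and match
    if (op === "BoolIfExists" && present && !ok) return false; // a missing key counts as a match
    if (op !== "Bool" && op !== "BoolIfExists") throw new Error(`operator not modelled: ${op}`);
  }
  return true;
}

function statementMatches(s: Statement, action: string, resource: string, ctx: Context): boolean {
  const actionHit = s.Action
    ? s.Action.some((a) => glob(a, action, ctx))
    : !(s.NotAction ?? []).some((a) => glob(a, action, ctx));
  const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
  return actionHit && resources.some((r) => glob(r, resource, ctx)) && conditionHolds(s.Condition, ctx);
}

// IAM ordering: an explicit Deny wins, then any Allow, otherwise implicit Deny.
function evaluate(policy: Statement[], action: string, resource: string, ctx: Context): Effect {
  let allowed = false;
  for (const s of policy) {
    if (!statementMatches(s, action, resource, ctx)) continue;
    if (s.Effect === "Deny") return "Deny";
    allowed = true;
  }
  return allowed ? "Allow" : "Deny";
}

// Constructed requests: user "alice" in a made-up account, with and without an MFA claim.
function demo(): { [scenario: string]: Effect } {
  const alice = "arn:aws:iam::123456789012:user/alice";
  const bob = "arn:aws:iam::123456789012:user/bob";
  const noMfa: Context = { "aws:username": "alice" };                                    // long-term key
  const mfa: Context = { "aws:username": "alice", "aws:MultiFactorAuthPresent": "true" }; // MFA session
  // Same policy with Bool instead of BoolIfExists, to show why the IfExists variant matters.
  const boolVariant: Statement[] = forceMfaPolicy.map((s) =>
    s.Condition && s.Condition.BoolIfExists ? { ...s, Condition: { Bool: s.Condition.BoolIfExists } } : s);
  return {
    noMfaChangeOwnPassword: evaluate(forceMfaPolicy, "iam:ChangePassword", alice, noMfa),         // Deny
    noMfaEnrolOwnDevice: evaluate(forceMfaPolicy, "iam:EnableMFADevice", alice, noMfa),           // Allow
    mfaChangeOwnPassword: evaluate(forceMfaPolicy, "iam:ChangePassword", alice, mfa),             // Allow
    mfaChangeOthersPassword: evaluate(forceMfaPolicy, "iam:ChangePassword", bob, mfa),            // Deny
    boolVariantNoMfaChangeOwnPassword: evaluate(boolVariant, "iam:ChangePassword", alice, noMfa), // Allow
  };
}
```

The last scenario is the one worth remembering when porting this policy by hand: a request made with long-term access keys has no aws:MultiFactorAuthPresent key at all, so a Bool condition never matches and the Deny silently stops applying; BoolIfExists treats the missing key as "false" and keeps the Deny in force, which is what the AWS example relies on.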

@joelhegg joelhegg added the needs-triage This issue or PR still needs to be triaged. label Jun 28, 2019
@NGL321 NGL321 added feature-request A feature should be added or improved. gap @aws-cdk/aws-iam Related to AWS Identity and Access Management management/tracking Issues that track a subject or multiple issues and removed needs-triage This issue or PR still needs to be triaged. labels Jul 1, 2019
Contributor

NGL321 commented Jul 1, 2019

Hi @joelhegg,

Thank you for posting this with so much detail. It seems that this is a fairly broad gap that is being encountered rather frequently, so due to the detail of this post I am going to mark this as the tracking issue for the policy handling gap.

Contributor

NGL321 commented Jul 1, 2019

#3112 is also relevant here

@NGL321 NGL321 mentioned this issue Jul 1, 2019

sdole commented Jul 12, 2019

Hello, I saw a blog saying that the CDK is now GA for TypeScript and Python. Does it mean these gaps have been fixed?

Contributor

rix0rrr commented Jan 23, 2020

I believe all pain points have been addressed by now.

@rix0rrr rix0rrr closed this as completed Jan 23, 2020
Development

No branches or pull requests

4 participants