feat(iam): customer managed policies #3578
Conversation
|
Build is failing due to the change in signature of the protected constructor of the placeholder class that was there before. Will defer to someone with more domain knowledge as to the correct path forward. |
eladb
changed the title
| public static fromManagedPolicyName(scope: Construct, id: string, managedPolicyName: string): IManagedPolicy { | ||
| class Import extends Resource implements IManagedPolicy { | ||
| public readonly managedPolicyArn = Lazy.stringValue({ | ||
| produce(ctx: IResolveContext) { |
There was a problem hiding this comment.
Why does this have to be a lazy string and not just:
const stack = Stack.of(scope);
class Import extends Resource implements IManagedPolicy {
public readonly managedPolicyArn = stack.formatArn({...});
...
}
There was a problem hiding this comment.
Doesn't the ARN consists of the path plus the name? path is not even a parameter here.
There was a problem hiding this comment.
I used the fromAwsManagedPolicyName function as a reference. If we want to change stuff I can do that. For the path thing, I think you're right. I'll update it
There was a problem hiding this comment.
Doesn't the ARN consists of the path plus the name?
pathis not even a parameter here.
So for the import class I'm not sure if it needs to be a separate parameter on this function or if you can just pass the whole thing in as the managedPolicyName. Similarly to how fromAwsManagedPolicyName accepts the service-role prefix as part of the managedPolicyName.
There was a problem hiding this comment.
Looking at other Principals that can have a path, the Group class uses the ARN for lookup with a fromGroupArn method, the User class doesn't have a lookup. Perhaps we should make this lookup fromPolicyArn so that it's consistent with Group?
| Lazy.stringValue({ produce: () => generatePolicyName(scope, resource.logicalId) }), | ||
| }); | ||
|
|
||
| this.managedPolicyName = this.physicalName; |
There was a problem hiding this comment.
You need to use this.getResourceNameAttribute
There was a problem hiding this comment.
This was also based off Policy, does that need to be changed too?
| @@ -82,5 +82,11 @@ | |||
| "engines": { | |||
| "node": ">= 8.10.0" | |||
| }, | |||
| "awslint": { | |||
| "exclude": [ | |||
| "construct-interface-extends-iconstruct:@aws-cdk/aws-iam.IManagedPolicy", | |||
There was a problem hiding this comment.
we really need a way to add comments here
|
Aha, looks like we made a mistake in the past, so we're going to need to override the breaking change detector: |
|
EDIT: Nevermind, wrong PR. |
|
@IainCole |
Just because I was following what Policy was doing, but it seems like the name is required for that |
Closes #2974
Adds support for customer managed IAM policies.
This was a little weird because the ManagedPolicy class works for both AWS and Customer managed policies, with the latter being something the user can create and the former being something they can only look up. I tried to emulate Policy/IPolicy as much as seemed appropriate.
The only way I could see to get this working without changing the signature of the fromAwsManagedPolicyName function was to disable the construct-interface-extends-iconstruct and resource-interface-extends-resource lint rules and implement it like this.