feat(redshift): IAM roles can be attached to a cluster, post creation #23791

Merged
merged 27 commits into from
Feb 10, 2023
Merged
a7f5330
Adding custom resource, tests
Rizxcviii Jan 18, 2023
39a43bd
modification: using interface instead
Rizxcviii Jan 23, 2023
adbfa48
removing console.log
Rizxcviii Jan 23, 2023
88c5bb2
modification: changing custom resource type
Rizxcviii Jan 23, 2023
fab283d
addition: generating integ test snapshot
Rizxcviii Jan 23, 2023
d6d377e
addition: updating README.md
Rizxcviii Jan 23, 2023
400fd22
modification: MD047/single-trailing-newline
Rizxcviii Jan 24, 2023
63cfe78
another test
Rizxcviii Jan 24, 2023
5fcd84f
diffAssets
Rizxcviii Jan 26, 2023
4dd83dc
removing test
Rizxcviii Jan 30, 2023
ff9900c
testing again
Rizxcviii Jan 30, 2023
18d2da9
line break EOF
Rizxcviii Jan 30, 2023
e48cf82
modification: preventing install of latest sdk, uses 2 or 3 version a…
Rizxcviii Jan 30, 2023
7abd3f5
Merge branch 'main' into feature/add-iam-role-after-declaration
Rizxcviii Feb 1, 2023
b647db6
modification: specifying role arn that is already attached
Rizxcviii Feb 1, 2023
9de8013
removal: test for max roles. Will let cloudformation take over as rol…
Rizxcviii Feb 1, 2023
dd9a42b
modification: lazy evaluation using private readonly constant
Rizxcviii Feb 2, 2023
ac08152
modification: using roleArns variable
Rizxcviii Feb 2, 2023
13a38ab
modification: removed custom resource
Rizxcviii Feb 2, 2023
69bd204
addition: importing Lazy module
Rizxcviii Feb 2, 2023
3b18cb4
addition, removal
Rizxcviii Feb 2, 2023
fa1b4fa
change in integ test
Rizxcviii Feb 2, 2023
83052d3
modification: reverting change in installLatestAwsSdk
Rizxcviii Feb 2, 2023
4967340
modification: cleanup, max roles are nott 10, but subject to a quota
Rizxcviii Feb 9, 2023
ddc5ff8
modification: eslint import order
Rizxcviii Feb 9, 2023
1b8d104
modification: changing to use private iam.IRole list instead of strin…
Rizxcviii Feb 9, 2023
8ec3caf
Merge branch 'main' into feature/add-iam-role-after-declaration
mergify[bot] Feb 10, 2023
diffAssets
Rizxcviii committed Jan 26, 2023
commit 5fcd84ff446a606c9c6e7f0cfff66510859a4399
@@ -5,6 +5,7 @@
"stacks": [
"redshift-iamrole-integ"
],
"diffAssets": true,
"assertionStack": "IamRoleInteg/DefaultTest/DeployAssert",
"assertionStackName": "IamRoleIntegDefaultTestDeployAssertBEF20992"
}
Original file line number Diff line number Diff line change
@@ -17,7 +17,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6035d2777d8aeb95ba80e06333d6e26f89087f242e2a859011c969eb2293a3c3.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/62416b81b75b2f3e2aaef03c6ebb06cbc9c9643581cb32402fc66b56d05e79d1.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
@@ -171,16 +171,16 @@
"data": "VPCVPCGW99B986DC"
}
],
"/redshift-iamrole-integ/Role2/Resource": [
"/redshift-iamrole-integ/RoleA/Resource": [
{
"type": "aws:cdk:logicalId",
"data": "Role291939BC6"
"data": "RoleA3119C8FE"
}
],
"/redshift-iamrole-integ/Role1/Resource": [
"/redshift-iamrole-integ/RoleB/Resource": [
{
"type": "aws:cdk:logicalId",
"data": "Role13A5C70C1"
"data": "RoleB318292C8"
}
],
"/redshift-iamrole-integ/Cluster/Subnets/Default": [
@@ -213,16 +213,16 @@
"data": "ClusterEB0386A7"
}
],
"/redshift-iamrole-integ/Cluster/add-role-Role2/Resource/Default": [
"/redshift-iamrole-integ/Cluster/add-role-RoleA/Resource/Default": [
{
"type": "aws:cdk:logicalId",
"data": "ClusteraddroleRole2CCF96C23"
"data": "ClusteraddroleRoleAA2FB3227"
}
],
"/redshift-iamrole-integ/Cluster/add-role-Role2/CustomResourcePolicy/Resource": [
"/redshift-iamrole-integ/Cluster/add-role-RoleA/CustomResourcePolicy/Resource": [
{
"type": "aws:cdk:logicalId",
"data": "ClusteraddroleRole2CustomResourcePolicyFE1C6F0D"
"data": "ClusteraddroleRoleACustomResourcePolicyB2DE8E3F"
}
],
"/redshift-iamrole-integ/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource": [
@@ -254,33 +254,6 @@
"type": "aws:cdk:logicalId",
"data": "CheckBootstrapVersion"
}
],
"Role1ABCC5F0": [
{
"type": "aws:cdk:logicalId",
"data": "Role1ABCC5F0",
"trace": [
"!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
]
}
],
"ClusteraddroleRoleAA246548": [
{
"type": "aws:cdk:logicalId",
"data": "ClusteraddroleRoleAA246548",
"trace": [
"!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
]
}
],
"ClusteraddroleRoleCustomResourcePolicy9F03684E": [
{
"type": "aws:cdk:logicalId",
"data": "ClusteraddroleRoleCustomResourcePolicy9F03684E",
"trace": [
"!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
]
}
]
},
"displayName": "redshift-iamrole-integ"
Original file line number Diff line number Diff line change
@@ -14,15 +14,15 @@
}
}
},
"6035d2777d8aeb95ba80e06333d6e26f89087f242e2a859011c969eb2293a3c3": {
"62416b81b75b2f3e2aaef03c6ebb06cbc9c9643581cb32402fc66b56d05e79d1": {
"source": {
"path": "redshift-iamrole-integ.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "6035d2777d8aeb95ba80e06333d6e26f89087f242e2a859011c969eb2293a3c3.json",
"objectKey": "62416b81b75b2f3e2aaef03c6ebb06cbc9c9643581cb32402fc66b56d05e79d1.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Original file line number Diff line number Diff line change
@@ -391,7 +391,7 @@
}
}
},
"Role291939BC6": {
"RoleA3119C8FE": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
@@ -408,7 +408,7 @@
}
}
},
"Role13A5C70C1": {
"RoleB318292C8": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
@@ -521,7 +521,7 @@
"IamRoles": [
{
"Fn::GetAtt": [
"Role13A5C70C1",
"RoleB318292C8",
"Arn"
]
}
@@ -540,7 +540,7 @@
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ClusteraddroleRole2CCF96C23": {
"ClusteraddroleRoleAA2FB3227": {
"Type": "Custom::ModifyClusterIamRoles",
"Properties": {
"ServiceToken": {
@@ -560,14 +560,14 @@
"\",\"AddIamRoles\":[\"",
{
"Fn::GetAtt": [
"Role291939BC6",
"RoleA3119C8FE",
"Arn"
]
},
"\"]},\"physicalResourceId\":{\"id\":\"",
{
"Fn::GetAtt": [
"Role291939BC6",
"RoleA3119C8FE",
"Arn"
]
},
@@ -590,14 +590,14 @@
"\",\"AddIamRoles\":[\"",
{
"Fn::GetAtt": [
"Role291939BC6",
"RoleA3119C8FE",
"Arn"
]
},
"\"]},\"physicalResourceId\":{\"id\":\"",
{
"Fn::GetAtt": [
"Role291939BC6",
"RoleA3119C8FE",
"Arn"
]
},
@@ -620,14 +620,14 @@
"\",\"RemoveIamRoles\":[\"",
{
"Fn::GetAtt": [
"Role291939BC6",
"RoleA3119C8FE",
"Arn"
]
},
"\"]},\"physicalResourceId\":{\"id\":\"",
{
"Fn::GetAtt": [
"Role291939BC6",
"RoleA3119C8FE",
"Arn"
]
},
@@ -642,12 +642,12 @@
"InstallLatestAwsSdk": true
},
"DependsOn": [
"ClusteraddroleRole2CustomResourcePolicyFE1C6F0D"
"ClusteraddroleRoleACustomResourcePolicyB2DE8E3F"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ClusteraddroleRole2CustomResourcePolicyFE1C6F0D": {
"ClusteraddroleRoleACustomResourcePolicyB2DE8E3F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
@@ -660,7 +660,7 @@
],
"Version": "2012-10-17"
},
"PolicyName": "ClusteraddroleRole2CustomResourcePolicyFE1C6F0D",
"PolicyName": "ClusteraddroleRoleACustomResourcePolicyB2DE8E3F",
"Roles": [
{
"Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
@@ -709,7 +709,7 @@
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Role291939BC6",
"RoleA3119C8FE",
"Arn"
]
}
Original file line number Diff line number Diff line change
@@ -651,21 +651,21 @@
"version": "0.0.0"
}
},
"Role2": {
"id": "Role2",
"path": "redshift-iamrole-integ/Role2",
"RoleA": {
"id": "RoleA",
"path": "redshift-iamrole-integ/RoleA",
"children": {
"ImportRole2": {
"id": "ImportRole2",
"path": "redshift-iamrole-integ/Role2/ImportRole2",
"ImportRoleA": {
"id": "ImportRoleA",
"path": "redshift-iamrole-integ/RoleA/ImportRoleA",
"constructInfo": {
"fqn": "@aws-cdk/core.Resource",
"version": "0.0.0"
}
},
"Resource": {
"id": "Resource",
"path": "redshift-iamrole-integ/Role2/Resource",
"path": "redshift-iamrole-integ/RoleA/Resource",
"attributes": {
"aws:cdk:cloudformation:type": "AWS::IAM::Role",
"aws:cdk:cloudformation:props": {
@@ -694,21 +694,21 @@
"version": "0.0.0"
}
},
"Role1": {
"id": "Role1",
"path": "redshift-iamrole-integ/Role1",
"RoleB": {
"id": "RoleB",
"path": "redshift-iamrole-integ/RoleB",
"children": {
"ImportRole1": {
"id": "ImportRole1",
"path": "redshift-iamrole-integ/Role1/ImportRole1",
"ImportRoleB": {
"id": "ImportRoleB",
"path": "redshift-iamrole-integ/RoleB/ImportRoleB",
"constructInfo": {
"fqn": "@aws-cdk/core.Resource",
"version": "0.0.0"
}
},
"Resource": {
"id": "Resource",
"path": "redshift-iamrole-integ/Role1/Resource",
"path": "redshift-iamrole-integ/RoleB/Resource",
"attributes": {
"aws:cdk:cloudformation:type": "AWS::IAM::Role",
"aws:cdk:cloudformation:props": {
@@ -908,7 +908,7 @@
"iamRoles": [
{
"Fn::GetAtt": [
"Role13A5C70C1",
"RoleB318292C8",
"Arn"
]
}
@@ -930,25 +930,25 @@
"version": "0.0.0"
}
},
"add-role-Role2": {
"id": "add-role-Role2",
"path": "redshift-iamrole-integ/Cluster/add-role-Role2",
"add-role-RoleA": {
"id": "add-role-RoleA",
"path": "redshift-iamrole-integ/Cluster/add-role-RoleA",
"children": {
"Provider": {
"id": "Provider",
"path": "redshift-iamrole-integ/Cluster/add-role-Role2/Provider",
"path": "redshift-iamrole-integ/Cluster/add-role-RoleA/Provider",
"constructInfo": {
"fqn": "@aws-cdk/aws-lambda.SingletonFunction",
"version": "0.0.0"
}
},
"Resource": {
"id": "Resource",
"path": "redshift-iamrole-integ/Cluster/add-role-Role2/Resource",
"path": "redshift-iamrole-integ/Cluster/add-role-RoleA/Resource",
"children": {
"Default": {
"id": "Default",
"path": "redshift-iamrole-integ/Cluster/add-role-Role2/Resource/Default",
"path": "redshift-iamrole-integ/Cluster/add-role-RoleA/Resource/Default",
"constructInfo": {
"fqn": "@aws-cdk/core.CfnResource",
"version": "0.0.0"
@@ -962,11 +962,11 @@
},
"CustomResourcePolicy": {
"id": "CustomResourcePolicy",
"path": "redshift-iamrole-integ/Cluster/add-role-Role2/CustomResourcePolicy",
"path": "redshift-iamrole-integ/Cluster/add-role-RoleA/CustomResourcePolicy",
"children": {
"Resource": {
"id": "Resource",
"path": "redshift-iamrole-integ/Cluster/add-role-Role2/CustomResourcePolicy/Resource",
"path": "redshift-iamrole-integ/Cluster/add-role-RoleA/CustomResourcePolicy/Resource",
"attributes": {
"aws:cdk:cloudformation:type": "AWS::IAM::Policy",
"aws:cdk:cloudformation:props": {
@@ -980,7 +980,7 @@
],
"Version": "2012-10-17"
},
"policyName": "ClusteraddroleRole2CustomResourcePolicyFE1C6F0D",
"policyName": "ClusteraddroleRoleACustomResourcePolicyB2DE8E3F",
"roles": [
{
"Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
@@ -1083,7 +1083,7 @@
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Role291939BC6",
"RoleA3119C8FE",
"Arn"
]
}
5 changes: 3 additions & 2 deletions packages/@aws-cdk/aws-redshift/test/integ.cluster-iamrole.ts
@@ -10,7 +10,7 @@ class RedshiftEnv extends Stack {
super(scope, id, props);

const vpc = new ec2.Vpc(this, 'VPC');
const role = new iam.Role(this, 'Role2', {
const role = new iam.Role(this, 'RoleA', {
assumedBy: new iam.ServicePrincipal('redshift.amazonaws.com'),
});

@@ -23,7 +23,7 @@ class RedshiftEnv extends Stack {
masterUser: {
masterUsername: 'admin',
},
roles: [new iam.Role(this, 'Role1', {
roles: [new iam.Role(this, 'RoleB', {
assumedBy: new iam.ServicePrincipal('redshift.amazonaws.com'),
})],
removalPolicy: RemovalPolicy.DESTROY,
@@ -37,6 +37,7 @@ const app = new App();

new integ.IntegTest(app, 'IamRoleInteg', {
testCases: [new RedshiftEnv(app, 'redshift-iamrole-integ')],
diffAssets: true,
});

app.synth();
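Review bot: The added `diffAssets: true` on the `IntegTest` and the changed construct IDs on the two `iam.Role` constructs have no comment saying why, although both change how this test's snapshot is compared and deployed. A one-line comment above the option, for example `// include asset hashes in the snapshot diff; this stack provisions a Lambda-backed custom resource`, would record the intent; the reason is inferred from the `SingletonFunction` provider visible in the snapshot tree, so confirm it. Changing a construct ID also changes the CloudFormation logical ID (the snapshot sections of this commit show the `Role…` logical IDs changing in step), so a stack already deployed from the earlier snapshot would get new roles and lose the old ones rather than being updated in place. That is tolerable for a throwaway stack whose cluster uses `RemovalPolicy.DESTROY`, but it deserves a short comment next to the IDs. The `RedshiftEnv` constructor begins and ends outside the visible hunks.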