

fix(cdk): allow bootstrap with policy names with a path (#26378)
Policy names with slashes (`/`) are not allowed when bootstrapping.

For example:
```
cdk bootstrap --custom-permissions-boundary aaa/bbb
```
Would fail:
```
Error: The permissions boundary name aaa/bbb does not match the IAM conventions.
```

This fix allows paths to be specified in the policy name.

Closes #26320.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
lpizzinidev authored Jul 21, 2023
1 parent 9d9daba commit 1820fc9
Showing 3 changed files with 36 additions and 1 deletion.
Expand Up @@ -255,6 +255,17 @@ integTest('can use the custom permissions boundary to bootstrap', withoutBootstr
expect(template).toContain('permission-boundary-name');
}));

integTest('can use the custom permissions boundary (with slashes) to bootstrap', withoutBootstrap(async (fixture) => {
let template = await fixture.cdkBootstrapModern({
// toolkitStackName doesn't matter for this particular invocation
toolkitStackName: fixture.bootstrapStackName,
showTemplate: true,
customPermissionsBoundary: 'permission-boundary-name/with/path',
});

expect(template).toContain('permission-boundary-name/with/path');
}));

integTest('can remove customPermissionsBoundary', withoutBootstrap(async (fixture) => {
const bootstrapStackName = fixture.bootstrapStackName;
const policyName = `${bootstrapStackName}-pb`;
4 changes: 3 additions & 1 deletion packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts
Expand Up @@ -279,7 +279,9 @@ export class Bootstrapper {

private validatePolicyName(permissionsBoundary: string) {
// https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
const regexp: RegExp = /[\w+=,.@-]+/;
// Added support for policy names with a path
// See https://github.com/aws/aws-cdk/issues/26320
const regexp: RegExp = /[\w+\/=,.@-]+/;
const matches = regexp.exec(permissionsBoundary);
if (!(matches && matches.length === 1 && matches[0] === permissionsBoundary)) {
throw new Error(`The permissions boundary name ${permissionsBoundary} does not match the IAM conventions.`);
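Review bot: The widened pattern on the new `const regexp` line accepts `/` at any position, so a leading or trailing slash or an empty segment such as `aaa//bbb` now passes validatePolicyName even though IAM cannot form a policy path from it; presumably the value is interpolated after `policy/` into the permissions-boundary ARN (confirm in the bootstrap template), where such input would surface only as a deploy-time failure instead of this early check. The comment above still points at the CreatePolicy page, whose `PolicyName` pattern has no slash because the path is the separate `Path` parameter, so the citation no longer describes what the regex accepts. I would anchor the pattern and make it name segments joined by single slashes, `const regexp: RegExp = /^[\w+=,.@-]+(?:\/[\w+=,.@-]+)*$/;`, which keeps the existing `exec`/equality check working as written since the group is non-capturing, and reword the comment to say the value is an optional IAM path followed by the policy name, each segment obeying the CreatePolicy name pattern. validatePolicyName's closing brace lies outside the hunk.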
22 changes: 22 additions & 0 deletions packages/aws-cdk/test/api/bootstrap2.test.ts
Expand Up @@ -207,6 +207,28 @@ describe('Bootstrapping v2', () => {
]));
});

test('adding permission boundary with path in policy name', async () => {
mockTheToolkitInfo({
Parameters: [
{
ParameterKey: 'InputPermissionsBoundary',
ParameterValue: '',
},
],
});
await bootstrapper.bootstrapEnvironment(env, sdk, {
parameters: {
customPermissionsBoundary: 'permissions-boundary-name/with/path',
},
});

expect(stderrMock.mock.calls).toEqual(expect.arrayContaining([
expect.arrayContaining([
expect.stringMatching(/Adding new permissions boundary permissions-boundary-name\/with\/path/),
]),
]));
});

test('passing trusted accounts without CFN managed policies results in an error', async () => {
await expect(bootstrapper.bootstrapEnvironment(env, sdk, {
parameters: {
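Review bot: The added test exercises only the accepting path of the relaxed validation; nothing in this hunk checks that a malformed boundary name is still rejected, so a later regression that drops the equality check in validatePolicyName would not be caught by these tests. Unless a rejection case already exists elsewhere in the file, I would add a sibling test that passes a name the pattern must refuse, e.g. `customPermissionsBoundary: 'permissions-boundary name/with/path'` (a space), and asserts `.rejects.toThrow(/does not match the IAM conventions/)` on the `bootstrapEnvironment` call. The enclosing `describe` block starts and ends outside the hunk.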
