[CodeBuild] resource imported without a role error #10234

Closed
reisingerf opened this issue Sep 8, 2020 · 4 comments
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

@reisingerf

I am hitting this error, a version of which seems to have been reported before in #4613 and was fixed by @skinny85.
This might be a regression, as reverting back to version 1.58 of CDK seems to solve it.

cc @brainstorm @victorskl

In my scenario I have two stacks, one (cicd) to deploy a CodeBuild project and one (slack) to deploy an SNS topic and Lambda to send messages (from CodeBuild events) to Slack.
The second one uses `cb.Project.from_project_name` to load the deployed CodeBuild project from the first stack to grant publish permissions.

This second stack is now giving me issues with the import error preventing even a simple cdk list.

Reproduction Steps

Our CDK code is hosted here:
https://github.com/umccr/infrastructure/tree/master/cdk/apps/umccrise

Things to note:
These stacks were initially deployed a while ago and have been working well without any issues. We've since updated CDK to its latest version and I now tried to make small changes.
The cicd stack has since also drifted and the role that is causing the error has gained an additional policy (not sure yet from where), now having two policies attached as opposed to the initial single one.

What did you expect to happen?

The cdk list to list the stacks.

What actually happened?

The error below.

Environment

  • CLI Version : 1.62.0 (build 8c2d7fc)
  • Framework Version:
  • Node.js Version: v14.9.0
  • OS : macOS 10.15.6 (Catalina)
  • Language (Version): Python 3.8

Other

The full error

% cdk list
jsii.errors.JavaScriptError:
  Error: Cannot get policy fragment of umccrise-codebuild-slack-dev/UmccriseCodeBuildProject, resource imported without a role
      at UnknownPrincipal.get policyFragment [as policyFragment] (/private/var/folders/9z/v3psv7dn2634_7gjzf5rn5dh0000gn/T/jsii-kernel-05tHku/node_modules/@aws-cdk/aws-iam/lib/unknown-principal.js:23:15)
      at PolicyStatement.addPrincipals (/private/var/folders/9z/v3psv7dn2634_7gjzf5rn5dh0000gn/T/jsii-kernel-05tHku/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:118:40)
      at new PolicyStatement (/private/var/folders/9z/v3psv7dn2634_7gjzf5rn5dh0000gn/T/jsii-kernel-05tHku/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:41:14)
      at Function.addToPrincipalOrResource (/private/var/folders/9z/v3psv7dn2634_7gjzf5rn5dh0000gn/T/jsii-kernel-05tHku/node_modules/@aws-cdk/aws-iam/lib/grant.js:59:27)
      at Topic.grantPublish (/private/var/folders/9z/v3psv7dn2634_7gjzf5rn5dh0000gn/T/jsii-kernel-05tHku/node_modules/@aws-cdk/aws-sns/lib/topic-base.js:59:26)
      at /usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7756:51
      at Kernel._wrapSandboxCode (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8420:19)
      at /usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7756:25
      at Kernel._ensureSync (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8393:20)
      at Kernel.invoke (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7755:26)
      at KernelHost.processRequest (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7456:28)
      at KernelHost.run (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7394:14)
      at Immediate._onImmediate (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7397:37)
      at processImmediate (internal/timers.js:461:21)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "app.py", line 115, in <module>
    CodeBuildLambdaStack(
  File "/usr/local/lib/python3.8/site-packages/jsii/_runtime.py", line 69, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/freisinger/Devel/projects/github/UMCCR/infrastructure/cdk/apps/umccrise/stacks/slack.py", line 66, in __init__
    sns_topic.grant_publish(cb_project)
  File "/usr/local/lib/python3.8/site-packages/aws_cdk/aws_sns/__init__.py", line 2542, in grant_publish
    return jsii.invoke(self, "grantPublish", [grantee])
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/__init__.py", line 121, in wrapped
    return _recursize_dereference(kernel, fn(kernel, *args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/__init__.py", line 311, in invoke
    response = self.provider.invoke(
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 351, in invoke
    return self._process.send(request, InvokeResponse)
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 321, in send
    raise JSIIError(resp.error) from JavaScriptError(resp.stack)
jsii.errors.JSIIError: Cannot get policy fragment of umccrise-codebuild-slack-dev/UmccriseCodeBuildProject, resource imported without a role
Subprocess exited with error 1

This is 🐛 Bug Report

@reisingerf reisingerf added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 8, 2020
@github-actions github-actions bot added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label Sep 8, 2020
victorskl added a commit to umccr/infrastructure that referenced this issue Sep 8, 2020
* With latest cdk version, it does not like to import
  external fragments i.e. `cb.Project.from_project_name(...)`
  return object fragment from jsii reflection. Hence, not
  resolving full object state.
* Related aws/aws-cdk#10234
reisingerf pushed a commit to umccr/infrastructure that referenced this issue Sep 8, 2020
* With latest cdk version, it does not like to import
  external fragments i.e. `cb.Project.from_project_name(...)`
  return object fragment from jsii reflection. Hence, not
  resolving full object state.
* Related aws/aws-cdk#10234
@skinny85
Contributor

Hey @reisingerf ,

thanks for the report. I tried running cdk synth in the cdk/apps/umccrise directory, but I got an error:

Traceback (most recent call last):
  File "app.py", line 15, in <module>
    ro_bucket_names = ssm_client.get_parameter(Name='/cdk/umccrise/batch/ro_buckets')['Parameter']['Value'].split(',')
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/client.py", line 663, in _make_api_call
    operation_model, request_dict, request_context)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/client.py", line 682, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/endpoint.py", line 116, in create_request
    operation_name=operation_model.name)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/signers.py", line 162, in sign
    auth.add_auth(request)
  File "/Users/adamruka/workplace/cdk/on-call/resource-imported-without-role/cdk/apps/umccrise/.env/lib/python3.7/site-packages/botocore/auth.py", line 357, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials

Can you try to minimize the reproduction steps a little bit? I'm very curious about this error, but it's hard for me to tell you more about it without being able to reproduce it locally.

Thanks,
Adam

@skinny85 skinny85 added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 16, 2020
@reisingerf
Author

Hi @skinny85,

I have tried to remove all non-essential parts and our custom resources. I pushed the result into a new independent repo: https://github.com/reisingerf/cdk-cross-stack-ref-error

After cloning that repo, I run the usual:

python3 -m venv .env
source .env/bin/activate
pip install -r requirements.txt
cdk list

Which results in the same resource imported without a role error.

I am still on cdk version: 1.62.0 (build 8c2d7fc)

I hope that helps!
Florian

p.s. note that as @victorskl mentioned above, switching to object references, rather than by name, solved our issue.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 19, 2020
@skinny85
Contributor

@reisingerf since the problem is fixed, and the issue is that you previously imported a Project that didn't have a Role specified, is there anything else you'd like our assistance on?

Thanks,
Adam

@skinny85 skinny85 added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 16, 2021