
aws-cdk-lib/aws-lambda: managed policies for deadLetterTopic #26918

Closed
2 tasks
bitowaqr opened this issue Aug 29, 2023 · 3 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management feature-request A feature should be added or improved. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@bitowaqr

Describe the feature

When setting a deadLetterTopic in lambda.Function, an inline policy is created. From buildDeadLetterQueue:

    // excerpt from buildDeadLetterQueue in the aws-lambda Function construct
    if (props.deadLetterTopic) {
      deadLetterQueue = props.deadLetterTopic;
      // the statement is added to the function's role as an inline policy
      this.addToRolePolicy(new iam.PolicyStatement({
        actions: ['sns:Publish'],
        resources: [deadLetterQueue.topicArn],
      }));
    }

Some compliance packages require using managed policies only.

Use Case

Building HIPAA compliant applications requires using managed policies only. It also requires using dead letter queues. I can't seem to make the two work at the same time.

Proposed Solution

Let me define a role in sns.ITopic

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.90.0

Environment details (OS name and version, etc.)

na

@bitowaqr bitowaqr added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 29, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 29, 2023
@peterwoodworth
Contributor

The role this policy is being added to is the Lambda service role:

    // from the Function construct: a role is generated unless the caller supplies one
    this.role = props.role || new iam.Role(this, 'ServiceRole', {
      // ...
    });

You have a couple of options. You can provide your own role to the function while calling withoutPolicyUpdates to ensure the role won't have any more policies attached to it. This is the official solution for when undesired policies are added to a role.

Alternatively, you could modify this role with escape hatches to remove any policies like so:

    fn.role?.node.tryRemoveChild('DefaultPolicy');

Let me know if both of these solutions are lacking and a feature request is still desired.
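As an added example (not code from the aws-cdk project or from either commenter), a post-synth check a pipeline can run over `cdk synth --json` output to confirm that a function wired to a deadLetterTopic ended up with managed policies only. The two templates are constructed samples with assumed logical ids: one with the CDK-generated ServiceRole and its inline DefaultPolicy, one with a caller-provided role passed through withoutPolicyUpdates and a customer-managed policy for sns:Publish.

```typescript
// Added example, not code from aws-cdk or either commenter: scan a synthesized
// CloudFormation template (e.g. `cdk synth --json` output) for inline IAM policies,
// which is what the Lambda construct's addToRolePolicy produces via the role's
// DefaultPolicy. Resource shapes and logical ids below are constructed samples.

type CfnResource = { Type: string; Properties?: Record<string, unknown> };
export type CfnTemplate = { Resources: Record<string, CfnResource> };
export interface Finding { logicalId: string; reason: string }

// Flags standalone AWS::IAM::Policy resources and roles with embedded `Policies`.
// AWS::IAM::ManagedPolicy resources and ManagedPolicyArns on a role are allowed.
export function findInlinePolicies(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    const embedded = res.Properties?.Policies;
    if (res.Type === 'AWS::IAM::Policy') {
      findings.push({ logicalId, reason: 'standalone inline policy (AWS::IAM::Policy)' });
    } else if (res.Type === 'AWS::IAM::Role' && Array.isArray(embedded) && embedded.length > 0) {
      findings.push({ logicalId, reason: 'role carries embedded Policies' });
    }
  }
  return findings;
}

const publishStatement = { Effect: 'Allow', Action: 'sns:Publish', Resource: { Ref: 'DlqTopic' } };

// Constructed: what synth produces with a CDK-generated ServiceRole and deadLetterTopic set.
export const defaultRoleTemplate: CfnTemplate = {
  Resources: {
    DlqTopic: { Type: 'AWS::SNS::Topic' },
    FnServiceRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [
      'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'] } },
    FnServiceRoleDefaultPolicy: { Type: 'AWS::IAM::Policy', Properties: {
      PolicyDocument: { Statement: [publishStatement] }, Roles: [{ Ref: 'FnServiceRole' }] } },
    Fn: { Type: 'AWS::Lambda::Function', Properties: { Role: { 'Fn::GetAtt': ['FnServiceRole', 'Arn'] } } },
  },
};

// Constructed: same function, caller-provided role via withoutPolicyUpdates, sns:Publish in a managed policy.
export const managedOnlyTemplate: CfnTemplate = {
  Resources: {
    DlqTopic: { Type: 'AWS::SNS::Topic' },
    FnRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [
      'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole', { Ref: 'DlqPublishPolicy' }] } },
    DlqPublishPolicy: { Type: 'AWS::IAM::ManagedPolicy', Properties: {
      PolicyDocument: { Statement: [publishStatement] } } },
    Fn: { Type: 'AWS::Lambda::Function', Properties: { Role: { 'Fn::GetAtt': ['FnRole', 'Arn'] } } },
  },
};
```

Run findInlinePolicies on each synthesized stack in CI and fail the build on any finding; it catches the inline DefaultPolicy before deploy, where a runtime inline-policy check such as the AWS Config rule iam-no-inline-policy-check would only report it afterwards.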

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 29, 2023
@bitowaqr
Author

Sorry, my mistake. I must have used withoutPolicyUpdates wrong somehow. Now it suddenly works fine... Thanks so much for the quick response!

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
