Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to provide custom role for aws-events-targets #8255

Closed
2 tasks
tmo-trustpilot opened this issue May 28, 2020 · 4 comments · Fixed by #10551
Closed
2 tasks

Ability to provide custom role for aws-events-targets #8255

tmo-trustpilot opened this issue May 28, 2020 · 4 comments · Fixed by #10551
Assignees
@shivlaks
Labels
@aws-cdk/aws-events-targets effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md in-progress This issue is being actively worked on. p1

Comments

@tmo-trustpilot
Copy link

Currently if you wish to use a SfnStateMachine target from CloudWatch events it will generate a new Role and Policy document for executing the state machine. I believe this also applies for the other target types as well.

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-events-targets/lib/state-machine.ts#L34-L37

I would like to be able to provide or override the role used.

Use Case

Our organisational controls don't allow for arbitrary new roles and policies to be added like this. We have predetermined roles we can use for our services, and if new permissions are required they are handled centrally.

Being able to provide the execution role here allows our security team to retain control of IAM roles and policies.

Proposed Solution

Add an override or optional parameter for passing an existing role to the AWS::Events::Rule that it will use.

Other

It would probably make sense to add this override for all of the event targets for consistency.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
@tmo-trustpilot tmo-trustpilot added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 28, 2020
@tmo-trustpilot
Copy link
Author

I've attempted to work around this temporarily by copying the SfnStateMachine class locally with a modification to pass in the IRole, and I've discovered the RunLambdaTask class generates policy statements on the role.

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts#L89

Because I'm passing in the same role that is declared on the lambda, this policy document causes a circular dependency in the CloudFormation.

@tmo-trustpilot
Copy link
Author

The StateMachine class will also produce policy documents and attempt to attach them to the role if you enable logging:

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-stepfunctions/lib/state-machine.ts#L202-L215

@rix0rrr
Copy link
Contributor

rix0rrr commented Jun 1, 2020

Duplicate of #7859 and of #5865

@rix0rrr rix0rrr added p2 p1 and removed p2 labels Jun 1, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Jun 2, 2020
@rix0rrr rix0rrr closed this as completed Jun 3, 2020
@rix0rrr rix0rrr reopened this Jun 3, 2020
@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md and removed p1 labels Jun 3, 2020
@rix0rrr rix0rrr added the p1 label Aug 12, 2020
@SomayaB SomayaB assigned shivlaks and unassigned rix0rrr Aug 20, 2020
@ayush987goyal ayush987goyal mentioned this issue Sep 26, 2020
Merged
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Sep 29, 2020
@mergify mergify bot closed this as completed in #10551 Sep 30, 2020
mergify bot pushed a commit that referenced this issue Sep 30, 2020
@ayush987goyal
feat(events-targets): option to provide an existing role to use with …
b96efd8 
…the StepFunctions State Machine target (#10551)

Add option to use existing role for SfnStateMachine

closes #8255

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@tmo-trustpilot
Copy link
Author

@ayush987goyal and @shivlaks, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shivlaks shivlaks

Labels
@aws-cdk/aws-events-targets effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md in-progress This issue is being actively worked on. p1
Projects
None yet
Milestone
No milestone
4 participants
@rix0rrr @tmo-trustpilot @SomayaB @shivlaks