From b2fb4d0522de98730539316d01ddae2b707deb29 Mon Sep 17 00:00:00 2001 From: John Pignata Date: Wed, 23 Nov 2022 02:17:28 +0000 Subject: [PATCH] fix(appsync): fully qualify service principal In #22819, a feature flag was added to use standardized service principal names instead of using a database lookup. This reference wasn't updated which causes failures in new CDK applications that try to create AppSync resources. This change passes the fully qualified service principal when creating a service role for a new data source. fixes #23035 --- packages/@aws-cdk/aws-appsync/lib/data-source.ts | 4 +++- .../test/integ.api-import.js.snapshot/stack.template.json | 2 +- .../test/integ.api-import.js.snapshot/tree.json | 2 +- .../integ.appsync-lambda.js.snapshot/stack.template.json | 2 +- .../test/integ.appsync-lambda.js.snapshot/tree.json | 2 +- .../aws-appsync-integ.template.json | 2 +- .../test/integ.auth-apikey.js.snapshot/tree.json | 2 +- .../appsync-elasticsearch.template.json | 2 +- .../integ.graphql-elasticsearch.js.snapshot/tree.json | 2 +- .../aws-appsync-integ.template.json | 2 +- .../test/integ.graphql-iam.js.snapshot/tree.json | 2 +- .../appsync-opensearch.template.json | 2 +- .../test/integ.graphql-opensearch.js.snapshot/tree.json | 2 +- .../code-first-schema.template.json | 2 +- .../test/integ.graphql-schema.js.snapshot/tree.json | 2 +- .../aws-appsync-integ.template.json | 8 ++++---- .../aws-appsync/test/integ.graphql.js.snapshot/tree.json | 8 ++++---- 17 files changed, 25 insertions(+), 23 deletions(-) diff --git a/packages/@aws-cdk/aws-appsync/lib/data-source.ts b/packages/@aws-cdk/aws-appsync/lib/data-source.ts index 3351c6b18c14a..0ca273a78db8d 100644 --- a/packages/@aws-cdk/aws-appsync/lib/data-source.ts +++ b/packages/@aws-cdk/aws-appsync/lib/data-source.ts 
@@ -113,7 +113,9 @@ export abstract class BaseDataSource extends Construct { super(scope, id); if (extended.type !== 'NONE') { - this.serviceRole = props.serviceRole || new Role(this, 'ServiceRole', { assumedBy: new ServicePrincipal('appsync') }); + this.serviceRole = props.serviceRole || new Role(this, 'ServiceRole', { + assumedBy: new ServicePrincipal('appsync.amazonaws.com'), + }); } // Replace unsupported characters from DataSource name. The only allowed pattern is: {[_A-Za-z][_0-9A-Za-z]*} const name = (props.name ?? id); diff --git a/packages/@aws-cdk/aws-appsync/test/integ.api-import.js.snapshot/stack.template.json b/packages/@aws-cdk/aws-appsync/test/integ.api-import.js.snapshot/stack.template.json index 4088e158a6afc..dfc84cc9bf272 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.api-import.js.snapshot/stack.template.json +++ b/packages/@aws-cdk/aws-appsync/test/integ.api-import.js.snapshot/stack.template.json @@ -9,7 +9,7 @@ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "Service": "appsync.amazonaws.com" + "Service": "appsync" } } ], diff --git a/packages/@aws-cdk/aws-appsync/test/integ.api-import.js.snapshot/tree.json b/packages/@aws-cdk/aws-appsync/test/integ.api-import.js.snapshot/tree.json index 3bd70c3a25bfc..76c3964267e4e 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.api-import.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-appsync/test/integ.api-import.js.snapshot/tree.json @@ -132,7 +132,7 @@ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "Service": "appsync.amazonaws.com" + "Service": "appsync" } } ], diff --git a/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.js.snapshot/stack.template.json b/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.js.snapshot/stack.template.json index e827e2bef4619..671bc197235a8 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.js.snapshot/stack.template.json 
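Review bot: The new `assumedBy: new ServicePrincipal('appsync.amazonaws.com')` line sets the trust-policy principal of the auto-created service role, but the diffstat lists only integration snapshots and no unit test that asserts the synthesized `AssumeRolePolicyDocument`, so a later regression to the short name would again show up only at deploy time. Two of the regenerated snapshots, integ.api-import and integ.appsync-lambda, change in the opposite direction (`"Service": "appsync.amazonaws.com"` becomes `"Service": "appsync"`), which does not match this hunk; they look as if they were produced from a build without the fix and are worth regenerating. A short comment above the assignment would also help the next reader, for example `// Fully qualified on purpose: with standardized service principals (#22819) the short name 'appsync' appears to be emitted as-is`. The constructor body starts and ends outside the hunk.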
+++ b/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.js.snapshot/stack.template.json
@@ -42,7 +42,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync.amazonaws.com"
+ "Service": "appsync"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.js.snapshot/tree.json b/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.js.snapshot/tree.json
index 7bfcf564f00cc..c3677831af3a8 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.js.snapshot/tree.json
@@ -94,7 +94,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync.amazonaws.com"
+ "Service": "appsync"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.template.json b/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.template.json
index d7f6c20090494..08669bf3f0155 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.template.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.template.json
@@ -42,7 +42,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/tree.json b/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/tree.json
index 267130fb25b3f..08fab54693665 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/tree.json
@@ -94,7 +94,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/appsync-elasticsearch.template.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/appsync-elasticsearch.template.json
index dcf0b78c8768e..028edef274be0 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/appsync-elasticsearch.template.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/appsync-elasticsearch.template.json
@@ -90,7 +90,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/tree.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/tree.json
index 1cf9c3478a563..35a2d61f1ee63 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/tree.json
@@ -177,7 +177,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/aws-appsync-integ.template.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/aws-appsync-integ.template.json
index 1fca9f01ac741..1a4e761944b90 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/aws-appsync-integ.template.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/aws-appsync-integ.template.json
@@ -74,7 +74,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/tree.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/tree.json
index ac1075e5a5b5a..fe282faa89525 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/tree.json
@@ -137,7 +137,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/appsync-opensearch.template.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/appsync-opensearch.template.json
index 979d38093b0c9..b6e627fd979cb 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/appsync-opensearch.template.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/appsync-opensearch.template.json
@@ -87,7 +87,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/tree.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/tree.json
index 855d95425a282..65c899c9a5580 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/tree.json
@@ -174,7 +174,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/code-first-schema.template.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/code-first-schema.template.json
index d7a5b5aea3152..efa6773bdc04b 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/code-first-schema.template.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/code-first-schema.template.json
@@ -42,7 +42,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/tree.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/tree.json
index 909aef613b2f5..afde7e6596daa 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/tree.json
@@ -94,7 +94,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql.js.snapshot/aws-appsync-integ.template.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql.js.snapshot/aws-appsync-integ.template.json
index 9fb7d256f9660..e61ff4d7d2c7a 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql.js.snapshot/aws-appsync-integ.template.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql.js.snapshot/aws-appsync-integ.template.json
@@ -122,7 +122,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
@@ -420,7 +420,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
@@ -1233,7 +1233,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
@@ -1396,7 +1396,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql.js.snapshot/tree.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql.js.snapshot/tree.json
index 6aa74eb3f57ae..776ab4196a33e 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql.js.snapshot/tree.json
@@ -222,7 +222,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
@@ -714,7 +714,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
@@ -2057,7 +2057,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],
@@ -2316,7 +2316,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
 }
 }
 ],