I opened issue #27203 in the aws-cdk GitHub repo, but they told me this was a more appropriate place to report it.
When creating a Lex V2 bot with a built-in intent type of AMAZON.KendraSearchIntent, a policy with permissions to query Kendra should be generated, but it isn't. The policy is automatically generated and attached to the service-linked role when the bot is created in the AWS console, but it is not added if the bot is created through the CDK (and therefore CloudFormation).
In the CfnServiceLinkedRole docs it says:
To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.
Lex doesn't have any provisions for modifying service-linked roles that I can see. The service-linked role docs for Lex say that if a bot is configured to use the KendraSearchIntent intent, then the service-linked role should allow the actions for the specified resource.
```python
# CDK (Python) snippet from the report, run inside a Stack's __init__ (hence `self`).
# Imports added here; `account`, `kendra_index`, `env_tag` and `project_tag` are
# defined elsewhere in the stack and are not shown in the original report.
from aws_cdk import aws_iam as iam
from aws_cdk import aws_lex as lex

# Service-linked role for Lex V2. CloudFormation creates the role, but (per this
# report) the Kendra query policy that the console attaches never appears on it.
lex_role = iam.CfnServiceLinkedRole(
    self,
    "Lex Role",
    aws_service_name="lexv2.amazonaws.com",
    description="Service Linked Role for Lex Bots deployed by cdk stack",
    custom_suffix="test",
)

menu_bot = lex.CfnBot(
    self,
    "Menu Bot",
    data_privacy={"ChildDirected": False},
    idle_session_ttl_in_seconds=60,
    name="MenuBot",
    # Service-linked roles live under the /aws-service-role/<service-principal>/ path.
    role_arn=f"arn:aws:iam::{account}:role/aws-service-role/lexv2.amazonaws.com/{lex_role.attr_role_name}",
    bot_locales=[
        lex.CfnBot.BotLocaleProperty(
            locale_id="en_US",
            description="Locale for Kendra",
            nlu_confidence_threshold=0.90,
            intents=[
                # A locale needs at least one custom intent with an utterance to build.
                lex.CfnBot.IntentProperty(
                    name="RequiredIntent",
                    description="Intent required for bot to build",
                    sample_utterances=[
                        lex.CfnBot.SampleUtteranceProperty(
                            utterance="Do not use this ever"
                        )
                    ],
                ),
                # The built-in Kendra search intent; this is the one that needs
                # kendra:Query on the index in the role's policy.
                lex.CfnBot.IntentProperty(
                    name="KendraSearchIntent",
                    description="Intent to ask a question. This intent searches a Kendra index for an answer to the question.",
                    kendra_configuration=lex.CfnBot.KendraConfigurationProperty(
                        kendra_index=kendra_index.attr_arn,
                    ),
                    parent_intent_signature="AMAZON.KendraSearchIntent",
                    fulfillment_code_hook=lex.CfnBot.FulfillmentCodeHookSettingProperty(
                        enabled=False,
                        is_active=True,
                        post_fulfillment_status_specification=lex.CfnBot.PostFulfillmentStatusSpecificationProperty(
                            success_response=lex.CfnBot.ResponseSpecificationProperty(
                                allow_interrupt=True,
                                message_groups_list=[
                                    lex.CfnBot.MessageGroupProperty(
                                        message=lex.CfnBot.MessageProperty(
                                            plain_text_message=lex.CfnBot.PlainTextMessageProperty(
                                                # Session-attribute placeholders are wrapped in (( )).
                                                # The closing )) was missing in the original snippet.
                                                value="I found a link to a document that could help you: ((x-amz-lex:kendra-search-response-document-link-1))"
                                            )
                                        ),
                                    )
                                ],
                            )
                        ),
                    ),
                ),
                lex.CfnBot.IntentProperty(
                    name="FallbackIntent",
                    description="Default intent when no other intent matches",
                    parent_intent_signature="AMAZON.FallbackIntent",
                ),
            ],
        )
    ],
    auto_build_bot_locales=True,
    description="Draft Version",
    bot_tags=[env_tag, project_tag],
)
```
Expected Behavior
A policy allowing access to Kendra from Lex should be generated so Lex can use the built-in AMAZON.KendraSearchIntent intent.
Observed Behavior
The policy is not generated; access is blocked.
Test Cases
Create a Lex bot with AMAZON.KendraSearchIntent and test the bot; it should have permissions to access Kendra.
Name of the resource
AWS::IAM::ServiceLinkedRole
Resource Name
No response
Issue Description
Link to CfnServiceLinkedRole docs: https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_iam/CfnServiceLinkedRole.html
Link to LexV2 Service linked role docs: https://docs.aws.amazon.com/lexv2/latest/dg/using-service-linked-roles.html
Other Details
No response
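A way to confirm the observed behavior before filing or after a fix ships is to pull the policy documents off the bot's role and check whether any of them actually grants kendra:Query on the configured index. The script below is an added example, not part of the original report or of the CDK/CloudFormation projects. The policy documents, account ID and index ARN in it are constructed samples (BASE_POLICY is a stand-in for a role with no Kendra grant, not a copy of what AWS attaches); `role_policy_documents` fetches real documents with boto3 when credentials are available. It evaluates only Effect/Action/Resource (no Condition, NotAction or NotResource), which is enough to spot the missing grant this report describes.

```python
"""Does a Lex V2 bot role's policy set grant kendra:Query on the bot's index?"""
import re
import sys
from typing import Iterable, List

# Constructed sample identifiers (not a real account or index).
KENDRA_INDEX_ARN = "arn:aws:kendra:us-east-1:123456789012:index/0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"

# Constructed stand-in for a role that carries only non-Kendra permissions,
# which is how this report describes the CloudFormation-created role.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["polly:SynthesizeSpeech", "comprehend:DetectSentiment"], "Resource": "*"},
    ],
}

# Constructed sample of the grant AMAZON.KendraSearchIntent needs: kendra:Query
# scoped to the single index the bot is configured with.
KENDRA_QUERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kendra:Query", "Resource": KENDRA_INDEX_ARN}],
}


def _as_list(value) -> list:
    """IAM allows Statement/Action/Resource to be a string, a list, or absent."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, ignore_case: bool) -> "re.Pattern[str]":
    """Translate an IAM wildcard pattern ('*' any run, '?' one char) to an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    if not any(_glob(a, True).match(action) for a in _as_list(stmt.get("Action"))):
        return False
    return any(_glob(r, False).match(resource) for r in _as_list(stmt.get("Resource")))


def allows(policy_docs: Iterable[dict], action: str, resource: str) -> bool:
    """True if some Allow statement covers the call and no Deny statement does."""
    allowed = denied = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


def bot_can_query_kendra(policy_docs: Iterable[dict], index_arn: str) -> bool:
    """The check this report is about: can the role call kendra:Query on the index?"""
    return allows(policy_docs, "kendra:Query", index_arn)


def role_policy_documents(role_name: str) -> List[dict]:
    """Collect inline and attached policy documents for a role (needs AWS credentials)."""
    import boto3  # imported here so the offline checks above run without it

    iam = boto3.client("iam")
    docs: List[dict] = []
    for page in iam.get_paginator("list_role_policies").paginate(RoleName=role_name):
        for name in page["PolicyNames"]:
            docs.append(iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"])
    for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name):
        for attached in page["AttachedPolicies"]:
            arn = attached["PolicyArn"]
            version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
            docs.append(iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"])
    return docs


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("role without Kendra grant:", bot_can_query_kendra([BASE_POLICY], KENDRA_INDEX_ARN))
    print("role with Kendra grant:   ", bot_can_query_kendra([BASE_POLICY, KENDRA_QUERY_POLICY], KENDRA_INDEX_ARN))
    # Live check: python check_kendra_grant.py <role-name> <kendra-index-arn>
    if len(sys.argv) == 3:
        print("live role:", bot_can_query_kendra(role_policy_documents(sys.argv[1]), sys.argv[2]))
```

For the service-linked role in the snippet above, the role name to pass is the value of `lex_role.attr_role_name` (for `custom_suffix="test"` that is `AWSServiceRoleForLexV2Bots_test`). A `False` result on a bot that has AMAZON.KendraSearchIntent configured is exactly the gap reported here.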