(@aws-cdk/aws-dynamodb): Ability to customize role for autogenerated lambdas when setting up global table replication

newcomer commented 3 years ago

CDK creates lambdas and corresponding IAM roles/policies, when setting up replicationRegions in Table construct. We would like set customized role similar to customResourceRole for DnsValidatedCertificate.

Use Case

It's pretty hard and time consuming to perform security audit looking into many autogenerated roles, so it would great to have 1 custom role to review.

Proposed Solution

Add property to pass custom IAM role similar to customResourceRole for DnsValidatedCertificate.

Other

Examples of autogenerated roles:

storage-stack-xxxxxxxx-IsCompleteHandlerService-xxxxxxxx
storage-stack-xxxxxxxx-OnEventHandlerServiceRol-xxxxxxxx
storage-stack-xxxxxxxx-ProviderframeworkisCompl-xxxxxxxx
storage-stack-xxxxxxxx-ProviderframeworkonEvent-xxxxxxxx
storage-stack-xxxxxxxx-ProviderframeworkonTimeo-xxxxxxxx
storage-stack-xxxxxxxx-Providerwaiterstatemachi-xxxxxxxx
[ ] :wave: I may be able to implement this feature request
[ ] :warning: This feature might incur a breaking change

This is a :rocket: Feature Request

peterwoodworth commented 3 years ago

Sorry for the long wait here,

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

rix0rrr commented 1 year ago

This issue was for the existing Table construct, which used custom resources to implement table replication. We no longer recommend the use of the Table construct.

Instead, the TableV2 construct has been released in 2.95.1 (#27023) which maps to the AWS::DynamoDB::GlobalTable resource, has better support for replication and does not suffer from the issue described here.

Be aware that there are additional deployment steps involved in a migration from Table to TableV2. You need to do a RETAIN deployment, a delete deployment, then change the code to use TableV2 and then use cdk import. A link to a full guide will be posted once it is available.

Here are some other resources to get you started (using CfnGlobalTable instead of TableV2) if you want to get going on the migration:

Migrating from Table to CfnGlobalTable, by Samaneh Utter, an AWS Senior Solutions Architect
AWS CDK and Amazon DynamoDB Global Tables, by Wojciech Matuszewski from Stedi
Migrating from Table to CfnGlobalTable, by Sharon Diskin from CloudBit

ashishdhingra commented 4 months ago

@newcomer Good afternoon. Please confirm if the use of new TableV2 construct as suggested in https://github.com/aws/aws-cdk/issues/14576#issuecomment-1729267204 fixed your issue.

Thanks, Ashish

github-actions[bot] commented 4 months ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

newcomer commented 4 months ago

@ashishdhingra, thank you for following up, I'm no longer working in that project, so can't help with the answer

github-actions[bot] commented 4 months ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

aws / aws-cdk