aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-iam: Make IAM.Role.defaultPolicy public #26611

Open mainframenzo opened 1 year ago

mainframenzo commented 1 year ago

Describe the feature

I am trying to modify the defaultPolicy in the IAM.Role construct. The default policy is a great feature - I don't have to worry too much about base permissions when instantiating constructs that manage them, etc. However, I should be able to modify any CloudFormation that gets created by the CDK easily, and I can't seem to with defaultPolicy being private. Please make this public!

Use Case

As one use-case, I'm trying to add Cfn metadata (not CDK Cfn metadata) because I want to use cfn_nag and not CDK nag to remediate some issues in a CICD scanning step (note that below is not possible today):

const cfnPolicy = buildProject.role?.defaultPolicy?.node.defaultChild as IAM.CfnPolicy;
cfnPolicy.addMetadata('cfn_nag', {
  'rules_to_suppress': [...]
});

For this particular use-case, I assign some additional permissions to a CodeBuild project, then try to cfn_nag remediate the role of the CodeBuild project permissions:

const buildProject = new CodeBuild.PipelineProject(this, 'action', ...);
buildProject.addToRolePolicy(...); 

const cfnRole = buildProject.role?.node.defaultChild as IAM.CfnRole;
cfnRole.addMetadata('cfn_nag', {
  'rules_to_suppress': [...]
});

The CloudFormation template has my new permissions under the defaultPolicy, but my metadata shows up under a referenced role, which cfn_nag doesn't seem to care for as remediating, which is just one reason I want access to the defaultPolicy:

  stacknamemyroleconstructIAMRole4AA71546:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          ...
      ManagedPolicyArns:
        ...
    Metadata:
      aws:cdk:path: stack-name/root-construct/my-role-construct/IAMRole/Resource
      cfn_nag:
        rules_to_suppress:
          - ...
  stacknamemyroleconstructIAMRoleDefaultPolicyC3A13125:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          ...
      PolicyName: stacknamemyroleconstructIAMRoleDefaultPolicyC3A13125
      Roles:
        - Ref: stacknamemyroleconstructIAMRole4AA71546
    Metadata:
      aws:cdk:path: stack-name/root-construct/my-role-construct/IAMRole/DefaultPolicy/Resource

Proposed Solution

Just make the private defaultPolicy field public. It's my template, darn it! :)

Other Information

Open to other work-arounds.

Acknowledgements

CDK version used

2.89.0

Environment details (OS name and version, etc.)

All

meniluca commented 10 months ago

I am in desperate need of this. Currently when enabling logRetention in lambda cfn constructs, a default policy is created for the role (even if you provide one with the logRetentionRole parameter) with the following:

"PolicyDocument": {
  "Statement": [
    {
      "Action": [
        "logs:DeleteRetentionPolicy",
        "logs:PutRetentionPolicy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
},

Which is breaking the cdk-nag rule set on my project. There is no way I can add a suppression to that policy without having that field public.
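As an added example (not CDK, cfn_nag or cdk-nag code) of the post-synth workaround both comments above are reaching for: a small TypeScript pass over the synthesized template in cdk.out that locates the AWS::IAM::Policy resources referencing a role's logical ID, reports which statements grant on Resource "*" (the thing the nag rules flag), and attaches cfn_nag rules_to_suppress metadata to those policies rather than to the role. The logical IDs are the ones from the template in the issue; the sample template and the suppression reason are constructed.

```typescript
// Shape of the parts of a CloudFormation template this pass touches.
interface CfnResource {
  Type: string;
  Properties?: Record<string, any>;
  Metadata?: Record<string, any>;
}
interface Template { Resources: Record<string, CfnResource>; }

// Every AWS::IAM::Policy whose Roles list the role via { Ref: <roleLogicalId> }.
// This is how the CDK DefaultPolicy is attached, so it finds that policy too.
function findPoliciesForRole(tpl: Template, roleLogicalId: string): string[] {
  const ids: string[] = [];
  for (const id of Object.keys(tpl.Resources)) {
    const r = tpl.Resources[id];
    const roles: any[] = (r.Properties && r.Properties.Roles) || [];
    if (r.Type === "AWS::IAM::Policy" && roles.some((x) => x && x.Ref === roleLogicalId)) ids.push(id);
  }
  return ids;
}

// Statements in a policy that grant on Resource "*"; review these before suppressing.
function wildcardStatements(tpl: Template, policyId: string): any[] {
  const res = tpl.Resources[policyId];
  const doc = res && res.Properties && res.Properties.PolicyDocument;
  const stmts: any[] = (doc && doc.Statement) || [];
  return stmts.filter((s) => ([] as any[]).concat(s.Resource).indexOf("*") !== -1);
}

// Attach cfn_nag rules_to_suppress metadata to each policy of the role; returns patched IDs.
function suppressOnRolePolicies(tpl: Template, roleLogicalId: string,
    rules: { id: string; reason: string }[]): string[] {
  const ids = findPoliciesForRole(tpl, roleLogicalId);
  for (const id of ids) {
    const res = tpl.Resources[id];
    const meta = res.Metadata || (res.Metadata = {});
    const nag = meta.cfn_nag || (meta.cfn_nag = {});
    nag.rules_to_suppress = (nag.rules_to_suppress || []).concat(rules);
  }
  return ids;
}

// Constructed sample mirroring the Role + DefaultPolicy pair from the issue's template.
const sampleTemplate: Template = { Resources: {
  stacknamemyroleconstructIAMRole4AA71546: { Type: "AWS::IAM::Role", Properties: {} },
  stacknamemyroleconstructIAMRoleDefaultPolicyC3A13125: {
    Type: "AWS::IAM::Policy",
    Properties: {
      PolicyDocument: { Version: "2012-10-17", Statement: [
        { Effect: "Allow", Action: ["logs:PutRetentionPolicy"], Resource: "*" } ] },
      Roles: [{ Ref: "stacknamemyroleconstructIAMRole4AA71546" }] } },
  OtherPolicy: { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "OtherRole" }] } },
} };
```

Read the template with JSON.parse from cdk.out/<stack>.template.json and write it back before the cfn_nag step. Inside the CDK app the same resource is reachable through the construct tree as `role.node.tryFindChild('DefaultPolicy')?.node.defaultChild`, which is the path the aws:cdk:path metadata in the template above shows.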