Open coding-jj opened 4 years ago
This issue uses ASG as a use case, but is much more general.
Just think of the default Roles:
Most users will create these Roles when clicking around and testing in AWS manually. For users not using KMS CMK these roles don't need other rights.
If you use KMS CMK these Roles need to be added to the KMS CMK Key Policy, and in this case the Policy will throw an error if the Principal of the Policy Statement doesn't exist (Policy contains a statement with one or more invalid principals).
The stacks in CDK should be reproducible, so there must be a way to create Service Linked Roles with Custom Suffix on rollout of a CDK Stack, and these Roles should disappear when the Stack is deleted.
@rix0rrr Any thoughts?
++
Actually, to do that I've created a custom resource with a "lambda.SingletonFunction" to create or revoke this Grant; not very integrated... Before that, you need to import the ARN of the CMK, and the Key only: the Grant can't be created with an Alias. So the other difficulty is to get the ARN of the CMK created in another account.
There is no native solution for that either... You need to create an SSM Parameter from a "cdk [...] --outputs-file" beforehand with the wanted outputs. We really need a feature like a "resolver" across accounts/stacks in CDK core.
Service Linked Roles can't be created in a Stack format. They are created automatically by cdk if they don't exist, but you can't use them in other stacks.
Use Case
/aws-service-role/autoscaling.amazonaws.com/ with custom suffix
On Stack Deleting:
Proposed Solution
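For reference, the pattern the issue asks for, written as a CloudFormation template (an added example, not code from this thread or from the CDK project; the same resource is available in CDK as the L1 construct `iam.CfnServiceLinkedRole`). The suffix `cdkdemo` is an assumed value; the key policy actions are the ones Auto Scaling needs to launch encrypted volumes with a CMK.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Service-linked role with a custom suffix, created and deleted with the stack.
  AutoScalingSLR:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: autoscaling.amazonaws.com
      CustomSuffix: cdkdemo   # assumed value

  VolumeKey:
    Type: AWS::KMS::Key
    # The key policy names the role as a principal, so the role must exist
    # first; otherwise KMS rejects the policy with "Policy contains a
    # statement with one or more invalid principals".
    DependsOn: AutoScalingSLR
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AccountAdmin
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # Role name is AWSServiceRoleForAutoScaling_<CustomSuffix> under the
          # /aws-service-role/autoscaling.amazonaws.com/ path.
          - Sid: AutoScalingUseKey
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling_cdkdemo
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
          - Sid: AutoScalingCreateGrant
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling_cdkdemo
            Action: kms:CreateGrant
            Resource: "*"
            Condition:
              Bool:
                kms:GrantIsForAWSResource: "true"
```

Deleting the stack removes the role together with the key; the delete fails while an Auto Scaling group is still using the role, which is the safe outcome.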