iann0036 / AWSConsoleRecorder

Records actions made in the AWS Management Console and outputs the equivalent CLI/SDK commands and CloudFormation/Terraform templates.
MIT License
1.42k stars, 87 forks

CloudFormation IAM Role missing managed policies #10

Open tlelson opened 5 years ago

tlelson commented 5 years ago

Describe the bug
I created an IAM Role with managed policies, but the generated CFN did not contain them.

Related Mapping
iam:AttacheRoleToPolicy

Related Language
CloudFormation

To Reproduce
Steps to reproduce the behavior:

  1. Go to IAM in console
  2. Create a role with managed policies
  3. Observe generated CFN

Expected behavior
Expected CFN like this:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  Generator: "console-recorder"
Description: ""
Resources:
  DevDataUser:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "DevDataUser"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              AWS: "XXXXXXXXXX"
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
```

Actual behaviour
Got CFN like this:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Metadata:
    Generator: "console-recorder"
Description: ""
Resources:
        iamdea1b3b:
            Type: "AWS::IAM::Role"
            Properties:
            RoleName: "DevDataUser"
            AssumeRolePolicyDocument: 
                    Version: "2012-10-17"
                    Statement: 
                      - 
                            Effect: "Allow"
                            Action: "sts:AssumeRole"
                            Principal: 
                                AWS: "XXXXXXXXXX"
                            Condition: 
                                Bool: 
                                    aws:MultiFactorAuthPresent: "true"
```

Additional context

Interestingly, the SDK code all uses the AttachRolePolicy method after creating the role. I did not test them, but they look good. I suppose this is a nuance of CloudFormation that I imagine is a little harder to capture than with the REST APIs.

iann0036 commented 5 years ago

Thanks for raising.

Issue is because the call happens after creation, so would be implemented by https://github.com/iann0036/AWSConsoleRecorder/issues/2

Will prioritise this issue when I start on that.
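To make the fix under discussion concrete, here is an added example (my own illustration, not AWSConsoleRecorder's code) of folding a post-creation iam:AttachRolePolicy call into the ManagedPolicyArns property of the AWS::IAM::Role that an earlier iam:CreateRole call produced. The recording format (a list of dicts with "action" and "params" keys) and the function names are assumptions; the sample calls are constructed from the role in the issue. Attach calls that refer to a role not created during the recording cannot be expressed on a new Role resource, so they are returned separately instead of being silently dropped.

```python
"""Merge recorded IAM API calls into one CloudFormation template (hypothetical)."""
import json
import re
from typing import Any, Dict, List, Tuple

# Constructed sample trust policy, matching the role in the issue report.
ASSUME_ROLE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Principal": {"AWS": "XXXXXXXXXX"},
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Constructed sample recording (assumed shape; not the extension's real format).
# The IAM API takes the trust policy as a JSON string, so it is stored that way.
RECORDED_CALLS: List[Dict[str, Any]] = [
    {"action": "iam:CreateRole",
     "params": {"RoleName": "DevDataUser",
                "AssumeRolePolicyDocument": json.dumps(ASSUME_ROLE_DOC)}},
    {"action": "iam:AttachRolePolicy",
     "params": {"RoleName": "DevDataUser",
                "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
    {"action": "iam:AttachRolePolicy",
     "params": {"RoleName": "DevDataUser",
                "PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"}},
    # Re-attaching the same policy is a no-op in IAM; it must not duplicate the ARN.
    {"action": "iam:AttachRolePolicy",
     "params": {"RoleName": "DevDataUser",
                "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
    # Attach to a role that was NOT created in this recording (edge case).
    {"action": "iam:AttachRolePolicy",
     "params": {"RoleName": "PreExistingRole",
                "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]


def logical_id(role_name: str) -> str:
    """CloudFormation logical IDs are alphanumeric only; strip anything else."""
    return re.sub(r"[^A-Za-z0-9]", "", role_name) or "IamRole"


def calls_to_template(calls: List[Dict[str, Any]]) -> Tuple[Dict[str, Any], List[Dict[str, Any]]]:
    """Return (template, unresolved_calls).

    CreateRole opens a new AWS::IAM::Role resource; a later AttachRolePolicy
    on the same RoleName is merged into that resource's ManagedPolicyArns.
    Calls that cannot be attributed to a recorded role are returned unresolved.
    """
    resources: Dict[str, Any] = {}
    roles_by_name: Dict[str, str] = {}   # RoleName -> logical ID
    unresolved: List[Dict[str, Any]] = []

    for call in calls:
        action, params = call["action"], call["params"]
        if action == "iam:CreateRole":
            lid = logical_id(params["RoleName"])
            doc = params["AssumeRolePolicyDocument"]
            if isinstance(doc, str):          # API form is a JSON string
                doc = json.loads(doc)         # CFN wants a structured document
            resources[lid] = {
                "Type": "AWS::IAM::Role",
                "Properties": {"RoleName": params["RoleName"],
                               "AssumeRolePolicyDocument": doc},
            }
            roles_by_name[params["RoleName"]] = lid
        elif action == "iam:AttachRolePolicy":
            lid = roles_by_name.get(params["RoleName"])
            if lid is None:                   # role predates the recording
                unresolved.append(call)
                continue
            arns = resources[lid]["Properties"].setdefault("ManagedPolicyArns", [])
            if params["PolicyArn"] not in arns:
                arns.append(params["PolicyArn"])
        else:
            unresolved.append(call)

    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Metadata": {"Generator": "console-recorder"},
        "Description": "",
        "Resources": resources,
    }
    return template, unresolved


if __name__ == "__main__":
    tpl, leftover = calls_to_template(RECORDED_CALLS)
    print(json.dumps(tpl, indent=2))
    print("unresolved:", [c["params"]["RoleName"] for c in leftover])
```

The same keying by RoleName works for the other SDK outputs mentioned in the issue: instead of emitting a separate AttachRolePolicy call per ARN, the generator can look the role up by name and append to the one resource it already created.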