(aws-s3): aspects not applying to the resources that are created when enabling autoDeleteObjects on Bucket

[dannysteenman]

What is the problem?

When I enable the prop autoDeleteObjects on the Bucket construct it automatically creates a custom resource with lambda and an IAM role.

However, I have an aspect that adds an override to all "AWS::IAM::Role" resources to include a permission boundary.

The problem is that it won't override the resources that are created when autoDeleteObjects is set to 'true'.

Reproduction Steps

This is the bucket:

new s3.Bucket(this, 'exampleBucket', {
  autoDeleteObjects: true,
  removalPolicy: cdk.RemovalPolicy.DESTROY,
});

The aspect:

export class examplePermissionBoundary implements cdk.IAspect {
  private readonly permissionsBoundaryArn: string;

  constructor(permissionBoundaryArn: string) {
    this.permissionsBoundaryArn = permissionBoundaryArn;
  }
  public visit(node: cdk.IConstruct): void {
    if (node instanceof iam.CfnRole) {
      node.addPropertyOverride('PermissionsBoundary', this.permissionsBoundaryArn);
    }
  }
}

When I run cdk synth, the IAM role resource looks like this:

"CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          }
        }
      ]
    },
    "ManagedPolicyArns": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      }
    ]
  },
  "Metadata": {
    "aws:cdk:path": "dev-frontend-feat-frontend-v1/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role"
  }
},

The same applies to tagging. The resources are not being tagged, whilst other resources are tagged.

What did you expect to happen?

Aspects should override properties on resources that are generated as part of a construct.

What actually happened?

The aspect didn't override the property of the resource.

CDK CLI Version

1.136.0

Framework Version

No response

Node.js Version

v16.13.1

OS

MacOS

Language

Typescript

Language Version

TypeScript 4.5.4

Other information

As a workaround I'm currently using this 3rd party construct: https://www.npmjs.com/package/@mobileposse/auto-delete-bucket

Here the aspects do override the properties of the generated resources.

[joel-aws]

Try using something like:

def visit(self, node: core.IConstruct):
    if (
        core.CfnResource.is_cfn_resource(node)
        and node.cfn_resource_type == "AWS::IAM::Role"
    ):
        pass

Credit to @robertd #13310 (comment)

//EDIT: Have you tried using iam.PermissionsBoundary.of(this).apply(boundary);?

[dannysteenman]

Try using something like:

def visit(self, node: core.IConstruct):
    if (
        core.CfnResource.is_cfn_resource(node)
        and node.cfn_resource_type == "AWS::IAM::Role"
    ):
        pass

Credit to @robertd #13310 (comment)

//EDIT: Have you tried using iam.PermissionsBoundary.of(this).apply(boundary);?

Thanks for sending the link, I was able to fix it! Would be great if we can find some exceptions to overrides somewhere in the docs.

[chandoo1986]

Hi @dannysteenman im trying to use this in my permission boundary (CDK V2 Python) where I have custom resources auto generated by cdk I need to override IAM permission boundary and prefix, but im not able to rename iam role. Have you used the above code in version2?

[comcalvi]

Looks like there's room for discussion here, but that the issue itself has been resolved. Converting to discussion.