
PolicyStatements not compatible with CDK

Open kernwig opened this issue 3 years ago • 7 comments

I'm using the package

  • [ ] iam-floyd
  • [x] cdk-iam-floyd

I'm using the package in language

  • [x] TypeScript/JavaScript (npm)
  • [ ] Python (pip)

Describe the problem

The statements generated by this library v03.11.0 aren't compatible with CDK v2 PolicyStatement - perhaps because you are generating your own PolicyStatement base classes rather than using the ones from the CDK library? Strict type checking is failing.

I had to write this helper function to convert:

import * as iam from "aws-cdk-lib/aws-iam";
import * as iamFloyd from "cdk-iam-floyd";

/**
 * Convert iam-floyd statements to standard CDK PolicyStatements
 */
export function toPermissions(...statements: iamFloyd.PolicyStatement[]): iam.PolicyStatement[] {
  return statements.map((floydStatement) => iam.PolicyStatement.fromJson(floydStatement.toJSON()));
}

kernwig avatar Jan 26 '22 20:01 kernwig

Hi Adam,

I cannot reproduce this. We have multiple stacks based on different 2.x CDK versions and no issues. I just tested again with cdk lib 2.8.0 and 2.9.0.

> perhaps because you are generating your own PolicyStatement base classes rather than using the ones from the CDK library?

No, this is not the case. The base class is the PolicyStatement from the cdk-lib. Otherwise this library wouldn't make any sense.

Can you provide more details? Maybe this is related to some specific setting in your tsconfig or how the dependencies/devDependencies/overrides are defined in your package.json.

Cheers, Daniel

udondan avatar Jan 27 '22 09:01 udondan

Hmm. When I dug into the multiple layers of PolicyStatement classes, it looked like I was still in iam-floyd, but it's easy to get lost in node_modules. I'm using Serverless Stack on top of CDK, so maybe they can help narrow it down.

kernwig avatar Jan 27 '22 16:01 kernwig

Just to make sure... you're really using the package cdk-iam-floyd and not iam-floyd? The latter indeed does not extend the original PolicyStatement class. That's the main difference between them.

udondan avatar Jan 27 '22 17:01 udondan

Confirmed @udondan.

kernwig avatar Jan 27 '22 18:01 kernwig

@kernwig how are you using the statements? I ran into some issues at times but it was user error on how we were handling combining arrays.

ryansidebottom avatar Jan 27 '22 23:01 ryansidebottom

I have the same issue:

import * as statement from 'cdk-iam-floyd';
import { ManagedPolicy, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';

const commonLambdaExecutionRole = new Role(...);

// TS2345: Argument of type 'Appsync' is not assignable to parameter of type 'PolicyStatement'.   Property 'actions' is protected in type 'Appsync' but public in type 'PolicyStatement'.
commonLambdaExecutionRole.addToPolicy(new statement.Appsync().allow().allActions().onAllResources());

  "dependencies": {
    "aws-cdk": "^2.15.0",
    "aws-cdk-lib": "^2.15.0",
    "constructs": "^10.0.0",
    "@aws-cdk/aws-appsync-alpha": "^2.15.0-alpha.0",
    "@aws-cdk/aws-cognito-identitypool-alpha": "^2.15.0-alpha.0",
    "cdk-iam-floyd": "^0.376.0"
  }

artyom-melnikov avatar Jun 01 '22 08:06 artyom-melnikov

@artyom-melnikov your problem is #149

udondan avatar Jun 01 '22 15:06 udondan

Going to close this. We have dozens of stacks in our company using this construct and no issues. If this still persists, please provide a repo I can check out where the problem can be reproduced.

udondan avatar Feb 17 '24 09:02 udondan