cloudcomponents/cdk-constructs

Bug: `ApprovalRuleTemplateRepositoryAssociation` creates only one `CustomResourceProviderRole`

kadishmal opened this issue · 0 comments

```json
"@aws-cdk/core": "1.102.0",
"@cloudcomponents/cdk-pull-request-approval-rule": "1.35.0",
```

Bug: `ApprovalRuleTemplateRepositoryAssociation` creates only one `CustomResourceProviderRole`, while it should create a separate one for each instance.

Reproduction steps:

I created a construct called `CodeCommitPRApprovers` that creates the approval rule template and its association:

```typescript
import { Construct } from '@aws-cdk/core';
import { User } from '@aws-cdk/aws-iam';
import { IRepository } from '@aws-cdk/aws-codecommit';
import {
  ApprovalRuleTemplate,
  ApprovalRuleTemplateRepositoryAssociation,
} from '@cloudcomponents/cdk-pull-request-approval-rule';

// Props shape assumed from the constructor destructuring below (not in the original snippet).
export interface CodeCommitPRApproversProps {
  repo: IRepository;
}

export class CodeCommitPRApprovers extends Construct {
  constructor(scope: Construct, id: string, { repo }: CodeCommitPRApproversProps) {
    super(scope, id);

    // At the moment Esen will be required to approve all the pull requests.
    const userARN = User.fromUserName(this, 'user', 'user').userArn;

    // One approval rule template per construct instance, scoped to the master branch.
    const { approvalRuleTemplateName } = new ApprovalRuleTemplate(this, `${id}ApprovalRuleTemplate`, {
      approvalRuleTemplateName: `master-branch-required-approvers-for-${id}`,
      template: {
        approvers: {
          approvalPoolMembers: [userARN],
          numberOfApprovalsNeeded: 1
        },
        branches: ['master']
      }
    });

    // Associate that template with the repository passed in via props.
    new ApprovalRuleTemplateRepositoryAssociation(this, `${id}ApprovalRuleTemplateRepositoryAssociation`, {
      approvalRuleTemplateName,
      repository: repo,
    });
  }
}
```

Then in a stack I instantiate this construct twice, once for each repository, as follows:

```typescript
import { Construct, Stack, StackProps } from '@aws-cdk/core';
import { Repository } from '@aws-cdk/aws-codecommit';
import { CodeCommitPRApprovers } from './codecommit-pr-approvers'; // path assumed

export class DevStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const infrastructureRepository = new Repository(this, 'InfrastructureRepository', {
      repositoryName: 'infrastructure',
      description: 'The CodeCommit repository for the infrastructure code.',
    });

    // First instance: approvers for the infrastructure repository.
    new CodeCommitPRApprovers(this, 'InfrastructurePRApprovers', {
      repo: infrastructureRepository
    });

    const websiteRepo = new Repository(this, 'WebRepository', {
      repositoryName: 'web',
      description: "The CodeCommit repository for the Web application code.",
    });

    // Second instance: approvers for the web repository.
    new CodeCommitPRApprovers(this, 'WebsitePRApprovers', {
      repo: websiteRepo
    });
  }
}
```

The generated CloudFormation template includes only one `CustomResourceProviderRole`:

```json
"CustomApprovalRuleTemplateRepositoryAssociationCustomResourceProviderRoleD1B94887": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          }
        }
      ]
    },
    "ManagedPolicyArns": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      }
    ],
    "Policies": [
      {
        "PolicyName": "Inline",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "codecommit:AssociateApprovalRuleTemplateWithRepository",
                "codecommit:DisassociateApprovalRuleTemplateFromRepository"
              ],
              "Resource": {
                "Fn::GetAtt": [
                  "WebRepository0EB245C6",
                  "Arn"
                ]
              }
            }
          ]
        }
      }
    ]
  },
  "Metadata": {
    "aws:cdk:path": "DevStack/Custom::ApprovalRuleTemplateRepositoryAssociationCustomResourceProvider/Role"
  }
},
```

The same `CustomResourceProviderRole` is not created for the infrastructure CodeCommit repository, which means the Lambda will have permissions to perform operations only on the specified Web repository.

Am I using this correctly?
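As an added example, not part of this issue or the cdk-constructs project: a small TypeScript check that reads a synthesized CloudFormation template (the output of `cdk synth`) and reports every CodeCommit repository that has an association custom resource but is not named in any role statement allowing `codecommit:AssociateApprovalRuleTemplateWithRepository`. The embedded template is constructed to mirror the issue; the `InfrastructureRepositoryABC123` logical id, the `Custom::ApprovalRuleTemplateRepositoryAssociation` type name and the association's `Properties` shape are assumptions, while the role id, the web repository id and the actions are taken from the template quoted above.

```typescript
// Added example (not code from the cdk-constructs project or this issue): given a
// synthesized CloudFormation template, list the CodeCommit repositories that have an
// approval-rule-template association custom resource but are not covered by any IAM
// role statement allowing codecommit:AssociateApprovalRuleTemplateWithRepository.

type CfnResource = { Type: string; Properties?: any };
type CfnTemplate = { Resources: { [logicalId: string]: CfnResource } };

const ASSOCIATION_TYPE = "Custom::ApprovalRuleTemplateRepositoryAssociation"; // assumed type name
const ASSOCIATE_ACTION = "codecommit:AssociateApprovalRuleTemplateWithRepository";
const ROLE_ID = "CustomApprovalRuleTemplateRepositoryAssociationCustomResourceProviderRoleD1B94887";

// Constructed template mirroring the issue: two repositories, two associations, one
// shared provider role whose inline policy names only WebRepository. The
// InfrastructureRepositoryABC123 id and the association's Properties shape are assumptions.
const sampleTemplate: CfnTemplate = {
  Resources: {
    InfrastructureRepositoryABC123: { Type: "AWS::CodeCommit::Repository", Properties: { RepositoryName: "infrastructure" } },
    WebRepository0EB245C6: { Type: "AWS::CodeCommit::Repository", Properties: { RepositoryName: "web" } },
    [ROLE_ID]: {
      Type: "AWS::IAM::Role",
      Properties: {
        Policies: [{
          PolicyName: "Inline",
          PolicyDocument: {
            Version: "2012-10-17",
            Statement: [{
              Effect: "Allow",
              Action: [ASSOCIATE_ACTION, "codecommit:DisassociateApprovalRuleTemplateFromRepository"],
              Resource: { "Fn::GetAtt": ["WebRepository0EB245C6", "Arn"] },
            }],
          },
        }],
      },
    },
    InfrastructurePRApproversAssociation: {
      Type: ASSOCIATION_TYPE,
      Properties: { RepositoryName: { "Fn::GetAtt": ["InfrastructureRepositoryABC123", "Name"] } },
    },
    WebsitePRApproversAssociation: {
      Type: ASSOCIATION_TYPE,
      Properties: { RepositoryName: { "Fn::GetAtt": ["WebRepository0EB245C6", "Name"] } },
    },
  },
};

// Collect every logical id that a Ref or Fn::GetAtt points at anywhere inside `node`.
function referencedLogicalIds(node: any, out: string[]): void {
  if (Array.isArray(node)) { node.forEach(n => referencedLogicalIds(n, out)); return; }
  if (node === null || typeof node !== "object") return;
  if (typeof node.Ref === "string" && out.indexOf(node.Ref) < 0) out.push(node.Ref);
  const getAtt = node["Fn::GetAtt"];
  if (Array.isArray(getAtt) && typeof getAtt[0] === "string" && out.indexOf(getAtt[0]) < 0) out.push(getAtt[0]);
  Object.keys(node).forEach(k => referencedLogicalIds(node[k], out));
}

// CloudFormation allows a single value or a list for Action and Resource; normalise to a list.
function asArray(v: any): any[] { return v === undefined ? [] : Array.isArray(v) ? v : [v]; }

// Returns the logical ids of associated repositories that no Allow statement covers.
function findUncoveredRepositories(template: CfnTemplate): string[] {
  const ids = Object.keys(template.Resources);
  const repoIds = ids.filter(id => template.Resources[id].Type === "AWS::CodeCommit::Repository");

  // Repositories that some association custom resource references.
  const associated: string[] = [];
  ids.filter(id => template.Resources[id].Type === ASSOCIATION_TYPE).forEach(id => {
    const refs: string[] = [];
    referencedLogicalIds(template.Resources[id].Properties, refs);
    refs.forEach(r => { if (repoIds.indexOf(r) >= 0 && associated.indexOf(r) < 0) associated.push(r); });
  });

  // Repositories named in the Resource of an Allow statement that grants the associate action.
  const covered: string[] = [];
  let wildcard = false;
  ids.filter(id => template.Resources[id].Type === "AWS::IAM::Role").forEach(id => {
    asArray(template.Resources[id].Properties?.Policies).forEach(policy => {
      asArray(policy.PolicyDocument?.Statement).forEach(stmt => {
        if (stmt.Effect !== "Allow" || asArray(stmt.Action).indexOf(ASSOCIATE_ACTION) < 0) return;
        const resources = asArray(stmt.Resource);
        if (resources.indexOf("*") >= 0) wildcard = true;
        referencedLogicalIds(resources, covered);
      });
    });
  });

  if (wildcard) return [];
  return associated.filter(r => covered.indexOf(r) < 0).sort();
}

// The corrected shape: the same shared role, but its statement names every associated repository.
const fixedTemplate: CfnTemplate = JSON.parse(JSON.stringify(sampleTemplate));
fixedTemplate.Resources[ROLE_ID].Properties.Policies[0].PolicyDocument.Statement[0].Resource = [
  { "Fn::GetAtt": ["InfrastructureRepositoryABC123", "Arn"] },
  { "Fn::GetAtt": ["WebRepository0EB245C6", "Arn"] },
];

console.log("uncovered:", findUncoveredRepositories(sampleTemplate)); // → ["InfrastructureRepositoryABC123"]
console.log("uncovered after fix:", findUncoveredRepositories(fixedTemplate)); // → []
```

The check models the deploy-time consequence of the template quoted above: a custom resource provider shared by several associations needs one resource grant per associated repository, otherwise the second association's API call is denied when the stack deploys. Running the check against `cdk.out/DevStack.template.json` after `cdk synth` flags the gap before deployment.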