aws-cdk: Immutable roles cannot be used as constructs
Hi!
After upgrading to CDK 1.29.0 we are seeing the following error:
Error: construct does not have an associated node
at Function.of (/node_modules/constructs/lib/construct.ts:31:13)
at new Node (/node_modules/constructs/lib/construct.ts:74:12)
at new ConstructNode (/node_modules/@aws-cdk/core/lib/construct-compat.ts:260:24)
at Object.createNode (/node_modules/@aws-cdk/core/lib/construct-compat.ts:69:11)
at new Construct (/node_modules/constructs/lib/construct.ts:541:26)
at new Construct (/node_modules/@aws-cdk/core/lib/construct-compat.ts:66:5)
at new SingletonPolicy (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts:517:5)
at Function.forRole (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts:507:42)
at CloudFormationCreateUpdateStackAction.bound (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts:300:21)
at CloudFormationCreateUpdateStackAction.bound (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts:436:32)
Reproduction Steps
A full repro here https://github.com/markusl/temp-aws-issue-repro
Environment
- CLI Version : 0.30.0
- Framework Version: 0.30.0
- OS : Macbook
- Language : TypeScript
This is 🐛 Bug Report
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 3
- Comments: 37 (32 by maintainers)
Commits related to this issue
- fix(dam): immutable role cannot be used as a construct Due to a change in how `ConstructNode`s are associated with `Construct`s in 1.29.0, `ImmutableRole`'s "impersonation to a construct" -- by refle... — committed to aws/aws-cdk by deleted user 4 years ago
- fix: cryptic error message in Node.of() When `Node.of()` is called with an object that does not really extend `Construct`, we can't find the associated construct node. This change improves the error ... — committed to aws/constructs by deleted user 4 years ago
- fix: cryptic error message in Node.of() (#17) When `Node.of()` is called with an object that does not really extend `Construct`, we can't find the associated construct node. This change improves the ... — committed to aws/constructs by deleted user 4 years ago
- fix(iam): immutable role cannot be used as a construct (#6920) * fix(dam): immutable role cannot be used as a construct Due to a change in how `ConstructNode`s are associated with `Construct`s in 1.... — committed to aws/aws-cdk by deleted user 4 years ago
Got it. This is indeed a bug!
The IAM role you are importing is from a different account. Therefore,
Role.fromArnreturns anIRolethat is backed by anImmutableRoleobject (because there is no way for you to mutate a role in a different account). So far so good.The culprit is that
SingletonPolicyinside codepipeline-actions assumes theIRolepassed to it is aConstructby performing an explicit downcast (role as unknown as cdk.Construct). This worked in the past becauseImmutableRoleexposesnodeproperty which allowed it to implementIConstruct.https://github.com/aws/aws-cdk/blob/4501b8ba566ac776042fc97435d4db96fc421e0b/packages/%40aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts#L517
In 1.29.0, due to some constraints when we extracted constructs into an outside library, we had to change the way nodes are associated with constructs and therefore it is now impossible to downcast objects that implement
IConstructtoConstruct.