Immutable roles cannot be used as constructs
See original GitHub issueHi!
After upgrading to CDK 1.29.0 we are seeing the following error:
Error: construct does not have an associated node
at Function.of (/node_modules/constructs/lib/construct.ts:31:13)
at new Node (/node_modules/constructs/lib/construct.ts:74:12)
at new ConstructNode (/node_modules/@aws-cdk/core/lib/construct-compat.ts:260:24)
at Object.createNode (/node_modules/@aws-cdk/core/lib/construct-compat.ts:69:11)
at new Construct (/node_modules/constructs/lib/construct.ts:541:26)
at new Construct (/node_modules/@aws-cdk/core/lib/construct-compat.ts:66:5)
at new SingletonPolicy (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts:517:5)
at Function.forRole (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts:507:42)
at CloudFormationCreateUpdateStackAction.bound (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts:300:21)
at CloudFormationCreateUpdateStackAction.bound (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts:436:32)
Reproduction Steps
A full repro here https://github.com/markusl/temp-aws-issue-repro
Environment
- CLI Version : 0.30.0
- Framework Version: 0.30.0
- OS : Macbook
- Language : TypeScript
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 4 years ago
- Reactions:3
- Comments:37 (32 by maintainers)
Top Results From Across the Web
class Role (construct) · AWS CDK
An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries....
Read more >Immutable objects
An attribute holds a value that cannot be changed after the owning object is created. The name “attribute” is used to intentionally distinguish...
Read more >Secure Coding Constructs
First, be very clear what you mean by immutable. It's contextual. An immutable variable cannot be reassigned; an immutable object cannot have any...
Read more >Introduction to Immutables - Baeldung
... Immutables library - used to generate immutable objects via the use of annotations. ... As this artifact is not required during runtime, ......
Read more >Using Jackson with immutable class with private Builder
InvalidDefinitionException : Cannot construct instance of ... How can I get Jackson to use the AttributeValue.builder() factory function?
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Got it. This is indeed a bug!
The IAM role you are importing is from a different account. Therefore,
Role.fromArn
returns anIRole
that is backed by anImmutableRole
object (because there is no way for you to mutate a role in a different account). So far so good.The culprit is that
SingletonPolicy
inside codepipeline-actions assumes theIRole
passed to it is aConstruct
by performing an explicit downcast (role as unknown as cdk.Construct
). This worked in the past becauseImmutableRole
exposesnode
property which allowed it to implementIConstruct
.https://github.com/aws/aws-cdk/blob/4501b8ba566ac776042fc97435d4db96fc421e0b/packages/%40aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts#L517
In 1.29.0, due to some constraints when we extracted constructs into an outside library, we had to change the way nodes are associated with constructs and therefore it is now impossible to downcast objects that implement
IConstruct
toConstruct
.ImmutableRole should never have been a construct, but because this is now law and because of backwards compatibility, we can’t undo this anymore.