Customize default role names by using AWS CDK aspects and escape hatches
Created by SANDEEP SINGH (AWS) and James Jacob (AWS)
Code repository: cdk-aspects-override-example | Environment: Production | Technologies: Infrastructure; DevOps; Management & governance | AWS services: AWS CDK; AWS CloudFormation; AWS Lambda
Summary
This pattern demonstrates how to customize the default names of roles that are created by AWS Cloud Development Kit (AWS CDK) constructs. Customizing role names is often necessary if your organization has specific constraints based on naming conventions. For example, your organization might set AWS Identity and Access Management (IAM) permissions boundaries or service control policies (SCPs) that require a specific prefix in role names. In such cases, the default role names generated by AWS CDK constructs might not meet these conventions and might have to be altered. This pattern addresses those requirements by using escape hatches and aspects in the AWS CDK. You use escape hatches to define custom role names, and aspects to apply a custom name to all roles, to ensure adherence to your organization's policies and constraints.
Prerequisites and limitations
Prerequisites
An active AWS account
Prerequisites specified in the AWS CDK documentation
Limitations
Aspects filter resources based on resource types, so all roles share the same prefix. If you require different role prefixes for different roles, additional filtering based on other properties is necessary. For example, to assign different prefixes to roles that are associated with AWS Lambda functions, you could filter by specific role attributes or tags, and apply one prefix for Lambda-related roles and a different prefix for other roles.
IAM role names have a maximum length of 64 characters, so modified role names have to be trimmed to meet this restriction.
Some AWS services aren’t available in all AWS Regions. For Region availability, see AWS services by Region. For specific endpoints, see the Service endpoints and quotas page, and choose the link for the service.
Architecture
Target technology stack
AWS CDK
AWS CloudFormation
Target architecture
An AWS CDK app consists of one or more AWS CloudFormation stacks, which are synthesized and deployed to manage AWS resources.
To modify a property of an AWS CDK-managed resource that isn't exposed by a layer 2 (L2) construct, you use an escape hatch to override the underlying CloudFormation property (in this case, the role name), and an aspect to apply that override to every matching resource in the AWS CDK app during stack synthesis.
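As an added example (not the pattern's repository code), the following TypeScript aspect applies the escape hatch described above together with the type filtering and 64-character trimming noted under Limitations. It uses structural interfaces that mirror aws-cdk-lib's CfnResource and IAspect so it runs offline; in a real app you would import those types from aws-cdk-lib, check nodes with CfnResource.isCfnResource, and register the aspect with Aspects.of(app).add(new RoleNamePrefixAspect('dev-unicorn')). The prefix dev-unicorn and the logical ID Function1LambdaFunctionServiceRole783660DC come from the outputs in Additional information; the hash-preserving trim strategy and the FakeCfnResource stand-in are assumptions.

```typescript
// Added example, not the pattern's repository code. CfnResourceLike mirrors the
// parts of aws-cdk-lib's CfnResource the aspect needs, so the file runs offline.
const MAX_ROLE_NAME_LENGTH = 64; // IAM limit cited under Limitations
const HASH_LENGTH = 8;           // CDK logical IDs end in an 8-character hash

export interface CfnResourceLike {
  readonly cfnResourceType: string;
  readonly stack: { getLogicalId(element: CfnResourceLike): string };
  addPropertyOverride(propertyPath: string, value: unknown): void;
}

/** "<prefix>-<logicalId>", cut to 64 characters while keeping the trailing hash
 *  (assumed policy) so that trimmed names stay unique within a stack. */
export function buildRoleName(prefix: string, logicalId: string): string {
  const full = `${prefix}-${logicalId}`;
  if (full.length <= MAX_ROLE_NAME_LENGTH) return full;
  const budget = MAX_ROLE_NAME_LENGTH - prefix.length - 1; // room for the logical ID
  if (budget < HASH_LENGTH) throw new Error(`prefix "${prefix}" leaves no room for a unique suffix`);
  return `${prefix}-${logicalId.slice(0, budget - HASH_LENGTH)}${logicalId.slice(-HASH_LENGTH)}`;
}

// In a real app use CfnResource.isCfnResource(node) from aws-cdk-lib instead.
function isCfnResource(node: unknown): node is CfnResourceLike {
  const n = node as Partial<CfnResourceLike> | null;
  return typeof n?.cfnResourceType === 'string' && typeof n?.addPropertyOverride === 'function';
}

/** Aspect (same shape as aws-cdk-lib's IAspect): visits every construct in the
 *  app and applies the RoleName escape hatch to IAM roles only. */
export class RoleNamePrefixAspect {
  constructor(private readonly prefix: string) {}

  visit(node: unknown): void {
    if (!isCfnResource(node) || node.cfnResourceType !== 'AWS::IAM::Role') return;
    const logicalId = node.stack.getLogicalId(node);
    node.addPropertyOverride('RoleName', buildRoleName(this.prefix, logicalId));
  }
}

/** Constructed stand-in for a synthesized CfnResource, for exercising the aspect offline. */
export class FakeCfnResource implements CfnResourceLike {
  readonly overrides: Record<string, unknown> = {};
  readonly stack = { getLogicalId: (): string => this.logicalId };
  constructor(readonly cfnResourceType: string, private readonly logicalId: string) {}
  addPropertyOverride(propertyPath: string, value: unknown): void {
    this.overrides[propertyPath] = value;
  }
}
```

To give Lambda-related roles a different prefix, as the Limitations section suggests, add a second condition in visit (for example on the construct path or a tag) before choosing the prefix.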
Tools
AWS services
AWS Cloud Development Kit (AWS CDK) is a software development framework that helps you define and provision AWS Cloud infrastructure in code.
AWS CDK Command Line Interface (AWS CDK CLI) (also referred to as the AWS CDK Toolkit) is a command line cloud development kit that helps you interact with your AWS CDK app. The cdk command is the primary tool for interacting with your AWS CDK app. It runs your app, interrogates the application model you defined, and produces and deploys the CloudFormation templates that are generated by the AWS CDK.
AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions.
Code repository
The source code and templates for this pattern are available in the GitHub CDK Aspects Override repository.
Best practices
See Best practices for using the AWS CDK in TypeScript to create IaC projects on the AWS Prescriptive Guidance website.
Epics
Task | Description | Skills required |
---|---|---|
Install the AWS CDK CLI. | To install the AWS CDK CLI globally, run the command: | AWS DevOps |
Verify the version. | Run the command: Confirm that you’re using version 2 of the AWS CDK CLI. | AWS DevOps |
Bootstrap the AWS CDK environment. | Before you deploy the AWS CloudFormation templates, prepare the account and AWS Region that you want to use. Run the command: For more information, see AWS CDK bootstrapping in the AWS documentation. | AWS DevOps |
Task | Description | Skills required |
---|---|---|
Set up the project. | | AWS DevOps |
Deploy stacks with default role names assigned by the AWS CDK. | Deploy two CloudFormation stacks. The code doesn’t explicitly pass role properties, so the role names will be constructed by the AWS CDK. For example output, see the Additional information section. | AWS DevOps |
Deploy stacks with aspects. | In this step, you apply an aspect that enforces a role name convention by adding a prefix to all IAM roles that are deployed in the AWS CDK project. The aspect is defined in the pattern's code repository. For example output, see the Additional information section. | AWS DevOps |
Task | Description | Skills required |
---|---|---|
Delete your AWS CloudFormation stacks. | After you finish using this pattern, run the following command to clean up resources to avoid incurring additional costs: | AWS DevOps |
Troubleshooting
Issue | Solution |
---|---|
You encounter problems using the AWS CDK. | See Troubleshooting common AWS CDK issues in the AWS CDK documentation. |
Related resources
Additional information
Role names created by AWS CloudFormation without aspects
Outputs:
ExampleStack1WithoutAspects.Function1RoleName = example-stack1-without-as-Function1LambdaFunctionSe-y7FYTY6FXJXA
ExampleStack1WithoutAspects.Function2RoleName = example-stack1-without-as-Function2LambdaFunctionSe-dDZV4rkWqWnI
...
Outputs:
ExampleStack2WithoutAspects.Function3RoleName = example-stack2-without-as-Function3LambdaFunctionSe-ygMv49iTyMq0
Role names created by AWS CloudFormation with aspects
Outputs:
ExampleStack1WithAspects.Function1RoleName = dev-unicorn-Function1LambdaFunctionServiceRole783660DC
ExampleStack1WithAspects.Function2RoleName = dev-unicorn-Function2LambdaFunctionServiceRole2C391181
...
Outputs:
ExampleStack2WithAspects.Function3RoleName = dev-unicorn-Function3LambdaFunctionServiceRole4CAA721C