
(aws-s3): supply custom role when adding bucket notifications #13241

@JoelG-AWS

Description


Hello Team. I am working on a customer engagement which is attempting to leverage CDK to help deploy a series of Lambda functions. One of the behaviors that we noticed is that when we added an S3 event source to a Lambda CDK definition, it auto-generates a BucketNotificationsHandler IAM role and policy. Our customer has a unique corporate policy that prevents the role used to deploy the application stack from changing/creating any IAM resources. Any insight in how we can suppress the auto creation of the following role when the CDK is synthesized? Below is the code snippet we are using to initialize our Lambda function. Your assistance is greatly appreciated, and let me know if you need additional details.

# CDK v1 (1.88) Python imports for the snippet below
from aws_cdk import core
from aws_cdk import aws_iam as iam
from aws_cdk import aws_lambda as lambda_
from aws_cdk import aws_lambda_event_sources as lambda_event_sources
from aws_cdk import aws_s3 as s3

lambda_.Function(
    self,
    "TestLambda",
    runtime=lambda_.Runtime.PYTHON_3_8,
    code=lambda_.Code.from_asset("code_dir"),
    handler="index.lambda_handler",
    timeout=core.Duration.seconds(30),
    events=[
        # Adding this event source is what synthesizes the
        # BucketNotificationsHandler custom resource, its role and policy.
        lambda_event_sources.S3EventSource(
            bucket=input_bucket,
            events=[s3.EventType.OBJECT_CREATED],
        )
    ],
    # Pre-provisioned execution role; mutable=False stops CDK from
    # attaching additional policies to it.
    role=iam.Role.from_role_arn(
        self,
        id="Testlambda",
        role_arn=role_arn,
        mutable=False,
    ),
)

This exact same situation happens with an EKS cluster, in which a cluster creator role and an IAM role are created. Due to our unique corporate policy we need to suppress the auto creation of roles in CDK.

Reproduction Steps

Create a Lambda function in CDK with the following event specified.

events=[
    lambda_event_sources.S3EventSource(
        bucket=input_bucket,
        events=[s3.EventType.OBJECT_CREATED],
    )
]

What did you expect to happen?

If a role is defined and provided as input to a module, another role would not be created by CDK.

Stop the auto creation of IAM roles and policies.

What actually happened?

The roles are still created even though a role is provided in the input.

Environment

  • CDK CLI Version: 1.88
  • Framework Version:
  • Node.js Version:
  • OS: MacOS
  • Language (Version): Python 3.8.2

Other


This is 🐛 Bug Report
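A pre-deploy guardrail for the situation described in the issue above, added here as an example; it is not code from the issue author or from the CDK project. `cdk synth` writes each stack to `cdk.out/<Stack>.template.json`; this script scans such a template for resource types that a deploy role without IAM permissions cannot create and reports each one with the CDK construct path (`Metadata["aws:cdk:path"]`) that produced it, so the BucketNotificationsHandler role can be traced back to the S3EventSource, and an EKS cluster's creator role would surface the same way. The embedded SAMPLE_TEMPLATE is constructed to mirror what the snippet in the issue synthesizes; its logical ids, hashes, account id and role name are made up.

```python
"""Fail before `cdk deploy` if a synthesized template contains IAM resources.

Usage: python check_iam.py [cdk.out/MyStack.template.json]
Without an argument the constructed SAMPLE_TEMPLATE below is checked.
"""
import json
import sys
from typing import Dict, List, Tuple

# Creating any of these requires iam:* permissions on the deploying principal.
IAM_RESOURCE_TYPES = frozenset({
    "AWS::IAM::Role",
    "AWS::IAM::Policy",
    "AWS::IAM::ManagedPolicy",
    "AWS::IAM::User",
    "AWS::IAM::Group",
    "AWS::IAM::InstanceProfile",
})


def find_iam_resources(template: Dict) -> List[Tuple[str, str, str]]:
    """Return (logical_id, resource_type, cdk_path) for every IAM resource, sorted by logical id.

    CDK records the construct path under Metadata["aws:cdk:path"]; templates written
    by other tools lack it, so a placeholder is used instead.
    """
    found = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        if rtype in IAM_RESOURCE_TYPES:
            path = res.get("Metadata", {}).get("aws:cdk:path", "<no cdk path>")
            found.append((logical_id, rtype, path))
    return sorted(found)


def check_template(template: Dict) -> List[str]:
    """One finding per IAM resource; an empty list means a role without IAM rights can deploy it."""
    return [f"{lid} ({rtype}) <- {path}" for lid, rtype, path in find_iam_resources(template)]


# Constructed sample modelled on what `cdk synth` emits for the issue's snippet: the
# function itself uses the imported role, but the S3 notification custom resource brings
# its own singleton handler function, role and policy. All ids/hashes here are invented.
SAMPLE_TEMPLATE = {
    "Resources": {
        "TestLambdaABC12345": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": "arn:aws:iam::123456789012:role/preprovisioned-lambda-role"},
            "Metadata": {"aws:cdk:path": "MyStack/TestLambda/Resource"},
        },
        "BucketNotificationsHandlerRole0A1B2C3D": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []}},
            "Metadata": {"aws:cdk:path": "MyStack/BucketNotificationsHandler/Role/Resource"},
        },
        "BucketNotificationsHandlerRoleDefaultPolicy4E5F6A7B": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": []}},
            "Metadata": {"aws:cdk:path": "MyStack/BucketNotificationsHandler/Role/DefaultPolicy/Resource"},
        },
        "BucketNotificationsHandler8C9D0E1F": {
            "Type": "AWS::Lambda::Function",
            "Properties": {},
            "Metadata": {"aws:cdk:path": "MyStack/BucketNotificationsHandler/Resource"},
        },
        "InputBucketNotifications2A3B4C5D": {
            "Type": "Custom::S3BucketNotifications",
            "Properties": {},
            "Metadata": {"aws:cdk:path": "MyStack/InputBucket/Notifications/Resource"},
        },
    }
}


def main(argv: List[str]) -> int:
    """Exit 1 when the template contains IAM resources, 0 otherwise."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = check_template(template)
    for line in findings:
        print("IAM resource in template:", line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against every template under `cdk.out/` in CI so the pipeline stops before `cdk deploy` is attempted with a role that lacks IAM permissions; on the sample it reports the handler's role and its default policy and exits 1, while the imported Lambda execution role, referenced only by ARN, produces no finding.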

Metadata

Assignees

No one assigned

    Labels

    • @aws-cdk/aws-s3: Related to Amazon S3
    • closed-for-staleness: This issue was automatically closed because it hadn't received any attention in a while.
    • effort/medium: Medium work item – several days of effort
    • feature-request: A feature should be added or improved.
    • feature/enhancement: A new API to make things easier or more intuitive. A catch-all for general feature requests.
    • p1
