constructor()

in lib/role.ts [158:241]

• 48 lines of code
• 7 McCabe index (conditional complexity)

    constructor(scope: Construct, id: string, props: RoleProps) {
        super(scope, id, {
            physicalName: props.roleName,
        });

        this.managedPolicies.push(...props.managedPolicies || []);
        this.permissionsBoundary = props.permissionsBoundary;
        const maxSessionDuration = props.maxSessionDuration && props.maxSessionDuration.toSeconds();
        validateMaxSessionDuration(maxSessionDuration);
        const description = (props.description && props.description?.length > 0) ? props.description : undefined;

        if (description && description.length > 1000) {
            throw new Error('Role description must be no longer than 1000 characters.');
        }

        if (!Role.fn) {
            Role.fn = new Function(scope, 'IAMRoleForK8SSvcAcctCustomResource', {
                code: Code.fromAsset(path.resolve(__dirname, '..', 'lambda-packages', 'role_handler')),
                handler: 'index.handler',
                runtime: Runtime.NODEJS_12_X,
                timeout: Duration.minutes(15),
            });
            Role.fn.addToRolePolicy(new PolicyStatement({
                actions: [
                    'eks:DescribeCluster',
                    'iam:AttachRolePolicy',
                    'iam:CreateRole',
                    'iam:DeleteRole',
                    'iam:DeleteRolePolicy',
                    'iam:DescribeRole',
                    'iam:DetachRolePolicy',
                    'iam:GetRole',
                    'iam:ListAttachedRolePolicies',
                    'iam:ListRoles',
                    'iam:PutRolePermissionsBoundary',
                    'iam:PutRolePolicy',
                    'iam:TagRole',
                    'iam:UntagRole',
                    'iam:UpdateAssumeRolePolicy',
                    'iam:UpdateRole',
                    'sts:GetCallerIdentity'],
                resources: ['*']
            }));
        }

        const role = new CustomResource(this, 'Resource', {
            provider: CustomResourceProvider.fromLambda(Role.fn),
            resourceType: 'Custom::IamRoleForServiceAccount',
            properties: {
                ClusterName: props.clusterName,
                Namespace: props.namespace || 'default',
                ServiceAccount: props.serviceAccount,
                ManagedPolicyArns: Lazy.listValue({ produce: () => this.managedPolicies.map(p => p.managedPolicyArn) }, { omitEmpty: true }),
                Policies: _flatten(props.inlinePolicies),
                Path: props.path,
                PermissionsBoundary: this.permissionsBoundary ? this.permissionsBoundary.managedPolicyArn : undefined,
                RoleName: this.physicalName,
                MaxSessionDuration: maxSessionDuration,
                Description: description,
            }
        })

        this.roleId = Token.asString(role.getAtt('RoleId'));
        this.roleArn = this.getResourceArnAttribute(Token.asString(role.getAtt('Arn')), {
            region: '', // IAM is global in each partition
            service: 'iam',
            resource: 'role',
            resourceName: this.physicalName,
        });
        this.roleName = this.getResourceNameAttribute(role.ref);
        this.policyFragment = new ArnPrincipal(this.roleArn).policyFragment;

        function _flatten(policies?: { [name: string]: PolicyDocument }) {
            if (policies == null || Object.keys(policies).length === 0) {
                return undefined;
            }
            const result = new Array<CfnRole.PolicyProperty>();
            for (const policyName of Object.keys(policies)) {
                const policyDocument = policies[policyName];
                result.push({ policyName, policyDocument });
            }
            return result;
        }
    }