[custom-resources] allow for no policy to be specified #13232
Closed
Labels
- @aws-cdk/custom-resources: Related to AWS CDK Custom Resources
- effort/small: Small work item – less than a day of effort
- feature-request: A feature should be added or improved.
- good first issue: Related to contributions. See CONTRIBUTING.md
- p2
Description
I do not have the ability to modify roles and the CDK assumes I do for an `AwsCustomResource`. I can specify the execution role for the custom resource Lambda, but I have to specify a policy, and `cdk deploy` fails for me because I don't have access to modify the execution role with the new policy. I would expect `policy` to be optional if `role` is specified. I am in a corporate setting where permissions are "locked down" and roles exist but cannot be modified.
Reproduction Steps
```ts
// CDK v1 module imports (the report is against framework version 1.90.0)
import * as CDK from '@aws-cdk/core';
import * as CR from '@aws-cdk/custom-resources';
import * as IAM from '@aws-cdk/aws-iam';
import * as Lambda from '@aws-cdk/aws-lambda';
import * as S3 from '@aws-cdk/aws-s3';

export class ExistingS3BucketEventSource extends CDK.Construct {
  constructor(scope: CDK.Construct, id: string, props: S3NotificationLambdaProps) {
    super(scope, id);

    new CR.AwsCustomResource(scope, id + 'CustomResource', {
      onCreate: {
        ...
      },
      onDelete: {
        ...
      },
      policy: CR.AwsCustomResourcePolicy.fromStatements([]), // I don't want this! Also specifying no statements doesn't work!
      role: props.role // I want permissions from here!
    });

    // Allow S3 to invoke the target function for this bucket
    props.lambda.addPermission('AllowS3Invocation', {
      action: 'lambda:InvokeFunction',
      principal: new IAM.ServicePrincipal('s3.amazonaws.com'),
      sourceArn: props.bucket.bucketArn
    });
  }
}

interface S3NotificationLambdaProps {
  role: IAM.IRole;
  bucket: S3.IBucket;
  lambda: Lambda.IFunction;
  events: string[];
  prefix: string;
}
```
What did you expect to happen?
I do not want to modify the execution role.
What actually happened?
The execution role is modified.
Environment
- CDK CLI Version: 1.90.0 (build 7edba31)
- Framework Version: 1.90.0
- Node.js Version: v12.18.3
- OS: Catalina 10.15.7
- Language (Version): TypeScript (3.8.3)
Other
This is 🐛 Bug Report
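A pre-deploy check related to the report above, as an added example that is not part of the original issue or of the CDK code base: it scans a synthesized CloudFormation template for IAM policy resources that attach to a role you are not allowed to modify. The template, logical IDs, account number and the role name `locked-exec-role` are constructed, and it assumes the role modification appears in the synthesized template as an `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` resource with a `Roles` list.

```typescript
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources?: Record<string, Resource> };

// Resource types that attach a policy to existing roles through a "Roles" list.
const ROLE_ATTACHING_TYPES = new Set(["AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"]);

// True when a Roles entry names the locked role: exact match for a literal
// name, substring match inside a serialized intrinsic (e.g. Fn::Select on an ARN).
function refersTo(entry: unknown, roleName: string): boolean {
  if (typeof entry === "string") return entry === roleName;
  return (JSON.stringify(entry) ?? "").includes(roleName);
}

// List every resource that would modify one of the locked roles on deploy.
function findRoleModifications(template: Template, lockedRoles: string[]): string[] {
  const findings: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (!ROLE_ATTACHING_TYPES.has(res.Type)) continue;
    const roles = res.Properties?.Roles;
    if (!Array.isArray(roles)) continue;
    for (const name of lockedRoles) {
      if (roles.some((entry) => refersTo(entry, name))) {
        findings.push(`${logicalId} (${res.Type}) attaches a policy to ${name}`);
      }
    }
  }
  return findings;
}

// Constructed sample, not real `cdk synth` output.
const sampleTemplate: Template = {
  Resources: {
    ExampleCustomResourcePolicy: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyName: "ExampleCustomResourcePolicy",
        Roles: ["locked-exec-role"],
        PolicyDocument: { Version: "2012-10-17", Statement: [] },
      },
    },
    // Using the role is fine; only attaching a policy to it is flagged.
    ExampleHandler: {
      Type: "AWS::Lambda::Function",
      Properties: { Role: "arn:aws:iam::111111111111:role/locked-exec-role" },
    },
  },
};

console.log(findRoleModifications(sampleTemplate, ["locked-exec-role"]));
```

Run against a parsed template before deploying, a non-empty result means the deployment would need permission to change that role.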