iam: Role.customizeRoles not work with dynamodb.Table.addGlobalSecondaryIndex #31653

@konokenj

Describe the bug

With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles.

Log with CDK_DEBUG=true:

Error: Resolution error: Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found.
Object creation stack:
  at new Intrinsic (/path/to/repo//node_modules/aws-cdk-lib/core/lib/private/intrinsic.js:1:942)
  at new Reference (/path/to/repo//node_modules/aws-cdk-lib/core/lib/reference.js:1:599)
  at new <anonymous> (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4806)
  at mimicReference (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4802)
  at Table.getResourceArnAttribute (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4185)
  at new Table (/path/to/repo//node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:19121)
  at Object.<anonymous> (/path/to/repo//bin/quick/contrib-customizeroles-2.ts:12:15)
  at Module._compile (node:internal/modules/cjs/loader:1358:14)
  at Module.m._compile (/path/to/repo//node_modules/ts-node/src/index.ts:1618:23)
  at Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
  at Object.require.extensions.<computed> [as .ts] (/path/to/repo//node_modules/ts-node/src/index.ts:1621:12)
  at Module.load (node:internal/modules/cjs/loader:1208:32)
  at Function.Module._load (node:internal/modules/cjs/loader:1024:12)
  at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)
  at phase4 (/path/to/repo//node_modules/ts-node/src/bin.ts:649:14)
  at bootstrap (/path/to/repo//node_modules/ts-node/src/bin.ts:95:10)
  at main (/path/to/repo//node_modules/ts-node/src/bin.ts:55:10)
  at Object.<anonymous> (/path/to/repo//node_modules/ts-node/src/bin.ts:800:3)
  at Module._compile (node:internal/modules/cjs/loader:1358:14)
  at Object.Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
  at Module.load (node:internal/modules/cjs/loader:1208:32)
  at Function.Module._load (node:internal/modules/cjs/loader:1024:12)
  at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)
  at node:internal/main/run_main_module:28:49.
Object creation stack:
  at Function.string (/path/to/repo//node_modules/aws-cdk-lib/core/lib/lazy.js:1:953)
  at Table.combinedGrant (/path/to/repo//node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:13654)
  at Table.grantReadData (/path/to/repo//node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:4379)
  at Object.<anonymous> (/path/to/repo//bin/quick/contrib-customizeroles-2.ts:28:7)
  at Module._compile (node:internal/modules/cjs/loader:1358:14)
  at Module.m._compile (/path/to/repo//node_modules/ts-node/src/index.ts:1618:23)
  at Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
  at Object.require.extensions.<computed> [as .ts] (/path/to/repo//node_modules/ts-node/src/index.ts:1621:12)
  at Module.load (node:internal/modules/cjs/loader:1208:32)
  at Function.Module._load (node:internal/modules/cjs/loader:1024:12)
  at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)
  at phase4 (/path/to/repo//node_modules/ts-node/src/bin.ts:649:14)
  at bootstrap (/path/to/repo//node_modules/ts-node/src/bin.ts:95:10)
  at main (/path/to/repo//node_modules/ts-node/src/bin.ts:55:10)
  at Object.<anonymous> (/path/to/repo//node_modules/ts-node/src/bin.ts:800:3)
  at Module._compile (node:internal/modules/cjs/loader:1358:14)
  at Object.Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
  at Module.load (node:internal/modules/cjs/loader:1208:32)
  at Function.Module._load (node:internal/modules/cjs/loader:1024:12)
  at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)
  at node:internal/main/run_main_module:28:49
    at _lookup (/path/to/repo//node_modules/aws-cdk-lib/core/lib/stack.js:1:3005)
    at _lookup (/path/to/repo//node_modules/aws-cdk-lib/core/lib/stack.js:1:3178)
    at Function.of (/path/to/repo//node_modules/aws-cdk-lib/core/lib/stack.js:1:2736)
    at Object.produce (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4264)
    at Reference.resolve (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resource.js:1:4877)
    at DefaultTokenResolver.resolveToken (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401)
    at resolve (/path/to/repo//node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:2711)
    at Object.resolve [as mapToken] (/path/to/repo//node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:1079)
    at TokenizedStringFragments.mapTokens (/path/to/repo//node_modules/aws-cdk-lib/core/lib/string-fragments.js:1:1475)
    at DefaultTokenResolver.resolveString (/path/to/repo//node_modules/aws-cdk-lib/core/lib/resolvable.js:4:362)
Subprocess exited with error 1

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Successfully synthesize.

Current Behavior

Always throws error.

Reproduction Steps

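import { App, Stack } from 'aws-cdk-lib';
import { AttributeType, Table } from 'aws-cdk-lib/aws-dynamodb';
import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';

const app = new App();
// Enable role customization for the whole app and map the construct path
// 'Stack/Role' to a precreated role name.
Role.customizeRoles(app, {
  usePrecreatedRoles: {
    'Stack/Role': 'my-precreated-role-name',
  },
});
const stack = new Stack(app, 'Stack');

const table = new Table(stack, 'Table', {
  partitionKey: {
    name: 'pk',
    type: AttributeType.STRING,
  },
});
// Adding a global secondary index is the step named in the issue title.
table.addGlobalSecondaryIndex({
  indexName: 'gsi',
  partitionKey: {
    name: 'gsi-pk',
    type: AttributeType.STRING,
  },
});
const role = new Role(stack, 'Role', {
  assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
});
// This grant is the call that appears in the second object creation stack of the log above.
table.grantReadData(role);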

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.161.0 (build be5ad8b)

Framework Version

2.161.0

Node.js Version

v20.13.1

OS

macOS Sonoma

Language

TypeScript

Language Version

TypeScript v5.6.2

Other information

No response

Labels

@aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p1
