fix(iam): permissions boundary aspect doesn't always recognize roles

[polothy]

Using instanceof does not seem to work in all scenarios. Instead, use the CfnResource.isCfnResource method to find the L1 constructs.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[polothy]

Might fix #15572

Backstory of the problem: we have a very small, simple NodeJS CDK project. It is using NodejsFunction for a lambda function. For some reason, the PermissionsBoundary aspect did not apply the permissions boundary to the lambda's service role. Perhaps the cause is due to type information being lost which would cause all the instanceof checks to fail. I think I read this is possible, and that is why all these isSomething methods exist to identify classes.

In the end, I think the code ends up being equivalent because all the code paths were just trying to modify the same L1 constructs.

I tested this code by writing my own aspect with same if statement logic. I used this aspect on the project and it resolved the problem. This appears to be tricky to test because when I try to add a test via jest, it doesn't seem to loose the type information and the instanceof checks continue to work (EG: wrote a test with a NodejsFunction).

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
• Commit ID: b0f6abe
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).