Role.addManagedPolicy does not work for imported roles

[its-mirus-lu]

Inconsistent Behavior: aws_iam.Role.attachManagedPolicy vs aws_iam.ManagedPolicy.attachToRole

The Scenario

TLDR; aws_iam.Role.attachManagedPolicy does not attach the specified managed policy to the role, aws_iam.ManagedPolicy.attachToRole does.

I have two stacks: one stack deploys roles another deploys an application stack (both are in the same account). The roles stack is deployed first.

In the application stack, I would like to attach a managed policy to a role in the first.

Attempting to use aws_iam.Role.attachManagedPolicy does not create the association but aws_iam.ManagedPolicy.attachToRole does.

Environment

• CDK CLI Version: 1.39.0 (build 5d727c1)
• Module Version: 1.38.0
• Node.js Version: v14.0.0
• OS: macOS Mojave 10.14.6 (18G4032)
• Language: Typescript and Python

Other information

Steps to reproduce

1. Deploy one stack with an IAM role
2. In a second stack create a managed policy
3. In the second stack Import the role using aws_iam.Role.fromRoleArn (importedRole)
4. In the second stack attempt to add the managed policy to importedRole via importedRole.attachManagedPolicy

Observed

1. cdk synth does not show any associations made between the role and the managed policy
2. using ManagedPolicy.attachToRole works however

Expected

1. cdk synth (and subsequently) cdk deploy should associate the role and managed policy when Role.attachManagedPolicy is used

[its-mirus-lu]

It looks like addManagedPolicy is not implemented... https://github.com/aws/aws-cdk/blob/v1.42.1/packages/@aws-cdk/aws-iam/lib/role.ts#L216

Is there a way that this can be clearly stated in documentation?

[rix0rrr]

We can certainly add that to the documentation.

[Chriscbr]

Could this be resolved by changing addManagedPolicy to take a ManagedPolicy instead of IManagedPolicy as its argument (and then calling the appropriate method on the managed policy to attach it to the role)?

I feel like this could fit in with the design guidelines - "It's okay to enable multiple ways to achieve the same thing, in order to make it more natural for users who come from different mental models", even though it technically violates [awslint:ref-via-interface]. Also the attachInlinePolicy method on imported roles requires a Policy (opposed to an IPolicy), so this wouldn't be especially out of place.

[OperationalFallacy]

Just run into this bug, trying to configure some policies for roles managed outside of cdk app 😢