AWS CDK construct to create a service-linked role (SLR) if there is no SLR for the same service, and if there is, skip the creation process.
- Create a service-linked role. If it is already created in the same AWS account, just skip the creation.
- Standalone CFn template since no CDK assets are used. We use inline code for the Lambda function.
- Sleep some time after role creation to wait for IAM propagation.
npm install upsert-slrimport { ServiceLinkedRole } from 'upsert-slr';
new ServiceLinkedRole(this, 'ElasticsearchSlr', {
awsServiceName: 'es.amazonaws.com',
description: 'Service linked role for Elasticsearch',
});CloudFormation also supports a service-linked role (doc). Why do we need this?
Because the resource behaves strangely when there is already a role with the same name. All we need is to simply create a role, and skip it if it already exists. Such behavior as upsert is achieved by this construct, upsert-slr.
Also, even if CFn successfully creates a role, resources that depend on the role sometimes fail to be created because there is sometimes a delay before the role is actually available. See this stack overflow for more details.
To avoid the IAM propagation delay, this construct also waits for some time after a role is created.