diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.assets.json index 3ee550ae131a1..c88ed9c7fb5b8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.assets.json @@ -1,15 +1,16 @@ { - "version": "36.0.0", + "version": "48.0.0", "files": { - "c3c8f98183d2c9cb42e81d10e09f14c47c677e1d8cc0960e43b0c203ce50b689": { + "6cebb60a7262e4a1ad95b04b0a883be05e921629d220594c41bc6c1a79f095fe": { + "displayName": "aws-ecs-integ Template", "source": { "path": "aws-ecs-integ.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-5fa2019a": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c3c8f98183d2c9cb42e81d10e09f14c47c677e1d8cc0960e43b0c203ce50b689.json", + "objectKey": "6cebb60a7262e4a1ad95b04b0a883be05e921629d220594c41bc6c1a79f095fe.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.template.json index e45f409691a23..7f716d6f5a027 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.template.json @@ -423,21 +423,11 @@ "Fn::Join": [ "", [ - "arn:", { - "Ref": "AWS::Partition" - }, - ":ecs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":task/", - { - "Ref": "ClusterEB0386A7" + "Fn::GetAtt": [ + "ClusterEB0386A7", + "Arn" + ] }, "/*" ] diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/awsecsclustergranttaskprotectionDefaultTestDeployAssert24DEFE93.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/awsecsclustergranttaskprotectionDefaultTestDeployAssert24DEFE93.assets.json index 59e1fc8c03beb..a0857672dcf68 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/awsecsclustergranttaskprotectionDefaultTestDeployAssert24DEFE93.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/awsecsclustergranttaskprotectionDefaultTestDeployAssert24DEFE93.assets.json @@ -1,13 +1,14 @@ { - "version": "36.0.0", + "version": "48.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "awsecsclustergranttaskprotectionDefaultTestDeployAssert24DEFE93 Template", "source": { "path": "awsecsclustergranttaskprotectionDefaultTestDeployAssert24DEFE93.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-d8d86b35": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/cdk.out index 1f0068d32659a..523a9aac37cbf 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/integ.json index 6e80ebb486998..3c2166e38346e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "48.0.0", "testCases": { "aws-ecs-cluster-grant-task-protection/DefaultTest": { "stacks": [ @@ -8,5 +8,6 @@ "assertionStack": "aws-ecs-cluster-grant-task-protection/DefaultTest/DeployAssert", "assertionStackName": "awsecsclustergranttaskprotectionDefaultTestDeployAssert24DEFE93" } - } + }, + "minimumCliVersion": "2.1027.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/manifest.json index 5db9857548b64..71d730ead2a4d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "48.0.0", "artifacts": { "aws-ecs-integ.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c3c8f98183d2c9cb42e81d10e09f14c47c677e1d8cc0960e43b0c203ce50b689.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6cebb60a7262e4a1ad95b04b0a883be05e921629d220594c41bc6c1a79f095fe.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -34,12 +34,57 @@ "aws-ecs-integ.assets" ], "metadata": { + "/aws-ecs-integ/Vpc": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "maxAzs": "*", + "restrictDefaultSecurityGroup": false + } + } + ], "/aws-ecs-integ/Vpc/Resource": [ { "type": "aws:cdk:logicalId", "data": "Vpc8378EB38" } ], + "/aws-ecs-integ/Vpc/PublicSubnet1": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "availabilityZone": "*", + "vpcId": "*", + "cidrBlock": "*", + "mapPublicIpOnLaunch": true, + "ipv6CidrBlock": "*", + "assignIpv6AddressOnCreation": "*" + } + }, + { + "type": "aws:cdk:analytics:construct", + "data": { + "availabilityZone": "*", + "vpcId": "*", + "cidrBlock": "*", + "mapPublicIpOnLaunch": true, + "ipv6CidrBlock": "*", + "assignIpv6AddressOnCreation": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": {} + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addNatGateway": [ + "*" + ] + } + } + ], "/aws-ecs-integ/Vpc/PublicSubnet1/Subnet": [ { "type": "aws:cdk:logicalId", @@ -76,6 +121,42 @@ "data": "VpcPublicSubnet1NATGateway4D7517AA" } ], + "/aws-ecs-integ/Vpc/PublicSubnet2": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "availabilityZone": "*", + "vpcId": "*", + "cidrBlock": "*", + "mapPublicIpOnLaunch": true, + "ipv6CidrBlock": "*", + "assignIpv6AddressOnCreation": "*" + } + }, + { + "type": "aws:cdk:analytics:construct", + "data": { + "availabilityZone": "*", + "vpcId": "*", + "cidrBlock": "*", + "mapPublicIpOnLaunch": true, + "ipv6CidrBlock": "*", + "assignIpv6AddressOnCreation": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": {} + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addNatGateway": [ + "*" + ] + } + } + ], "/aws-ecs-integ/Vpc/PublicSubnet2/Subnet": [ { "type": "aws:cdk:logicalId", @@ -112,6 +193,34 @@ "data": "VpcPublicSubnet2NATGateway9182C01D" } ], + "/aws-ecs-integ/Vpc/PrivateSubnet1": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "availabilityZone": "*", + "vpcId": "*", + "cidrBlock": "*", + "mapPublicIpOnLaunch": false, + "ipv6CidrBlock": "*", + "assignIpv6AddressOnCreation": "*" + } + }, + { + "type": "aws:cdk:analytics:construct", + "data": { + "availabilityZone": "*", + "vpcId": "*", + "cidrBlock": "*", + "mapPublicIpOnLaunch": false, + "ipv6CidrBlock": "*", + "assignIpv6AddressOnCreation": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": {} + } + ], "/aws-ecs-integ/Vpc/PrivateSubnet1/Subnet": [ { "type": "aws:cdk:logicalId", @@ -136,6 +245,34 @@ "data": "VpcPrivateSubnet1DefaultRouteBE02A9ED" } ], + "/aws-ecs-integ/Vpc/PrivateSubnet2": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "availabilityZone": "*", + "vpcId": "*", + "cidrBlock": "*", + "mapPublicIpOnLaunch": false, + "ipv6CidrBlock": "*", + "assignIpv6AddressOnCreation": "*" + } + }, + { + "type": "aws:cdk:analytics:construct", + "data": { + "availabilityZone": "*", + "vpcId": "*", + "cidrBlock": "*", + "mapPublicIpOnLaunch": false, + "ipv6CidrBlock": "*", + "assignIpv6AddressOnCreation": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": {} + } + ], "/aws-ecs-integ/Vpc/PrivateSubnet2/Subnet": [ { "type": "aws:cdk:logicalId", @@ -172,18 +309,105 @@ "data": "VpcVPCGWBF912B6E" } ], + "/aws-ecs-integ/Cluster": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "vpc": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "grantTaskProtection": [ + "*" + ] + } + } + ], "/aws-ecs-integ/Cluster/Resource": [ { "type": "aws:cdk:logicalId", "data": "ClusterEB0386A7" } ], + "/aws-ecs-integ/TaskRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], + "/aws-ecs-integ/TaskRole/ImportTaskRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-ecs-integ/TaskRole/Resource": [ { "type": "aws:cdk:logicalId", "data": "TaskRole30FC0FBB" } ], + "/aws-ecs-integ/TaskRole/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/aws-ecs-integ/TaskRole/DefaultPolicy/Resource": [ { "type": "aws:cdk:logicalId", @@ -258,6 +482,502 @@ "properties": { "file": "tree.json" } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } } - } + }, + "minimumCliVersion": "2.1031.2" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/tree.json index e1a0fa0007c06..d2b1d0e13cc11 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/tree.json @@ -1,871 +1 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "aws-ecs-integ": { - "id": "aws-ecs-integ", - "path": "aws-ecs-integ", - "children": { - "Vpc": { - "id": "Vpc", - "path": "aws-ecs-integ/Vpc", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-ecs-integ/Vpc/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::VPC", - "aws:cdk:cloudformation:props": { - "cidrBlock": "10.0.0.0/16", - "enableDnsHostnames": true, - "enableDnsSupport": true, - "instanceTenancy": "default", - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", - "version": "0.0.0" - } - }, - "PublicSubnet1": { - "id": "PublicSubnet1", - "path": "aws-ecs-integ/Vpc/PublicSubnet1", - "children": { - "Subnet": { - "id": "Subnet", - "path": "aws-ecs-integ/Vpc/PublicSubnet1/Subnet", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", - "aws:cdk:cloudformation:props": { - "availabilityZone": { - "Fn::Select": [ - 0, - { - "Fn::GetAZs": "" - } - ] - }, - "cidrBlock": "10.0.0.0/18", - "mapPublicIpOnLaunch": true, - "tags": [ - { - "key": "aws-cdk:subnet-name", - "value": "Public" - }, - { - "key": "aws-cdk:subnet-type", - "value": "Public" - }, - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PublicSubnet1" - } - ], - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" - } - }, - "Acl": { - "id": "Acl", - "path": "aws-ecs-integ/Vpc/PublicSubnet1/Acl", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "RouteTable": { - "id": "RouteTable", - "path": "aws-ecs-integ/Vpc/PublicSubnet1/RouteTable", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PublicSubnet1" - } - ], - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" - } - }, - "RouteTableAssociation": { - "id": "RouteTableAssociation", - "path": "aws-ecs-integ/Vpc/PublicSubnet1/RouteTableAssociation", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", - "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "VpcPublicSubnet1RouteTable6C95E38E" - }, - "subnetId": { - "Ref": "VpcPublicSubnet1Subnet5C2D37C4" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" - } - }, - "DefaultRoute": { - "id": "DefaultRoute", - "path": "aws-ecs-integ/Vpc/PublicSubnet1/DefaultRoute", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::Route", - "aws:cdk:cloudformation:props": { - "destinationCidrBlock": "0.0.0.0/0", - "gatewayId": { - "Ref": "VpcIGWD7BA715C" - }, - "routeTableId": { - "Ref": "VpcPublicSubnet1RouteTable6C95E38E" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" - } - }, - "EIP": { - "id": "EIP", - "path": "aws-ecs-integ/Vpc/PublicSubnet1/EIP", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::EIP", - "aws:cdk:cloudformation:props": { - "domain": "vpc", - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PublicSubnet1" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", - "version": "0.0.0" - } - }, - "NATGateway": { - "id": "NATGateway", - "path": "aws-ecs-integ/Vpc/PublicSubnet1/NATGateway", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", - "aws:cdk:cloudformation:props": { - "allocationId": { - "Fn::GetAtt": [ - "VpcPublicSubnet1EIPD7E02669", - "AllocationId" - ] - }, - "subnetId": { - "Ref": "VpcPublicSubnet1Subnet5C2D37C4" - }, - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PublicSubnet1" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", - "version": "0.0.0" - } - }, - "PublicSubnet2": { - "id": "PublicSubnet2", - "path": "aws-ecs-integ/Vpc/PublicSubnet2", - "children": { - "Subnet": { - "id": "Subnet", - "path": "aws-ecs-integ/Vpc/PublicSubnet2/Subnet", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", - "aws:cdk:cloudformation:props": { - "availabilityZone": { - "Fn::Select": [ - 1, - { - "Fn::GetAZs": "" - } - ] - }, - "cidrBlock": "10.0.64.0/18", - "mapPublicIpOnLaunch": true, - "tags": [ - { - "key": "aws-cdk:subnet-name", - "value": "Public" - }, - { - "key": "aws-cdk:subnet-type", - "value": "Public" - }, - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PublicSubnet2" - } - ], - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" - } - }, - "Acl": { - "id": "Acl", - "path": "aws-ecs-integ/Vpc/PublicSubnet2/Acl", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "RouteTable": { - "id": "RouteTable", - "path": "aws-ecs-integ/Vpc/PublicSubnet2/RouteTable", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PublicSubnet2" - } - ], - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" - } - }, - "RouteTableAssociation": { - "id": "RouteTableAssociation", - "path": "aws-ecs-integ/Vpc/PublicSubnet2/RouteTableAssociation", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", - "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "VpcPublicSubnet2RouteTable94F7E489" - }, - "subnetId": { - "Ref": "VpcPublicSubnet2Subnet691E08A3" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" - } - }, - "DefaultRoute": { - "id": "DefaultRoute", - "path": "aws-ecs-integ/Vpc/PublicSubnet2/DefaultRoute", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::Route", - "aws:cdk:cloudformation:props": { - "destinationCidrBlock": "0.0.0.0/0", - "gatewayId": { - "Ref": "VpcIGWD7BA715C" - }, - "routeTableId": { - "Ref": "VpcPublicSubnet2RouteTable94F7E489" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" - } - }, - "EIP": { - "id": "EIP", - "path": "aws-ecs-integ/Vpc/PublicSubnet2/EIP", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::EIP", - "aws:cdk:cloudformation:props": { - "domain": "vpc", - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PublicSubnet2" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", - "version": "0.0.0" - } - }, - "NATGateway": { - "id": "NATGateway", - "path": "aws-ecs-integ/Vpc/PublicSubnet2/NATGateway", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", - "aws:cdk:cloudformation:props": { - "allocationId": { - "Fn::GetAtt": [ - "VpcPublicSubnet2EIP3C605A87", - "AllocationId" - ] - }, - "subnetId": { - "Ref": "VpcPublicSubnet2Subnet691E08A3" - }, - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PublicSubnet2" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", - "version": "0.0.0" - } - }, - "PrivateSubnet1": { - "id": "PrivateSubnet1", - "path": "aws-ecs-integ/Vpc/PrivateSubnet1", - "children": { - "Subnet": { - "id": "Subnet", - "path": "aws-ecs-integ/Vpc/PrivateSubnet1/Subnet", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", - "aws:cdk:cloudformation:props": { - "availabilityZone": { - "Fn::Select": [ - 0, - { - "Fn::GetAZs": "" - } - ] - }, - "cidrBlock": "10.0.128.0/18", - "mapPublicIpOnLaunch": false, - "tags": [ - { - "key": "aws-cdk:subnet-name", - "value": "Private" - }, - { - "key": "aws-cdk:subnet-type", - "value": "Private" - }, - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PrivateSubnet1" - } - ], - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" - } - }, - "Acl": { - "id": "Acl", - "path": "aws-ecs-integ/Vpc/PrivateSubnet1/Acl", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "RouteTable": { - "id": "RouteTable", - "path": "aws-ecs-integ/Vpc/PrivateSubnet1/RouteTable", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PrivateSubnet1" - } - ], - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" - } - }, - "RouteTableAssociation": { - "id": "RouteTableAssociation", - "path": "aws-ecs-integ/Vpc/PrivateSubnet1/RouteTableAssociation", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", - "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" - }, - "subnetId": { - "Ref": "VpcPrivateSubnet1Subnet536B997A" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" - } - }, - "DefaultRoute": { - "id": "DefaultRoute", - "path": "aws-ecs-integ/Vpc/PrivateSubnet1/DefaultRoute", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::Route", - "aws:cdk:cloudformation:props": { - "destinationCidrBlock": "0.0.0.0/0", - "natGatewayId": { - "Ref": "VpcPublicSubnet1NATGateway4D7517AA" - }, - "routeTableId": { - "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", - "version": "0.0.0" - } - }, - "PrivateSubnet2": { - "id": "PrivateSubnet2", - "path": "aws-ecs-integ/Vpc/PrivateSubnet2", - "children": { - "Subnet": { - "id": "Subnet", - "path": "aws-ecs-integ/Vpc/PrivateSubnet2/Subnet", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", - "aws:cdk:cloudformation:props": { - "availabilityZone": { - "Fn::Select": [ - 1, - { - "Fn::GetAZs": "" - } - ] - }, - "cidrBlock": "10.0.192.0/18", - "mapPublicIpOnLaunch": false, - "tags": [ - { - "key": "aws-cdk:subnet-name", - "value": "Private" - }, - { - "key": "aws-cdk:subnet-type", - "value": "Private" - }, - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PrivateSubnet2" - } - ], - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" - } - }, - "Acl": { - "id": "Acl", - "path": "aws-ecs-integ/Vpc/PrivateSubnet2/Acl", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "RouteTable": { - "id": "RouteTable", - "path": "aws-ecs-integ/Vpc/PrivateSubnet2/RouteTable", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc/PrivateSubnet2" - } - ], - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" - } - }, - "RouteTableAssociation": { - "id": "RouteTableAssociation", - "path": "aws-ecs-integ/Vpc/PrivateSubnet2/RouteTableAssociation", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", - "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "VpcPrivateSubnet2RouteTableA678073B" - }, - "subnetId": { - "Ref": "VpcPrivateSubnet2Subnet3788AAA1" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" - } - }, - "DefaultRoute": { - "id": "DefaultRoute", - "path": "aws-ecs-integ/Vpc/PrivateSubnet2/DefaultRoute", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::Route", - "aws:cdk:cloudformation:props": { - "destinationCidrBlock": "0.0.0.0/0", - "natGatewayId": { - "Ref": "VpcPublicSubnet2NATGateway9182C01D" - }, - "routeTableId": { - "Ref": "VpcPrivateSubnet2RouteTableA678073B" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", - "version": "0.0.0" - } - }, - "IGW": { - "id": "IGW", - "path": "aws-ecs-integ/Vpc/IGW", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::InternetGateway", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "Name", - "value": "aws-ecs-integ/Vpc" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", - "version": "0.0.0" - } - }, - "VPCGW": { - "id": "VPCGW", - "path": "aws-ecs-integ/Vpc/VPCGW", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::EC2::VPCGatewayAttachment", - "aws:cdk:cloudformation:props": { - "internetGatewayId": { - "Ref": "VpcIGWD7BA715C" - }, - "vpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.Vpc", - "version": "0.0.0" - } - }, - "Cluster": { - "id": "Cluster", - "path": "aws-ecs-integ/Cluster", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-ecs-integ/Cluster/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::ECS::Cluster", - "aws:cdk:cloudformation:props": {} - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnCluster", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.Cluster", - "version": "0.0.0" - } - }, - "TaskRole": { - "id": "TaskRole", - "path": "aws-ecs-integ/TaskRole", - "children": { - "ImportTaskRole": { - "id": "ImportTaskRole", - "path": "aws-ecs-integ/TaskRole/ImportTaskRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-integ/TaskRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "aws-ecs-integ/TaskRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-ecs-integ/TaskRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": "ecs:UpdateTaskProtection", - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":ecs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":task/", - { - "Ref": "ClusterEB0386A7" - }, - "/*" - ] - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "TaskRoleDefaultPolicy07FC53DE", - "roles": [ - { - "Ref": "TaskRole30FC0FBB" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-ecs-integ/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-ecs-integ/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "aws-ecs-cluster-grant-task-protection": { - "id": "aws-ecs-cluster-grant-task-protection", - "path": "aws-ecs-cluster-grant-task-protection", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "aws-ecs-cluster-grant-task-protection/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "aws-ecs-cluster-grant-task-protection/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "aws-ecs-cluster-grant-task-protection/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-ecs-cluster-grant-task-protection/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-ecs-cluster-grant-task-protection/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-ecs-integ":{"id":"aws-ecs-integ","path":"aws-ecs-integ","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"Vpc":{"id":"Vpc","path":"aws-ecs-integ/Vpc","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.Vpc","version":"0.0.0","metadata":[{"maxAzs":"*","restrictDefaultSecurityGroup":false}]},"children":{"Resource":{"id":"Resource","path":"aws-ecs-integ/Vpc/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnVPC","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::VPC","aws:cdk:cloudformation:props":{"cidrBlock":"10.0.0.0/16","enableDnsHostnames":true,"enableDnsSupport":true,"instanceTenancy":"default","tags":[{"key":"Name","value":"aws-ecs-integ/Vpc"}]}}},"PublicSubnet1":{"id":"PublicSubnet1","path":"aws-ecs-integ/Vpc/PublicSubnet1","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.PublicSubnet","version":"0.0.0","metadata":[{"availabilityZone":"*","vpcId":"*","cidrBlock":"*","mapPublicIpOnLaunch":true,"ipv6CidrBlock":"*","assignIpv6AddressOnCreation":"*"},{"availabilityZone":"*","vpcId":"*","cidrBlock":"*","mapPublicIpOnLaunch":true,"ipv6CidrBlock":"*","assignIpv6AddressOnCreation":"*"},{},{"addNatGateway":["*"]}]},"children":{"Subnet":{"id":"Subnet","path":"aws-ecs-integ/Vpc/PublicSubnet1/Subnet","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnSubnet","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Subnet","aws:cdk:cloudformation:props":{"availabilityZone":{"Fn::Select":[0,{"Fn::GetAZs":""}]},"cidrBlock":"10.0.0.0/18","mapPublicIpOnLaunch":true,"tags":[{"key":"aws-cdk:subnet-name","value":"Public"},{"key":"aws-cdk:subnet-type","value":"Public"},{"key":"Name","value":"aws-ecs-integ/Vpc/PublicSubnet1"}],"vpcId":{"Ref":"Vpc8378EB38"}}}},"Acl":{"id":"Acl","path":"aws-ecs-integ/Vpc/PublicSubnet1/Acl","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"RouteTable":{"id":"RouteTable","path":"aws-ecs-integ/Vpc/PublicSubnet1/RouteTable","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnRouteTable","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::RouteTable","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"aws-ecs-integ/Vpc/PublicSubnet1"}],"vpcId":{"Ref":"Vpc8378EB38"}}}},"RouteTableAssociation":{"id":"RouteTableAssociation","path":"aws-ecs-integ/Vpc/PublicSubnet1/RouteTableAssociation","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SubnetRouteTableAssociation","aws:cdk:cloudformation:props":{"routeTableId":{"Ref":"VpcPublicSubnet1RouteTable6C95E38E"},"subnetId":{"Ref":"VpcPublicSubnet1Subnet5C2D37C4"}}}},"DefaultRoute":{"id":"DefaultRoute","path":"aws-ecs-integ/Vpc/PublicSubnet1/DefaultRoute","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnRoute","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Route","aws:cdk:cloudformation:props":{"destinationCidrBlock":"0.0.0.0/0","gatewayId":{"Ref":"VpcIGWD7BA715C"},"routeTableId":{"Ref":"VpcPublicSubnet1RouteTable6C95E38E"}}}},"EIP":{"id":"EIP","path":"aws-ecs-integ/Vpc/PublicSubnet1/EIP","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnEIP","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::EIP","aws:cdk:cloudformation:props":{"domain":"vpc","tags":[{"key":"Name","value":"aws-ecs-integ/Vpc/PublicSubnet1"}]}}},"NATGateway":{"id":"NATGateway","path":"aws-ecs-integ/Vpc/PublicSubnet1/NATGateway","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnNatGateway","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::NatGateway","aws:cdk:cloudformation:props":{"allocationId":{"Fn::GetAtt":["VpcPublicSubnet1EIPD7E02669","AllocationId"]},"subnetId":{"Ref":"VpcPublicSubnet1Subnet5C2D37C4"},"tags":[{"key":"Name","value":"aws-ecs-integ/Vpc/PublicSubnet1"}]}}}}},"PublicSubnet2":{"id":"PublicSubnet2","path":"aws-ecs-integ/Vpc/PublicSubnet2","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.PublicSubnet","version":"0.0.0","metadata":[{"availabilityZone":"*","vpcId":"*","cidrBlock":"*","mapPublicIpOnLaunch":true,"ipv6CidrBlock":"*","assignIpv6AddressOnCreation":"*"},{"availabilityZone":"*","vpcId":"*","cidrBlock":"*","mapPublicIpOnLaunch":true,"ipv6CidrBlock":"*","assignIpv6AddressOnCreation":"*"},{},{"addNatGateway":["*"]}]},"children":{"Subnet":{"id":"Subnet","path":"aws-ecs-integ/Vpc/PublicSubnet2/Subnet","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnSubnet","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Subnet","aws:cdk:cloudformation:props":{"availabilityZone":{"Fn::Select":[1,{"Fn::GetAZs":""}]},"cidrBlock":"10.0.64.0/18","mapPublicIpOnLaunch":true,"tags":[{"key":"aws-cdk:subnet-name","value":"Public"},{"key":"aws-cdk:subnet-type","value":"Public"},{"key":"Name","value":"aws-ecs-integ/Vpc/PublicSubnet2"}],"vpcId":{"Ref":"Vpc8378EB38"}}}},"Acl":{"id":"Acl","path":"aws-ecs-integ/Vpc/PublicSubnet2/Acl","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"RouteTable":{"id":"RouteTable","path":"aws-ecs-integ/Vpc/PublicSubnet2/RouteTable","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnRouteTable","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::RouteTable","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"aws-ecs-integ/Vpc/PublicSubnet2"}],"vpcId":{"Ref":"Vpc8378EB38"}}}},"RouteTableAssociation":{"id":"RouteTableAssociation","path":"aws-ecs-integ/Vpc/PublicSubnet2/RouteTableAssociation","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SubnetRouteTableAssociation","aws:cdk:cloudformation:props":{"routeTableId":{"Ref":"VpcPublicSubnet2RouteTable94F7E489"},"subnetId":{"Ref":"VpcPublicSubnet2Subnet691E08A3"}}}},"DefaultRoute":{"id":"DefaultRoute","path":"aws-ecs-integ/Vpc/PublicSubnet2/DefaultRoute","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnRoute","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Route","aws:cdk:cloudformation:props":{"destinationCidrBlock":"0.0.0.0/0","gatewayId":{"Ref":"VpcIGWD7BA715C"},"routeTableId":{"Ref":"VpcPublicSubnet2RouteTable94F7E489"}}}},"EIP":{"id":"EIP","path":"aws-ecs-integ/Vpc/PublicSubnet2/EIP","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnEIP","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::EIP","aws:cdk:cloudformation:props":{"domain":"vpc","tags":[{"key":"Name","value":"aws-ecs-integ/Vpc/PublicSubnet2"}]}}},"NATGateway":{"id":"NATGateway","path":"aws-ecs-integ/Vpc/PublicSubnet2/NATGateway","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnNatGateway","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::NatGateway","aws:cdk:cloudformation:props":{"allocationId":{"Fn::GetAtt":["VpcPublicSubnet2EIP3C605A87","AllocationId"]},"subnetId":{"Ref":"VpcPublicSubnet2Subnet691E08A3"},"tags":[{"key":"Name","value":"aws-ecs-integ/Vpc/PublicSubnet2"}]}}}}},"PrivateSubnet1":{"id":"PrivateSubnet1","path":"aws-ecs-integ/Vpc/PrivateSubnet1","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.PrivateSubnet","version":"0.0.0","metadata":[{"availabilityZone":"*","vpcId":"*","cidrBlock":"*","mapPublicIpOnLaunch":false,"ipv6CidrBlock":"*","assignIpv6AddressOnCreation":"*"},{"availabilityZone":"*","vpcId":"*","cidrBlock":"*","mapPublicIpOnLaunch":false,"ipv6CidrBlock":"*","assignIpv6AddressOnCreation":"*"},{}]},"children":{"Subnet":{"id":"Subnet","path":"aws-ecs-integ/Vpc/PrivateSubnet1/Subnet","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnSubnet","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Subnet","aws:cdk:cloudformation:props":{"availabilityZone":{"Fn::Select":[0,{"Fn::GetAZs":""}]},"cidrBlock":"10.0.128.0/18","mapPublicIpOnLaunch":false,"tags":[{"key":"aws-cdk:subnet-name","value":"Private"},{"key":"aws-cdk:subnet-type","value":"Private"},{"key":"Name","value":"aws-ecs-integ/Vpc/PrivateSubnet1"}],"vpcId":{"Ref":"Vpc8378EB38"}}}},"Acl":{"id":"Acl","path":"aws-ecs-integ/Vpc/PrivateSubnet1/Acl","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"RouteTable":{"id":"RouteTable","path":"aws-ecs-integ/Vpc/PrivateSubnet1/RouteTable","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnRouteTable","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::RouteTable","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"aws-ecs-integ/Vpc/PrivateSubnet1"}],"vpcId":{"Ref":"Vpc8378EB38"}}}},"RouteTableAssociation":{"id":"RouteTableAssociation","path":"aws-ecs-integ/Vpc/PrivateSubnet1/RouteTableAssociation","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SubnetRouteTableAssociation","aws:cdk:cloudformation:props":{"routeTableId":{"Ref":"VpcPrivateSubnet1RouteTableB2C5B500"},"subnetId":{"Ref":"VpcPrivateSubnet1Subnet536B997A"}}}},"DefaultRoute":{"id":"DefaultRoute","path":"aws-ecs-integ/Vpc/PrivateSubnet1/DefaultRoute","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnRoute","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Route","aws:cdk:cloudformation:props":{"destinationCidrBlock":"0.0.0.0/0","natGatewayId":{"Ref":"VpcPublicSubnet1NATGateway4D7517AA"},"routeTableId":{"Ref":"VpcPrivateSubnet1RouteTableB2C5B500"}}}}}},"PrivateSubnet2":{"id":"PrivateSubnet2","path":"aws-ecs-integ/Vpc/PrivateSubnet2","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.PrivateSubnet","version":"0.0.0","metadata":[{"availabilityZone":"*","vpcId":"*","cidrBlock":"*","mapPublicIpOnLaunch":false,"ipv6CidrBlock":"*","assignIpv6AddressOnCreation":"*"},{"availabilityZone":"*","vpcId":"*","cidrBlock":"*","mapPublicIpOnLaunch":false,"ipv6CidrBlock":"*","assignIpv6AddressOnCreation":"*"},{}]},"children":{"Subnet":{"id":"Subnet","path":"aws-ecs-integ/Vpc/PrivateSubnet2/Subnet","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnSubnet","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Subnet","aws:cdk:cloudformation:props":{"availabilityZone":{"Fn::Select":[1,{"Fn::GetAZs":""}]},"cidrBlock":"10.0.192.0/18","mapPublicIpOnLaunch":false,"tags":[{"key":"aws-cdk:subnet-name","value":"Private"},{"key":"aws-cdk:subnet-type","value":"Private"},{"key":"Name","value":"aws-ecs-integ/Vpc/PrivateSubnet2"}],"vpcId":{"Ref":"Vpc8378EB38"}}}},"Acl":{"id":"Acl","path":"aws-ecs-integ/Vpc/PrivateSubnet2/Acl","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"RouteTable":{"id":"RouteTable","path":"aws-ecs-integ/Vpc/PrivateSubnet2/RouteTable","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnRouteTable","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::RouteTable","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"aws-ecs-integ/Vpc/PrivateSubnet2"}],"vpcId":{"Ref":"Vpc8378EB38"}}}},"RouteTableAssociation":{"id":"RouteTableAssociation","path":"aws-ecs-integ/Vpc/PrivateSubnet2/RouteTableAssociation","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SubnetRouteTableAssociation","aws:cdk:cloudformation:props":{"routeTableId":{"Ref":"VpcPrivateSubnet2RouteTableA678073B"},"subnetId":{"Ref":"VpcPrivateSubnet2Subnet3788AAA1"}}}},"DefaultRoute":{"id":"DefaultRoute","path":"aws-ecs-integ/Vpc/PrivateSubnet2/DefaultRoute","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnRoute","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Route","aws:cdk:cloudformation:props":{"destinationCidrBlock":"0.0.0.0/0","natGatewayId":{"Ref":"VpcPublicSubnet2NATGateway9182C01D"},"routeTableId":{"Ref":"VpcPrivateSubnet2RouteTableA678073B"}}}}}},"IGW":{"id":"IGW","path":"aws-ecs-integ/Vpc/IGW","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnInternetGateway","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::InternetGateway","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"aws-ecs-integ/Vpc"}]}}},"VPCGW":{"id":"VPCGW","path":"aws-ecs-integ/Vpc/VPCGW","constructInfo":{"fqn":"aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::VPCGatewayAttachment","aws:cdk:cloudformation:props":{"internetGatewayId":{"Ref":"VpcIGWD7BA715C"},"vpcId":{"Ref":"Vpc8378EB38"}}}}}},"Cluster":{"id":"Cluster","path":"aws-ecs-integ/Cluster","constructInfo":{"fqn":"aws-cdk-lib.aws_ecs.Cluster","version":"0.0.0","metadata":[{"vpc":"*"},{"grantTaskProtection":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-ecs-integ/Cluster/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_ecs.CfnCluster","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ECS::Cluster","aws:cdk:cloudformation:props":{}}}}},"TaskRole":{"id":"TaskRole","path":"aws-ecs-integ/TaskRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]}]},"children":{"ImportTaskRole":{"id":"ImportTaskRole","path":"aws-ecs-integ/TaskRole/ImportTaskRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-ecs-integ/TaskRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"ecs-tasks.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-ecs-integ/TaskRole/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-ecs-integ/TaskRole/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"ecs:UpdateTaskProtection","Effect":"Allow","Resource":{"Fn::Join":["",[{"Fn::GetAtt":["ClusterEB0386A7","Arn"]},"/*"]]}}],"Version":"2012-10-17"},"policyName":"TaskRoleDefaultPolicy07FC53DE","roles":[{"Ref":"TaskRole30FC0FBB"}]}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-ecs-integ/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-ecs-integ/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"aws-ecs-cluster-grant-task-protection":{"id":"aws-ecs-cluster-grant-task-protection","path":"aws-ecs-cluster-grant-task-protection","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"aws-ecs-cluster-grant-task-protection/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"aws-ecs-cluster-grant-task-protection/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"aws-ecs-cluster-grant-task-protection/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-ecs-cluster-grant-task-protection/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-ecs-cluster-grant-task-protection/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-apigateway/grants.json b/packages/aws-cdk-lib/aws-apigateway/grants.json new file mode 100644 index 0000000000000..4b4a79c9cc870 --- /dev/null +++ b/packages/aws-cdk-lib/aws-apigateway/grants.json @@ -0,0 +1,42 @@ +{ + "resources": { + "ApiKey": { + "grants": { + "read": { + "actions": [ + "apigateway:GET" + ], + "docSummary": "Permits the IAM principal all read operations through this key" + }, + "write": { + "actions": [ + "apigateway:POST", + "apigateway:PUT", + "apigateway:PATCH", + "apigateway:DELETE" + ], + "docSummary": "Permits the IAM principal all write operations through this key" + }, + "readWrite": { + "actions": [ + "apigateway:GET", + "apigateway:POST", + "apigateway:PUT", + "apigateway:PATCH", + "apigateway:DELETE" + ], + "docSummary": "Permits the IAM principal all read and write operations through this key" + } + } + }, + "Method": { + "grants": { + "execute": { + "actions": [ + "execute-api:Invoke" + ] + } + } + } + } +} diff --git a/packages/aws-cdk-lib/aws-apigateway/lib/api-key.ts b/packages/aws-cdk-lib/aws-apigateway/lib/api-key.ts index 06155af14da80..fa4bc8b813792 100644 --- a/packages/aws-cdk-lib/aws-apigateway/lib/api-key.ts +++ b/packages/aws-cdk-lib/aws-apigateway/lib/api-key.ts @@ -1,4 +1,5 @@ import { Construct } from 'constructs'; +import { ApiKeyGrants } from './apigateway-grants.generated'; import { ApiKeyReference, CfnApiKey, IApiKeyRef, IStageRef } from './apigateway.generated'; import { ResourceOptions } from './resource'; import { IRestApi } from './restapi'; @@ -100,17 +101,18 @@ abstract class ApiKeyBase extends Resource implements IApiKey { public abstract readonly keyId: string; public abstract readonly keyArn: string; + /** + * Collection of grant methods for an ApiKey + */ + public readonly grants = ApiKeyGrants._fromApiKey(this); + /** * Permits the IAM principal all read operations through this key * * @param grantee The principal to grant access to */ public grantRead(grantee: iam.IGrantable): iam.Grant { - return iam.Grant.addToPrincipal({ - grantee, - actions: readPermissions, - resourceArns: [this.keyArn], - }); + return this.grants.read(grantee); } /** @@ -119,11 +121,7 @@ abstract class ApiKeyBase extends Resource implements IApiKey { * @param grantee The principal to grant access to */ public grantWrite(grantee: iam.IGrantable): iam.Grant { - return iam.Grant.addToPrincipal({ - grantee, - actions: writePermissions, - resourceArns: [this.keyArn], - }); + return this.grants.write(grantee); } /** @@ -132,11 +130,7 @@ abstract class ApiKeyBase extends Resource implements IApiKey { * @param grantee The principal to grant access to */ public grantReadWrite(grantee: iam.IGrantable): iam.Grant { - return iam.Grant.addToPrincipal({ - grantee, - actions: [...readPermissions, ...writePermissions], - resourceArns: [this.keyArn], - }); + return this.grants.readWrite(grantee); } public get apiKeyRef(): ApiKeyReference { @@ -294,14 +288,3 @@ export class RateLimitedApiKey extends ApiKeyBase { this.keyArn = resource.keyArn; } } - -const readPermissions = [ - 'apigateway:GET', -]; - -const writePermissions = [ - 'apigateway:POST', - 'apigateway:PUT', - 'apigateway:PATCH', - 'apigateway:DELETE', -]; diff --git a/packages/aws-cdk-lib/aws-apigateway/lib/index.ts b/packages/aws-cdk-lib/aws-apigateway/lib/index.ts index ed68870b500a1..04ae02e32666a 100644 --- a/packages/aws-cdk-lib/aws-apigateway/lib/index.ts +++ b/packages/aws-cdk-lib/aws-apigateway/lib/index.ts @@ -25,3 +25,4 @@ export * from './stepfunctions-api'; // AWS::ApiGateway CloudFormation Resources: export * from './apigateway.generated'; +export * from './apigateway-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-apigateway/test/api-key.test.ts b/packages/aws-cdk-lib/aws-apigateway/test/api-key.test.ts index 01d485e6dbc7b..5d88a14d20996 100644 --- a/packages/aws-cdk-lib/aws-apigateway/test/api-key.test.ts +++ b/packages/aws-cdk-lib/aws-apigateway/test/api-key.test.ts @@ -3,6 +3,7 @@ import { Match, Template } from '../../assertions'; import * as iam from '../../aws-iam'; import * as cdk from '../../core'; import * as apigateway from '../lib'; +import { CfnRestApi } from '../lib'; describe('api key', () => { test('default setup', () => { @@ -425,3 +426,35 @@ describe('api key', () => { }); }); }); + +describe('L1 static methods', () => { + test('asdads', () => { + const stack = new cdk.Stack(); + + const logicalId = 'BackendApi'; + const api = new apigateway.RestApi(stack, 'api', { + cloudWatchRole: false, + deploy: true, + deployOptions: { stageName: 'test' }, + }); + (api.node.defaultChild as CfnRestApi).overrideLogicalId(logicalId); + + const arn = apigateway.CfnRestApi.arnForRestApi(api); + + expect(stack.resolve(arn)).toEqual({ + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':apigateway:', { Ref: 'AWS::Region' }, '::/restapis/', { Ref: logicalId }]], + }); + }); + + test('axxzxzzx', () => { + const stack = new cdk.Stack(); + + const restApiId = 'BackendApi'; + const api = apigateway.CfnRestApi.fromRestApiId(stack, 'asdas', restApiId); + const arn = apigateway.CfnRestApi.arnForRestApi(api); + + expect(stack.resolve(arn)).toEqual({ + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':apigateway:', { Ref: 'AWS::Region' }, `::/restapis/${restApiId}`]], + }); + }); +}); diff --git a/packages/aws-cdk-lib/aws-apigatewayv2/grants.json b/packages/aws-cdk-lib/aws-apigatewayv2/grants.json new file mode 100644 index 0000000000000..df6d6c21ccb6c --- /dev/null +++ b/packages/aws-cdk-lib/aws-apigatewayv2/grants.json @@ -0,0 +1,25 @@ +{ + "resources": { + "WebSocketApi": { + "grants": { + "manageConnections": { + "arnFormat": "${webSocketApiArn}/*/*/@connections/*", + "actions": [ + "execute-api:ManageConnections" + ] + } + } + }, + "WebSocketStage": { + "grants": { + "managementApiAccess": { + "arnFormat": "${webSocketStageArn}/*/@connections/*", + "actions": [ + "execute-api:ManageConnections" + ] + } + } + } + } +} + diff --git a/packages/aws-cdk-lib/aws-appconfig/grants.json b/packages/aws-cdk-lib/aws-appconfig/grants.json new file mode 100644 index 0000000000000..6e8a78d6b4669 --- /dev/null +++ b/packages/aws-cdk-lib/aws-appconfig/grants.json @@ -0,0 +1,16 @@ +{ + "resources": { + "Environment": { + "grants": { + "readConfig": { + "arnFormat": "${environmentArn}/configuration/*", + "actions": [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession" + ] + } + } + } + } +} + diff --git a/packages/aws-cdk-lib/aws-appmesh/grants.json b/packages/aws-cdk-lib/aws-appmesh/grants.json new file mode 100644 index 0000000000000..a4b617582bb9a --- /dev/null +++ b/packages/aws-cdk-lib/aws-appmesh/grants.json @@ -0,0 +1,24 @@ +{ + "resources": { + "VirtualGateway": { + "grants": { + "streamAggregatedResources": { + "actions": [ + "appmesh:StreamAggregatedResources" + ], + "docSummary": "Grants the given entity `appmesh:StreamAggregatedResources`." + } + } + }, + "VirtualNode": { + "grants": { + "streamAggregatedResources": { + "actions": [ + "appmesh:StreamAggregatedResources" + ] + } + } + } + } +} + diff --git a/packages/aws-cdk-lib/aws-appmesh/lib/index.ts b/packages/aws-cdk-lib/aws-appmesh/lib/index.ts index d5ea8fedb70d6..12b9baf460df1 100644 --- a/packages/aws-cdk-lib/aws-appmesh/lib/index.ts +++ b/packages/aws-cdk-lib/aws-appmesh/lib/index.ts @@ -1,5 +1,6 @@ // AWS::AppMesh CloudFormation Resources: export * from './appmesh.generated'; +export * from './appmesh-grants.generated'; export * from './mesh'; export * from './route'; export * from './service-discovery'; diff --git a/packages/aws-cdk-lib/aws-appmesh/lib/virtual-gateway.ts b/packages/aws-cdk-lib/aws-appmesh/lib/virtual-gateway.ts index 7f0d6c5683710..530a71850c96e 100644 --- a/packages/aws-cdk-lib/aws-appmesh/lib/virtual-gateway.ts +++ b/packages/aws-cdk-lib/aws-appmesh/lib/virtual-gateway.ts @@ -1,5 +1,6 @@ import { Construct } from 'constructs'; -import { CfnVirtualGateway } from './appmesh.generated'; +import { VirtualGatewayGrants } from './appmesh-grants.generated'; +import { CfnVirtualGateway, IVirtualGatewayRef, VirtualGatewayReference } from './appmesh.generated'; import { GatewayRoute, GatewayRouteBaseProps } from './gateway-route'; import { IMesh, Mesh } from './mesh'; import { renderTlsClientPolicy, renderMeshOwner } from './private/utils'; @@ -13,7 +14,7 @@ import { propertyInjectable } from '../../core/lib/prop-injectable'; /** * Interface which all Virtual Gateway based classes must implement */ -export interface IVirtualGateway extends cdk.IResource { +export interface IVirtualGateway extends cdk.IResource, IVirtualGatewayRef { /** * Name of the VirtualGateway * @@ -103,6 +104,18 @@ abstract class VirtualGatewayBase extends cdk.Resource implements IVirtualGatewa */ public abstract readonly mesh: IMesh; + /** + * Collection of grant methods for a VirtualGateway + */ + public readonly grants: VirtualGatewayGrants = VirtualGatewayGrants._fromVirtualGateway(this); + + public get virtualGatewayRef(): VirtualGatewayReference { + return { + virtualGatewayArn: this.virtualGatewayArn, + virtualGatewayId: this.virtualGatewayName, + }; + } + /** * Utility method to add a new GatewayRoute to the VirtualGateway */ @@ -114,11 +127,7 @@ abstract class VirtualGatewayBase extends cdk.Resource implements IVirtualGatewa } public grantStreamAggregatedResources(identity: iam.IGrantable): iam.Grant { - return iam.Grant.addToPrincipal({ - grantee: identity, - actions: ['appmesh:StreamAggregatedResources'], - resourceArns: [this.virtualGatewayArn], - }); + return this.grants.streamAggregatedResources(identity); } } diff --git a/packages/aws-cdk-lib/aws-appmesh/test/virtual-gateway.test.ts b/packages/aws-cdk-lib/aws-appmesh/test/virtual-gateway.test.ts index 542b5043e3c30..59cf577a1561e 100644 --- a/packages/aws-cdk-lib/aws-appmesh/test/virtual-gateway.test.ts +++ b/packages/aws-cdk-lib/aws-appmesh/test/virtual-gateway.test.ts @@ -3,6 +3,7 @@ import * as acm from '../../aws-certificatemanager'; import * as iam from '../../aws-iam'; import * as cdk from '../../core'; import * as appmesh from '../lib'; +import { VirtualGatewayGrants } from '../lib/appmesh-grants.generated'; describe('virtual gateway', () => { describe('When creating a VirtualGateway', () => { @@ -951,4 +952,40 @@ describe('virtual gateway', () => { }, }); }); + + test('Can grant an identity StreamAggregatedResources for a given CfnVirtualGateway', () => { + // GIVEN + const stack = new cdk.Stack(); + const mesh = new appmesh.Mesh(stack, 'mesh', { + meshName: 'test-mesh', + }); + const gateway = new appmesh.CfnVirtualGateway(stack, 'testGateway', { + meshName: mesh.meshName, + spec: { + listeners: [], + }, + }); + + // WHEN + const user = new iam.User(stack, 'test'); + VirtualGatewayGrants._fromVirtualGateway(gateway).streamAggregatedResources(user); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'appmesh:StreamAggregatedResources', + Effect: 'Allow', + Resource: { + 'Fn::GetAtt': [ + 'testGateway', + 'Arn', + ], + }, + }, + ], + }, + }); + }); }); diff --git a/packages/aws-cdk-lib/aws-cloudfront/grants.json b/packages/aws-cdk-lib/aws-cloudfront/grants.json new file mode 100644 index 0000000000000..578e2e80c3e25 --- /dev/null +++ b/packages/aws-cdk-lib/aws-cloudfront/grants.json @@ -0,0 +1,14 @@ +{ + "resources": { + "Distribution": { + "grants": { + "createInvalidation": { + "actions": [ + "cloudfront:CreateInvalidation" + ], + "docSummary": "Grant to create invalidations for this bucket to an IAM principal (Role/Group/User)." + } + } + } + } +} diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts index 5b055190508b4..264af3a89fb92 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts @@ -1,4 +1,5 @@ import { Construct } from 'constructs'; +import { DistributionGrants } from './cloudfront-grants.generated'; import { CfnDistribution, CfnMonitoringSubscription, @@ -332,7 +333,7 @@ export class Distribution extends Resource implements IDistribution { return grant(this, grantee, ...actions); } public grantCreateInvalidation(grantee: iam.IGrantable): iam.Grant { - return this.grant(grantee, 'cloudfront:CreateInvalidation'); + return DistributionGrants._fromDistribution(this).createInvalidation(grantee); } }(); } @@ -342,6 +343,11 @@ export class Distribution extends Resource implements IDistribution { public readonly distributionId: string; public readonly distributionRef: DistributionReference; + /** + * Collection of grant methods for a Distribution + */ + public readonly grants = DistributionGrants._fromDistribution(this); + private readonly httpVersion: HttpVersion; private readonly defaultBehavior: CacheBehavior; private readonly additionalBehaviors: CacheBehavior[] = []; @@ -672,7 +678,7 @@ export class Distribution extends Resource implements IDistribution { */ @MethodMetadata() public grantCreateInvalidation(identity: iam.IGrantable): iam.Grant { - return this.grant(identity, 'cloudfront:CreateInvalidation'); + return this.grants.createInvalidation(identity); } /** diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/index.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/index.ts index 91901ad246b35..f131e364fb639 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/index.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/index.ts @@ -19,3 +19,4 @@ export * as experimental from './experimental'; // AWS::CloudFront CloudFormation Resources: export * from './cloudfront.generated'; +export * from './cloudfront-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts index 25d444b53cea6..dfd08b9ba7fe2 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts @@ -1,4 +1,5 @@ import { Construct } from 'constructs'; +import { DistributionGrants } from './cloudfront-grants.generated'; import { CfnDistribution, DistributionReference } from './cloudfront.generated'; import { HttpVersion, @@ -787,11 +788,16 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu return iam.Grant.addToPrincipal({ grantee, actions, resourceArns: [formatDistributionArn(this)] }); } public grantCreateInvalidation(identity: iam.IGrantable): iam.Grant { - return this.grant(identity, 'cloudfront:CreateInvalidation'); + return DistributionGrants._fromDistribution(this).createInvalidation(identity); } }(); } + /** + * Collection of grant methods for a Distribution + */ + public readonly grants = DistributionGrants._fromDistribution(this); + /** * The logging bucket for this CloudFront distribution. * If logging is not enabled for this distribution - this property will be undefined. @@ -1044,7 +1050,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu * @param identity The principal */ grantCreateInvalidation(identity: iam.IGrantable): iam.Grant { - return this.grant(identity, 'cloudfront:CreateInvalidation'); + return this.grants.createInvalidation(identity); } private toBehavior(input: BehaviorWithOrigin, protoPolicy?: ViewerProtocolPolicy) { diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts index a5c7bb668cf49..e6907c9d87fbc 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts @@ -24,6 +24,7 @@ import { SecurityPolicyProtocol, SSLMethod, } from '../lib'; +import { DistributionGrants } from '../lib/cloudfront-grants.generated'; let app: App; let stack: Stack; @@ -1272,6 +1273,38 @@ test('grants createInvalidation', () => { }); }); +test('grants createInvalidation to L1', () => { + const distribution = new Distribution(stack, 'Distribution', { + defaultBehavior: { origin: defaultOrigin() }, + }); + + const role = new iam.Role(stack, 'Role', { + assumedBy: new iam.AccountRootPrincipal(), + }); + + DistributionGrants. + _fromDistribution(distribution.node.defaultChild as CfnDistribution) + .createInvalidation(role); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'cloudfront:CreateInvalidation', + Resource: { + 'Fn::Join': [ + '', [ + 'arn:', { Ref: 'AWS::Partition' }, ':cloudfront::1234:distribution/', + { Ref: 'Distribution830FAC52' }, + ], + ], + }, + }, + ], + }, + }); +}); + test('render distribution behavior with realtime log config', () => { const role = new iam.Role(stack, 'Role', { assumedBy: new iam.ServicePrincipal('cloudfront.amazonaws.com'), diff --git a/packages/aws-cdk-lib/aws-codecommit/grants.json b/packages/aws-cdk-lib/aws-codecommit/grants.json new file mode 100644 index 0000000000000..b2d0c472d02ca --- /dev/null +++ b/packages/aws-cdk-lib/aws-codecommit/grants.json @@ -0,0 +1,28 @@ +{ + "resources": { + "Repository": { + "grants": { + "pull": { + "actions": [ + "codecommit:GitPull" + ] + }, + "pullPush": { + "actions": [ + "codecommit:GitPull", + "codecommit:GitPush" + ] + }, + "read": { + "actions": [ + "codecommit:GitPull", + "codecommit:EvaluatePullRequestApprovalRules", + "codecommit:Get*", + "codecommit:Describe*" + ] + } + } + } + } +} + diff --git a/packages/aws-cdk-lib/aws-codecommit/lib/index.ts b/packages/aws-cdk-lib/aws-codecommit/lib/index.ts index 8ef697865609e..89949ffa76c3a 100644 --- a/packages/aws-cdk-lib/aws-codecommit/lib/index.ts +++ b/packages/aws-cdk-lib/aws-codecommit/lib/index.ts @@ -4,3 +4,4 @@ export * from './code'; // AWS::CodeCommit CloudFormation Resources: export * from './codecommit.generated'; +export * from './codecommit-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-codecommit/lib/repository.ts b/packages/aws-cdk-lib/aws-codecommit/lib/repository.ts index d893f47de5132..2b9e53fde85b9 100644 --- a/packages/aws-cdk-lib/aws-codecommit/lib/repository.ts +++ b/packages/aws-cdk-lib/aws-codecommit/lib/repository.ts @@ -1,6 +1,7 @@ import { Construct } from 'constructs'; import { Code } from './code'; -import { CfnRepository } from './codecommit.generated'; +import { RepositoryGrants } from './codecommit-grants.generated'; +import { CfnRepository, IRepositoryRef, RepositoryReference } from './codecommit.generated'; import * as notifications from '../../aws-codestarnotifications'; import * as events from '../../aws-events'; import * as iam from '../../aws-iam'; @@ -21,7 +22,7 @@ export interface RepositoryNotifyOnOptions extends notifications.NotificationRul readonly events: RepositoryNotificationEvents[]; } -export interface IRepository extends IResource, notifications.INotificationRuleSource { +export interface IRepository extends IResource, notifications.INotificationRuleSource, IRepositoryRef { /** * The ARN of this Repository. * @attribute @@ -253,6 +254,18 @@ abstract class RepositoryBase extends Resource implements IRepository { public abstract readonly repositoryCloneUrlGrc: string; + /** + * Collection of grant methods for a Repository + */ + public readonly grants = RepositoryGrants._fromRepository(this); + + public get repositoryRef(): RepositoryReference { + return { + repositoryId: this.repositoryName, + repositoryArn: this.repositoryArn, + }; + } + /** * Defines a CloudWatch event rule which triggers for repository events. Use * `rule.addEventPattern(pattern)` to specify a filter. @@ -356,21 +369,15 @@ abstract class RepositoryBase extends Resource implements IRepository { } public grantPull(grantee: iam.IGrantable) { - return this.grant(grantee, 'codecommit:GitPull'); + return this.grants.pull(grantee); } public grantPullPush(grantee: iam.IGrantable) { - this.grantPull(grantee); - return this.grant(grantee, 'codecommit:GitPush'); + return this.grants.pullPush(grantee); } public grantRead(grantee: iam.IGrantable) { - this.grantPull(grantee); - return this.grant(grantee, - 'codecommit:EvaluatePullRequestApprovalRules', - 'codecommit:Get*', - 'codecommit:Describe*', - ); + return this.grants.read(grantee); } public notifyOn( diff --git a/packages/aws-cdk-lib/aws-codecommit/test/codecommit.test.ts b/packages/aws-cdk-lib/aws-codecommit/test/codecommit.test.ts index 4d250742d6e1f..74ea90d4aa7ca 100644 --- a/packages/aws-cdk-lib/aws-codecommit/test/codecommit.test.ts +++ b/packages/aws-cdk-lib/aws-codecommit/test/codecommit.test.ts @@ -260,17 +260,7 @@ describe('codecommit', () => { PolicyDocument: { Statement: [ { - Action: 'codecommit:GitPull', - Effect: 'Allow', - Resource: { - 'Fn::GetAtt': [ - 'Repo02AC86CF', - 'Arn', - ], - }, - }, - { - Action: 'codecommit:GitPush', + Action: ['codecommit:GitPull', 'codecommit:GitPush'], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ diff --git a/packages/aws-cdk-lib/aws-codeguruprofiler/grants.json b/packages/aws-cdk-lib/aws-codeguruprofiler/grants.json new file mode 100644 index 0000000000000..c6f078c1f4c32 --- /dev/null +++ b/packages/aws-cdk-lib/aws-codeguruprofiler/grants.json @@ -0,0 +1,25 @@ +{ + "resources": { + "ProfilingGroup": { + "grants": { + "publish": { + "actions": [ + "codeguru-profiler:ConfigureAgent", + "codeguru-profiler:PostAgentProfile" + ], + "docSummary": "Grant access to publish profiling information to the Profiling Group to the given identity.\n\nThis will grant the following permissions:\n\n - codeguru-profiler:ConfigureAgent\n - codeguru-profiler:PostAgentProfile" + }, + "read": { + "actions": [ + "codeguru-profiler:GetProfile", + "codeguru-profiler:DescribeProfilingGroup" + ], + "docSummary": "Grant access to read profiling information from the Profiling Group to the given identity.\n\nThis will grant the following permissions:\n\n - codeguru-profiler:GetProfile\n - codeguru-profiler:DescribeProfilingGroup" + } + } + } + } +} + + + diff --git a/packages/aws-cdk-lib/aws-codeguruprofiler/lib/index.ts b/packages/aws-cdk-lib/aws-codeguruprofiler/lib/index.ts index 6ee79ba3c2171..24b1cf111026c 100644 --- a/packages/aws-cdk-lib/aws-codeguruprofiler/lib/index.ts +++ b/packages/aws-cdk-lib/aws-codeguruprofiler/lib/index.ts @@ -1,3 +1,5 @@ // AWS::CodeGuruProfiler CloudFormation Resources: export * from './codeguruprofiler.generated'; +export * from './codeguruprofiler-grants.generated'; + export * from './profiling-group'; diff --git a/packages/aws-cdk-lib/aws-codeguruprofiler/lib/profiling-group.ts b/packages/aws-cdk-lib/aws-codeguruprofiler/lib/profiling-group.ts index 057dd7108cba4..d5243b7648282 100644 --- a/packages/aws-cdk-lib/aws-codeguruprofiler/lib/profiling-group.ts +++ b/packages/aws-cdk-lib/aws-codeguruprofiler/lib/profiling-group.ts @@ -1,5 +1,6 @@ import { Construct } from 'constructs'; -import { CfnProfilingGroup } from './codeguruprofiler.generated'; +import { ProfilingGroupGrants } from './codeguruprofiler-grants.generated'; +import { CfnProfilingGroup, IProfilingGroupRef, ProfilingGroupReference } from './codeguruprofiler.generated'; import { Grant, IGrantable } from '../../aws-iam'; import { ArnFormat, IResource, Lazy, Names, Resource, Stack } from '../../core'; import { addConstructMetadata } from '../../core/lib/metadata-resource'; @@ -24,7 +25,7 @@ export enum ComputePlatform { /** * IResource represents a Profiling Group. */ -export interface IProfilingGroup extends IResource { +export interface IProfilingGroup extends IResource, IProfilingGroupRef { /** * The name of the profiling group. @@ -71,6 +72,18 @@ abstract class ProfilingGroupBase extends Resource implements IProfilingGroup { public abstract readonly profilingGroupArn: string; + /** + * Collection of grant methods for a ProfilingGroup + */ + public readonly grants = ProfilingGroupGrants._fromProfilingGroup(this); + + public get profilingGroupRef(): ProfilingGroupReference { + return { + profilingGroupArn: this.profilingGroupArn, + profilingGroupName: this.profilingGroupName, + }; + } + /** * Grant access to publish profiling information to the Profiling Group to the given identity. * @@ -82,12 +95,7 @@ abstract class ProfilingGroupBase extends Resource implements IProfilingGroup { * @param grantee Principal to grant publish rights to */ public grantPublish(grantee: IGrantable) { - // https://docs.aws.amazon.com/codeguru/latest/profiler-ug/security-iam.html#security-iam-access-control - return Grant.addToPrincipal({ - grantee, - actions: ['codeguru-profiler:ConfigureAgent', 'codeguru-profiler:PostAgentProfile'], - resourceArns: [this.profilingGroupArn], - }); + return this.grants.publish(grantee); } /** @@ -101,12 +109,7 @@ abstract class ProfilingGroupBase extends Resource implements IProfilingGroup { * @param grantee Principal to grant read rights to */ public grantRead(grantee: IGrantable) { - // https://docs.aws.amazon.com/codeguru/latest/profiler-ug/security-iam.html#security-iam-access-control - return Grant.addToPrincipal({ - grantee, - actions: ['codeguru-profiler:GetProfile', 'codeguru-profiler:DescribeProfilingGroup'], - resourceArns: [this.profilingGroupArn], - }); + return this.grants.read(grantee); } } diff --git a/packages/aws-cdk-lib/aws-ecs/grants.json b/packages/aws-cdk-lib/aws-ecs/grants.json new file mode 100644 index 0000000000000..e04c3f71f4eb6 --- /dev/null +++ b/packages/aws-cdk-lib/aws-ecs/grants.json @@ -0,0 +1,15 @@ +{ + "resources": { + "Cluster": { + "grants": { + "taskProtection": { + "actions": [ + "ecs:UpdateTaskProtection" + ], + "arnFormat": "${clusterArn}/*", + "docSummary": "Grants an ECS Task Protection API permission to the specified grantee.\nThis method provides a streamlined way to assign the 'ecs:UpdateTaskProtection'\npermission, enabling the grantee to manage task protection in the ECS cluster." + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts b/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts index ed8c110be1194..633f6067d9741 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts @@ -2,7 +2,14 @@ import { Construct, IConstruct } from 'constructs'; import { BottleRocketImage, EcsOptimizedAmi } from './amis'; import { InstanceDrainHook } from './drain-hook/instance-drain-hook'; import { ECSMetrics } from './ecs-canned-metrics.generated'; -import { CfnCluster, CfnCapacityProvider, CfnClusterCapacityProviderAssociations } from './ecs.generated'; +import { ClusterGrants } from './ecs-grants.generated'; +import { + CfnCluster, + CfnCapacityProvider, + CfnClusterCapacityProviderAssociations, + IClusterRef, + ClusterReference, +} from './ecs.generated'; import * as autoscaling from '../../aws-autoscaling'; import * as cloudwatch from '../../aws-cloudwatch'; import { InstanceRequirementsConfig } from '../../aws-ec2'; @@ -196,6 +203,12 @@ export class Cluster extends Resource implements ICluster { get vpc(): ec2.IVpc { throw new ValidationError(`vpc ${errorSuffix}`, this); } + public get clusterRef(): ClusterReference { + return { + clusterArn: this.clusterArn, + clusterName: this.clusterName, + }; + } } return new Import(scope, id, { @@ -223,6 +236,11 @@ export class Cluster extends Resource implements ICluster { */ public readonly clusterName: string; + /** + * Collection of grant methods for a Cluster + */ + public readonly grants = ClusterGrants._fromCluster(this); + /** * The names of both ASG and Fargate capacity providers associated with the cluster. */ @@ -351,6 +369,13 @@ export class Cluster extends Resource implements ICluster { }); } + public get clusterRef(): ClusterReference { + return { + clusterArn: this.clusterArn, + clusterName: this.clusterName, + }; + } + /** * Applies policy to the target key for encryption. * @@ -827,11 +852,7 @@ export class Cluster extends Resource implements ICluster { */ @MethodMetadata() public grantTaskProtection(grantee: iam.IGrantable): iam.Grant { - return iam.Grant.addToPrincipal({ - grantee, - actions: ['ecs:UpdateTaskProtection'], - resourceArns: [this.arnForTasks('*')], - }); + return this.grants.taskProtection(grantee); } private configureWindowsAutoScalingGroup(autoScalingGroup: autoscaling.AutoScalingGroup, options: AddAutoScalingGroupCapacityOptions = {}) { @@ -965,7 +986,7 @@ Object.defineProperty(Cluster.prototype, CLUSTER_SYMBOL, { /** * A regional grouping of one or more container instances on which you can run tasks and services. */ -export interface ICluster extends IResource { +export interface ICluster extends IResource, IClusterRef { /** * The name of the cluster. * @attribute @@ -1088,6 +1109,13 @@ class ImportedCluster extends Resource implements ICluster { */ public readonly vpc: ec2.IVpc; + public get clusterRef(): ClusterReference { + return { + clusterArn: this.clusterArn, + clusterName: this.clusterName, + }; + } + /** * Security group of the cluster instances */ diff --git a/packages/aws-cdk-lib/aws-ecs/lib/index.ts b/packages/aws-cdk-lib/aws-ecs/lib/index.ts index 44f77052f914f..44e324e85cab9 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/index.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/index.ts @@ -53,3 +53,4 @@ export * from './alternate-target-configuration'; // AWS::ECS CloudFormation Resources: // export * from './ecs.generated'; +export * from './ecs-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts b/packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts index 0116283340951..e160a22985dd9 100644 --- a/packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts +++ b/packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts @@ -1323,14 +1323,12 @@ describe('cluster', () => { 'Fn::Join': [ '', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':ecs:', - { Ref: 'AWS::Region' }, - ':', - { Ref: 'AWS::AccountId' }, - ':task/', - { Ref: 'EcsCluster97242B84' }, + { + 'Fn::GetAtt': [ + 'EcsCluster97242B84', + 'Arn', + ], + }, '/*', ], ], diff --git a/packages/aws-cdk-lib/aws-elasticsearch/grants.json b/packages/aws-cdk-lib/aws-elasticsearch/grants.json new file mode 100644 index 0000000000000..6040102f1cc92 --- /dev/null +++ b/packages/aws-cdk-lib/aws-elasticsearch/grants.json @@ -0,0 +1,38 @@ +{ + "resources": { + "Domain": { + "grants": { + "read": { + "actions": [ + "es:ESHttpGet", + "es:ESHttpHead" + ], + "arnFormat": ["${domainArn}", "${domainArn}/*"], + "docSummary": "Grant read permissions for this domain and its contents to an IAM\nprincipal (Role/Group/User)." + }, + "write": { + "actions": [ + "es:ESHttpDelete", + "es:ESHttpPost", + "es:ESHttpPut", + "es:ESHttpPatch" + ], + "arnFormat": ["${domainArn}", "${domainArn}/*"], + "docSummary": "Grant write permissions for this domain and its contents to an IAM\nprincipal (Role/Group/User)." + }, + "readWrite": { + "actions": [ + "es:ESHttpGet", + "es:ESHttpHead", + "es:ESHttpDelete", + "es:ESHttpPost", + "es:ESHttpPut", + "es:ESHttpPatch" + ], + "arnFormat": ["${domainArn}", "${domainArn}/*"], + "docSummary": "Grant read/write permissions for this domain and its contents to an IAM\nprincipal (Role/Group/User)." + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts b/packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts index 5f2fdfe57e83f..4a47d84c14afd 100644 --- a/packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts +++ b/packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts @@ -2,7 +2,8 @@ import { URL } from 'url'; import { Construct } from 'constructs'; import { ElasticsearchAccessPolicy } from './elasticsearch-access-policy'; -import { CfnDomain } from './elasticsearch.generated'; +import { DomainGrants } from './elasticsearch-grants.generated'; +import { CfnDomain, DomainReference, IDomainRef } from './elasticsearch.generated'; import { LogGroupResourcePolicy } from './log-group-resource-policy'; import * as perms from './perms'; import * as acm from '../../aws-certificatemanager'; @@ -705,7 +706,7 @@ export interface DomainProps { * * @deprecated use opensearchservice module instead */ -export interface IDomain extends cdk.IResource { +export interface IDomain extends cdk.IResource, IDomainRef { /** * Arn of the Elasticsearch domain. * @@ -953,6 +954,18 @@ abstract class DomainBase extends cdk.Resource implements IDomain { public abstract readonly domainName: string; public abstract readonly domainEndpoint: string; + /** + * Collection of grant methods for a Domain + */ + public readonly grants = DomainGrants._fromDomain(this); + + public get domainRef(): DomainReference { + return { + domainId: this.domainName, + domainArn: this.domainArn, + }; + } + /** * Grant read permissions for this domain and its contents to an IAM * principal (Role/Group/User). @@ -961,12 +974,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain { * @deprecated use opensearchservice module instead */ grantRead(identity: iam.IGrantable): iam.Grant { - return this.grant( - identity, - perms.ES_READ_ACTIONS, - this.domainArn, - `${this.domainArn}/*`, - ); + return this.grants.read(identity); } /** @@ -977,12 +985,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain { * @deprecated use opensearchservice module instead */ grantWrite(identity: iam.IGrantable): iam.Grant { - return this.grant( - identity, - perms.ES_WRITE_ACTIONS, - this.domainArn, - `${this.domainArn}/*`, - ); + return this.grants.write(identity); } /** @@ -993,12 +996,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain { * @deprecated use opensearchservice module instead */ grantReadWrite(identity: iam.IGrantable): iam.Grant { - return this.grant( - identity, - perms.ES_READ_WRITE_ACTIONS, - this.domainArn, - `${this.domainArn}/*`, - ); + return this.grants.readWrite(identity); } /** diff --git a/packages/aws-cdk-lib/aws-elasticsearch/lib/index.ts b/packages/aws-cdk-lib/aws-elasticsearch/lib/index.ts index 3a3d943f9825d..74808ff7337b1 100644 --- a/packages/aws-cdk-lib/aws-elasticsearch/lib/index.ts +++ b/packages/aws-cdk-lib/aws-elasticsearch/lib/index.ts @@ -2,3 +2,4 @@ export * from './domain'; // AWS::Elasticsearch CloudFormation Resources: export * from './elasticsearch.generated'; +export * from './elasticsearch-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-events/grants.json b/packages/aws-cdk-lib/aws-events/grants.json new file mode 100644 index 0000000000000..575da56282933 --- /dev/null +++ b/packages/aws-cdk-lib/aws-events/grants.json @@ -0,0 +1,13 @@ +{ + "resources": { + "EventBus": { + "grants": { + "allPutEvents": { + "actions": ["events:PutEvents"], + "arnFormat": "*", + "docSummary": "Permits an IAM Principal to send custom events to EventBridge\nso that they can be matched to rules." + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-events/lib/event-bus.ts b/packages/aws-cdk-lib/aws-events/lib/event-bus.ts index 79f4b47630999..b854176a7fb05 100644 --- a/packages/aws-cdk-lib/aws-events/lib/event-bus.ts +++ b/packages/aws-cdk-lib/aws-events/lib/event-bus.ts @@ -1,6 +1,7 @@ import { Construct } from 'constructs'; import { Archive, BaseArchiveProps } from './archive'; -import { CfnEventBus, CfnEventBusPolicy } from './events.generated'; +import { EventBusGrants } from './events-grants.generated'; +import { CfnEventBus, CfnEventBusPolicy, EventBusReference, IEventBusRef } from './events.generated'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; import * as sqs from '../../aws-sqs'; @@ -67,7 +68,7 @@ export interface LogConfig { /** * Interface which all EventBus based classes MUST implement */ -export interface IEventBus extends IResource { +export interface IEventBus extends IResource, IEventBusRef { /** * The physical ID of this event bus resource * @@ -230,6 +231,18 @@ abstract class EventBusBase extends Resource implements IEventBus, iam.IResource */ public abstract readonly eventSourceName?: string; + /** + * Collection of grant methods for an EventBus + */ + public readonly grants = EventBusGrants._fromEventBus(this); + + public get eventBusRef(): EventBusReference { + return { + eventBusArn: this.eventBusArn, + eventBusName: this.eventBusName, + }; + } + public archive(id: string, props: BaseArchiveProps): Archive { return new Archive(this, id, { sourceEventBus: this, @@ -366,11 +379,10 @@ export class EventBus extends EventBusBase { * @param grantee The principal (no-op if undefined) */ public static grantAllPutEvents(grantee: iam.IGrantable): iam.Grant { - return iam.Grant.addToPrincipal({ - grantee, - actions: ['events:PutEvents'], - resourceArns: ['*'], - }); + // FIXME Doing this hack because this method is static, and we don't have an actual instance of + // IEventBusRef to use here for the grants. + const eventBus = EventBus.fromEventBusName(new Stack(), 'dummy', 'dummy'); + return EventBusGrants._fromEventBus(eventBus).allPutEvents(grantee); } private static eventBusProps(defaultEventBusName: string, props: EventBusProps = {}) { diff --git a/packages/aws-cdk-lib/aws-events/lib/index.ts b/packages/aws-cdk-lib/aws-events/lib/index.ts index 34dcfcf792b9d..b47937852136d 100644 --- a/packages/aws-cdk-lib/aws-events/lib/index.ts +++ b/packages/aws-cdk-lib/aws-events/lib/index.ts @@ -12,3 +12,4 @@ export * from './api-destination'; // AWS::Events CloudFormation Resources: export * from './events.generated'; +export * from './events-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-iam/lib/grant.ts b/packages/aws-cdk-lib/aws-iam/lib/grant.ts index 5305a864ac242..844a44cb7a0e1 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/grant.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/grant.ts @@ -2,7 +2,8 @@ import { Dependable, IConstruct, IDependable } from 'constructs'; import { PolicyStatement } from './policy-statement'; import { IGrantable, IPrincipal } from './principals'; import * as cdk from '../../core'; -import { IEnvironmentAware } from '../../interfaces/environment-aware'; +import { IEnvironmentAware } from '../../core'; +import * as iam from '../index'; /** * Basic options for a grant operation @@ -419,6 +420,28 @@ interface GrantProps { readonly policyDependable?: IDependable; } +/** + * Result of a call to grantOnKey(). + */ +export interface GrantOnKeyResult { + /** + * The Grant object, if a grant was created. + * + * @default No grant + */ + readonly grant?: Grant; +} + +/** + * A resource that contains data that can be encrypted, using a KMS key. + */ +export interface IEncryptedResource extends cdk.IResource { + /** + * Gives permissions to a grantable entity to perform actions on the encryption key. + */ + grantOnKey(grantee: IGrantable, ...actions: string[]): GrantOnKeyResult; +} + /** * A resource with a resource policy that can be added to */ @@ -429,6 +452,25 @@ export interface IResourceWithPolicyV2 extends IEnvironmentAware { addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult; } +/** + * Utility methods to check for specific types of grantable resources + */ +export class GrantableResources { + /** + * Whether this resource admits a resource policy. + */ + static isResourceWithPolicy(resource: IEnvironmentAware): resource is iam.IResourceWithPolicyV2 { + return (resource as unknown as iam.IResourceWithPolicyV2).addToResourcePolicy !== undefined; + } + + /** + * Whether this resource holds data that can be encrypted using a KMS key. + */ + static isEncryptedResource(resource: IConstruct): resource is iam.IEncryptedResource { + return (resource as unknown as iam.IEncryptedResource).grantOnKey !== undefined; + } +} + /** * A resource with a resource policy that can be added to * diff --git a/packages/aws-cdk-lib/aws-iam/lib/index.ts b/packages/aws-cdk-lib/aws-iam/lib/index.ts index a3cdf891fe5c5..0a10897d94a0f 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/index.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/index.ts @@ -17,6 +17,7 @@ export * from './saml-provider'; export * from './access-key'; export * from './utils'; export * from './instance-profile'; +export * from './role-grants'; // AWS::IAM CloudFormation Resources: export * from './iam.generated'; diff --git a/packages/aws-cdk-lib/aws-iam/lib/role-grants.ts b/packages/aws-cdk-lib/aws-iam/lib/role-grants.ts new file mode 100644 index 0000000000000..7c427afb41b0b --- /dev/null +++ b/packages/aws-cdk-lib/aws-iam/lib/role-grants.ts @@ -0,0 +1,47 @@ +import { Grant } from './grant'; +import { IRoleRef } from './iam.generated'; +import { AccountPrincipal, IPrincipal, ServicePrincipal } from './principals'; +import { ValidationError } from '../../core'; + +/** + * Collection of grant methods for a IRoleRef + */ +export class RoleGrants { + /** + * Creates grants for IRoleRef + * + * @internal + */ + public static _fromRole(role: IRoleRef): RoleGrants { + return new RoleGrants(role); + } + + private constructor(private readonly role: IRoleRef) { + } + + /** + * Grant permissions to the given principal to assume this role. + */ + public assumeRole(identity: IPrincipal): Grant { + // Service and account principals must use assumeRolePolicy + if (identity instanceof ServicePrincipal || identity instanceof AccountPrincipal) { + throw new ValidationError('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.', this.role); + } + return Grant.addToPrincipal({ + grantee: identity, + actions: ['sts:AssumeRole'], + resourceArns: [this.role.roleRef.roleArn], + }); + } + + /** + * Grant permissions to the given principal to pass this role. + */ + public passRole(identity: IPrincipal): Grant { + return Grant.addToPrincipal({ + grantee: identity, + actions: ['iam:PassRole'], + resourceArns: [this.role.roleRef.roleArn], + }); + } +} diff --git a/packages/aws-cdk-lib/aws-iam/lib/role.ts b/packages/aws-cdk-lib/aws-iam/lib/role.ts index c4f7e615e7454..be01863f8eb7d 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/role.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/role.ts @@ -7,12 +7,10 @@ import { Policy } from './policy'; import { PolicyDocument } from './policy-document'; import { PolicyStatement } from './policy-statement'; import { - AccountPrincipal, AddToPrincipalPolicyResult, ArnPrincipal, IPrincipal, PrincipalPolicyFragment, - ServicePrincipal, } from './principals'; import { defaultAddPrincipalToAssumeRole } from './private/assume-role-policy'; import { ImmutableRole } from './private/immutable-role'; @@ -20,6 +18,7 @@ import { ImportedRole } from './private/imported-role'; import { MutatingPolicyDocumentAdapter } from './private/policydoc-adapter'; import { PrecreatedRole } from './private/precreated-role'; import { AttachedPolicies, UniqueStringSet } from './private/util'; +import { RoleGrants } from './role-grants'; import * as cxschema from '../../cloud-assembly-schema'; import { Annotations, @@ -481,6 +480,11 @@ export class Role extends Resource implements IRole { */ public readonly permissionsBoundary?: IManagedPolicy; + /** + * Collection of grant methods for a Role + */ + public readonly grants = RoleGrants._fromRole(this); + private defaultPolicy?: Policy; private readonly managedPolicies: IManagedPolicy[] = []; private readonly attachedPolicies = new AttachedPolicies(); @@ -687,7 +691,7 @@ export class Role extends Resource implements IRole { */ @MethodMetadata() public grantPassRole(identity: IPrincipal) { - return this.grant(identity, 'iam:PassRole'); + return this.grants.passRole(identity); } /** @@ -695,11 +699,7 @@ export class Role extends Resource implements IRole { */ @MethodMetadata() public grantAssumeRole(identity: IPrincipal) { - // Service and account principals must use assumeRolePolicy - if (identity instanceof ServicePrincipal || identity instanceof AccountPrincipal) { - throw new ValidationError('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.', this); - } - return this.grant(identity, 'sts:AssumeRole'); + return this.grants.assumeRole(identity); } /** diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/grants.json b/packages/aws-cdk-lib/aws-kinesisfirehose/grants.json new file mode 100644 index 0000000000000..4ee044eb55ad7 --- /dev/null +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/grants.json @@ -0,0 +1,15 @@ +{ + "resources": { + "DeliveryStream": { + "grants": { + "putRecords": { + "actions": [ + "firehose:PutRecord", + "firehose:PutRecordBatch" + ], + "docSummary": "Grant the `grantee` identity permissions to perform `actions`." + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/delivery-stream.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/delivery-stream.ts index 7f1bfe5ac839d..c5475b711c5d6 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/delivery-stream.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/delivery-stream.ts @@ -2,7 +2,8 @@ import { Construct, Node } from 'constructs'; import { IDestination } from './destination'; import { StreamEncryption } from './encryption'; import { FirehoseMetrics } from './kinesisfirehose-canned-metrics.generated'; -import { CfnDeliveryStream } from './kinesisfirehose.generated'; +import { DeliveryStreamGrants } from './kinesisfirehose-grants.generated'; +import { CfnDeliveryStream, DeliveryStreamReference, IDeliveryStreamRef } from './kinesisfirehose.generated'; import { ISource } from './source'; import * as cloudwatch from '../../aws-cloudwatch'; import * as ec2 from '../../aws-ec2'; @@ -13,15 +14,10 @@ import { addConstructMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; import { RegionInfo } from '../../region-info'; -const PUT_RECORD_ACTIONS = [ - 'firehose:PutRecord', - 'firehose:PutRecordBatch', -]; - /** * Represents an Amazon Data Firehose delivery stream. */ -export interface IDeliveryStream extends cdk.IResource, iam.IGrantable, ec2.IConnectable { +export interface IDeliveryStream extends cdk.IResource, iam.IGrantable, ec2.IConnectable, IDeliveryStreamRef { /** * The ARN of the delivery stream. * @@ -99,6 +95,11 @@ abstract class DeliveryStreamBase extends cdk.Resource implements IDeliveryStrea public abstract readonly grantPrincipal: iam.IPrincipal; + /** + * Collection of grant methods for a DeliveryStream + */ + public readonly grants = DeliveryStreamGrants._fromDeliveryStream(this); + /** * Network connections between Amazon Data Firehose and other resources, i.e. Redshift cluster. */ @@ -110,6 +111,13 @@ abstract class DeliveryStreamBase extends cdk.Resource implements IDeliveryStrea this.connections = setConnections(this); } + public get deliveryStreamRef(): DeliveryStreamReference { + return { + deliveryStreamArn: this.deliveryStreamArn, + deliveryStreamName: this.deliveryStreamName, + }; + } + public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant { return iam.Grant.addToPrincipal({ resourceArns: [this.deliveryStreamArn], @@ -119,7 +127,7 @@ abstract class DeliveryStreamBase extends cdk.Resource implements IDeliveryStrea } public grantPutRecords(grantee: iam.IGrantable): iam.Grant { - return this.grant(grantee, ...PUT_RECORD_ACTIONS); + return this.grants.putRecords(grantee); } public metric(metricName: string, props?: cloudwatch.MetricOptions): cloudwatch.Metric { diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/index.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/index.ts index 928ca970de47e..14475bcc1f2bc 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/index.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/index.ts @@ -14,3 +14,4 @@ export * from './record-format'; // AWS::KinesisFirehose CloudFormation Resources: export * from './kinesisfirehose.generated'; +export * from './kinesisfirehose-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-logs/grants.json b/packages/aws-cdk-lib/aws-logs/grants.json new file mode 100644 index 0000000000000..2647501fd2fae --- /dev/null +++ b/packages/aws-cdk-lib/aws-logs/grants.json @@ -0,0 +1,26 @@ +{ + "resources": { + "LogGroup": { + "hasResourcePolicy": true, + "grants": { + "write": { + "actions": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "docSummary": "Give permissions to create and write to streams in this log group" + }, + "read": { + "actions": [ + "logs:FilterLogEvents", + "logs:GetLogEvents", + "logs:GetLogGroupFields", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams" + ], + "docSummary": "Give permissions to read and filter events from this log group" + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-logs/lib/index.ts b/packages/aws-cdk-lib/aws-logs/lib/index.ts index 43dbbbe189eea..2e4eb85c1ee6e 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/index.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/index.ts @@ -13,3 +13,4 @@ export * from './transformer'; // AWS::Logs CloudFormation Resources: export * from './logs.generated'; +export * from './logs-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts index a626f21b46b67..21234f6a5fee9 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts @@ -2,7 +2,8 @@ import { Construct } from 'constructs'; import { DataProtectionPolicy } from './data-protection-policy'; import { FieldIndexPolicy } from './field-index-policy'; import { LogStream } from './log-stream'; -import { CfnLogGroup } from './logs.generated'; +import { LogGroupGrants } from './logs-grants.generated'; +import { CfnLogGroup, ILogGroupRef, LogGroupReference } from './logs.generated'; import { MetricFilter } from './metric-filter'; import { FilterPattern, IFilterPattern } from './pattern'; import { ResourcePolicy } from './policy'; @@ -15,7 +16,7 @@ import { Arn, ArnFormat, RemovalPolicy, Resource, Stack, Token, ValidationError import { addConstructMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; -export interface ILogGroup extends iam.IResourceWithPolicy { +export interface ILogGroup extends iam.IResourceWithPolicy, ILogGroupRef { /** * The ARN of this log group, with ':*' appended * @@ -138,6 +139,11 @@ abstract class LogGroupBase extends Resource implements ILogGroup { */ public abstract readonly logGroupName: string; + /** + * Collection of grant methods for a LogGroup + */ + public readonly grants = LogGroupGrants._fromLogGroup(this); + private policy?: ResourcePolicy; /** @@ -153,6 +159,13 @@ abstract class LogGroupBase extends Resource implements ILogGroup { }); } + public get logGroupRef(): LogGroupReference { + return { + logGroupArn: this.logGroupArn, + logGroupName: this.logGroupName, + }; + } + /** * Create a new Subscription Filter on this Log Group * @@ -222,20 +235,14 @@ abstract class LogGroupBase extends Resource implements ILogGroup { * Give permissions to create and write to streams in this log group */ public grantWrite(grantee: iam.IGrantable) { - return this.grant(grantee, 'logs:CreateLogStream', 'logs:PutLogEvents'); + return this.grants.write(grantee); } /** * Give permissions to read and filter events from this log group */ public grantRead(grantee: iam.IGrantable) { - return this.grant(grantee, - 'logs:FilterLogEvents', - 'logs:GetLogEvents', - 'logs:GetLogGroupFields', - 'logs:DescribeLogGroups', - 'logs:DescribeLogStreams', - ); + return this.grants.read(grantee); } /** diff --git a/packages/aws-cdk-lib/aws-opensearchservice/grants.json b/packages/aws-cdk-lib/aws-opensearchservice/grants.json new file mode 100644 index 0000000000000..6040102f1cc92 --- /dev/null +++ b/packages/aws-cdk-lib/aws-opensearchservice/grants.json @@ -0,0 +1,38 @@ +{ + "resources": { + "Domain": { + "grants": { + "read": { + "actions": [ + "es:ESHttpGet", + "es:ESHttpHead" + ], + "arnFormat": ["${domainArn}", "${domainArn}/*"], + "docSummary": "Grant read permissions for this domain and its contents to an IAM\nprincipal (Role/Group/User)." + }, + "write": { + "actions": [ + "es:ESHttpDelete", + "es:ESHttpPost", + "es:ESHttpPut", + "es:ESHttpPatch" + ], + "arnFormat": ["${domainArn}", "${domainArn}/*"], + "docSummary": "Grant write permissions for this domain and its contents to an IAM\nprincipal (Role/Group/User)." + }, + "readWrite": { + "actions": [ + "es:ESHttpGet", + "es:ESHttpHead", + "es:ESHttpDelete", + "es:ESHttpPost", + "es:ESHttpPut", + "es:ESHttpPatch" + ], + "arnFormat": ["${domainArn}", "${domainArn}/*"], + "docSummary": "Grant read/write permissions for this domain and its contents to an IAM\nprincipal (Role/Group/User)." + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts index 57efcb81c4ea2..5f8328f674d32 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts +++ b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts @@ -3,7 +3,8 @@ import { URL } from 'url'; import { Construct } from 'constructs'; import { LogGroupResourcePolicy } from './log-group-resource-policy'; import { OpenSearchAccessPolicy } from './opensearch-access-policy'; -import { CfnDomain } from './opensearchservice.generated'; +import { DomainGrants } from './opensearchservice-grants.generated'; +import { CfnDomain, DomainReference, IDomainRef } from './opensearchservice.generated'; import * as perms from './perms'; import { EngineVersion } from './version'; import * as acm from '../../aws-certificatemanager'; @@ -760,7 +761,7 @@ export interface DomainProps { /** * An interface that represents an Amazon OpenSearch Service domain - either created with the CDK, or an existing one. */ -export interface IDomain extends cdk.IResource { +export interface IDomain extends cdk.IResource, IDomainRef { /** * Arn of the Amazon OpenSearch Service domain. * @@ -986,6 +987,17 @@ abstract class DomainBase extends cdk.Resource implements IDomain { public abstract readonly domainName: string; public abstract readonly domainId: string; public abstract readonly domainEndpoint: string; + /** + * Collection of grant methods for a Domain + */ + public readonly grants = DomainGrants._fromDomain(this); + + public get domainRef(): DomainReference { + return { + domainArn: this.domainArn, + domainName: this.domainName, + }; + } /** * Grant read permissions for this domain and its contents to an IAM @@ -994,12 +1006,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain { * @param identity The principal */ grantRead(identity: iam.IGrantable): iam.Grant { - return this.grant( - identity, - perms.ES_READ_ACTIONS, - this.domainArn, - `${this.domainArn}/*`, - ); + return this.grants.read(identity); } /** @@ -1009,12 +1016,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain { * @param identity The principal */ grantWrite(identity: iam.IGrantable): iam.Grant { - return this.grant( - identity, - perms.ES_WRITE_ACTIONS, - this.domainArn, - `${this.domainArn}/*`, - ); + return this.grants.write(identity); } /** @@ -1024,12 +1026,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain { * @param identity The principal */ grantReadWrite(identity: iam.IGrantable): iam.Grant { - return this.grant( - identity, - perms.ES_READ_WRITE_ACTIONS, - this.domainArn, - `${this.domainArn}/*`, - ); + return this.grants.readWrite(identity); } /** diff --git a/packages/aws-cdk-lib/aws-opensearchservice/lib/index.ts b/packages/aws-cdk-lib/aws-opensearchservice/lib/index.ts index 8c90500d9533e..979232443e272 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/lib/index.ts +++ b/packages/aws-cdk-lib/aws-opensearchservice/lib/index.ts @@ -3,3 +3,4 @@ export * from './version'; // AWS::OpenSearchService CloudFormation Resources: export * from './opensearchservice.generated'; +export * from './opensearchservice-grants.generated'; diff --git a/packages/aws-cdk-lib/aws-scheduler/grants.json b/packages/aws-cdk-lib/aws-scheduler/grants.json new file mode 100644 index 0000000000000..ccb7131c893cf --- /dev/null +++ b/packages/aws-cdk-lib/aws-scheduler/grants.json @@ -0,0 +1,31 @@ +{ + "resources": { + "ScheduleGroup": { + "grants": { + "readSchedules": { + "actions": [ + "scheduler:GetSchedule", + "scheduler:ListSchedules" + ], + "arnFormat": "${scheduleGroupArn}/*", + "docSummary": "Grant list and get schedule permissions for schedules in this group to the given principal" + }, + "writeSchedules": { + "actions": [ + "scheduler:CreateSchedule", + "scheduler:UpdateSchedule" + ], + "arnFormat": "${scheduleGroupArn}/*", + "docSummary": "Grant create and update schedule permissions for schedules in this group to the given principal" + }, + "deleteSchedules": { + "actions": [ + "scheduler:DeleteSchedule" + ], + "arnFormat": "${scheduleGroupArn}/*", + "docSummary": "Grant delete schedule permission for schedules in this group to the given principal" + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-scheduler/lib/index.ts b/packages/aws-cdk-lib/aws-scheduler/lib/index.ts index 19129526e35bd..4de6b79a5cd3b 100644 --- a/packages/aws-cdk-lib/aws-scheduler/lib/index.ts +++ b/packages/aws-cdk-lib/aws-scheduler/lib/index.ts @@ -1,4 +1,5 @@ export * from './scheduler.generated'; +export * from './scheduler-grants.generated'; export * from './schedule-expression'; export * from './input'; export * from './schedule'; diff --git a/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts b/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts index 9f479529a5ea8..82137f9814bdd 100644 --- a/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts +++ b/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts @@ -1,8 +1,9 @@ import { Construct } from 'constructs'; -import { CfnScheduleGroup } from './scheduler.generated'; +import { ScheduleGroupGrants } from './scheduler-grants.generated'; +import { CfnScheduleGroup, IScheduleGroupRef, ScheduleGroupReference } from './scheduler.generated'; import * as cloudwatch from '../../aws-cloudwatch'; import * as iam from '../../aws-iam'; -import { Arn, ArnFormat, Aws, IResource, Names, RemovalPolicy, Resource, Stack } from '../../core'; +import { ArnFormat, IResource, Names, RemovalPolicy, Resource, Stack } from '../../core'; import { addConstructMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; @@ -30,7 +31,7 @@ export interface ScheduleGroupProps { /** * Interface representing a created or an imported `ScheduleGroup`. */ -export interface IScheduleGroup extends IResource { +export interface IScheduleGroup extends IResource, IScheduleGroupRef { /** * The name of the schedule group * @@ -143,6 +144,18 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup { */ public abstract readonly scheduleGroupArn: string; + /** + * Collection of grant methods for a ScheduleGroup + */ + public readonly grants = ScheduleGroupGrants._fromScheduleGroup(this); + + public get scheduleGroupRef(): ScheduleGroupReference { + return { + scheduleGroupArn: this.scheduleGroupArn, + scheduleGroupName: this.scheduleGroupName, + }; + } + /** * Return the given named metric for this schedule group * @@ -247,48 +260,51 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup { }); } - private arnForScheduleInGroup(scheduleName: string): string { - return Arn.format({ - region: this.env.region, - account: this.env.account, - partition: Aws.PARTITION, - service: 'scheduler', - resource: 'schedule', - resourceName: this.scheduleGroupName + '/' + scheduleName, - }); - } + // private arnForScheduleInGroup(scheduleName: string): string { + // return Arn.format({ + // region: this.env.region, + // account: this.env.account, + // partition: Aws.PARTITION, + // service: 'scheduler', + // resource: 'schedule', + // resourceName: this.scheduleGroupName + '/' + scheduleName, + // }); + // } /** * Grant list and get schedule permissions for schedules in this group to the given principal */ public grantReadSchedules(identity: iam.IGrantable) { - return iam.Grant.addToPrincipal({ - grantee: identity, - actions: ['scheduler:GetSchedule', 'scheduler:ListSchedules'], - resourceArns: [this.arnForScheduleInGroup('*')], - }); + return this.grants.readSchedules(identity); + // return iam.Grant.addToPrincipal({ + // grantee: identity, + // actions: ['scheduler:GetSchedule', 'scheduler:ListSchedules'], + // resourceArns: [this.arnForScheduleInGroup('*')], + // }); } /** * Grant create and update schedule permissions for schedules in this group to the given principal */ public grantWriteSchedules(identity: iam.IGrantable): iam.Grant { - return iam.Grant.addToPrincipal({ - grantee: identity, - actions: ['scheduler:CreateSchedule', 'scheduler:UpdateSchedule'], - resourceArns: [this.arnForScheduleInGroup('*')], - }); + return this.grants.writeSchedules(identity); + // return iam.Grant.addToPrincipal({ + // grantee: identity, + // actions: ['scheduler:CreateSchedule', 'scheduler:UpdateSchedule'], + // resourceArns: [this.arnForScheduleInGroup('*')], + // }); } /** * Grant delete schedule permission for schedules in this group to the given principal */ public grantDeleteSchedules(identity: iam.IGrantable): iam.Grant { - return iam.Grant.addToPrincipal({ - grantee: identity, - actions: ['scheduler:DeleteSchedule'], - resourceArns: [this.arnForScheduleInGroup('*')], - }); + return this.grants.deleteSchedules(identity); + // return iam.Grant.addToPrincipal({ + // grantee: identity, + // actions: ['scheduler:DeleteSchedule'], + // resourceArns: [this.arnForScheduleInGroup('*')], + // }); } } diff --git a/packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts b/packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts index cc4a7bb4bc9d3..1e27ab254e2d6 100644 --- a/packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts +++ b/packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts @@ -185,11 +185,13 @@ describe('Schedule Group', () => { 'Fn::Join': [ '', [ - 'arn:', { - Ref: 'AWS::Partition', + 'Fn::GetAtt': [ + 'TestGroupAF88660E', + 'Arn', + ], }, - ':scheduler:us-east-1:123456789012:schedule/MyGroup/*', + '/*', ], ], }, @@ -226,11 +228,13 @@ describe('Schedule Group', () => { 'Fn::Join': [ '', [ - 'arn:', { - Ref: 'AWS::Partition', + 'Fn::GetAtt': [ + 'TestGroupAF88660E', + 'Arn', + ], }, - ':scheduler:us-east-1:123456789012:schedule/MyGroup/*', + '/*', ], ], }, @@ -254,7 +258,8 @@ describe('Schedule Group', () => { group.grantDeleteSchedules(user); // THEN - Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + let template = Template.fromStack(stack); + template.hasResourceProperties('AWS::IAM::Policy', { PolicyDocument: { Statement: [ { @@ -264,11 +269,13 @@ describe('Schedule Group', () => { 'Fn::Join': [ '', [ - 'arn:', { - Ref: 'AWS::Partition', + 'Fn::GetAtt': [ + 'TestGroupAF88660E', + 'Arn', + ], }, - ':scheduler:us-east-1:123456789012:schedule/MyGroup/*', + '/*', ], ], }, diff --git a/packages/aws-cdk-lib/aws-ses/grants.json b/packages/aws-cdk-lib/aws-ses/grants.json new file mode 100644 index 0000000000000..2e5f7e254462c --- /dev/null +++ b/packages/aws-cdk-lib/aws-ses/grants.json @@ -0,0 +1,15 @@ +{ + "resources": { + "EmailIdentity": { + "grants": { + "sendEmail": { + "actions": [ + "ses:SendEmail", + "ses:SendRawEmail" + ], + "docSummary": "Adds an IAM policy statement associated with this email identity to an IAM principal's policy." + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-sns/grants.json b/packages/aws-cdk-lib/aws-sns/grants.json new file mode 100644 index 0000000000000..1d71ef107f472 --- /dev/null +++ b/packages/aws-cdk-lib/aws-sns/grants.json @@ -0,0 +1,18 @@ +{ + "resources": { + "Topic": { + "hasResourcePolicy": true, + "grants": { + "publish": { + "actions": ["sns:Publish"], + "keyActions": ["kms:Decrypt", "kms:GenerateDataKey*"], + "docSummary": "Grant topic publishing permissions to the given identity" + }, + "subscribe": { + "actions": ["sns:Subscribe"], + "docSummary": "Grant topic subscribing permissions to the given identity" + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-sns/lib/index.ts b/packages/aws-cdk-lib/aws-sns/lib/index.ts index 2ea429718b107..73b4b2d2163d9 100644 --- a/packages/aws-cdk-lib/aws-sns/lib/index.ts +++ b/packages/aws-cdk-lib/aws-sns/lib/index.ts @@ -8,5 +8,6 @@ export * from './delivery-policy'; // AWS::SNS CloudFormation Resources: export * from './sns.generated'; +export * from './sns-grants.generated'; import './sns-augmentations.generated'; diff --git a/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts b/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts index 150b3855c2ada..e33f4dbeb64ab 100644 --- a/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts +++ b/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts @@ -1,10 +1,13 @@ import * as constructs from 'constructs'; import { Construct } from 'constructs'; import { TopicPolicy } from './policy'; +import { TopicGrants } from './sns-grants.generated'; +import { ITopicRef, TopicReference } from './sns.generated'; import { ITopicSubscription } from './subscriber'; import { Subscription } from './subscription'; import * as notifications from '../../aws-codestarnotifications'; import * as iam from '../../aws-iam'; +import { GrantOnKeyResult, IEncryptedResource, IGrantable } from '../../aws-iam'; import { IKey } from '../../aws-kms'; import { IResource, Resource, ResourceProps, Token } from '../../core'; import { ValidationError } from '../../core/lib/errors'; @@ -12,7 +15,7 @@ import { ValidationError } from '../../core/lib/errors'; /** * Represents an SNS topic */ -export interface ITopic extends IResource, notifications.INotificationRuleTarget { +export interface ITopic extends IResource, notifications.INotificationRuleTarget, ITopicRef { /** * The ARN of the topic * @@ -80,7 +83,7 @@ export interface ITopic extends IResource, notifications.INotificationRuleTarget /** * Either a new or imported Topic */ -export abstract class TopicBase extends Resource implements ITopic { +export abstract class TopicBase extends Resource implements ITopic, IEncryptedResource { public abstract readonly topicArn: string; public abstract readonly topicName: string; @@ -91,6 +94,11 @@ export abstract class TopicBase extends Resource implements ITopic { public abstract readonly contentBasedDeduplication: boolean; + /** + * Collection of grant methods for a Topic + */ + public readonly grants: TopicGrants = TopicGrants._fromTopic(this); + /** * Controls automatic creation of policy objects. * @@ -111,6 +119,12 @@ export abstract class TopicBase extends Resource implements ITopic { this.node.addValidation({ validate: () => this.policy?.document.validateForResourcePolicy() ?? [] }); } + public get topicRef(): TopicReference { + return { + topicArn: this.topicArn, + }; + } + /** * Subscribe some endpoint to this topic */ @@ -201,32 +215,26 @@ export abstract class TopicBase extends Resource implements ITopic { }); } + public grantOnKey(grantee: IGrantable, ...actions: string[]): GrantOnKeyResult { + const grant = this.masterKey + ? this.masterKey.grant(grantee, ...actions) + : undefined; + + return { grant }; + } + /** * Grant topic publishing permissions to the given identity */ public grantPublish(grantee: iam.IGrantable) { - const ret = iam.Grant.addToPrincipalOrResource({ - grantee, - actions: ['sns:Publish'], - resourceArns: [this.topicArn], - resource: this, - }); - if (this.masterKey) { - this.masterKey.grant(grantee, 'kms:Decrypt', 'kms:GenerateDataKey*'); - } - return ret; + return this.grants.publish(grantee); } /** * Grant topic subscribing permissions to the given identity */ public grantSubscribe(grantee: iam.IGrantable) { - return iam.Grant.addToPrincipalOrResource({ - grantee, - actions: ['sns:Subscribe'], - resourceArns: [this.topicArn], - resource: this, - }); + return this.grants.subscribe(grantee); } /** diff --git a/packages/aws-cdk-lib/aws-sns/test/sns.test.ts b/packages/aws-cdk-lib/aws-sns/test/sns.test.ts index 901a21c3bd6ba..5f8a9a92c51e7 100644 --- a/packages/aws-cdk-lib/aws-sns/test/sns.test.ts +++ b/packages/aws-cdk-lib/aws-sns/test/sns.test.ts @@ -4,6 +4,7 @@ import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; import * as cdk from '../../core'; import * as sns from '../lib'; +import { TopicGrants } from '../lib/sns-grants.generated'; /* eslint-disable quote-props */ @@ -304,6 +305,31 @@ describe('Topic', () => { }); }); + test('give publishing permissions to CfnTopic', () => { + // GIVEN + const stack = new cdk.Stack(); + const topic = new sns.CfnTopic(stack, 'Topic'); + const user = new iam.User(stack, 'User'); + + // WHEN + TopicGrants._fromTopic(topic).publish(user); + + // THEN + let template = Template.fromStack(stack); + template.hasResourceProperties('AWS::IAM::Policy', { + 'PolicyDocument': { + Version: '2012-10-17', + 'Statement': [ + { + 'Action': 'sns:Publish', + 'Effect': 'Allow', + 'Resource': { Ref: 'Topic' }, + }, + ], + }, + }); + }); + test('refer to masterKey', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/aws-sqs/grants.json b/packages/aws-cdk-lib/aws-sqs/grants.json new file mode 100644 index 0000000000000..a4ff57b7f8740 --- /dev/null +++ b/packages/aws-cdk-lib/aws-sqs/grants.json @@ -0,0 +1,44 @@ +{ + "resources": { + "Queue": { + "hasResourcePolicy": true, + "grants": { + "consumeMessages": { + "actions": [ + "sqs:ReceiveMessage", + "sqs:ChangeMessageVisibility", + "sqs:GetQueueUrl", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes" + ], + "keyActions": [ + "kms:Decrypt" + ], + "docSummary": "Grant permissions to consume messages from a queue\n\nThis will grant the following permissions:\n\n - sqs:ChangeMessageVisibility\n - sqs:DeleteMessage\n - sqs:ReceiveMessage\n - sqs:GetQueueAttributes\n - sqs:GetQueueUrl\n\nIf encryption is used, permission to use the key to decrypt the contents of the queue will also be granted to the same principal.\n\nThis will grant the following KMS permissions:\n\n - kms:Decrypt" + }, + "sendMessages": { + "actions": [ + "sqs:SendMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl" + ], + "keyActions": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*" + ], + "docSummary": "Grant access to send messages to a queue to the given identity.\n\nThis will grant the following permissions:\n\n - sqs:SendMessage\n - sqs:GetQueueAttributes\n - sqs:GetQueueUrl\n\nIf encryption is used, permission to use the key to encrypt/decrypt the contents of the queue will also be granted to the same principal.\n\nThis will grant the following KMS permissions:\n\n - kms:Decrypt\n - kms:Encrypt\n - kms:ReEncrypt*\n - kms:GenerateDataKey*" + }, + "purge": { + "actions": [ + "sqs:PurgeQueue", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl" + ] + + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-sqs/lib/index.ts b/packages/aws-cdk-lib/aws-sqs/lib/index.ts index 7217be04ffc04..04bd53a6db744 100644 --- a/packages/aws-cdk-lib/aws-sqs/lib/index.ts +++ b/packages/aws-cdk-lib/aws-sqs/lib/index.ts @@ -4,5 +4,6 @@ export * from './queue-base'; // AWS::SQS CloudFormation Resources: export * from './sqs.generated'; +export * from './sqs-grants.generated'; import './sqs-augmentations.generated'; diff --git a/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts b/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts index b6f33b9fede46..dc94e4c8901c6 100644 --- a/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts +++ b/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts @@ -1,13 +1,16 @@ import { Construct } from 'constructs'; import { QueuePolicy } from './policy'; +import { QueueGrants } from './sqs-grants.generated'; +import { IQueueRef, QueueReference } from './sqs.generated'; import * as iam from '../../aws-iam'; +import { GrantOnKeyResult, IEncryptedResource, IGrantable } from '../../aws-iam'; import * as kms from '../../aws-kms'; import { IResource, Resource, ResourceProps } from '../../core'; /** * Represents an SQS queue */ -export interface IQueue extends IResource { +export interface IQueue extends IResource, IQueueRef { /** * The ARN of this queue * @attribute @@ -104,7 +107,7 @@ export interface IQueue extends IResource { /** * Reference to a new or existing Amazon SQS queue */ -export abstract class QueueBase extends Resource implements IQueue { +export abstract class QueueBase extends Resource implements IQueue, IEncryptedResource { /** * The ARN of this queue */ @@ -135,6 +138,11 @@ export abstract class QueueBase extends Resource implements IQueue { */ public abstract readonly encryptionType?: QueueEncryption; + /** + * Collection of grant methods for a Queue + */ + public readonly grants = QueueGrants._fromQueue(this); + /** * Controls automatic creation of policy objects. * @@ -150,6 +158,20 @@ export abstract class QueueBase extends Resource implements IQueue { this.node.addValidation({ validate: () => this.policy?.document.validateForResourcePolicy() ?? [] }); } + public grantOnKey(grantee: IGrantable, ...actions: string[]): GrantOnKeyResult { + const grant = this.encryptionMasterKey + ? this.encryptionMasterKey.grant(grantee, ...actions) + : undefined; + return { grant }; + } + + public get queueRef(): QueueReference { + return { + queueUrl: this.queueUrl, + queueArn: this.queueArn, + }; + } + /** * Adds a statement to the IAM resource policy associated with this queue. * @@ -190,18 +212,7 @@ export abstract class QueueBase extends Resource implements IQueue { * @param grantee Principal to grant consume rights to */ public grantConsumeMessages(grantee: iam.IGrantable) { - const ret = this.grant(grantee, - 'sqs:ReceiveMessage', - 'sqs:ChangeMessageVisibility', - 'sqs:GetQueueUrl', - 'sqs:DeleteMessage', - 'sqs:GetQueueAttributes'); - - if (this.encryptionMasterKey) { - this.encryptionMasterKey.grantDecrypt(grantee); - } - - return ret; + return this.grants.consumeMessages(grantee); } /** @@ -225,16 +236,7 @@ export abstract class QueueBase extends Resource implements IQueue { * @param grantee Principal to grant send rights to */ public grantSendMessages(grantee: iam.IGrantable) { - const ret = this.grant(grantee, - 'sqs:SendMessage', - 'sqs:GetQueueAttributes', - 'sqs:GetQueueUrl'); - - if (this.encryptionMasterKey) { - // kms:Decrypt necessary to execute grantsendMessages to an SSE enabled SQS queue - this.encryptionMasterKey.grantEncryptDecrypt(grantee); - } - return ret; + return this.grants.sendMessages(grantee); } /** @@ -249,10 +251,7 @@ export abstract class QueueBase extends Resource implements IQueue { * @param grantee Principal to grant send rights to */ public grantPurge(grantee: iam.IGrantable) { - return this.grant(grantee, - 'sqs:PurgeQueue', - 'sqs:GetQueueAttributes', - 'sqs:GetQueueUrl'); + return this.grants.purge(grantee); } /** diff --git a/packages/aws-cdk-lib/aws-ssm/grants.json b/packages/aws-cdk-lib/aws-ssm/grants.json new file mode 100644 index 0000000000000..8966b310e6056 --- /dev/null +++ b/packages/aws-cdk-lib/aws-ssm/grants.json @@ -0,0 +1,19 @@ +{ + "resources": { + "Parameter": { + "hasResourcePolicy": true, + "grants": { + "read": { + "actions": [ + "ssm:DescribeParameters", + "ssm:GetParameters", + "ssm:GetParameter", + "ssm:GetParameterHistory" + ], + "keyActions": ["kms:Decrypt"], + "docSummary": "The encryption key that is used to encrypt this parameter." + } + } + } + } +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-ssm/lib/parameter.ts b/packages/aws-cdk-lib/aws-ssm/lib/parameter.ts index c620f669a78c6..46b980554649b 100644 --- a/packages/aws-cdk-lib/aws-ssm/lib/parameter.ts +++ b/packages/aws-cdk-lib/aws-ssm/lib/parameter.ts @@ -1,7 +1,9 @@ import { Construct } from 'constructs'; import * as ssm from './ssm.generated'; +import { IParameterRef, ParameterReference } from './ssm.generated'; import { arnForParameterName, AUTOGEN_MARKER } from './util'; import * as iam from '../../aws-iam'; +import { GrantOnKeyResult, IEncryptedResource, IGrantable } from '../../aws-iam'; import * as kms from '../../aws-kms'; import * as cxschema from '../../cloud-assembly-schema'; import { @@ -17,7 +19,7 @@ import { propertyInjectable } from '../../core/lib/prop-injectable'; /** * An SSM Parameter reference. */ -export interface IParameter extends IResource { +export interface IParameter extends IResource, IParameterRef { /** * The ARN of the SSM Parameter resource. * @attribute @@ -166,7 +168,7 @@ export interface StringListParameterProps extends ParameterOptions { /** * Basic features shared across all types of SSM Parameters. */ -abstract class ParameterBase extends Resource implements IParameter { +abstract class ParameterBase extends Resource implements IParameter, IEncryptedResource { public abstract readonly parameterArn: string; public abstract readonly parameterName: string; public abstract readonly parameterType: string; @@ -178,6 +180,20 @@ abstract class ParameterBase extends Resource implements IParameter { */ public readonly encryptionKey?: kms.IKey; + public grantOnKey(grantee: IGrantable, ...actions: string[]): GrantOnKeyResult { + const grant = this.encryptionKey + ? this.encryptionKey.grant(grantee, ...actions) + : undefined; + + return { grant }; + } + + public get parameterRef(): ParameterReference { + return { + parameterName: this.parameterName, + }; + } + public grantRead(grantee: iam.IGrantable): iam.Grant { if (this.encryptionKey) { this.encryptionKey.grantDecrypt(grantee); diff --git a/packages/aws-cdk-lib/aws-stepfunctions/test/state-machine-resources.test.ts b/packages/aws-cdk-lib/aws-stepfunctions/test/state-machine-resources.test.ts index bd47bd2001823..b395c2ddc8871 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions/test/state-machine-resources.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions/test/state-machine-resources.test.ts @@ -208,13 +208,13 @@ describe('State Machine Resources', () => { Catch: undefined, InputPath: '$', Parameters: - { - 'input.$': '$', - 'stringArgument': 'inital-task', - 'numberArgument': 123, - 'booleanArgument': true, - 'arrayArgument': ['a', 'b', 'c'], - }, + { + 'input.$': '$', + 'stringArgument': 'inital-task', + 'numberArgument': 123, + 'booleanArgument': true, + 'arrayArgument': ['a', 'b', 'c'], + }, OutputPath: '$.state', Type: 'Task', Comment: undefined, @@ -256,10 +256,10 @@ describe('State Machine Resources', () => { Catch: undefined, InputPath: '$', Parameters: - { - a: 'aa', - b: 'bb', - }, + { + a: 'aa', + b: 'bb', + }, OutputPath: '$.state', Type: 'Task', Comment: undefined, @@ -804,13 +804,13 @@ describe('State Machine Resources', () => { InputPath: '$', OutputPath: '$.state', Parameters: - { - 'input.$': '$', - 'stringArgument': 'inital-task', - 'numberArgument': 123, - 'booleanArgument': true, - 'arrayArgument': ['a', 'b', 'c'], - }, + { + 'input.$': '$', + 'stringArgument': 'inital-task', + 'numberArgument': 123, + 'booleanArgument': true, + 'arrayArgument': ['a', 'b', 'c'], + }, Type: 'Pass', QueryLanguage: undefined, Comment: undefined, @@ -969,7 +969,7 @@ describe('State Machine Resources', () => { expect(taskState).toEqual({ End: true, Parameters: - { 'input.$': '$.myField' }, + { 'input.$': '$.myField' }, Type: 'Pass', }); }), diff --git a/packages/aws-cdk-lib/scripts/gen.ts b/packages/aws-cdk-lib/scripts/gen.ts index 88b5e9df5b056..bb9fefa12b370 100644 --- a/packages/aws-cdk-lib/scripts/gen.ts +++ b/packages/aws-cdk-lib/scripts/gen.ts @@ -1,6 +1,5 @@ import * as path from 'node:path'; -import { naming, topo } from '@aws-cdk/spec2cdk'; -import { generateAll } from '@aws-cdk/spec2cdk/lib/cfn2ts'; +import { naming, generateAll, topo } from '@aws-cdk/spec2cdk'; import * as fs from 'fs-extra'; import generateServiceSubmoduleFiles from './submodules'; import writeCloudFormationIncludeMapping from './submodules/cloudformation-include'; @@ -27,7 +26,7 @@ async function main() { })); await updateExportsAndEntryPoints(generated); - await topo.writeModuleMap(generated); + topo.writeModuleMap(generated); await writeCloudFormationIncludeMapping(generated, awsCdkLibDir); for (const nss of NON_SERVICE_SUBMODULES) { diff --git a/packages/awslint/bin/awslint.ts b/packages/awslint/bin/awslint.ts index 2f6e71da6c532..befdf2d25051f 100644 --- a/packages/awslint/bin/awslint.ts +++ b/packages/awslint/bin/awslint.ts @@ -247,7 +247,10 @@ main().catch(e => { async function loadModule(dir: string) { const ts = new reflect.TypeSystem(); - await ts.load(dir, { validate: false }); // Don't validate to save 66% of execution time (20s vs 1min). + await ts.load(dir, { + validate: false, // Don't validate to save 66% of execution time (20s vs 1min). + supportedFeatures: ['intersection-types', 'class-covariant-overrides'], + }); // We run 'awslint' during build time, assemblies are guaranteed to be ok. // We won't load any more assemblies. Lock the typesystem to benefit from performance improvements. diff --git a/packages/awslint/package.json b/packages/awslint/package.json index cc051201339e9..f0969246d7154 100644 --- a/packages/awslint/package.json +++ b/packages/awslint/package.json @@ -18,10 +18,10 @@ "awslint": "bin/awslint" }, "dependencies": { - "@jsii/spec": "1.116.0", + "@jsii/spec": "1.119.0", "chalk": "^4", "fs-extra": "^9.1.0", - "jsii-reflect": "1.116.0", + "jsii-reflect": "1.119.0", "change-case": "^4.1.2", "yargs": "^16.2.0" }, diff --git a/tools/@aws-cdk/cdk-build-tools/package.json b/tools/@aws-cdk/cdk-build-tools/package.json index 2efbe60732825..8e24051676626 100644 --- a/tools/@aws-cdk/cdk-build-tools/package.json +++ b/tools/@aws-cdk/cdk-build-tools/package.json @@ -62,7 +62,7 @@ "jest": "^29.7.0", "jest-junit": "^13.2.0", "jsii": "~5.9.13", - "jsii-rosetta": "~5.9.9", + "jsii-rosetta": "~5.9.14", "jsii-pacmak": "1.119.0", "jsii-reflect": "1.119.0", "markdownlint-cli": "^0.45.0", diff --git a/tools/@aws-cdk/spec2cdk/lib/cdk/arn.ts b/tools/@aws-cdk/spec2cdk/lib/cdk/arn.ts new file mode 100644 index 0000000000000..6ededc1c5fcff --- /dev/null +++ b/tools/@aws-cdk/spec2cdk/lib/cdk/arn.ts @@ -0,0 +1,23 @@ +import { Resource } from '@aws-cdk/service-spec-types'; + +/** + * Find an ARN property for a given resource + * + * Returns `undefined` if no ARN property is found, or if the ARN property is already + * included in the primary identifier. + */ +export function findNonIdentifierArnProperty(resource: Resource) { + return findArnProperty(resource, (name) => !resource.primaryIdentifier?.includes(name)); +} + +export function findArnProperty(resource: Resource, filter: (name: string) => boolean = () => true): any { + const possibleArnNames = ['Arn', `${resource.name}Arn`]; + for (const name of possibleArnNames) { + const prop = resource.attributes[name]; + if (prop && filter(name)) { + return name; + } + } + return undefined; +} + diff --git a/tools/@aws-cdk/spec2cdk/lib/cdk/aws-cdk-lib.ts b/tools/@aws-cdk/spec2cdk/lib/cdk/aws-cdk-lib.ts index 4a728d76acf8a..200741ce01f99 100644 --- a/tools/@aws-cdk/spec2cdk/lib/cdk/aws-cdk-lib.ts +++ b/tools/@aws-cdk/spec2cdk/lib/cdk/aws-cdk-lib.ts @@ -8,12 +8,14 @@ import { AddServiceProps, LibraryBuilder, LibraryBuilderProps } from './library- import { ResourceClass } from './resource-class'; import { LocatedModule, relativeImportPath, BaseServiceSubmodule } from './service-submodule'; import { submoduleSymbolFromName } from '../naming'; +import { GrantsModule } from './grants-module'; class AwsCdkLibServiceSubmodule extends BaseServiceSubmodule { public readonly resourcesMod: LocatedModule; public readonly augmentations: LocatedModule; public readonly cannedMetrics: LocatedModule; public readonly interfaces: LocatedModule; + public readonly grants?: LocatedModule; public readonly didCreateInterfaceModule: boolean; public constructor(props: { @@ -23,6 +25,7 @@ class AwsCdkLibServiceSubmodule extends BaseServiceSubmodule { readonly augmentations: LocatedModule; readonly cannedMetrics: LocatedModule; readonly interfaces: LocatedModule; + readonly grants?: LocatedModule; readonly didCreateInterfaceModule: boolean; }) { super(props); @@ -31,11 +34,16 @@ class AwsCdkLibServiceSubmodule extends BaseServiceSubmodule { this.cannedMetrics = props.cannedMetrics; this.interfaces = props.interfaces; this.didCreateInterfaceModule = props.didCreateInterfaceModule; + this.grants = props.grants; this.registerModule(this.resourcesMod); this.registerModule(this.cannedMetrics); this.registerModule(this.augmentations); this.registerModule(this.interfaces); + + if (this.grants) { + this.registerModule(this.grants); + } } } @@ -64,6 +72,11 @@ export interface AwsCdkLibFilePatterns { * The pattern used to name the interfaces file */ readonly interfaces: string; + + /** + * The pattern used to name the grants module + */ + readonly grants: string; } export interface AwsCdkLibBuilderProps extends LibraryBuilderProps{ @@ -88,6 +101,7 @@ export const DEFAULT_FILE_PATTERNS: AwsCdkLibFilePatterns = { cannedMetrics: '%moduleName%/%serviceShortName%-canned-metrics.generated.ts', interfacesEntry: 'interfaces/index.generated.ts', interfaces: 'interfaces/generated/%serviceName%-interfaces.generated.ts', + grants: '%moduleName%/%serviceShortName%-grants.generated.ts', }; /** @@ -118,12 +132,16 @@ export class AwsCdkLibBuilder extends LibraryBuilder }); } - protected createServiceSubmodule(service: Service, submoduleName: string): AwsCdkLibServiceSubmodule { + protected createServiceSubmodule(service: Service, submoduleName: string, grantsConfig?: string): AwsCdkLibServiceSubmodule { const resourcesMod = this.rememberModule(this.createResourceModule(submoduleName, service)); const augmentations = this.rememberModule(this.createAugmentationsModule(submoduleName, service)); const cannedMetrics = this.rememberModule(this.createCannedMetricsModule(submoduleName, service)); const [interfaces, didCreateInterfaceModule] = this.obtainInterfaceModule(service); + const grants = grantsConfig != null + ? this.rememberModule(this.createGrantsModule(submoduleName, service, grantsConfig)) + : undefined; + const createdSubmod: AwsCdkLibServiceSubmodule = new AwsCdkLibServiceSubmodule({ submoduleName, service, @@ -132,12 +150,21 @@ export class AwsCdkLibBuilder extends LibraryBuilder cannedMetrics, interfaces, didCreateInterfaceModule, + grants, }); return createdSubmod; } - protected addResourceToSubmodule(submodule: AwsCdkLibServiceSubmodule, resource: Resource, props?: AddServiceProps) { + private createGrantsModule(moduleName: string, service: Service, grantsConfig: string): LocatedModule { + const filePath = this.pathsFor(moduleName, service).grants; + return { + module: new GrantsModule(service, this.db, JSON.parse(grantsConfig)), + filePath, + }; + } + + protected addResourceToSubmodule(submodule: AwsCdkLibServiceSubmodule, resource: Resource, props?: AddServiceProps): ResourceClass { const resourceModule = submodule.resourcesMod.module; const resourceClass = new ResourceClass(resourceModule, this.db, resource, { @@ -161,6 +188,8 @@ export class AwsCdkLibBuilder extends LibraryBuilder fromLocation: relativeImportPath(submodule.resourcesMod.filePath, sourceModule.name), }); } + + return resourceClass; } private createResourceModule(moduleName: string, service: Service): LocatedModule { diff --git a/tools/@aws-cdk/spec2cdk/lib/cdk/grants-module.ts b/tools/@aws-cdk/spec2cdk/lib/cdk/grants-module.ts new file mode 100644 index 0000000000000..b111a46d57e8f --- /dev/null +++ b/tools/@aws-cdk/spec2cdk/lib/cdk/grants-module.ts @@ -0,0 +1,331 @@ +import { Resource, Service, SpecDatabase } from '@aws-cdk/service-spec-types'; +import { + $E, + ClassType, + expr, + Expression, + ExternalModule, + InterfaceType, + MemberVisibility, + Module, + stmt, + Type, +} from '@cdklabs/typewriter'; +import { PropertySpec } from '@cdklabs/typewriter/lib/property'; +import { classNameFromResource } from '../naming'; +import { Referenceable } from './resource-class'; + +const $this = $E(expr.this_()); + +/** + * From some data, generate grants + * + * For now, the grants data will be in a JSON file inside the service directory; + * in the future, this data will be moved to the `awscdk-service-spec` + * repository. + */ +export class GrantsModule extends Module { + public constructor(private readonly service: Service, private readonly db: SpecDatabase, private readonly schema: GrantsFileSchema) { + super(`${service.shortName}.grants`); + } + + public build(resourceClasses: Record, nameSuffix?: string) { + let hasContent = false; + const resources = this.db.follow('hasResource', this.service); + const resourceIndex = Object.fromEntries(resources.map(r => [r.entity.name, r.entity])); + const encryptedResourcePropName = 'encryptedResource'; + + // Generate one Grants class per construct available in the schema, for this module. + for (const [name, config] of Object.entries(this.schema.resources ?? {})) { + if (!resourceIndex[name] || Object.keys(config.grants ?? {}).length === 0) continue; + const resource = resourceIndex[name]; + + const hasPolicy = config.hasResourcePolicy ?? false; + const hasKeyActions = Object.values(config.grants) + .some(grant => grant.keyActions && grant.keyActions.length > 0); + + const resourceClass = resourceClasses[resource.cloudFormationType]; + + const refSymbol = resourceClass.ref.interfaceType.symbol; + if (refSymbol != null) { + this.linkSymbol(refSymbol, expr.ident(this.service.shortName).prop(refSymbol.name)); + } + + if (!resourceClass.hasArnGetter) { + // Without an ARN we can't create policies + continue; + } + + const className = `${name}Grants`; + const refInterfaceType = resourceClass.ref.interfaceType; + + const propsProperties: PropertySpec[] = [{ + name: 'resource', + type: refInterfaceType, + immutable: true, + docs: { + summary: 'The resource on which actions will be allowed', + }, + }]; + + if (hasPolicy) { + propsProperties.push({ + name: 'policyResource', + type: Type.fromName(this, 'iam.IResourceWithPolicyV2'), + optional: true, + immutable: true, + docs: { + summary: 'The resource with policy on which actions will be allowed', + default: 'No resource policy is created', + }, + }); + } + if (hasKeyActions) { + propsProperties.push({ + name: encryptedResourcePropName, + type: Type.fromName(this, 'iam.IEncryptedResource'), + optional: true, + immutable: true, + docs: { + summary: 'The encrypted resource on which actions will be allowed', + default: 'No permission is added to the KMS key, even if it exists', + }, + }); + } + + // Generate a GrantsProps that contains at least one property, called resource, of type IRef. + // Additionally, depending on what is available in the config for this class, two other properties will be added: + // - policyResource?: iam.IResourceWithPolicyV2, which can be used to generate a resource policy. + // - encryptedResource?: iam.IEncryptedResource, which can be used to add permission to the KMS key associated with this resource. + const propsType = new InterfaceType(this, { + name: `${className}Props`, + export: false, + properties: propsProperties, + docs: { + summary: `Properties for ${className}`, + }, + }); + + const classType = new ClassType(this, { + name: className, + export: true, + docs: { + summary: `Collection of grant methods for a ${refInterfaceType.fqn}`, + }, + }); + + classType.addProperty({ + name: 'resource', + immutable: true, + type: refInterfaceType, // IBucketRef + protected: true, + }); + + const init = classType.addInitializer({ + visibility: MemberVisibility.Private, + }); + + const propsParameter = init.addParameter({ + name: 'props', + type: propsType.type, + }); + + init.addBody(stmt.assign($this.resource, propsParameter.prop('resource'))); + + if (hasKeyActions) { + const iEncryptedResourceType = Type.fromName(this, 'iam.IEncryptedResource'); + classType.addProperty({ + name: encryptedResourcePropName, + immutable: true, + type: iEncryptedResourceType, + optional: true, + protected: true, + }); + + init.addBody(stmt.assign($this[encryptedResourcePropName], propsParameter.prop(encryptedResourcePropName))); + } + + if (hasPolicy) { + const resourceWithPolicy = Type.fromName(this, 'iam.IResourceWithPolicyV2'); + classType.addProperty({ + name: 'policyResource', + immutable: true, + type: resourceWithPolicy, + optional: true, + protected: true, + }); + init.addBody(stmt.assign($this.policyResource, propsParameter.prop('policyResource'))); + } + + const factoryMethod = classType.addMethod({ + name: `_from${resource.name}`, + static: true, + returnType: Type.fromName(this, `${classType.name}`), + docs: { + summary: `Creates grants for ${className}`, + remarks: '@internal', + }, + }); + + const staticResourceParam = factoryMethod.addParameter({ + name: 'resource', + type: refInterfaceType, + }); + + const props: Record = { + resource: staticResourceParam, + }; + + if (hasKeyActions) { + props[encryptedResourcePropName] = expr.cond( + $E(expr.ident('iam.GrantableResources')).isEncryptedResource(staticResourceParam), + staticResourceParam, + expr.UNDEFINED, + ); + } + + if (hasPolicy) { + props.policyResource = expr.cond( + $E(expr.ident('iam.GrantableResources')).isResourceWithPolicy(staticResourceParam), + staticResourceParam, + expr.UNDEFINED, + ); + } + + factoryMethod.addBody( + stmt.ret(Type.fromName(this, className).newInstance(expr.object(props))), + ); + + // Add one method per entry in the config + for (const [methodName, grantSchema] of Object.entries(config.grants)) { + const arnFormat = grantSchema.arnFormat; + const arnFormats = Array.isArray(arnFormat) ? arnFormat : [arnFormat]; + const resourceArns = expr.list( + arnFormats.map(format => makeArnCall(this.service.shortName, resource, nameSuffix, format)), + ); + + const method = classType.addMethod({ + name: methodName, + returnType: Type.fromName(this, 'iam.Grant'), + docs: { + summary: grantSchema.docSummary ?? `Grants ${methodName} permissions`, + }, + }); + + const grantee = method.addParameter({ + name: 'grantee', + type: Type.fromName(this, 'iam.IGrantable'), + }); + + const actions = expr.ident('actions'); + + const commonStatementProps: Record = { + actions, + grantee, + resourceArns, + }; + if (grantSchema.conditions != null) { + commonStatementProps.conditions = expr.lit(grantSchema.conditions); + } + + const addToPrincipalExpr = $E(expr.ident('iam.Grant')) + .addToPrincipal(expr.object(commonStatementProps)); + + const addToBothExpr = $E(expr.ident('iam.Grant')) + .addToPrincipalOrResource(expr.object({ + ...commonStatementProps, + resource: $this.policyResource, + })); + + method.addBody(stmt.constVar(actions, expr.lit(grantSchema.actions))); + + const result = expr.ident('result'); + if (hasPolicy) { + method.addBody(stmt.constVar(result, expr.cond($this.policyResource, addToBothExpr, addToPrincipalExpr))); + } else { + method.addBody(stmt.constVar(result, addToPrincipalExpr)); + } + + if (grantSchema && grantSchema.keyActions && grantSchema.keyActions.length > 0) { + const grantOnKey = $this.prop(`${encryptedResourcePropName}?`) + .callMethod('grantOnKey', grantee, ...grantSchema.keyActions.map((a) => expr.lit(a))); + + method.addBody(grantOnKey); + } + + method.addBody(stmt.ret(result)); + + hasContent = true; + } + } + + if (hasContent) { + new ExternalModule(`aws-cdk-lib/aws-${this.service.shortName}`) + .import(this, this.service.shortName, { fromLocation: `./${this.service.shortName}.generated` }); + new ExternalModule('aws-cdk-lib/aws-iam').import(this, 'iam'); + } + } +} + +export interface GrantsFileSchema { + readonly resources: Record; + readonly constants?: Record; +} + +export interface ResourceSchema { + readonly hasResourcePolicy?: boolean; + readonly grants: Record; +} + +export interface GrantSchema { + /** + * ARN format containing placeholders + * + * If absent, just use the resource's default ARN format. + */ + readonly arnFormat?: string | string[]; + readonly actions: string[]; + readonly keyActions?: string[]; + readonly docSummary?: string; + readonly conditions?: Record>; +} + +function makeArnCall(serviceName: string, resource: Resource, nameSuffix?: string, arnFormat?: string): Expression { + const arnCall = $E(expr + .ident(`${serviceName}`) + .prop(classNameFromResource(resource, nameSuffix)) + .callMethod(`arnFor${resource.name}`, $this.resource), + ); + + return arnFormat != null + ? expr.strConcat(...replaceVariableWithExpression(arnFormat, arnCall)) + : arnCall; +} + +/** + * Replaces the single variable in the ARN format with an expression. The result may contain up to + * three elements: prefix, expression and suffix, depending on the arn format. + * Example: "Foo/${somethingArn}/Bar" -> ["Foo/", CfnSomething.arnForSomething(...), "/Bar"] + */ +function replaceVariableWithExpression(arnFormat: string, expression: Expression): Expression[] { + const i = arnFormat.indexOf('${'); + const j = arnFormat.indexOf('}', i); + + const prefix = arnFormat.substring(0, i); + const suffix = arnFormat.substring(j + 1); + + const result: Expression[] = []; + if (prefix !== '') { + result.push(expr.lit(prefix)); + } + if (i >= 0) { + // Only replace with an expression if there is + // a variable in the format to begin with + result.push(expression); + } + if (suffix !== '') { + result.push(expr.lit(suffix)); + } + + return result; +} diff --git a/tools/@aws-cdk/spec2cdk/lib/cdk/library-builder.ts b/tools/@aws-cdk/spec2cdk/lib/cdk/library-builder.ts index 623695cc179a0..5f594a6537a11 100644 --- a/tools/@aws-cdk/spec2cdk/lib/cdk/library-builder.ts +++ b/tools/@aws-cdk/spec2cdk/lib/cdk/library-builder.ts @@ -3,6 +3,8 @@ import * as path from 'path'; import { SpecDatabase, Resource, Service } from '@aws-cdk/service-spec-types'; import { Module } from '@cdklabs/typewriter'; import { IWriter, substituteFilePattern } from '../util'; +import { GrantsModule } from './grants-module'; +import { ResourceClass } from './resource-class'; import { BaseServiceSubmodule, LocatedModule, relativeImportPath } from './service-submodule'; export interface AddServiceProps { @@ -25,6 +27,13 @@ export interface AddServiceProps { * experiment to emit `aws-kinesisanalyticsv2` into `aws-kinesisanalytics`. */ readonly destinationSubmodule?: string; + + /** + * The JSON string to configure the grants for the service + * + * @default No grants module is generated + */ + readonly grantsConfig?: string; } export interface LibraryBuilderProps { @@ -63,10 +72,19 @@ export abstract class LibraryBuilder = {}; for (const { entity: resource } of resources) { - this.addResourceToSubmodule(submod, resource, props); + resourceClasses[resource.cloudFormationType] = this.addResourceToSubmodule(submod, resource, props); + } + + const grantModule = submod.locatedModules + .map(lm => lm.module) + .find(m => m instanceof GrantsModule); + + if (grantModule != null) { + grantModule.build(resourceClasses, props?.nameSuffix); } this.postprocessSubmodule(submod); @@ -130,7 +148,7 @@ export abstract class LibraryBuilder(); - private ref: ReferenceInterfaceTypes; + public ref: ReferenceInterfaceTypes; constructor( scope: IScope, @@ -185,6 +197,7 @@ export class ResourceClass extends ClassType { this.makeFromCloudFormationFactory(); this.makeFromArnFactory(); this.makeFromNameFactory(); + this.addArnForResourceMethod(); if (this.resource.cloudFormationTransform) { this.addProperty({ @@ -305,6 +318,27 @@ export class ResourceClass extends ClassType { }); } + /** + * ```ts + * public static fromApplicationInstanceArn(scope: constructs.Construct, id: string, arn: string): IApplicationInstanceRef { + * class Import extends cdk.Resource { + * public applicationInstanceRef: ApplicationInstanceReference; + * + * public constructor(scope: constructs.Construct, id: string, arn: string) { + * super(scope, id, { + * "environmentFromArn": arn + * }); + * + * const variables = new cfn_parse.TemplateString("arn:${Partition}:panorama:${Region}:${Account}:applicationInstance/${ApplicationInstanceId}").parse(arn); + * this.applicationInstanceRef = { + * "applicationInstanceId": variables.ApplicationInstanceId, + * "applicationInstanceArn": arn + * }; + * } + * } + * return new Import(scope, id, arn); + * } + */ private makeFromArnFactory() { const arnTemplate = this.resource.arnTemplate; if (!(arnTemplate && this.ref.struct)) { @@ -312,7 +346,7 @@ export class ResourceClass extends ClassType { return; } - const cfnArnProperty = findArnProperty(this.resource); + const cfnArnProperty = findNonIdentifierArnProperty(this.resource); if (cfnArnProperty == null) { return; } @@ -393,6 +427,85 @@ export class ResourceClass extends ClassType { ); } + /** + * Generates a static method that returns the ARN of the provided resource. + * If the resource's ref interface already has an ARN, that's what's returned: + * + * public static arnForTable(resource: ITableRef): string { + * return resource.tableRef.tableArn; + * } + * + * Otherwise, we fall back to using the ARN template: + * + * public static arnForRestApi(resource: IRestApiRef): string { + * return new cfn_parse.TemplateString("arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}").interpolate({ + * "Partition": cdk.Stack.of(resource).partition, + * "Region": cdk.Stack.of(resource).region, + * "Account": cdk.Stack.of(resource).account, + * "RestApiId": resource.restApiRef.restApiId + * }); + * } + */ + private addArnForResourceMethod() { + const doAddMethod = () => { + const method = this.addMethod({ + name: `arnFor${this.resource.name}`, + static: true, + visibility: MemberVisibility.Public, + returnType: Type.STRING, + }); + + method.addParameter({ + name: 'resource', + type: this.ref.interfaceType, + }); + + return method; + }; + + const arnTemplate = this.resource.arnTemplate; + const arnPropertyName = findArnProperty(this.resource); + + const refAttributeName = referenceInterfaceAttributeName(this.decider.camelResourceName); + if (arnPropertyName != null) { + const method = doAddMethod(); + const arn = referencePropertyName(arnPropertyName, this.resource.name); + method.addBody( + stmt.ret($E(method.parameters[0])[refAttributeName][arn]), + ); + this._hasArnGetter = true; + } else if (arnTemplate != null) { + const propsWithoutArn = this.decider.referenceProps.filter(prop => !prop.declaration.name.endsWith('Arn')); + + if (propsWithoutArn.length !== 1) { + // Only generate the method if there is exactly one non-ARN prop in the Reference interface + // and only one variable in the ARN template that is not Partition, Region or Account + return; + } + + const allVariables = extractVariables(arnTemplate); + const propName = propsWithoutArn[0].declaration.name; + const variableName = allVariables.find(v => propertyNameFromCloudFormation(v) === propName); + if (variableName == null) { + return; + } + + const resourceIdentifier = expr.ident('resource'); + const method = doAddMethod(); + const stackOfResource = $T(CDK_CORE.Stack).of(resourceIdentifier); + const interpolateArn = CDK_CORE.helpers.TemplateString.newInstance(expr.lit(arnTemplate)).prop('interpolate').call(expr.object({ + Partition: stackOfResource.prop('partition'), + Region: stackOfResource.prop('region'), + Account: stackOfResource.prop('account'), + [variableName]: $E(resourceIdentifier)[refAttributeName][propName], + })); + method.addBody( + stmt.ret(interpolateArn), + ); + this._hasArnGetter = true; + } + } + private makeFromNameFactory() { const arnTemplate = this.resource.arnTemplate; if (!(arnTemplate && this.ref.struct)) { @@ -713,6 +826,10 @@ export class ResourceClass extends ClassType { this.converter.convertTypeDefinitionType(typeDef); } } + + public get hasArnGetter(): boolean { + return this._hasArnGetter; + } } interface ReferenceInterfaceTypes { diff --git a/tools/@aws-cdk/spec2cdk/lib/cdk/resource-decider.ts b/tools/@aws-cdk/spec2cdk/lib/cdk/resource-decider.ts index f67567b577889..77c5a1cbe665c 100644 --- a/tools/@aws-cdk/spec2cdk/lib/cdk/resource-decider.ts +++ b/tools/@aws-cdk/spec2cdk/lib/cdk/resource-decider.ts @@ -393,4 +393,3 @@ export function deprecationMessage(property: Property): string | undefined { return undefined; } - diff --git a/tools/@aws-cdk/spec2cdk/lib/cfn2ts/index.ts b/tools/@aws-cdk/spec2cdk/lib/cfn2ts/index.ts index 116911b0bfdbb..5cf73288544ff 100644 --- a/tools/@aws-cdk/spec2cdk/lib/cfn2ts/index.ts +++ b/tools/@aws-cdk/spec2cdk/lib/cfn2ts/index.ts @@ -88,6 +88,7 @@ export async function generateAll( resources: '%moduleName%/lib/%serviceShortName%.generated.ts', augmentations: '%moduleName%/lib/%serviceShortName%-augmentations.generated.ts', cannedMetrics: '%moduleName%/lib/%serviceShortName%-canned-metrics.generated.ts', + grants: '%moduleName%/lib/%serviceShortName%-grants.generated.ts', }, }, }, diff --git a/tools/@aws-cdk/spec2cdk/lib/generate.ts b/tools/@aws-cdk/spec2cdk/lib/generate.ts index 615afdc984c1b..74a86b5b104ad 100644 --- a/tools/@aws-cdk/spec2cdk/lib/generate.ts +++ b/tools/@aws-cdk/spec2cdk/lib/generate.ts @@ -202,6 +202,7 @@ async function generator( destinationSubmodule: moduleName, nameSuffix: req.suffix, deprecated: req.deprecated, + grantsConfig: readGrantsConfig(moduleName, options.outputPath), }); servicesPerModule[moduleName] ??= []; @@ -246,3 +247,15 @@ function mergeObjects(all: T, res: T) { ...res, }; } + +function readGrantsConfig(moduleName: string, rootDir: string): string | undefined { + const filename = `${moduleName}/grants.json`; + try { + return fs.readFileSync(path.join(rootDir, filename), 'utf-8'); + } catch (e: any) { + if (e.code === 'ENOENT') { + return undefined; + } + throw e; + } +} diff --git a/tools/@aws-cdk/spec2cdk/lib/index.ts b/tools/@aws-cdk/spec2cdk/lib/index.ts index a3c06c85fad22..f8ef452867f5a 100644 --- a/tools/@aws-cdk/spec2cdk/lib/index.ts +++ b/tools/@aws-cdk/spec2cdk/lib/index.ts @@ -2,3 +2,4 @@ export * from './generate'; export * as util from './util'; export * as naming from './naming'; export * as topo from './module-topology'; +export { generateAll } from './cfn2ts/index'; diff --git a/tools/@aws-cdk/spec2cdk/test/__snapshots__/grants.test.ts.snap b/tools/@aws-cdk/spec2cdk/test/__snapshots__/grants.test.ts.snap new file mode 100644 index 0000000000000..2b7aae98c8fbe --- /dev/null +++ b/tools/@aws-cdk/spec2cdk/test/__snapshots__/grants.test.ts.snap @@ -0,0 +1,98 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`generates grants for methods with and without key actions 1`] = ` +"/* eslint-disable prettier/prettier, @stylistic/max-len */ +import * as sns from "./sns.generated"; +import * as iam from "aws-cdk-lib/aws-iam"; + +/** + * Properties for TopicGrants + */ +interface TopicGrantsProps { + /** + * The resource on which actions will be allowed + */ + readonly resource: sns.ITopicRef; + + /** + * The resource with policy on which actions will be allowed + * + * @default - No resource policy is created + */ + readonly policyResource?: iam.IResourceWithPolicyV2; + + /** + * The encrypted resource on which actions will be allowed + * + * @default - No permission is added to the KMS key, even if it exists + */ + readonly encryptedResource?: iam.IEncryptedResource; +} + +/** + * Collection of grant methods for a ITopicRef + */ +export class TopicGrants { + /** + * Creates grants for TopicGrants + * + * @internal + */ + public static _fromTopic(resource: sns.ITopicRef): TopicGrants { + return new TopicGrants({ + resource: resource, + encryptedResource: (iam.GrantableResources.isEncryptedResource(resource) ? resource : undefined), + policyResource: (iam.GrantableResources.isResourceWithPolicy(resource) ? resource : undefined) + }); + } + + protected readonly resource: sns.ITopicRef; + + protected readonly encryptedResource?: iam.IEncryptedResource; + + protected readonly policyResource?: iam.IResourceWithPolicyV2; + + private constructor(props: TopicGrantsProps) { + this.resource = props.resource; + this.encryptedResource = props.encryptedResource; + this.policyResource = props.policyResource; + } + + /** + * Grants publish permissions + */ + public publish(grantee: iam.IGrantable): iam.Grant { + const actions = ["sns:Publish"]; + const result = (this.policyResource ? iam.Grant.addToPrincipalOrResource({ + actions: actions, + grantee: grantee, + resourceArns: [sns.CfnTopic.arnForTopic(this.resource)], + resource: this.policyResource + }) : iam.Grant.addToPrincipal({ + actions: actions, + grantee: grantee, + resourceArns: [sns.CfnTopic.arnForTopic(this.resource)] + })); + this.encryptedResource?.grantOnKey(grantee, "kms:Decrypt", "kms:GenerateDataKey*"); + return result; + } + + /** + * Grants subscribe permissions + */ + public subscribe(grantee: iam.IGrantable): iam.Grant { + const actions = ["sns:Subscribe"]; + const result = (this.policyResource ? iam.Grant.addToPrincipalOrResource({ + actions: actions, + grantee: grantee, + resourceArns: [sns.CfnTopic.arnForTopic(this.resource)], + resource: this.policyResource + }) : iam.Grant.addToPrincipal({ + actions: actions, + grantee: grantee, + resourceArns: [sns.CfnTopic.arnForTopic(this.resource)] + })); + return result; + } +}" +`; diff --git a/tools/@aws-cdk/spec2cdk/test/__snapshots__/resources.test.ts.snap b/tools/@aws-cdk/spec2cdk/test/__snapshots__/resources.test.ts.snap index 97a53f9671ebe..5457b6eba3f21 100644 --- a/tools/@aws-cdk/spec2cdk/test/__snapshots__/resources.test.ts.snap +++ b/tools/@aws-cdk/spec2cdk/test/__snapshots__/resources.test.ts.snap @@ -518,6 +518,10 @@ export class CfnSomething extends cdk.CfnResource implements cdk.IInspectable, I return ret; } + public static arnForSomething(resource: ISomethingRef): string { + return resource.somethingRef.somethingArn; + } + /** * The identifier of the resource * @@ -669,6 +673,10 @@ export class CfnResource extends cdk.CfnResource implements cdk.IInspectable, IR return ret; } + public static arnForResource(resource: IResourceRef): string { + return resource.resourceRef.resourceArn; + } + /** * The arn for the resource * @@ -979,6 +987,10 @@ export class CfnResource extends cdk.CfnResource implements cdk.IInspectable, IR return ret; } + public static arnForResource(resource: IResourceRef): string { + return resource.resourceRef.resourceArn; + } + /** * The arn of the resource * @@ -1296,6 +1308,15 @@ export class CfnResource extends cdk.CfnResource implements cdk.IInspectable, IR return new Import(scope, id, resourceId); } + public static arnForResource(resource: IResourceRef): string { + return new cfn_parse.TemplateString("arn:\${Partition}:some:\${Region}:\${Account}:resource/\${ResourceId}").interpolate({ + Partition: cdk.Stack.of(resource).partition, + Region: cdk.Stack.of(resource).region, + Account: cdk.Stack.of(resource).account, + ResourceId: resource.resourceRef.resourceId + }); + } + /** * The identifier of the resource. */ diff --git a/tools/@aws-cdk/spec2cdk/test/grants.test.ts b/tools/@aws-cdk/spec2cdk/test/grants.test.ts new file mode 100644 index 0000000000000..78b161de10308 --- /dev/null +++ b/tools/@aws-cdk/spec2cdk/test/grants.test.ts @@ -0,0 +1,58 @@ +import { loadAwsServiceSpec } from '@aws-cdk/aws-service-spec'; +import { SpecDatabase } from '@aws-cdk/service-spec-types'; +import { InterfaceType, Module, Stability, StructType, TypeScriptRenderer } from '@cdklabs/typewriter'; +import { CDK_INTERFACES_ENVIRONMENT_AWARE, CONSTRUCTS } from '../lib/cdk/cdk'; +import { GrantsModule } from '../lib/cdk/grants-module'; + +const renderer = new TypeScriptRenderer(); +let db: SpecDatabase; + +beforeAll(async () => { + db = await loadAwsServiceSpec(); +}); + +test('generates grants for methods with and without key actions', async () => { + const config = { + resources: { + Topic: { + hasResourcePolicy: true, + grants: { + publish: { + actions: ['sns:Publish'], + keyActions: ['kms:Decrypt', 'kms:GenerateDataKey*'], + }, + subscribe: { + actions: ['sns:Subscribe'], + }, + }, + }, + }, + }; + const service = db.lookup('service', 'name', 'equals', 'aws-sns').only(); + const module = new GrantsModule(service, db, config); + + const scope = new Module('@aws-cdk/aws-sns'); + const refInterface = new InterfaceType(scope, { + export: true, + name: 'ITopicRef', + extends: [CONSTRUCTS.IConstruct, CDK_INTERFACES_ENVIRONMENT_AWARE.IEnvironmentAware], + docs: { + summary: 'Indicates that this resource can be referenced', + stability: Stability.Experimental, + }, + }); + + module.build({ + 'AWS::SNS::Topic': { + hasArnGetter: true, + ref: { + interfaceType: refInterface.type, + property: refInterface.properties[0], + struct: {} as unknown as StructType, // FIXME What should go here? + }, + }, + }); + + const rendered = renderer.render(module); + expect(rendered).toMatchSnapshot(); +}); diff --git a/yarn.lock b/yarn.lock index 5fe93eaac6465..2010b87a0a25b 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3535,14 +3535,6 @@ chalk "^4.1.2" semver "^7.7.2" -"@jsii/check-node@1.116.0": - version "1.116.0" - resolved "https://registry.npmjs.org/@jsii/check-node/-/check-node-1.116.0.tgz#f4db6461511f60232aa02bfaf46bd607da49bbae" - integrity sha512-Avk6AKggZJcWpDLGH8lb5duyfGIVHCmmeglM3LfmQvKU/zumbRfeg4LvUXGqJflnRB7GAbzbx8iDNo8FMjIWjg== - dependencies: - chalk "^4.1.2" - semver "^7.7.2" - "@jsii/check-node@1.118.0": version "1.118.0" resolved "https://registry.npmjs.org/@jsii/check-node/-/check-node-1.118.0.tgz#0be4fef43c7058764e3b4d146c6fbc80306de6bd" @@ -3551,7 +3543,7 @@ chalk "^4.1.2" semver "^7.7.2" -"@jsii/check-node@1.119.0": +"@jsii/check-node@1.119.0", "@jsii/check-node@^1.118.0": version "1.119.0" resolved "https://registry.npmjs.org/@jsii/check-node/-/check-node-1.119.0.tgz#d4acb0ada485114c8c2b4ad34d8c4bbc418f66b8" integrity sha512-dJ6hz+kpDWC/gAR7X5gmZVWjHX24Nlh2YEYKfY4r/NXrAp+2tdQ1Xhzt1fgOyh0nea+yLdiBLjkOzE1sRIPQFA== @@ -3566,20 +3558,13 @@ dependencies: ajv "^8.17.1" -"@jsii/spec@1.115.0", "@jsii/spec@^1.114.1", "@jsii/spec@^1.115.0": +"@jsii/spec@1.115.0", "@jsii/spec@^1.115.0": version "1.115.0" resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.115.0.tgz#be0818bd31509687cb6445873d1ec65e8d24bd24" integrity sha512-qnicuByM0G5L6ZF2yO/e5cHwT6pb5E0aUvgHBycFPHBkgf5yjtvm+Wtk6q61srNuRASYI25BiTOonyABNeRjlw== dependencies: ajv "^8.17.1" -"@jsii/spec@1.116.0": - version "1.116.0" - resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.116.0.tgz#8da502da897f15b46ac969033cea5cbee4738f43" - integrity sha512-BqsOMsE7Md6EwaLammXeCOi20GlsA4lAawIrPN0jHeFjZnEqUsiWRXZw+9EG3lTImW9QLVN1cF9kbQ3t3vAXeQ== - dependencies: - ajv "^8.17.1" - "@jsii/spec@1.118.0": version "1.118.0" resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.118.0.tgz#66d6da3089e002ee3ee89dcc6e9d284a039acf94" @@ -3587,7 +3572,7 @@ dependencies: ajv "^8.17.1" -"@jsii/spec@1.119.0": +"@jsii/spec@1.119.0", "@jsii/spec@^1.118.0": version "1.119.0" resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.119.0.tgz#e8b4f3bee3b454ea2f0da8f409390ff7ac653e19" integrity sha512-A542Rq4h+DkBivoYWYmo86j8fdmd5kzGNN+2K+MhKPbZ3mHYRN6HHa3fLKYPcbNyLRi1eT+n8LXaVjEBtDKEDQ== @@ -10149,18 +10134,6 @@ jsii-pacmak@1.119.0: xmlbuilder "^15.1.1" yargs "^17.7.2" -jsii-reflect@1.116.0: - version "1.116.0" - resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.116.0.tgz#2dda056b311b9b7eed49ac27c45743f64f0057d7" - integrity sha512-ZIHznFUMHQinqNLu48JibrnB0O0EeINCUgtkgV+SqEN7wsM1kxT3SBLHEbCQqPzB5ZsQzrdl9JW1vMi14/YqGA== - dependencies: - "@jsii/check-node" "1.116.0" - "@jsii/spec" "1.116.0" - chalk "^4" - fs-extra "^10.1.0" - oo-ascii-tree "^1.116.0" - yargs "^17.7.2" - jsii-reflect@1.119.0, jsii-reflect@^1.119.0: version "1.119.0" resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.119.0.tgz#f445c2f70e636f1a20babd844254de2f07265c19" @@ -10185,19 +10158,19 @@ jsii-reflect@^1.115.0: oo-ascii-tree "^1.115.0" yargs "^17.7.2" -jsii-rosetta@~5.9.9: - version "5.9.9" - resolved "https://registry.npmjs.org/jsii-rosetta/-/jsii-rosetta-5.9.9.tgz#3fd42ebb64bed453aac03f9c5c908048bd495102" - integrity sha512-qpEWAjeXpL7ju8bnNuXY2kSkehCeu7O3qBsTmks1upDZTZh9eNBzII1cfuYl9oPHUHWfykXxq9HkXM1w1QeNxg== +jsii-rosetta@~5.9.14: + version "5.9.14" + resolved "https://registry.npmjs.org/jsii-rosetta/-/jsii-rosetta-5.9.14.tgz#c6390f2c02982cf41704f32722b1e5cc1dcb328e" + integrity sha512-f8Yxe/QCdZGHuA4k/VSEcAPusZxNDVWGyT3sXZL/MAj8ryDMpMF0w44WH++0Y2kR9hXih7DQ5gkrib173YAMSg== dependencies: - "@jsii/check-node" "1.114.1" - "@jsii/spec" "^1.114.1" + "@jsii/check-node" "^1.118.0" + "@jsii/spec" "^1.118.0" "@xmldom/xmldom" "^0.9.8" chalk "^4" commonmark "^0.31.2" fast-glob "^3.3.3" jsii "~5.9.1" - semver "^7.7.2" + semver "^7.7.3" semver-intersect "^1.5.0" stream-json "^1.9.1" typescript "~5.9" @@ -11814,11 +11787,6 @@ oo-ascii-tree@^1.115.0: resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.115.0.tgz#60a28f29cc449cd4274140f5d939c08a18c5ac8b" integrity sha512-KbZpipKiCQ5Ws2GryfOUWBxuVpVYosqAi85mtplgMyhQuueOZAO8qeTmNqYYHUxBHOz9O+kKCCjidEkLmCDhLQ== -oo-ascii-tree@^1.116.0: - version "1.116.0" - resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.116.0.tgz#2bd95d7de16b842289e01bd83e29f93ea463eaf5" - integrity sha512-GI0n8coDIoZPywmZp5l2qPO1tqZxN40/tFPYBxWD2vpPeciKiB/nxZ7blDjp97ejxtmdkNouvAmtg4nCYgZihg== - oo-ascii-tree@^1.119.0: version "1.119.0" resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.119.0.tgz#642c9906bc93e419917bfaf4f8ed1559773d8125"