npm - @byaga/cdk-patterns - Versions diffs - 0.5.0 → 0.6.1 - Mend

@byaga/cdk-patterns 0.5.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/Role.d.ts ADDED Viewed

@@ -0,0 +1,139 @@
+import { IPrincipal, Role as CdkRole } from "aws-cdk-lib/aws-iam";
+import { Duration } from "aws-cdk-lib";
+import { IDeployStack } from "./IDeployStack";
+import { IManagedPolicy } from "aws-cdk-lib/aws-iam/lib/managed-policy";
+import { PolicyDocument } from "aws-cdk-lib/aws-iam/lib/policy-document";
+interface IRoleProps {
+    identityPool: string;
+    amr: string;
+    /**
+     * The IAM principal (i.e. `new ServicePrincipal('sns.amazonaws.com')`) which can assume this role.
+     *
+     * You can later modify the assume role policy document by accessing it via
+     * the `assumeRolePolicy` property.
+     *
+     * @stability stable
+     */
+    assumedBy?: IPrincipal;
+    /**
+     * (deprecated) ID that the role assumer needs to provide when assuming this role.
+     *
+     * If the configured and provided external IDs do not match, the
+     * AssumeRole operation will fail.
+     *
+     * @default No external ID required
+     * @deprecated see {@link externalIds}
+     */
+    readonly externalId?: string;
+    /**
+     * List of IDs that the role assumer needs to provide one of when assuming this role.
+     *
+     * If the configured and provided external IDs do not match, the
+     * AssumeRole operation will fail.
+     *
+     * @default No external ID required
+     * @stability stable
+     */
+    readonly externalIds?: string[];
+    /**
+     * A list of managed policies associated with this role.
+     *
+     * You can add managed policies later using
+     * `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
+     *
+     * @default - No managed policies.
+     * @stability stable
+     */
+    readonly managedPolicies?: IManagedPolicy[];
+    /**
+     * A list of named policies to inline into this role.
+     *
+     * These policies will be
+     * created with the role, whereas those added by ``addToPolicy`` are added
+     * using a separate CloudFormation resource (allowing a way around circular
+     * dependencies that could otherwise be introduced).
+     *
+     * @default - No policy is inlined in the Role resource.
+     * @stability stable
+     */
+    readonly inlinePolicies?: {
+        [name: string]: PolicyDocument;
+    };
+    /**
+     * The path associated with this role.
+     *
+     * For information about IAM paths, see
+     * Friendly Names and Paths in IAM User Guide.
+     *
+     * @default /
+     * @stability stable
+     */
+    readonly path?: string;
+    /**
+     * AWS supports permissions boundaries for IAM entities (users or roles).
+     *
+     * A permissions boundary is an advanced feature for using a managed policy
+     * to set the maximum permissions that an identity-based policy can grant to
+     * an IAM entity. An entity's permissions boundary allows it to perform only
+     * the actions that are allowed by both its identity-based policies and its
+     * permissions boundaries.
+     *
+     * @default - No permissions boundary.
+     * @stability stable
+     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+     */
+    readonly permissionsBoundary?: IManagedPolicy;
+    /**
+     * A name for the IAM role.
+     *
+     * For valid values, see the RoleName parameter for
+     * the CreateRole action in the IAM API Reference.
+     *
+     * IMPORTANT: If you specify a name, you cannot perform updates that require
+     * replacement of this resource. You can perform updates that require no or
+     * some interruption. If you must replace the resource, specify a new name.
+     *
+     * If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
+     * acknowledge your template's capabilities. For more information, see
+     * Acknowledging IAM Resources in AWS CloudFormation Templates.
+     *
+     * @default - AWS CloudFormation generates a unique physical ID and uses that ID
+     * for the role name.
+     * @stability stable
+     */
+    readonly roleName?: string;
+    /**
+     * The maximum session duration that you want to set for the specified role.
+     *
+     * This setting can have a value from 1 hour (3600sec) to 12 (43200sec) hours.
+     *
+     * Anyone who assumes the role from the AWS CLI or API can use the
+     * DurationSeconds API parameter or the duration-seconds CLI parameter to
+     * request a longer session. The MaxSessionDuration setting determines the
+     * maximum duration that can be requested using the DurationSeconds
+     * parameter.
+     *
+     * If users don't specify a value for the DurationSeconds parameter, their
+     * security credentials are valid for one hour by default. This applies when
+     * you use the AssumeRole* API operations or the assume-role* CLI operations
+     * but does not apply when you use those operations to create a console URL.
+     *
+     * @default Duration.hours(1)
+     * @stability stable
+     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+     */
+    readonly maxSessionDuration?: Duration;
+    /**
+     * A description of the role.
+     *
+     * It can be up to 1000 characters long.
+     *
+     * @default - No description.
+     * @stability stable
+     */
+    readonly description?: string;
+}
+export declare class Role extends CdkRole {
+    constructor(stack: IDeployStack, id: string, props: IRoleProps);
+}
+export {};

package/lib/Role.js ADDED Viewed

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Role = void 0;
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+class Role extends aws_iam_1.Role {
+    constructor(stack, id, props) {
+        console.log('Defining Role', stack.genId(id));
+        if (!props.assumedBy) {
+            props.assumedBy = new aws_iam_1.FederatedPrincipal('cognito-identity.amazonaws.com', {
+                StringEquals: {
+                    'cognito-identity.amazonaws.com:aud': props.identityPool
+                },
+                "ForAnyValue:StringLike": {
+                    'cognito-identity.amazonaws.com:amr': props.amr
+                }
+            }, 'sts:AssumeRoleWithWebIdentity');
+        }
+        super(stack, stack.genId(id), {
+            ...props,
+            roleName: stack.genName(props.roleName || id),
+            assumedBy: props.assumedBy
+        });
+        new aws_cdk_lib_1.CfnOutput(stack, stack.genId(id, 'arn-output'), {
+            value: this.roleArn,
+            exportName: stack.genName(id, 'arn')
+        });
+    }
+}
+exports.Role = Role;

package/lib/index.d.ts CHANGED Viewed

@@ -3,3 +3,4 @@ export { IDeployStack } from "./IDeployStack";
 export { IDomainConfig } from "./IDomainConfig";
 export { IHostedZoneConfig } from "./IHostedZoneConfig";
 export { IStackArguments } from "./IStackArguments";
+export { Role } from "./Role";

package/lib/index.js CHANGED Viewed

@@ -1,7 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.IDeployStack = exports.ApiCertificate = void 0;
+exports.Role = exports.IDeployStack = exports.ApiCertificate = void 0;
 var ApiCertificate_1 = require("./ApiCertificate");
 Object.defineProperty(exports, "ApiCertificate", { enumerable: true, get: function () { return ApiCertificate_1.ApiCertificate; } });
 var IDeployStack_1 = require("./IDeployStack");
 Object.defineProperty(exports, "IDeployStack", { enumerable: true, get: function () { return IDeployStack_1.IDeployStack; } });
+var Role_1 = require("./Role");
+Object.defineProperty(exports, "Role", { enumerable: true, get: function () { return Role_1.Role; } });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@byaga/cdk-patterns",
-  "version": "0.5.0",
+  "version": "0.6.1",
   "description": "Collection of common patterns used when making AWS CloudFormation templates using CDK",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
@@ -15,13 +15,12 @@
   "author": "VeryFineHat",
   "license": "MIT",
   "dependencies": {
+    "aws-cdk": "^2.92.0",
     "aws-cdk-lib": "^2.92.0",
-    "constructs": "^10.2.69",
-    "fs-extra": "^11.1.1",
-    "glob": "^10.3.3",
-    "js-yaml": "^4.1.0"
+    "constructs": "^10.2.69"
   },
   "devDependencies": {
+    "@types/node": "^20.5.0",
     "typescript": "^5.1.6"
   }
 }

package/src/Role.ts ADDED Viewed

@@ -0,0 +1,167 @@
+import {FederatedPrincipal, IPrincipal, Role as CdkRole} from "aws-cdk-lib/aws-iam";
+import {CfnOutput, Duration} from "aws-cdk-lib";
+import {IDeployStack} from "./IDeployStack";
+import {IManagedPolicy} from "aws-cdk-lib/aws-iam/lib/managed-policy";
+import {PolicyDocument} from "aws-cdk-lib/aws-iam/lib/policy-document";
+interface IRoleProps {
+    identityPool: string,
+    amr: string,
+    /**
+     * The IAM principal (i.e. `new ServicePrincipal('sns.amazonaws.com')`) which can assume this role.
+     *
+     * You can later modify the assume role policy document by accessing it via
+     * the `assumeRolePolicy` property.
+     *
+     * @stability stable
+     */
+    assumedBy?: IPrincipal,
+    /**
+     * (deprecated) ID that the role assumer needs to provide when assuming this role.
+     *
+     * If the configured and provided external IDs do not match, the
+     * AssumeRole operation will fail.
+     *
+     * @default No external ID required
+     * @deprecated see {@link externalIds}
+     */
+    readonly externalId?: string;
+    /**
+     * List of IDs that the role assumer needs to provide one of when assuming this role.
+     *
+     * If the configured and provided external IDs do not match, the
+     * AssumeRole operation will fail.
+     *
+     * @default No external ID required
+     * @stability stable
+     */
+    readonly externalIds?: string[];
+    /**
+     * A list of managed policies associated with this role.
+     *
+     * You can add managed policies later using
+     * `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
+     *
+     * @default - No managed policies.
+     * @stability stable
+     */
+    readonly managedPolicies?: IManagedPolicy[];
+    /**
+     * A list of named policies to inline into this role.
+     *
+     * These policies will be
+     * created with the role, whereas those added by ``addToPolicy`` are added
+     * using a separate CloudFormation resource (allowing a way around circular
+     * dependencies that could otherwise be introduced).
+     *
+     * @default - No policy is inlined in the Role resource.
+     * @stability stable
+     */
+    readonly inlinePolicies?: {
+        [name: string]: PolicyDocument;
+    };
+    /**
+     * The path associated with this role.
+     *
+     * For information about IAM paths, see
+     * Friendly Names and Paths in IAM User Guide.
+     *
+     * @default /
+     * @stability stable
+     */
+    readonly path?: string;
+    /**
+     * AWS supports permissions boundaries for IAM entities (users or roles).
+     *
+     * A permissions boundary is an advanced feature for using a managed policy
+     * to set the maximum permissions that an identity-based policy can grant to
+     * an IAM entity. An entity's permissions boundary allows it to perform only
+     * the actions that are allowed by both its identity-based policies and its
+     * permissions boundaries.
+     *
+     * @default - No permissions boundary.
+     * @stability stable
+     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+     */
+    readonly permissionsBoundary?: IManagedPolicy;
+    /**
+     * A name for the IAM role.
+     *
+     * For valid values, see the RoleName parameter for
+     * the CreateRole action in the IAM API Reference.
+     *
+     * IMPORTANT: If you specify a name, you cannot perform updates that require
+     * replacement of this resource. You can perform updates that require no or
+     * some interruption. If you must replace the resource, specify a new name.
+     *
+     * If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
+     * acknowledge your template's capabilities. For more information, see
+     * Acknowledging IAM Resources in AWS CloudFormation Templates.
+     *
+     * @default - AWS CloudFormation generates a unique physical ID and uses that ID
+     * for the role name.
+     * @stability stable
+     */
+    readonly roleName?: string;
+    /**
+     * The maximum session duration that you want to set for the specified role.
+     *
+     * This setting can have a value from 1 hour (3600sec) to 12 (43200sec) hours.
+     *
+     * Anyone who assumes the role from the AWS CLI or API can use the
+     * DurationSeconds API parameter or the duration-seconds CLI parameter to
+     * request a longer session. The MaxSessionDuration setting determines the
+     * maximum duration that can be requested using the DurationSeconds
+     * parameter.
+     *
+     * If users don't specify a value for the DurationSeconds parameter, their
+     * security credentials are valid for one hour by default. This applies when
+     * you use the AssumeRole* API operations or the assume-role* CLI operations
+     * but does not apply when you use those operations to create a console URL.
+     *
+     * @default Duration.hours(1)
+     * @stability stable
+     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+     */
+    readonly maxSessionDuration?: Duration;
+    /**
+     * A description of the role.
+     *
+     * It can be up to 1000 characters long.
+     *
+     * @default - No description.
+     * @stability stable
+     */
+    readonly description?: string;
+}
+export class Role extends CdkRole {
+    constructor(stack: IDeployStack, id: string, props: IRoleProps) {
+        console.log('Defining Role', stack.genId(id))
+        if (!props.assumedBy) {
+            props.assumedBy = new FederatedPrincipal(
+                'cognito-identity.amazonaws.com',
+                {
+                    StringEquals: {
+                        'cognito-identity.amazonaws.com:aud': props.identityPool
+                    },
+                    "ForAnyValue:StringLike": {
+                        'cognito-identity.amazonaws.com:amr': props.amr
+                    }
+                },
+                'sts:AssumeRoleWithWebIdentity'
+            )
+        }
+        super(stack, stack.genId(id), {
+            ...props,
+            roleName: stack.genName(props.roleName || id),
+            assumedBy: props.assumedBy
+        })
+        new CfnOutput(stack, stack.genId(id, 'arn-output'), {
+            value: this.roleArn,
+            exportName: stack.genName(id, 'arn')
+        })
+    }
+}

package/src/index.ts CHANGED Viewed

@@ -3,3 +3,4 @@ export {IDeployStack} from "./IDeployStack";
 export {IDomainConfig} from "./IDomainConfig";
 export {IHostedZoneConfig} from "./IHostedZoneConfig";
 export {IStackArguments} from "./IStackArguments";
+export {Role} from "./Role";