@cloud-copilot/iam-simulate 0.1.102 → 0.1.104

package/dist/cjs/simulation_engine/policyResources.js

@@ -0,0 +1,112 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getMatchingResourceStringsForPolicies = getMatchingResourceStringsForPolicies;
+exports.getResourceStringsFromStatement = getResourceStringsFromStatement;
+exports.statementResourceStringsForResourceTypeAndPattern = statementResourceStringsForResourceTypeAndPattern;
+exports.statementAllowsAction = statementAllowsAction;
+const iam_utils_1 = require("@cloud-copilot/iam-utils");
+const resourceStrings_js_1 = require("../util/resourceStrings.js");
+const resourceTypes_js_1 = require("./resourceTypes.js");
+/**
+ * Extracts matching resource strings from a set of policies for a given action and resource pattern.
+ *
+ * @param policies Array of policies to search through (undefined entries are skipped)
+ * @param action The action to match against policy statements
+ * @param resourceType The resource type to filter resource strings by
+ * @param resourceArnPattern The resource ARN pattern to match against
+ * @returns Array of unique resource strings that match the criteria
+ */
+function getMatchingResourceStringsForPolicies(policies, action, resourceType, resourceArnPattern) {
+    const resourceStrings = new Set();
+    for (const policy of policies) {
+        if (!policy) {
+            continue;
+        }
+        for (const statement of policy.statements()) {
+            const stmtResourceStrings = getResourceStringsFromStatement(statement, action, resourceType, resourceArnPattern);
+            for (const rs of stmtResourceStrings) {
+                resourceStrings.add(rs);
+            }
+        }
+    }
+    return Array.from(resourceStrings);
+}
+/**
+ * Extracts resource strings from a single policy statement that allows the specified action.
+ *
+ * @param statement The policy statement to analyze
+ * @param action The action to check if the statement allows
+ * @param resourceType The resource type to filter by
+ * @param resourceArnPattern The resource ARN pattern to match
+ * @returns Array of resource strings from the statement, or empty array if statement doesn't allow the action
+ */
+function getResourceStringsFromStatement(statement, action, resourceType, resourceArnPattern) {
+    if (statementAllowsAction(statement, action)) {
+        return statementResourceStringsForResourceTypeAndPattern(statement, resourceType, resourceArnPattern);
+    }
+    return [];
+}
+/**
+ * Extracts resource strings from a statement's Resource or NotResource elements that match the given criteria.
+ *
+ * @param statement The policy statement to analyze
+ * @param resourceType The resource type to filter by
+ * @param resourceArnPattern The resource ARN pattern to check for overlap
+ * @returns Array of matching resource strings, or ['*'] for certain NotResource cases
+ */
+function statementResourceStringsForResourceTypeAndPattern(statement, resourceType, resourceArnPattern) {
+    if (statement.isResourceStatement() && statement.isAllow()) {
+        const resourceStrings = [];
+        for (const stmtResource of statement.resources()) {
+            if ((0, resourceTypes_js_1.resourceStringMatchesResourceTypePattern)(stmtResource.value(), resourceType.arn)) {
+                if ((0, resourceStrings_js_1.resourceArnsOverlap)(resourceArnPattern, stmtResource.value())) {
+                    resourceStrings.push(stmtResource.value());
+                }
+            }
+        }
+        return resourceStrings;
+    }
+    if (statement.isNotResourceStatement() && statement.isAllow()) {
+        for (const stmtNotResource of statement.notResources()) {
+            // If any NotResource string equals or is a superset of the resource type pattern, then the statement does not apply to the string. Otherwise, it should return the string '*'
+            if (stmtNotResource.value() === resourceArnPattern ||
+                isResourceArnSuperset(stmtNotResource.value(), resourceArnPattern)) {
+                return [];
+            }
+        }
+        return ['*'];
+    }
+    // If it's a statement that has no Resource or NotResource such as a trust policy, just return the original pattern
+    return [resourceArnPattern];
+}
+/**
+ * Determines if a policy statement allows the specified action.
+ *
+ * @param statement The policy statement to check
+ * @param action The action to test against the statement
+ * @returns true if the statement allows the action, false otherwise
+ */
+function statementAllowsAction(statement, action) {
+    if (statement.isActionStatement() && statement.isAllow()) {
+        for (const stmtAction of statement.actions()) {
+            if ((0, iam_utils_1.actionMatchesPattern)(action, stmtAction.value())) {
+                return true;
+            }
+        }
+        return false;
+    }
+    else if (statement.isNotActionStatement() && statement.isAllow()) {
+        for (const stmtAction of statement.notActions()) {
+            if ((0, iam_utils_1.actionMatchesPattern)(action, stmtAction.value())) {
+                return false;
+            }
+        }
+        return true;
+    }
+    return false;
+}
+function isResourceArnSuperset(arnSuperset, arnSubset) {
+    const regexSuperset = (0, iam_utils_1.resourceArnWithWildcardsToRegex)(arnSuperset);
+    return regexSuperset.test(arnSubset);
+}
+//# sourceMappingURL=policyResources.js.map

package/dist/cjs/simulation_engine/policyResources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policyResources.js","sourceRoot":"","sources":["../../../src/simulation_engine/policyResources.ts"],"names":[],"mappings":";;AAgBA,sFAwBC;AAWD,0EAcC;AAUD,8GAgCC;AASD,sDAkBC;AApID,wDAAgG;AAEhG,mEAAgE;AAChE,yDAA6E;AAE7E;;;;;;;;GAQG;AACH,SAAgB,qCAAqC,CACnD,QAAwC,EACxC,MAAc,EACd,YAA0B,EAC1B,kBAA0B;IAE1B,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAA;IACzC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,SAAQ;QACV,CAAC;QACD,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC5C,MAAM,mBAAmB,GAAG,+BAA+B,CACzD,SAAS,EACT,MAAM,EACN,YAAY,EACZ,kBAAkB,CACnB,CAAA;YACD,KAAK,MAAM,EAAE,IAAI,mBAAmB,EAAE,CAAC;gBACrC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,+BAA+B,CAC7C,SAAoB,EACpB,MAAc,EACd,YAA0B,EAC1B,kBAA0B;IAE1B,IAAI,qBAAqB,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC;QAC7C,OAAO,iDAAiD,CACtD,SAAS,EACT,YAAY,EACZ,kBAAkB,CACnB,CAAA;IACH,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,iDAAiD,CAC/D,SAAoB,EACpB,YAA0B,EAC1B,kBAA0B;IAE1B,IAAI,SAAS,CAAC,mBAAmB,EAAE,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QAC3D,MAAM,eAAe,GAAa,EAAE,CAAA;QACpC,KAAK,MAAM,YAAY,IAAI,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACjD,IAAI,IAAA,2DAAwC,EAAC,YAAY,CAAC,KAAK,EAAE,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrF,IAAI,IAAA,wCAAmB,EAAC,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;oBAClE,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC,CAAA;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,IAAI,SAAS,CAAC,sBAAsB,EAAE,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QAC9D,KAAK,MAAM,eAAe,IAAI,SAAS,CAAC,YAAY,EAAE,EAAE,CAAC;YACvD,8KAA8K;YAC9K,IACE,eAAe,CAAC,KAAK,EAAE,KAAK,kBAAkB;gBAC9C,qBAAqB,CAAC,eAAe,CAAC,KAAK,EAAE,EAAE,kBAAkB,CAAC,EAClE,CAAC;gBACD,OAAO,EAAE,CAAA;YACX,CAAC;QACH,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,CAAA;IACd,CAAC;IAED,mHAAmH;IACnH,OAAO,CAAC,kBAAkB,CAAC,CAAA;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CAAC,SAAoB,EAAE,MAAc;IACxE,IAAI,SAAS,CAAC,iBAAiB,EAAE,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QACzD,KAAK,MAAM,UAAU,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;YAC7C,IAAI,IAAA,gCAAoB,EAAC,MAAM,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;gBACrD,OAAO,IAAI,CAAA;YACb,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;SAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QACnE,KAAK,MAAM,UAAU,IAAI,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC;YAChD,IAAI,IAAA,gCAAoB,EAAC,MAAM,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;gBACrD,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,qBAAqB,CAAC,WAAmB,EAAE,SAAiB;IACnE,MAAM,aAAa,GAAG,IAAA,2CAA+B,EAAC,WAAW,CAAC,CAAA;IAClE,OAAO,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AACtC,CAAC"}

package/dist/cjs/simulation_engine/resourceTypes.d.ts

@@ -0,0 +1,18 @@
+import { ResourceType } from '@cloud-copilot/iam-data';
+/**
+ * Checks to see if a resource string ARN matches a resource pattern from the Service Authorization Reference
+ *
+ * @param resourceString
+ * @param resourcePattern
+ */
+export declare function resourceStringMatchesResourceTypePattern(resourceString: string, resourcePattern: string): boolean;
+/**
+ * Get the the possible resource types for an action and resource
+ *
+ * @param service the service the action belongs to
+ * @param action the action to get the resource type for
+ * @param resource the resource type matching the action, if any
+ * @throws an error if the service or action does not exist, or if the action is a wildcard only action
+ */
+export declare function getResourceTypesForAction(service: string, action: string, resource: string): Promise<ResourceType[]>;
+//# sourceMappingURL=resourceTypes.d.ts.map

package/dist/cjs/simulation_engine/resourceTypes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resourceTypes.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/resourceTypes.ts"],"names":[],"mappings":"AAAA,OAAO,EAA4C,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAGhG;;;;;GAKG;AACH,wBAAgB,wCAAwC,CACtD,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,MAAM,GACtB,OAAO,CA2GT;AAqCD;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,EAAE,CAAC,CAkBzB"}

package/dist/cjs/simulation_engine/resourceTypes.js

@@ -0,0 +1,145 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resourceStringMatchesResourceTypePattern = resourceStringMatchesResourceTypePattern;
+exports.getResourceTypesForAction = getResourceTypesForAction;
+const iam_data_1 = require("@cloud-copilot/iam-data");
+const util_js_1 = require("../util.js");
+/**
+ * Checks to see if a resource string ARN matches a resource pattern from the Service Authorization Reference
+ *
+ * @param resourceString
+ * @param resourcePattern
+ */
+function resourceStringMatchesResourceTypePattern(resourceString, resourcePattern) {
+    if (resourceString === '*') {
+        return true;
+    }
+    const resourceParts = (0, util_js_1.splitArnParts)(resourceString);
+    const patternParts = (0, util_js_1.splitArnParts)(resourcePattern);
+    if (!resourceComponentMatchesResourceTypeComponent(resourceParts.partition, patternParts.partition)) {
+        return false;
+    }
+    if (!resourceComponentMatchesResourceTypeComponent(resourceParts.service, patternParts.service)) {
+        return false;
+    }
+    if (!resourceComponentMatchesResourceTypeComponent(resourceParts.region, patternParts.region)) {
+        return false;
+    }
+    if (!resourceComponentMatchesResourceTypeComponent(resourceParts.accountId, patternParts.accountId)) {
+        return false;
+    }
+    const [resourceResourcePartsSegments, resourceResourceParts] = splitResourceTypeComponent(resourceParts.resource);
+    const [patternResourcePartsSegments, patternResourceParts] = splitResourceTypeComponent(patternParts.resource);
+    // If there are more segments in the resource than the pattern, it cannot match,
+    // unless the final pattern component is a variable (e.g. ${ObjectName}) which
+    // can span multiple segments (like S3 object keys with slashes).
+    if (resourceResourcePartsSegments > patternResourcePartsSegments) {
+        const lastPatternComponent = patternResourceParts.at(-1);
+        if (!isResourceTypeVariable(lastPatternComponent) || patternResourcePartsSegments === 1) {
+            return false;
+        }
+    }
+    // If there are fewer segments with contents in the resource than the pattern, and the last segment of the resource
+    // does not end with a wildcard, it cannot match
+    if (resourceResourceParts.length < patternResourceParts.length &&
+        !resourceResourceParts.at(-1)?.endsWith('*')) {
+        return false;
+    }
+    const compareLen = Math.min(resourceResourceParts.length, patternResourceParts.length);
+    for (let i = 0; i < compareLen; i++) {
+        const resourceComponent = resourceResourceParts[i];
+        const isLastPattern = i === patternResourceParts.length - 1;
+        const patternComponent = patternResourceParts[i];
+        if (!patternComponent) {
+            return false;
+        }
+        if (isResourceTypeVariable(patternComponent)) {
+            if (isLastPattern &&
+                resourceResourcePartsSegments > patternResourcePartsSegments &&
+                patternResourcePartsSegments > 1) {
+                // Variable at the end can absorb additional segments.
+                return true;
+            }
+            if (isLastPattern && resourceComponent?.endsWith('*')) {
+                // If the resource component ends with a wildcard, it matches everything after
+                break;
+            }
+            // These match anything, move along.
+            continue;
+        }
+        if (!resourceComponent) {
+            return false;
+        }
+        const resourceComponentPattern = '^' + resourceComponent.replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';
+        const regex = new RegExp(resourceComponentPattern);
+        const match = patternComponent.match(regex);
+        if (match) {
+            if (isLastPattern && resourceComponent.endsWith('*')) {
+                // If the resource component ends with a wildcard, it matches everything after
+                break;
+            }
+            continue;
+        }
+        else {
+            return false;
+        }
+    }
+    /*
+      Matching resource types.
+      If the pattern has a slash or colon in the resource portion, those need to exist in the pattern.
+      If the pattern ends with a wildcard, that matches everything.
+    */
+    return true;
+}
+function splitResourceTypeComponent(component) {
+    const parts = component?.split(/[:/]/) ?? [];
+    return [parts.length, parts.filter((p) => p && p !== '')];
+}
+function resourceComponentMatchesResourceTypeComponent(resourceComponent, resourceTypeComponent) {
+    if (resourceTypeComponent === '*' || resourceTypeComponent === resourceComponent) {
+        return true;
+    }
+    if (!resourceComponent || !resourceTypeComponent) {
+        return false;
+    }
+    if (isResourceTypeVariable(resourceTypeComponent)) {
+        // If the entire component is a single variable, it matches anything
+        return true;
+    }
+    const pattern = (0, util_js_1.convertResourcePatternToRegex)(resourceTypeComponent);
+    const regex = new RegExp(pattern);
+    const match = resourceComponent.match(regex);
+    return !!match;
+}
+function isResourceTypeVariable(component) {
+    if (!component) {
+        return false;
+    }
+    return component.match(/^\$\{[0-9a-zA-Z]+\}$/) !== null;
+}
+/**
+ * Get the the possible resource types for an action and resource
+ *
+ * @param service the service the action belongs to
+ * @param action the action to get the resource type for
+ * @param resource the resource type matching the action, if any
+ * @throws an error if the service or action does not exist, or if the action is a wildcard only action
+ */
+async function getResourceTypesForAction(service, action, resource) {
+    const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action);
+    if (actionDetails.resourceTypes.length === 0) {
+        throw new Error(`${service}:${action} does not have any resource types`);
+    }
+    const matchingResourceTypes = [];
+    for (const rt of actionDetails.resourceTypes) {
+        const resourceType = await (0, iam_data_1.iamResourceTypeDetails)(service, rt.name);
+        // const pattern = convertResourcePatternToRegex(resourceType.arn)
+        // const match = resource.match(new RegExp(pattern))
+        const match = resourceStringMatchesResourceTypePattern(resource, resourceType.arn);
+        if (match) {
+            matchingResourceTypes.push(resourceType);
+        }
+    }
+    return matchingResourceTypes;
+}
+//# sourceMappingURL=resourceTypes.js.map

package/dist/cjs/simulation_engine/resourceTypes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resourceTypes.js","sourceRoot":"","sources":["../../../src/simulation_engine/resourceTypes.ts"],"names":[],"mappings":";;AASA,4FA8GC;AA6CD,8DAsBC;AA1LD,sDAAgG;AAChG,wCAAyE;AAEzE;;;;;GAKG;AACH,SAAgB,wCAAwC,CACtD,cAAsB,EACtB,eAAuB;IAEvB,IAAI,cAAc,KAAK,GAAG,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,aAAa,GAAG,IAAA,uBAAa,EAAC,cAAc,CAAC,CAAA;IACnD,MAAM,YAAY,GAAG,IAAA,uBAAa,EAAC,eAAe,CAAC,CAAA;IAEnD,IACE,CAAC,6CAA6C,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,EAC/F,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,6CAA6C,CAAC,aAAa,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;QAChG,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,6CAA6C,CAAC,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9F,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IACE,CAAC,6CAA6C,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,EAC/F,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,CAAC,6BAA6B,EAAE,qBAAqB,CAAC,GAAG,0BAA0B,CACvF,aAAa,CAAC,QAAQ,CACvB,CAAA;IACD,MAAM,CAAC,4BAA4B,EAAE,oBAAoB,CAAC,GAAG,0BAA0B,CACrF,YAAY,CAAC,QAAQ,CACtB,CAAA;IAED,gFAAgF;IAChF,8EAA8E;IAC9E,iEAAiE;IACjE,IAAI,6BAA6B,GAAG,4BAA4B,EAAE,CAAC;QACjE,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;QACxD,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,CAAC,IAAI,4BAA4B,KAAK,CAAC,EAAE,CAAC;YACxF,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,mHAAmH;IACnH,gDAAgD;IAChD,IACE,qBAAqB,CAAC,MAAM,GAAG,oBAAoB,CAAC,MAAM;QAC1D,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC,EAC5C,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,qBAAqB,CAAC,MAAM,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAA;IACtF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAA;QAClD,MAAM,aAAa,GAAG,CAAC,KAAK,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;QAC3D,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAEhD,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,sBAAsB,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC7C,IACE,aAAa;gBACb,6BAA6B,GAAG,4BAA4B;gBAC5D,4BAA4B,GAAG,CAAC,EAChC,CAAC;gBACD,sDAAsD;gBACtD,OAAO,IAAI,CAAA;YACb,CAAC;YACD,IAAI,aAAa,IAAI,iBAAiB,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtD,8EAA8E;gBAC9E,MAAK;YACP,CAAC;YAED,oCAAoC;YACpC,SAAQ;QACV,CAAC;QAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,wBAAwB,GAC5B,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;QACzE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,wBAAwB,CAAC,CAAA;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAC3C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,aAAa,IAAI,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrD,8EAA8E;gBAC9E,MAAK;YACP,CAAC;YACD,SAAQ;QACV,CAAC;aAAM,CAAC;YACN,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IACD;;;;MAIE;IAEF,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,0BAA0B,CAAC,SAA6B;IAC/D,MAAM,KAAK,GAAG,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;IAC5C,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;AAC3D,CAAC;AAED,SAAS,6CAA6C,CACpD,iBAAqC,EACrC,qBAAyC;IAEzC,IAAI,qBAAqB,KAAK,GAAG,IAAI,qBAAqB,KAAK,iBAAiB,EAAE,CAAC;QACjF,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,iBAAiB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACjD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,sBAAsB,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAClD,oEAAoE;QACpE,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,uCAA6B,EAAC,qBAAqB,CAAC,CAAA;IACpE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAC5C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED,SAAS,sBAAsB,CAAC,SAA6B;IAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,SAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,KAAK,IAAI,CAAA;AACzD,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,yBAAyB,CAC7C,OAAe,EACf,MAAc,EACd,QAAgB;IAEhB,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC7D,IAAI,aAAa,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,IAAI,MAAM,mCAAmC,CAAC,CAAA;IAC1E,CAAC;IAED,MAAM,qBAAqB,GAAmB,EAAE,CAAA;IAChD,KAAK,MAAM,EAAE,IAAI,aAAa,CAAC,aAAa,EAAE,CAAC;QAC7C,MAAM,YAAY,GAAG,MAAM,IAAA,iCAAsB,EAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAA;QACnE,kEAAkE;QAClE,oDAAoD;QACpD,MAAM,KAAK,GAAG,wCAAwC,CAAC,QAAQ,EAAE,YAAY,CAAC,GAAG,CAAC,CAAA;QAClF,IAAI,KAAK,EAAE,CAAC;YACV,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,qBAAqB,CAAA;AAC9B,CAAC"}

package/dist/cjs/simulation_engine/simulationEngine.d.ts

@@ -1,5 +1,6 @@
+import { ResourceType } from '@cloud-copilot/iam-data';
 import { ValidationError } from '@cloud-copilot/iam-policy';
-import { RequestAnalysis } from '../evaluate.js';
+import { EvaluationResult, RequestAnalysis } from '../evaluate.js';
 import { Simulation } from './simulation.js';
 import { SimulationOptions } from './simulationOptions.js';
 export interface SimulationErrors {
@@ -12,16 +13,11 @@ export interface SimulationErrors {
     vpcEndpointErrors?: Record<string, ValidationError[]>;
     message: string;
 }
-export interface SimulationResult {
-    errors?: SimulationErrors;
-    analysis?: RequestAnalysis;
-    /**
-     * The resource type that was used for the simulation, if applicable.
-     *
-     * Will only be present if the request passes validation to reach the policy
-     * evaluation stage and the action is not a wildcard-only action.
-     */
-    resourceType?: string;
+/**
+ * Result of evaluating a single resource simulation, containing the analysis and any ignored context keys.
+ */
+export interface SimulationResourceResult {
+    analysis: RequestAnalysis;
     /**
      * Any context keys provided in the request that were filtered out before
      * policy evaluation because they do not apply to the action/resource type.
@@ -33,15 +29,97 @@ export interface SimulationResult {
      */
     ignoredContextKeys?: string[];
 }
+/**
+ * Extended simulation resource result that includes resource type and pattern information
+ * for wildcard resource simulations.
+ */
+export interface WildcardSimulationResourceResult extends SimulationResourceResult {
+    /**
+     * The resource type that was used for the simulation, if applicable.
+     *
+     * Will only be present if the request passes validation to reach the policy
+     * evaluation stage and the action is not a wildcard-only action.
+     */
+    resourceType: string;
+    /**
+     * The resource pattern that was used for the simulation, if applicable. If a wildcard
+     * resource was provided and multiple simulations were run, this will indicate the
+     * specific resource string that was simulated.
+     */
+    resourcePattern: string;
+}
+/**
+ * Simulation result indicating that errors prevented the simulation from running.
+ */
+export interface ErrorSimulationResult {
+    resultType: 'error';
+    /**
+     * Errors in the simulation input that prevented the simulation from being run.
+     */
+    errors: SimulationErrors;
+}
+/**
+ * Simulation result for a single resource (non-wildcard) evaluation.
+ */
+export interface SingleResourceSimulationResult {
+    /**
+     * A single resource simulation result.
+     */
+    resultType: 'single';
+    /**
+     * The overall result of the one simulation that was run.
+     */
+    overallResult: EvaluationResult;
+    /**
+     * The detailed result of the simulation that was run and the request analysis
+     */
+    result: SimulationResourceResult;
+}
+/**
+ * Simulation results for wildcard resource evaluations, containing multiple individual results.
+ */
+export interface WildcardResourceSimulationResults {
+    /**
+     * Whether a wildcard was detected in the resource ARN of the request and the
+     * simulation was not a wildcard-only action, which can cause multiple simulations to be run.
+     */
+    resultType: 'wildcard';
+    /**
+     * The overall result of the simulation, calculated based on the results of individual simulations if
+     * multiple were run.
+     */
+    overallResult: EvaluationResult;
+    /**
+     * The results of the simulation or simulations that were run.
+     * If it is a wildcard only action or the resource ARN contains no wildcards, this will contain a single result.
+     * If the resource ARN contains a wildcard and the action is not a wildcard-only action, this may contain no
+     * results, or one result for each matching pattern found in the provided identity and resource policies.
+     */
+    results: WildcardSimulationResourceResult[];
+}
+/**
+ * The result of running a simulation.
+ * Can be an error, a single result, or a wildcard result.
+ * Discriminated by the `resultType` field.
+ */
+export type RunSimulationResults = ErrorSimulationResult | SingleResourceSimulationResult | WildcardResourceSimulationResults;
+/**
+ * Union type representing successful simulation results (excluding error cases).
+ */
+export type SuccessfulRunSimulationResults = SingleResourceSimulationResult | WildcardResourceSimulationResults;
+/**
+ * Discriminant type for the different kinds of simulation results.
+ */
+export type SimulationResultType = RunSimulationResults['resultType'];
 /**
  * Run a simulation with validation
  *
  * @param simulation The simulation to run
  * @param simulationOptions Options for the simulation
- * @returns
+ * @returns The results of the simulation, or errors if the simulation could not be run
  */
-export declare function runSimulation(simulation: Simulation, simulationOptions: Partial<SimulationOptions>): Promise<SimulationResult>;
-export declare function normalizeSimulationParameters(simulation: Simulation): Promise<{
+export declare function runSimulation(simulation: Simulation, simulationOptions: Partial<SimulationOptions>): Promise<RunSimulationResults>;
+export declare function normalizeSimulationParameters(simulation: Simulation, suggestedResourceType: ResourceType | undefined): Promise<{
     validContextValues: Record<string, string | string[]>;
     ignoredContextKeys: string[];
 }>;

package/dist/cjs/simulation_engine/simulationEngine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAOL,eAAe,EAChB,MAAM,2BAA2B,CAAA;AAYlC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAKhD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAiB1D,MAAM,WAAW,gBAAgB;IAC/B,mBAAmB,CAAC,EAAE,eAAe,EAAE,CAAA;IACvC,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACxD,0BAA0B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC9D,2BAA2B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC/D,wBAAwB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC5D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAA;IACxC,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACrD,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAA;IACzB,QAAQ,CAAC,EAAE,eAAe,CAAA;IAE1B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,OAAO,CAAC,gBAAgB,CAAC,CA6O3B;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;IACnF,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;IACrD,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAC,CAyCD"}
+{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqC,YAAY,EAAE,MAAM,yBAAyB,CAAA;AACzF,OAAO,EAOL,eAAe,EAChB,MAAM,2BAA2B,CAAA;AAYlC,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAQlE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAiB1D,MAAM,WAAW,gBAAgB;IAC/B,mBAAmB,CAAC,EAAE,eAAe,EAAE,CAAA;IACvC,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACxD,0BAA0B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC9D,2BAA2B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC/D,wBAAwB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC5D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAA;IACxC,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACrD,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,eAAe,CAAA;IAEzB;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;GAGG;AACH,MAAM,WAAW,gCAAiC,SAAQ,wBAAwB;IAChF;;;;;OAKG;IACH,YAAY,EAAE,MAAM,CAAA;IAEpB;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAA;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAE,OAAO,CAAA;IAEnB;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC7C;;OAEG;IACH,UAAU,EAAE,QAAQ,CAAA;IAEpB;;OAEG;IACH,aAAa,EAAE,gBAAgB,CAAA;IAE/B;;OAEG;IACH,MAAM,EAAE,wBAAwB,CAAA;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD;;;OAGG;IACH,UAAU,EAAE,UAAU,CAAA;IAEtB;;;OAGG;IACH,aAAa,EAAE,gBAAgB,CAAA;IAE/B;;;;;OAKG;IACH,OAAO,EAAE,gCAAgC,EAAE,CAAA;CAC5C;AAED;;;;GAIG;AACH,MAAM,MAAM,oBAAoB,GAC5B,qBAAqB,GACrB,8BAA8B,GAC9B,iCAAiC,CAAA;AAErC;;GAEG;AACH,MAAM,MAAM,8BAA8B,GACtC,8BAA8B,GAC9B,iCAAiC,CAAA;AAErC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAA;AAErE;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,OAAO,CAAC,oBAAoB,CAAC,CA0T/B;AAED,wBAAsB,6BAA6B,CACjD,UAAU,EAAE,UAAU,EACtB,qBAAqB,EAAE,YAAY,GAAG,SAAS,GAC9C,OAAO,CAAC;IACT,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;IACrD,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAC,CA0CD"}

package/dist/cjs/simulation_engine/simulationEngine.js

@@ -13,6 +13,9 @@ const request_js_1 = require("../request/request.js");
 const requestContext_js_1 = require("../requestContext.js");
 const util_js_1 = require("../util.js");
 const contextKeys_js_2 = require("./contextKeys.js");
+const overallResult_js_1 = require("./overallResult.js");
+const policyResources_js_1 = require("./policyResources.js");
+const resourceTypes_js_1 = require("./resourceTypes.js");
 const DEFAULT_RCP = {
     name: 'RCPFullAWSAccess',
     policy: {
@@ -32,15 +35,18 @@ const DEFAULT_RCP = {
  *
  * @param simulation The simulation to run
  * @param simulationOptions Options for the simulation
- * @returns
+ * @returns The results of the simulation, or errors if the simulation could not be run
  */
 async function runSimulation(simulation, simulationOptions) {
     const principal = simulation.request.principal;
+    const resourceArn = simulation.request.resource.resource;
+    const resourceHasWildcard = resourceArn.includes('*');
     if (simulation.sessionPolicy) {
         if (!(0, iam_utils_1.isIamRoleArn)(principal) &&
             !(0, iam_utils_1.isAssumedRoleArn)(principal) &&
             !(0, iam_utils_1.isFederatedUserArn)(principal)) {
             return {
+                resultType: 'error',
                 errors: {
                     message: 'session.policy.invalid.principal'
                 }
@@ -143,6 +149,7 @@ async function runSimulation(simulation, simulationOptions) {
         resourcePolicyErrors.length > 0 ||
         sessionPolicyErrors.length > 0) {
         return {
+            resultType: 'error',
             errors: {
                 sessionPolicyErrors,
                 identityPolicyErrors,
@@ -160,6 +167,7 @@ async function runSimulation(simulation, simulationOptions) {
         : undefined;
     if (simulation.request.action.split(':').length != 2) {
         return {
+            resultType: 'error',
             errors: {
                 message: 'invalid.action'
             }
@@ -169,6 +177,7 @@ async function runSimulation(simulation, simulationOptions) {
     const validService = await (0, iam_data_1.iamServiceExists)(service);
     if (!validService) {
         return {
+            resultType: 'error',
             errors: {
                 message: 'invalid.service'
             }
@@ -177,17 +186,19 @@ async function runSimulation(simulation, simulationOptions) {
     const validAction = await (0, iam_data_1.iamActionExists)(service, action);
     if (!validAction) {
         return {
+            resultType: 'error',
             errors: {
                 message: 'invalid.action'
             }
         };
     }
-    const resourceArn = simulation.request.resource.resource;
     const isWildCardOnlyAction = await (0, util_js_1.isWildcardOnlyAction)(service, action);
-    let resourceType = undefined;
+    const runMultipleSimulations = resourceHasWildcard && !isWildCardOnlyAction;
+    let resourceTypes = undefined;
     if (isWildCardOnlyAction) {
         if (resourceArn !== '*') {
             return {
+                resultType: 'error',
                 errors: {
                     message: 'must.use.wildcard'
                 }
@@ -195,37 +206,39 @@ async function runSimulation(simulation, simulationOptions) {
         }
     }
     else {
-        const resourceTypes = await (0, util_js_1.getResourceTypesForAction)(service, action, resourceArn);
-        if (resourceTypes.length === 0) {
+        const actionResourceTypes = await (0, resourceTypes_js_1.getResourceTypesForAction)(service, action, resourceArn);
+        if (actionResourceTypes.length === 0) {
             return {
+                resultType: 'error',
                 errors: {
                     message: 'no.resource.types'
                 }
             };
         }
-        else if (resourceTypes.length > 1) {
+        else if (actionResourceTypes.length > 1 && !resourceHasWildcard) {
             return {
+                resultType: 'error',
                 errors: {
                     message: 'multiple.resource.types'
                 }
             };
         }
         else {
-            resourceType = resourceTypes[0].key;
+            resourceTypes = actionResourceTypes.map((item) => item);
         }
     }
-    const { validContextValues, ignoredContextKeys } = await normalizeSimulationParameters(simulation);
     const simulationMode = CoreSimulatorEngine_js_1.validSimulationModes.includes(simulationOptions.simulationMode)
         ? simulationOptions.simulationMode
         : 'Strict';
+    // For each resource type, find the resource patterns, for each pattern, run a simulation
     const strictConditionKeys = simulationMode === 'Discovery'
         ? new strictContextKeys_js_1.StrictContextKeys(simulationOptions.strictConditionKeys || [])
         : new strictContextKeys_js_1.StrictContextKeys([]);
-    const simulationResult = (0, CoreSimulatorEngine_js_1.authorize)({
+    const curriedAuthorize = (curriedResourceString, curriedContextValues) => (0, CoreSimulatorEngine_js_1.authorize)({
         request: new request_js_1.AwsRequestImpl(principal, {
-            resource: simulation.request.resource.resource,
+            resource: curriedResourceString,
             accountId: simulation.request.resource.accountId
-        }, simulation.request.action, new requestContext_js_1.RequestContextImpl(validContextValues)),
+        }, simulation.request.action, new requestContext_js_1.RequestContextImpl(curriedContextValues)),
         sessionPolicy,
         identityPolicies,
         serviceControlPolicies,
@@ -238,16 +251,61 @@ async function runSimulation(simulation, simulationOptions) {
             strictConditionKeys: strictConditionKeys
         }
     });
+    const policiesThatGrantAccess = [resourcePolicy, ...identityPolicies];
+    // If there is only one simulation to run, run it
+    if (!runMultipleSimulations) {
+        const { validContextValues, ignoredContextKeys } = await normalizeSimulationParameters(simulation, undefined);
+        const singleResult = curriedAuthorize(resourceArn, validContextValues);
+        return {
+            resultType: 'single',
+            overallResult: singleResult.result,
+            result: {
+                analysis: singleResult,
+                ignoredContextKeys
+            }
+        };
+    }
+    // Here, we know it is a wildcard resource and not a wildcard-only action, so we need to run multiple simulations
+    const simulationResults = [];
+    const resourceTypesToSimulate = resourceTypes && resourceTypes.length > 0 ? resourceTypes : [];
+    for (const resourceType of resourceTypesToSimulate) {
+        // If "run multiple" get the resource strings that match the wildcard pattern, otherwise, just run the one.
+        const { validContextValues, ignoredContextKeys } = await normalizeSimulationParameters(simulation, resourceType);
+        //Run the pattern directly first.
+        const exactPatternResult = curriedAuthorize(resourceArn, validContextValues);
+        if (exactPatternResult.result === 'ExplicitlyDenied') {
+            simulationResults.push({
+                analysis: exactPatternResult,
+                ignoredContextKeys,
+                resourceType: resourceType.key,
+                resourcePattern: resourceArn
+            });
+        }
+        else {
+            let resourceStrings = [simulation.request.resource.resource];
+            resourceStrings = (0, policyResources_js_1.getMatchingResourceStringsForPolicies)(policiesThatGrantAccess, simulation.request.action, resourceType, simulation.request.resource.resource);
+            for (const resourceString of resourceStrings) {
+                const simulationResult = curriedAuthorize(resourceString, validContextValues);
+                simulationResults.push({
+                    analysis: simulationResult,
+                    ignoredContextKeys,
+                    resourceType: resourceType.key,
+                    resourcePattern: resourceString
+                });
+            }
+        }
+    }
+    const overallResult = (0, overallResult_js_1.calculateOverallResult)(simulationResults);
     return {
-        analysis: simulationResult,
-        ignoredContextKeys,
-        resourceType
+        resultType: 'wildcard',
+        overallResult,
+        results: simulationResults
     };
 }
-async function normalizeSimulationParameters(simulation) {
+async function normalizeSimulationParameters(simulation, suggestedResourceType) {
     const [service, action] = simulation.request.action.split(':');
     const resourceArn = simulation.request.resource.resource;
-    const contextVariablesForAction = new Set(await (0, contextKeys_js_2.allowedContextKeysForRequest)(service, action, resourceArn, !!simulation.additionalSettings?.s3?.bucketAbacEnabled));
+    const contextVariablesForAction = new Set(await (0, contextKeys_js_2.allowedContextKeysForRequest)(service, action, resourceArn, !!simulation.additionalSettings?.s3?.bucketAbacEnabled, suggestedResourceType));
     //Get the types of the context variables and set a string or array of strings based on that.
     const validContextValues = {};
     const ignoredContextKeys = [];