@composurecdk/iam 0.3.0

package/README.md

@@ -0,0 +1,91 @@
+# @composurecdk/iam
+
+IAM role, customer-managed policy, and policy-statement builders for [ComposureCDK](../../README.md).
+
+This package provides fluent builders for the most commonly configured IAM resources and centralises least-privilege guardrails so that consuming packages (Lambda, Budgets, SNS topic policies, …) do not have to reinvent them.
+
+## Role Builder
+
+```ts
+import { createRoleBuilder, createStatementBuilder } from "@composurecdk/iam";
+import { ServicePrincipal } from "aws-cdk-lib/aws-iam";
+
+const role = createRoleBuilder()
+  .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
+  .description("Execution role for the budget remediation Lambda")
+  .addInlinePolicyStatements("StopEC2", [
+    createStatementBuilder()
+      .allow()
+      .actions(["ec2:StopInstances", "ec2:DescribeInstances"])
+      .resources(["*"])
+      .allowWildcardResources(true),
+  ])
+  .build(stack, "StopEC2Role");
+```
+
+Every [RoleProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.RoleProps.html) property is available as a fluent setter. `permissionsBoundary` additionally accepts a `Resolvable<IManagedPolicy>` so a sibling component can supply a boundary policy via `ref(...)`.
+
+### Defaults
+
+| Property             | Default             | Rationale                                                                                                     |
+| -------------------- | ------------------- | ------------------------------------------------------------------------------------------------------------- |
+| `maxSessionDuration` | `Duration.hours(1)` | Short-lived credentials reduce the blast radius of leaked sessions. See AWS Well-Architected Security pillar. |
+
+Exported as `ROLE_DEFAULTS`.
+
+### Result
+
+```ts
+interface RoleBuilderResult {
+  role: Role;
+  inlinePolicies: Record<string, PolicyDocument>; // keyed by the name passed to addInlinePolicyStatements
+}
+```
+
+Inline policies are embedded in the underlying `AWS::IAM::Role` resource via its native `Policies` array — no separate `AWS::IAM::Policy` resources are created.
+
+## Managed Policy Builder
+
+```ts
+import { createManagedPolicyBuilder } from "@composurecdk/iam";
+
+const boundary = createManagedPolicyBuilder()
+  .managedPolicyName("ops-boundary")
+  .addStatements([
+    createStatementBuilder()
+      .allow()
+      .actions(["s3:GetObject"])
+      .resources(["arn:aws:s3:::my-bucket/*"]),
+  ])
+  .build(stack, "OpsBoundary");
+```
+
+## Statement Builder
+
+`createStatementBuilder()` is a fluent wrapper around the CDK [PolicyStatement](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html). Unlike the other builders in this package it is **not** a `Lifecycle` — its `build()` method returns a `PolicyStatement` synchronously.
+
+### Wildcard guard
+
+By default, `Allow` statements with `resources: ["*"]` fail with `WildcardResourceError`. Opt in explicitly with `.allowWildcardResources(true)` when an action genuinely requires unrestricted scope (such as `ec2:DescribeInstances`, which does not support resource-level permissions).
+
+```ts
+createStatementBuilder()
+  .allow()
+  .actions(["ec2:DescribeInstances"])
+  .resources(["*"])
+  .allowWildcardResources(true);
+```
+
+## Service Role Helper
+
+```ts
+import { createServiceRoleBuilder } from "@composurecdk/iam";
+
+const lambdaRole = createServiceRoleBuilder("lambda.amazonaws.com")
+  .description("Execution role for StopEC2 Lambda")
+  .addInlinePolicyStatements("StopEC2", [
+    /* statements */
+  ]);
+```
+
+Thin sugar over `createRoleBuilder().assumedBy(new ServicePrincipal(...))`.

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { createRoleBuilder, type IRoleBuilder, type RoleBuilderResult } from "./role-builder.js";
+export { ROLE_DEFAULTS } from "./role-defaults.js";
+export { createManagedPolicyBuilder, type IManagedPolicyBuilder, type ManagedPolicyBuilderResult, } from "./managed-policy-builder.js";
+export { createServiceRoleBuilder } from "./service-role-builder.js";
+export { createStatementBuilder, StatementBuilder, WildcardResourceError, } from "./statement-builder.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,YAAY,EAAE,KAAK,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC"}

package/dist/index.js

@@ -0,0 +1,6 @@
+export { createRoleBuilder } from "./role-builder.js";
+export { ROLE_DEFAULTS } from "./role-defaults.js";
+export { createManagedPolicyBuilder, } from "./managed-policy-builder.js";
+export { createServiceRoleBuilder } from "./service-role-builder.js";
+export { createStatementBuilder, StatementBuilder, WildcardResourceError, } from "./statement-builder.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAA6C,MAAM,mBAAmB,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EACL,0BAA0B,GAG3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC"}

package/dist/managed-policy-builder.d.ts

@@ -0,0 +1,60 @@
+import { ManagedPolicy, type ManagedPolicyProps, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import type { IConstruct } from "constructs";
+import { type IBuilder, type Lifecycle } from "@composurecdk/core";
+import { StatementBuilder } from "./statement-builder.js";
+/**
+ * Configuration properties for the customer-managed IAM policy builder.
+ *
+ * Extends the CDK {@link ManagedPolicyProps} unchanged — the builder adds
+ * an {@link IManagedPolicyBuilder.addStatements | addStatements} method that
+ * accepts either {@link PolicyStatement} or {@link StatementBuilder}.
+ */
+export type ManagedPolicyBuilderProps = ManagedPolicyProps;
+/**
+ * The build output of an {@link IManagedPolicyBuilder}.
+ */
+export interface ManagedPolicyBuilderResult {
+    /** The customer-managed policy created by the builder. */
+    policy: ManagedPolicy;
+}
+/**
+ * A fluent builder for configuring and creating an AWS IAM
+ * customer-managed policy.
+ *
+ * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ManagedPolicy.html
+ *
+ * @example
+ * ```ts
+ * const boundary = createManagedPolicyBuilder()
+ *   .managedPolicyName("ops-boundary")
+ *   .addStatements([
+ *     createStatementBuilder()
+ *       .allow()
+ *       .actions(["s3:GetObject"])
+ *       .resources(["arn:aws:s3:::my-bucket/*"]),
+ *   ]);
+ * ```
+ */
+export type IManagedPolicyBuilder = IBuilder<ManagedPolicyBuilderProps, ManagedPolicyBuilder>;
+declare class ManagedPolicyBuilder implements Lifecycle<ManagedPolicyBuilderResult> {
+    props: Partial<ManagedPolicyBuilderProps>;
+    private readonly _extraStatements;
+    /**
+     * Append policy statements to the managed policy.
+     *
+     * Accepts either {@link PolicyStatement} or {@link StatementBuilder}.
+     * Statement builders are resolved during {@link build} so wildcard-resource
+     * validation runs at the composition boundary.
+     */
+    addStatements(statements: (PolicyStatement | StatementBuilder)[]): this;
+    build(scope: IConstruct, id: string): ManagedPolicyBuilderResult;
+}
+/**
+ * Creates a new {@link IManagedPolicyBuilder} for configuring an AWS IAM
+ * customer-managed policy.
+ *
+ * @returns A fluent builder for a customer-managed policy.
+ */
+export declare function createManagedPolicyBuilder(): IManagedPolicyBuilder;
+export {};
+//# sourceMappingURL=managed-policy-builder.d.ts.map

package/dist/managed-policy-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"managed-policy-builder.d.ts","sourceRoot":"","sources":["../src/managed-policy-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC9F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAW,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;;;;;GAMG;AACH,MAAM,MAAM,yBAAyB,GAAG,kBAAkB,CAAC;AAE3D;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,0DAA0D;IAC1D,MAAM,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,MAAM,qBAAqB,GAAG,QAAQ,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAE9F,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAC/C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA8C;IAE/E;;;;;;OAMG;IACH,aAAa,CAAC,UAAU,EAAE,CAAC,eAAe,GAAG,gBAAgB,CAAC,EAAE,GAAG,IAAI;IAKvE,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,0BAA0B;CAajE;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAElE"}

package/dist/managed-policy-builder.js

@@ -0,0 +1,37 @@
+import { ManagedPolicy } from "aws-cdk-lib/aws-iam";
+import { Builder } from "@composurecdk/core";
+import { StatementBuilder } from "./statement-builder.js";
+class ManagedPolicyBuilder {
+    props = {};
+    _extraStatements = [];
+    /**
+     * Append policy statements to the managed policy.
+     *
+     * Accepts either {@link PolicyStatement} or {@link StatementBuilder}.
+     * Statement builders are resolved during {@link build} so wildcard-resource
+     * validation runs at the composition boundary.
+     */
+    addStatements(statements) {
+        this._extraStatements.push(...statements);
+        return this;
+    }
+    build(scope, id) {
+        const resolvedExtras = this._extraStatements.map((s) => s instanceof StatementBuilder ? s.build() : s);
+        const mergedProps = {
+            ...this.props,
+            statements: [...(this.props.statements ?? []), ...resolvedExtras],
+        };
+        const policy = new ManagedPolicy(scope, id, mergedProps);
+        return { policy };
+    }
+}
+/**
+ * Creates a new {@link IManagedPolicyBuilder} for configuring an AWS IAM
+ * customer-managed policy.
+ *
+ * @returns A fluent builder for a customer-managed policy.
+ */
+export function createManagedPolicyBuilder() {
+    return Builder(ManagedPolicyBuilder);
+}
+//# sourceMappingURL=managed-policy-builder.js.map

package/dist/managed-policy-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"managed-policy-builder.js","sourceRoot":"","sources":["../src/managed-policy-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAA4C,MAAM,qBAAqB,CAAC;AAE9F,OAAO,EAAE,OAAO,EAAiC,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAuC1D,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IAC9B,gBAAgB,GAA2C,EAAE,CAAC;IAE/E;;;;;;OAMG;IACH,aAAa,CAAC,UAAkD;QAC9D,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,cAAc,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,YAAY,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;QAEF,MAAM,WAAW,GAAuB;YACtC,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,cAAc,CAAC;SAClE,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACzD,OAAO,EAAE,MAAM,EAAE,CAAC;IACpB,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,OAAO,CAAkD,oBAAoB,CAAC,CAAC;AACxF,CAAC"}

package/dist/role-builder.d.ts

@@ -0,0 +1,110 @@
+import { type IManagedPolicy, PolicyDocument, PolicyStatement, Role, type RoleProps } from "aws-cdk-lib/aws-iam";
+import type { IConstruct } from "constructs";
+import { type IBuilder, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { StatementBuilder } from "./statement-builder.js";
+/**
+ * Configuration properties for the IAM role builder.
+ *
+ * Extends the CDK {@link RoleProps} with builder-specific options for
+ * cross-component wiring: `permissionsBoundary` accepts a {@link Resolvable}
+ * so boundary policies built by sibling components can be referenced at
+ * configuration time.
+ */
+interface RoleBuilderProps extends Omit<RoleProps, "permissionsBoundary"> {
+    /**
+     * A permissions boundary that caps the maximum permissions this role
+     * can ever grant, regardless of inline or managed policies attached.
+     *
+     * Accepts a concrete {@link IManagedPolicy} or a {@link Resolvable} for
+     * cross-component wiring (e.g. `ref("boundary", r => r.policy)`).
+     *
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+     */
+    permissionsBoundary?: Resolvable<IManagedPolicy>;
+}
+/**
+ * The build output of an {@link IRoleBuilder}.
+ *
+ * Exposes every CDK construct the builder creates so consumers can reference,
+ * extend, or attach additional policies to them.
+ */
+export interface RoleBuilderResult {
+    /** The IAM role construct created by the builder. */
+    role: Role;
+    /**
+     * Inline {@link PolicyDocument}s created for each
+     * {@link IRoleBuilder.addInlinePolicyStatements} call, keyed by the
+     * policy name supplied to the call.
+     *
+     * The documents are embedded in the underlying `AWS::IAM::Role`
+     * resource via the native `Policies` array — no separate
+     * `AWS::IAM::Policy` resources are created.
+     *
+     * Inline policies supplied directly via the native `inlinePolicies`
+     * prop on {@link RoleProps} do not appear in this map.
+     */
+    inlinePolicies: Record<string, PolicyDocument>;
+}
+/**
+ * A fluent builder for configuring and creating an AWS IAM role.
+ *
+ * Each configuration property from the CDK {@link RoleProps} is exposed as
+ * an overloaded method: call with a value to set it, or with no arguments
+ * to read the current value.
+ *
+ * The builder implements {@link Lifecycle}, so it can be used directly as a
+ * component in a {@link compose | composed system}. When built it creates
+ * an IAM role with well-architected defaults ({@link ROLE_DEFAULTS}) and
+ * returns a {@link RoleBuilderResult}.
+ *
+ * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html
+ *
+ * @example
+ * ```ts
+ * const role = createRoleBuilder()
+ *   .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
+ *   .description("Execution role for the budget remediation Lambda")
+ *   .addInlinePolicyStatements("StopEC2", [
+ *     createStatementBuilder()
+ *       .allow()
+ *       .actions(["ec2:StopInstances", "ec2:DescribeInstances"])
+ *       .resources(["*"])
+ *       .allowWildcardResources(true)
+ *       .build(),
+ *   ]);
+ * ```
+ */
+export type IRoleBuilder = IBuilder<RoleBuilderProps, RoleBuilder>;
+declare class RoleBuilder implements Lifecycle<RoleBuilderResult> {
+    props: Partial<RoleBuilderProps>;
+    private readonly _inlinePolicies;
+    /**
+     * Append an inline policy to the role, embedded in the underlying
+     * `AWS::IAM::Role` resource's `Policies` array. The policy name becomes
+     * the key under which the resulting {@link PolicyDocument} appears in
+     * {@link RoleBuilderResult.inlinePolicies}.
+     *
+     * Accepts either {@link PolicyStatement} instances or
+     * {@link StatementBuilder}s (which are built lazily during {@link build}
+     * so that wildcard-resource validation runs at the composition boundary
+     * rather than at configuration time).
+     */
+    addInlinePolicyStatements(name: string, statements: (PolicyStatement | StatementBuilder)[]): this;
+    build(scope: IConstruct, id: string, context?: Record<string, object>): RoleBuilderResult;
+}
+/**
+ * Creates a new {@link IRoleBuilder} for configuring an AWS IAM role.
+ *
+ * @returns A fluent builder for an AWS IAM role.
+ *
+ * @example
+ * ```ts
+ * const role = createRoleBuilder()
+ *   .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
+ *   .description("Lambda execution role")
+ *   .build(stack, "LambdaRole");
+ * ```
+ */
+export declare function createRoleBuilder(): IRoleBuilder;
+export {};
+//# sourceMappingURL=role-builder.d.ts.map

package/dist/role-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-builder.d.ts","sourceRoot":"","sources":["../src/role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,cAAc,EACnB,cAAc,EACd,eAAe,EACf,IAAI,EACJ,KAAK,SAAS,EACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAEL,KAAK,QAAQ,EACb,KAAK,SAAS,EAEd,KAAK,UAAU,EAChB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;;;;;;GAOG;AACH,UAAU,gBAAiB,SAAQ,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC;IACvE;;;;;;;;OAQG;IACH,mBAAmB,CAAC,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC;CAClD;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,IAAI,EAAE,IAAI,CAAC;IAEX;;;;;;;;;;;OAWG;IACH,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAChD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,MAAM,YAAY,GAAG,QAAQ,CAAC,gBAAgB,EAAE,WAAW,CAAC,CAAC;AAOnE,cAAM,WAAY,YAAW,SAAS,CAAC,iBAAiB,CAAC;IACvD,KAAK,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAM;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA2B;IAE3D;;;;;;;;;;OAUG;IACH,yBAAyB,CACvB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,CAAC,eAAe,GAAG,gBAAgB,CAAC,EAAE,GACjD,IAAI;IAKP,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,GAAG,iBAAiB;CA8C9F;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,IAAI,YAAY,CAEhD"}

package/dist/role-builder.js

@@ -0,0 +1,70 @@
+import { PolicyDocument, Role, } from "aws-cdk-lib/aws-iam";
+import { Builder, resolve, } from "@composurecdk/core";
+import { ROLE_DEFAULTS } from "./role-defaults.js";
+import { StatementBuilder } from "./statement-builder.js";
+class RoleBuilder {
+    props = {};
+    _inlinePolicies = [];
+    /**
+     * Append an inline policy to the role, embedded in the underlying
+     * `AWS::IAM::Role` resource's `Policies` array. The policy name becomes
+     * the key under which the resulting {@link PolicyDocument} appears in
+     * {@link RoleBuilderResult.inlinePolicies}.
+     *
+     * Accepts either {@link PolicyStatement} instances or
+     * {@link StatementBuilder}s (which are built lazily during {@link build}
+     * so that wildcard-resource validation runs at the composition boundary
+     * rather than at configuration time).
+     */
+    addInlinePolicyStatements(name, statements) {
+        this._inlinePolicies.push({ name, statements });
+        return this;
+    }
+    build(scope, id, context = {}) {
+        const { permissionsBoundary, assumedBy, inlinePolicies: propsInlinePolicies, ...rest } = this.props;
+        if (!assumedBy) {
+            throw new Error(`RoleBuilder "${id}": assumedBy(...) must be called before build(). ` +
+                `An IAM role requires a trust policy principal.`);
+        }
+        const resolvedBoundary = permissionsBoundary
+            ? resolve(permissionsBoundary, context)
+            : undefined;
+        const addedInlinePolicies = {};
+        for (const entry of this._inlinePolicies) {
+            const resolvedStatements = entry.statements.map((s) => s instanceof StatementBuilder ? s.build() : s);
+            addedInlinePolicies[entry.name] = new PolicyDocument({ statements: resolvedStatements });
+        }
+        const mergedInlinePolicies = {
+            ...(propsInlinePolicies ?? {}),
+            ...addedInlinePolicies,
+        };
+        const mergedProps = {
+            ...ROLE_DEFAULTS,
+            ...rest,
+            assumedBy,
+            ...(Object.keys(mergedInlinePolicies).length > 0
+                ? { inlinePolicies: mergedInlinePolicies }
+                : {}),
+            ...(resolvedBoundary ? { permissionsBoundary: resolvedBoundary } : {}),
+        };
+        const role = new Role(scope, id, mergedProps);
+        return { role, inlinePolicies: addedInlinePolicies };
+    }
+}
+/**
+ * Creates a new {@link IRoleBuilder} for configuring an AWS IAM role.
+ *
+ * @returns A fluent builder for an AWS IAM role.
+ *
+ * @example
+ * ```ts
+ * const role = createRoleBuilder()
+ *   .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
+ *   .description("Lambda execution role")
+ *   .build(stack, "LambdaRole");
+ * ```
+ */
+export function createRoleBuilder() {
+    return Builder(RoleBuilder);
+}
+//# sourceMappingURL=role-builder.js.map

package/dist/role-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-builder.js","sourceRoot":"","sources":["../src/role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,cAAc,EAEd,IAAI,GAEL,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,OAAO,EAGP,OAAO,GAER,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAoF1D,MAAM,WAAW;IACf,KAAK,GAA8B,EAAE,CAAC;IACrB,eAAe,GAAwB,EAAE,CAAC;IAE3D;;;;;;;;;;OAUG;IACH,yBAAyB,CACvB,IAAY,EACZ,UAAkD;QAElD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU,EAAE,UAAkC,EAAE;QACvE,MAAM,EACJ,mBAAmB,EACnB,SAAS,EACT,cAAc,EAAE,mBAAmB,EACnC,GAAG,IAAI,EACR,GAAG,IAAI,CAAC,KAAK,CAAC;QAEf,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,gBAAgB,EAAE,mDAAmD;gBACnE,gDAAgD,CACnD,CAAC;QACJ,CAAC;QAED,MAAM,gBAAgB,GAAG,mBAAmB;YAC1C,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,OAAO,CAAC;YACvC,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,mBAAmB,GAAmC,EAAE,CAAC;QAC/D,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzC,MAAM,kBAAkB,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACpD,CAAC,YAAY,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;YACF,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,cAAc,CAAC,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,oBAAoB,GAAmC;YAC3D,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;YAC9B,GAAG,mBAAmB;SACvB,CAAC;QAEF,MAAM,WAAW,GAAc;YAC7B,GAAG,aAAa;YAChB,GAAG,IAAI;YACP,SAAS;YACT,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;gBAC9C,CAAC,CAAC,EAAE,cAAc,EAAE,oBAAoB,EAAE;gBAC1C,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAE9C,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACvD,CAAC;CACF;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,OAAO,CAAgC,WAAW,CAAC,CAAC;AAC7D,CAAC"}

package/dist/role-defaults.d.ts

@@ -0,0 +1,8 @@
+import type { RoleProps } from "aws-cdk-lib/aws-iam";
+/**
+ * Secure, AWS-recommended defaults applied to every IAM role built with
+ * {@link createRoleBuilder}. Each property can be individually overridden
+ * via the builder's fluent API.
+ */
+export declare const ROLE_DEFAULTS: Partial<RoleProps>;
+//# sourceMappingURL=role-defaults.d.ts.map

package/dist/role-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-defaults.d.ts","sourceRoot":"","sources":["../src/role-defaults.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAErD;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,OAAO,CAAC,SAAS,CAa5C,CAAC"}

package/dist/role-defaults.js

@@ -0,0 +1,21 @@
+import { Duration } from "aws-cdk-lib";
+/**
+ * Secure, AWS-recommended defaults applied to every IAM role built with
+ * {@link createRoleBuilder}. Each property can be individually overridden
+ * via the builder's fluent API.
+ */
+export const ROLE_DEFAULTS = {
+    /**
+     * Cap the session duration to one hour by default.
+     *
+     * Short-lived credentials reduce the blast radius of leaked or misused
+     * role sessions. Callers that genuinely need longer sessions (for
+     * example, long-running batch jobs that assume the role once) should
+     * override via {@link IRoleBuilder.maxSessionDuration}.
+     *
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_define_guardrails.html
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+     */
+    maxSessionDuration: Duration.hours(1),
+};
+//# sourceMappingURL=role-defaults.js.map

package/dist/role-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-defaults.js","sourceRoot":"","sources":["../src/role-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAuB;IAC/C;;;;;;;;;;OAUG;IACH,kBAAkB,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;CACtC,CAAC"}

package/dist/service-role-builder.d.ts

@@ -0,0 +1,24 @@
+import { type IRoleBuilder } from "./role-builder.js";
+/**
+ * Creates a pre-configured {@link IRoleBuilder} whose trust policy allows
+ * the given AWS service principal to assume the role.
+ *
+ * Thin sugar over {@link createRoleBuilder} for the most common role shape:
+ * a service-assumable role (Lambda, EC2, Budgets, etc.) with no extra
+ * trust-policy conditions. Any property set by the caller afterwards
+ * (including `assumedBy`) still wins, because the underlying builder
+ * simply records the last value written.
+ *
+ * @param servicePrincipal - The service identifier, e.g.
+ *   `"lambda.amazonaws.com"` or `"budgets.amazonaws.com"`.
+ * @returns A role builder with `assumedBy` preset to the given service.
+ *
+ * @example
+ * ```ts
+ * const role = createServiceRoleBuilder("lambda.amazonaws.com")
+ *   .description("Execution role for StopEC2 Lambda")
+ *   .addInlinePolicyStatements("StopEC2", [ ... ]);
+ * ```
+ */
+export declare function createServiceRoleBuilder(servicePrincipal: string): IRoleBuilder;
+//# sourceMappingURL=service-role-builder.d.ts.map

package/dist/service-role-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-role-builder.d.ts","sourceRoot":"","sources":["../src/service-role-builder.ts"],"names":[],"mappings":"AACA,OAAO,EAAqB,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEzE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,GAAG,YAAY,CAE/E"}

package/dist/service-role-builder.js

@@ -0,0 +1,27 @@
+import { ServicePrincipal } from "aws-cdk-lib/aws-iam";
+import { createRoleBuilder } from "./role-builder.js";
+/**
+ * Creates a pre-configured {@link IRoleBuilder} whose trust policy allows
+ * the given AWS service principal to assume the role.
+ *
+ * Thin sugar over {@link createRoleBuilder} for the most common role shape:
+ * a service-assumable role (Lambda, EC2, Budgets, etc.) with no extra
+ * trust-policy conditions. Any property set by the caller afterwards
+ * (including `assumedBy`) still wins, because the underlying builder
+ * simply records the last value written.
+ *
+ * @param servicePrincipal - The service identifier, e.g.
+ *   `"lambda.amazonaws.com"` or `"budgets.amazonaws.com"`.
+ * @returns A role builder with `assumedBy` preset to the given service.
+ *
+ * @example
+ * ```ts
+ * const role = createServiceRoleBuilder("lambda.amazonaws.com")
+ *   .description("Execution role for StopEC2 Lambda")
+ *   .addInlinePolicyStatements("StopEC2", [ ... ]);
+ * ```
+ */
+export function createServiceRoleBuilder(servicePrincipal) {
+    return createRoleBuilder().assumedBy(new ServicePrincipal(servicePrincipal));
+}
+//# sourceMappingURL=service-role-builder.js.map

package/dist/service-role-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-role-builder.js","sourceRoot":"","sources":["../src/service-role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAqB,MAAM,mBAAmB,CAAC;AAEzE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,wBAAwB,CAAC,gBAAwB;IAC/D,OAAO,iBAAiB,EAAE,CAAC,SAAS,CAAC,IAAI,gBAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC;AAC/E,CAAC"}

package/dist/statement-builder.d.ts

@@ -0,0 +1,92 @@
+import { Effect, type IPrincipal, PolicyStatement } from "aws-cdk-lib/aws-iam";
+/**
+ * Thrown when a {@link StatementBuilder} is built with an `Allow` effect and
+ * an unrestricted resource (`"*"`) without the caller having explicitly
+ * opted in via {@link StatementBuilder.allowWildcardResources}.
+ *
+ * Wildcard-resource allow statements grant the widest possible permission
+ * surface and should be an intentional choice, not an accident.
+ *
+ * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html
+ */
+export declare class WildcardResourceError extends Error {
+    constructor(sid?: string);
+}
+/**
+ * Fluent wrapper around the CDK {@link PolicyStatement}.
+ *
+ * Unlike other ComposureCDK builders this one is **not** a
+ * {@link Lifecycle} — a policy statement is inline data attached to a Role,
+ * ManagedPolicy, or resource policy rather than a standalone CDK construct,
+ * so there is nothing to attach to a scope.
+ *
+ * The builder exists to:
+ * - centralise least-privilege validation (wildcard-resource guard,
+ *   {@link WildcardResourceError}),
+ * - give every consumer (Role, ManagedPolicy, SNS TopicPolicy, future
+ *   SQS/S3 bucket policies) one fluent API,
+ * - remain interchangeable with raw {@link PolicyStatement} instances via
+ *   {@link StatementBuilder.build}.
+ *
+ * @example
+ * ```ts
+ * const stmt = createStatementBuilder()
+ *   .sid("StopDevInstances")
+ *   .allow()
+ *   .actions(["ec2:StopInstances", "ec2:DescribeInstances"])
+ *   .resources(["*"])
+ *   .allowWildcardResources(true)
+ *   .build();
+ * ```
+ */
+export declare class StatementBuilder {
+    private _sid?;
+    private _effect;
+    private _actions;
+    private _notActions;
+    private _resources;
+    private _notResources;
+    private _principals;
+    private _notPrincipals;
+    private _conditions?;
+    private _allowWildcardResources;
+    sid(sid: string): this;
+    allow(): this;
+    deny(): this;
+    effect(effect: Effect): this;
+    actions(actions: string[]): this;
+    notActions(actions: string[]): this;
+    resources(resources: string[]): this;
+    notResources(resources: string[]): this;
+    principals(principals: IPrincipal[]): this;
+    notPrincipals(principals: IPrincipal[]): this;
+    conditions(conditions: Record<string, Record<string, unknown>>): this;
+    /**
+     * Opt in to Effect=Allow statements with wildcard resources (`"*"`).
+     *
+     * The builder rejects wildcard resources by default to surface
+     * least-privilege violations; call this to acknowledge that the
+     * statement genuinely needs unrestricted scope (for example actions
+     * such as `ec2:DescribeInstances` that do not support resource-level
+     * permissions).
+     *
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+     */
+    allowWildcardResources(allow?: boolean): this;
+    /**
+     * Construct and return a {@link PolicyStatement} from the configured state.
+     *
+     * @throws {WildcardResourceError} when the statement is an Allow with a
+     *   wildcard resource and wildcard resources have not been opted in to.
+     */
+    build(): PolicyStatement;
+}
+/**
+ * Creates a new {@link StatementBuilder} for configuring an IAM
+ * {@link PolicyStatement} with least-privilege guardrails.
+ *
+ * @returns A fluent builder that produces a {@link PolicyStatement} when
+ *   {@link StatementBuilder.build} is called.
+ */
+export declare function createStatementBuilder(): StatementBuilder;
+//# sourceMappingURL=statement-builder.d.ts.map

package/dist/statement-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement-builder.d.ts","sourceRoot":"","sources":["../src/statement-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,KAAK,UAAU,EACf,eAAe,EAEhB,MAAM,qBAAqB,CAAC;AAE7B;;;;;;;;;GASG;AACH,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,GAAG,CAAC,EAAE,MAAM;CAOzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,IAAI,CAAC,CAAS;IACtB,OAAO,CAAC,OAAO,CAAwB;IACvC,OAAO,CAAC,QAAQ,CAAgB;IAChC,OAAO,CAAC,WAAW,CAAgB;IACnC,OAAO,CAAC,UAAU,CAAgB;IAClC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,cAAc,CAAoB;IAC1C,OAAO,CAAC,WAAW,CAAC,CAA0C;IAC9D,OAAO,CAAC,uBAAuB,CAAS;IAExC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAKtB,KAAK,IAAI,IAAI;IAKb,IAAI,IAAI,IAAI;IAKZ,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAK5B,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKhC,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKnC,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAKpC,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAKvC,UAAU,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI;IAK1C,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI;IAK7C,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI;IAKrE;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,KAAK,UAAO,GAAG,IAAI;IAK1C;;;;;OAKG;IACH,KAAK,IAAI,eAAe;CAuBzB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,IAAI,gBAAgB,CAEzD"}

package/dist/statement-builder.js

@@ -0,0 +1,152 @@
+import { Effect, PolicyStatement, } from "aws-cdk-lib/aws-iam";
+/**
+ * Thrown when a {@link StatementBuilder} is built with an `Allow` effect and
+ * an unrestricted resource (`"*"`) without the caller having explicitly
+ * opted in via {@link StatementBuilder.allowWildcardResources}.
+ *
+ * Wildcard-resource allow statements grant the widest possible permission
+ * surface and should be an intentional choice, not an accident.
+ *
+ * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html
+ */
+export class WildcardResourceError extends Error {
+    constructor(sid) {
+        super(`PolicyStatement${sid ? ` "${sid}"` : ""} has Effect=Allow with a wildcard resource ("*"). ` +
+            `Scope the resources or call allowWildcardResources(true) to opt in explicitly.`);
+        this.name = "WildcardResourceError";
+    }
+}
+/**
+ * Fluent wrapper around the CDK {@link PolicyStatement}.
+ *
+ * Unlike other ComposureCDK builders this one is **not** a
+ * {@link Lifecycle} — a policy statement is inline data attached to a Role,
+ * ManagedPolicy, or resource policy rather than a standalone CDK construct,
+ * so there is nothing to attach to a scope.
+ *
+ * The builder exists to:
+ * - centralise least-privilege validation (wildcard-resource guard,
+ *   {@link WildcardResourceError}),
+ * - give every consumer (Role, ManagedPolicy, SNS TopicPolicy, future
+ *   SQS/S3 bucket policies) one fluent API,
+ * - remain interchangeable with raw {@link PolicyStatement} instances via
+ *   {@link StatementBuilder.build}.
+ *
+ * @example
+ * ```ts
+ * const stmt = createStatementBuilder()
+ *   .sid("StopDevInstances")
+ *   .allow()
+ *   .actions(["ec2:StopInstances", "ec2:DescribeInstances"])
+ *   .resources(["*"])
+ *   .allowWildcardResources(true)
+ *   .build();
+ * ```
+ */
+export class StatementBuilder {
+    _sid;
+    _effect = Effect.ALLOW;
+    _actions = [];
+    _notActions = [];
+    _resources = [];
+    _notResources = [];
+    _principals = [];
+    _notPrincipals = [];
+    _conditions;
+    _allowWildcardResources = false;
+    sid(sid) {
+        this._sid = sid;
+        return this;
+    }
+    allow() {
+        this._effect = Effect.ALLOW;
+        return this;
+    }
+    deny() {
+        this._effect = Effect.DENY;
+        return this;
+    }
+    effect(effect) {
+        this._effect = effect;
+        return this;
+    }
+    actions(actions) {
+        this._actions = [...actions];
+        return this;
+    }
+    notActions(actions) {
+        this._notActions = [...actions];
+        return this;
+    }
+    resources(resources) {
+        this._resources = [...resources];
+        return this;
+    }
+    notResources(resources) {
+        this._notResources = [...resources];
+        return this;
+    }
+    principals(principals) {
+        this._principals = [...principals];
+        return this;
+    }
+    notPrincipals(principals) {
+        this._notPrincipals = [...principals];
+        return this;
+    }
+    conditions(conditions) {
+        this._conditions = { ...conditions };
+        return this;
+    }
+    /**
+     * Opt in to Effect=Allow statements with wildcard resources (`"*"`).
+     *
+     * The builder rejects wildcard resources by default to surface
+     * least-privilege violations; call this to acknowledge that the
+     * statement genuinely needs unrestricted scope (for example actions
+     * such as `ec2:DescribeInstances` that do not support resource-level
+     * permissions).
+     *
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+     */
+    allowWildcardResources(allow = true) {
+        this._allowWildcardResources = allow;
+        return this;
+    }
+    /**
+     * Construct and return a {@link PolicyStatement} from the configured state.
+     *
+     * @throws {WildcardResourceError} when the statement is an Allow with a
+     *   wildcard resource and wildcard resources have not been opted in to.
+     */
+    build() {
+        if (this._effect === Effect.ALLOW &&
+            !this._allowWildcardResources &&
+            this._resources.some((r) => r === "*")) {
+            throw new WildcardResourceError(this._sid);
+        }
+        const props = {
+            sid: this._sid,
+            effect: this._effect,
+            actions: this._actions.length > 0 ? this._actions : undefined,
+            notActions: this._notActions.length > 0 ? this._notActions : undefined,
+            resources: this._resources.length > 0 ? this._resources : undefined,
+            notResources: this._notResources.length > 0 ? this._notResources : undefined,
+            principals: this._principals.length > 0 ? this._principals : undefined,
+            notPrincipals: this._notPrincipals.length > 0 ? this._notPrincipals : undefined,
+            conditions: this._conditions,
+        };
+        return new PolicyStatement(props);
+    }
+}
+/**
+ * Creates a new {@link StatementBuilder} for configuring an IAM
+ * {@link PolicyStatement} with least-privilege guardrails.
+ *
+ * @returns A fluent builder that produces a {@link PolicyStatement} when
+ *   {@link StatementBuilder.build} is called.
+ */
+export function createStatementBuilder() {
+    return new StatementBuilder();
+}
+//# sourceMappingURL=statement-builder.js.map

package/dist/statement-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement-builder.js","sourceRoot":"","sources":["../src/statement-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EAEN,eAAe,GAEhB,MAAM,qBAAqB,CAAC;AAE7B;;;;;;;;;GASG;AACH,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,GAAY;QACtB,KAAK,CACH,kBAAkB,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,oDAAoD;YAC1F,gFAAgF,CACnF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,OAAO,gBAAgB;IACnB,IAAI,CAAU;IACd,OAAO,GAAW,MAAM,CAAC,KAAK,CAAC;IAC/B,QAAQ,GAAa,EAAE,CAAC;IACxB,WAAW,GAAa,EAAE,CAAC;IAC3B,UAAU,GAAa,EAAE,CAAC;IAC1B,aAAa,GAAa,EAAE,CAAC;IAC7B,WAAW,GAAiB,EAAE,CAAC;IAC/B,cAAc,GAAiB,EAAE,CAAC;IAClC,WAAW,CAA2C;IACtD,uBAAuB,GAAG,KAAK,CAAC;IAExC,GAAG,CAAC,GAAW;QACb,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI;QACF,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,MAAc;QACnB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,OAAiB;QACvB,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,OAAiB;QAC1B,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,CAAC,SAAmB;QAC3B,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,YAAY,CAAC,SAAmB;QAC9B,IAAI,CAAC,aAAa,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,UAAwB;QACjC,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,aAAa,CAAC,UAAwB;QACpC,IAAI,CAAC,cAAc,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,UAAmD;QAC5D,IAAI,CAAC,WAAW,GAAG,EAAE,GAAG,UAAU,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,KAAK,GAAG,IAAI;QACjC,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,KAAK;QACH,IACE,IAAI,CAAC,OAAO,KAAK,MAAM,CAAC,KAAK;YAC7B,CAAC,IAAI,CAAC,uBAAuB;YAC7B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,EACtC,CAAC;YACD,MAAM,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,KAAK,GAAyB;YAClC,GAAG,EAAE,IAAI,CAAC,IAAI;YACd,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YAC7D,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACnE,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;YAC5E,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS;YAC/E,UAAU,EAAE,IAAI,CAAC,WAAW;SAC7B,CAAC;QAEF,OAAO,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO,IAAI,gBAAgB,EAAE,CAAC;AAChC,CAAC"}

package/package.json

@@ -0,0 +1,49 @@
+{
+  "name": "@composurecdk/iam",
+  "version": "0.3.0",
+  "description": "Composable IAM role, policy, and statement builders with well-architected defaults",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/laazyj/composureCDK",
+    "directory": "packages/iam"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "clean": "rm -rf dist",
+    "build": "tsc -p tsconfig.build.json",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run --passWithNoTests",
+    "test:watch": "vitest"
+  },
+  "keywords": [],
+  "author": "Jason Duffett (https://github.com/laazyj)",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "peerDependencies": {
+    "@composurecdk/core": "^0.3.0",
+    "aws-cdk-lib": "^2.0.0",
+    "constructs": "^10.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.6.0",
+    "aws-cdk-lib": "^2.250.0",
+    "constructs": "^10.6.0",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.4"
+  }
+}