@gradientedge/cdk-utils 5.8.0 → 5.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -477,6 +477,10 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
477
477
  this.apiDestinedRestApi.api = apig.RestApi.fromRestApiId(this, `${this.id}-sns-rest-api`, cdk.Fn.importValue(this.props.api.importedRestApiRef));
478
478
  return;
479
479
  }
480
+ const accessLogGroup = this.logManager.createLogGroup(`${this.id}-sns-rest-api-access-log`, this, {
481
+ logGroupName: `/custom/api/${this.id}-destined-rest-api-access-${this.props.stage}`,
482
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
483
+ });
480
484
  this.apiDestinedRestApi.api = new apig.RestApi(this, `${this.id}-sns-rest-api`, {
481
485
  ...{
482
486
  defaultIntegration: this.apiDestinedRestApi.integration,
@@ -489,6 +493,8 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
489
493
  loggingLevel: apig.MethodLoggingLevel.INFO,
490
494
  metricsEnabled: true,
491
495
  stageName: this.props.stage,
496
+ accessLogDestination: new apig.LogGroupLogDestination(accessLogGroup),
497
+ accessLogFormat: apig.AccessLogFormat.jsonWithStandardFields(),
492
498
  },
493
499
  endpointConfiguration: {
494
500
  types: [apig.EndpointType.REGIONAL],
@@ -30,12 +30,14 @@ export declare class IamManager {
30
30
  /**
31
31
  * @summary Method to create iam statement to read secrets
32
32
  * @param {common.CommonConstruct} scope scope in which this resource is defined
33
+ * @param {string[]} resourceArns list of ARNs to allow access to
33
34
  */
34
- statementForReadSecrets(scope: common.CommonConstruct): cdk.aws_iam.PolicyStatement;
35
+ statementForReadSecrets(scope: common.CommonConstruct, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
35
36
  /**
36
37
  * @summary Method to create iam statement to put events
38
+ * @param {string[]} resourceArns list of ARNs to allow access to
37
39
  */
38
- statementForPutEvents(): cdk.aws_iam.PolicyStatement;
40
+ statementForPutEvents(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
39
41
  /**
40
42
  * @summary Method to create iam statement to invoke lambda function
41
43
  * @param {string[]} resourceArns list of ARNs to allow access to
@@ -43,8 +45,9 @@ export declare class IamManager {
43
45
  statementForInvokeLambda(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
44
46
  /**
45
47
  * @summary Method to create iam statement to read app config
48
+ * @param {string[]} resourceArns list of ARNs to allow access to
46
49
  */
47
- statementForReadAnyAppConfig(): cdk.aws_iam.PolicyStatement;
50
+ statementForReadAnyAppConfig(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
48
51
  /**
49
52
  * @summary Method to create iam statement to list s3 buckets
50
53
  * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -53,38 +56,45 @@ export declare class IamManager {
53
56
  statementForListBucket(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
54
57
  /**
55
58
  * @summary Method to create iam statement to list all s3 buckets
59
+ * @param {string[]} resourceArns list of ARNs to allow access to
56
60
  */
57
- statementForListAllMyBuckets(): cdk.aws_iam.PolicyStatement;
61
+ statementForListAllMyBuckets(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
58
62
  /**
59
63
  * @summary Method to create iam statement to get s3 objects in buckets
60
64
  * @param {common.CommonConstruct} scope scope in which this resource is defined
61
65
  * @param {s3.IBucket} bucket
66
+ * @param {string[]} resourceArns list of ARNs to allow access to
62
67
  */
63
- statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
68
+ statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
64
69
  /**
65
70
  * @summary Method to create iam statement to delete s3 objects in buckets
66
71
  * @param {common.CommonConstruct} scope scope in which this resource is defined
67
72
  * @param {s3.IBucket} bucket
73
+ * @param {string[]} resourceArns list of ARNs to allow access to
68
74
  */
69
- statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
75
+ statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
70
76
  /**
71
77
  * @summary Method to create iam statement to write s3 objects in buckets
72
78
  * @param {common.CommonConstruct} scope scope in which this resource is defined
73
79
  * @param {s3.IBucket} bucket
80
+ * @param {string[]} resourceArns list of ARNs to allow access to
74
81
  */
75
- statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
82
+ statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
76
83
  /**
77
84
  * @summary Method to create iam statement to pass iam role
85
+ * @param {string[]} resourceArns list of ARNs to allow access to
78
86
  */
79
- statementForPassRole(): cdk.aws_iam.PolicyStatement;
87
+ statementForPassRole(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
80
88
  /**
81
89
  * @summary Method to create iam statement to invalidate cloudfront cache
90
+ * @param {string[]} resourceArns list of ARNs to allow access to
82
91
  */
83
- statementForCloudfrontInvalidation(): cdk.aws_iam.PolicyStatement;
92
+ statementForCloudfrontInvalidation(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
84
93
  /**
85
94
  * @summary Method to create iam policy to invalidate cloudfront cache
95
+ * @param {string[]} resourceArns list of ARNs to allow access to
86
96
  */
87
- policyForCloudfrontInvalidation(): cdk.aws_iam.PolicyDocument;
97
+ policyForCloudfrontInvalidation(resourceArns?: string[]): cdk.aws_iam.PolicyDocument;
88
98
  /**
89
99
  * @summary Method to create iam role to invalidate cloudfront cache
90
100
  * @param {string} id scoped id of the resource
@@ -99,8 +109,9 @@ export declare class IamManager {
99
109
  statementForAssumeRole(scope: common.CommonConstruct, servicePrincipals: iam.ServicePrincipal[]): cdk.aws_iam.PolicyStatement;
100
110
  /**
101
111
  * @summary Method to create iam statement to pass ecs role
112
+ * @param {string[]} resourceArns list of ARNs to allow access to
102
113
  */
103
- statementForEcsPassRole(): cdk.aws_iam.PolicyStatement;
114
+ statementForEcsPassRole(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
104
115
  /**
105
116
  * @summary Method to create iam statement to run ecs task
106
117
  * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -116,8 +127,9 @@ export declare class IamManager {
116
127
  statementForCreateLogStream(scope: common.CommonConstruct, logGroup: logs.CfnLogGroup): cdk.aws_iam.PolicyStatement;
117
128
  /**
118
129
  * @summary Method to create iam statement to create any log stream
130
+ * @param {string[]} resourceArns list of ARNs to allow access to
119
131
  */
120
- statementForCreateAnyLogStream(): cdk.aws_iam.PolicyStatement;
132
+ statementForCreateAnyLogStream(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
121
133
  /**
122
134
  * @summary Method to create iam statement to write log events
123
135
  * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -126,12 +138,19 @@ export declare class IamManager {
126
138
  statementForPutLogEvent(scope: common.CommonConstruct, logGroup: logs.CfnLogGroup): cdk.aws_iam.PolicyStatement;
127
139
  /**
128
140
  * @summary Method to create iam statement to write any log events
141
+ * @param {string[]} resourceArns list of ARNs to allow access to
129
142
  */
130
- statementForPutAnyLogEvent(): cdk.aws_iam.PolicyStatement;
143
+ statementForPutAnyLogEvent(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
131
144
  /**
132
145
  * @summary Method to create iam statement to read items from dynamodb table
146
+ * @param {string[]} resourceArns list of ARNs to allow access to
133
147
  */
134
- statementForReadTableItems(): cdk.aws_iam.PolicyStatement;
148
+ statementForReadTableItems(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
149
+ /**
150
+ * @summary Method to create iam statement to write items from dynamodb table
151
+ * @param {string[]} resourceArns list of ARNs to allow access to
152
+ */
153
+ statementForWriteTableItems(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
135
154
  /**
136
155
  * @summary Method to create iam statement for cloud trail
137
156
  * @param {string} id scoped id of the resource
@@ -174,7 +193,9 @@ export declare class IamManager {
174
193
  * @summary Method to create iam policy for sqs
175
194
  * @param {string} id scoped id of the resource
176
195
  * @param {common.CommonConstruct} scope scope in which this resource is defined
177
- * @param {iam.ServicePrincipal} servicePrinicpal
196
+ * @param sqsQueue
197
+ * @param eventBridgeRule
198
+ * @param servicePrincipals
178
199
  */
179
200
  createPolicyForSqsEvent(id: string, scope: common.CommonConstruct, sqsQueue: sqs.Queue, eventBridgeRule: events.IRule, servicePrincipals?: iam.ServicePrincipal[]): cdk.aws_iam.PolicyDocument;
180
201
  }
@@ -51,22 +51,26 @@ class IamManager {
51
51
  /**
52
52
  * @summary Method to create iam statement to read secrets
53
53
  * @param {common.CommonConstruct} scope scope in which this resource is defined
54
+ * @param {string[]} resourceArns list of ARNs to allow access to
54
55
  */
55
- statementForReadSecrets(scope) {
56
+ statementForReadSecrets(scope, resourceArns) {
56
57
  return new iam.PolicyStatement({
57
58
  effect: iam.Effect.ALLOW,
58
59
  actions: ['secretsmanager:GetSecretValue'],
59
- resources: [`arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`],
60
+ resources: resourceArns ?? [
61
+ `arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`,
62
+ ],
60
63
  });
61
64
  }
62
65
  /**
63
66
  * @summary Method to create iam statement to put events
67
+ * @param {string[]} resourceArns list of ARNs to allow access to
64
68
  */
65
- statementForPutEvents() {
69
+ statementForPutEvents(resourceArns) {
66
70
  return new iam.PolicyStatement({
67
71
  effect: iam.Effect.ALLOW,
68
72
  actions: ['events:PutEvents'],
69
- resources: ['*'],
73
+ resources: resourceArns ?? ['*'],
70
74
  });
71
75
  }
72
76
  /**
@@ -82,8 +86,9 @@ class IamManager {
82
86
  }
83
87
  /**
84
88
  * @summary Method to create iam statement to read app config
89
+ * @param {string[]} resourceArns list of ARNs to allow access to
85
90
  */
86
- statementForReadAnyAppConfig() {
91
+ statementForReadAnyAppConfig(resourceArns) {
87
92
  return new iam.PolicyStatement({
88
93
  effect: iam.Effect.ALLOW,
89
94
  actions: [
@@ -100,7 +105,7 @@ class IamManager {
100
105
  'appconfig:GetConfiguration',
101
106
  'appconfig:ListDeployments',
102
107
  ],
103
- resources: ['*'],
108
+ resources: resourceArns ?? ['*'],
104
109
  });
105
110
  }
106
111
  /**
@@ -117,74 +122,81 @@ class IamManager {
117
122
  }
118
123
  /**
119
124
  * @summary Method to create iam statement to list all s3 buckets
125
+ * @param {string[]} resourceArns list of ARNs to allow access to
120
126
  */
121
- statementForListAllMyBuckets() {
127
+ statementForListAllMyBuckets(resourceArns) {
122
128
  return new iam.PolicyStatement({
123
129
  effect: iam.Effect.ALLOW,
124
130
  actions: ['s3:ListAllMyBuckets'],
125
- resources: ['*'],
131
+ resources: resourceArns ?? ['*'],
126
132
  });
127
133
  }
128
134
  /**
129
135
  * @summary Method to create iam statement to get s3 objects in buckets
130
136
  * @param {common.CommonConstruct} scope scope in which this resource is defined
131
137
  * @param {s3.IBucket} bucket
138
+ * @param {string[]} resourceArns list of ARNs to allow access to
132
139
  */
133
- statementForGetAnyS3Objects(scope, bucket) {
140
+ statementForGetAnyS3Objects(scope, bucket, resourceArns) {
134
141
  return new iam.PolicyStatement({
135
142
  effect: iam.Effect.ALLOW,
136
143
  actions: ['s3:GetObject', 's3:GetObjectAcl'],
137
- resources: [bucket.arnForObjects(`*`)],
144
+ resources: resourceArns ?? [bucket.arnForObjects(`*`)],
138
145
  });
139
146
  }
140
147
  /**
141
148
  * @summary Method to create iam statement to delete s3 objects in buckets
142
149
  * @param {common.CommonConstruct} scope scope in which this resource is defined
143
150
  * @param {s3.IBucket} bucket
151
+ * @param {string[]} resourceArns list of ARNs to allow access to
144
152
  */
145
- statementForDeleteAnyS3Objects(scope, bucket) {
153
+ statementForDeleteAnyS3Objects(scope, bucket, resourceArns) {
146
154
  return new iam.PolicyStatement({
147
155
  effect: iam.Effect.ALLOW,
148
156
  actions: ['s3:DeleteObject'],
149
- resources: [bucket.arnForObjects(`*`)],
157
+ resources: resourceArns ?? [bucket.arnForObjects(`*`)],
150
158
  });
151
159
  }
152
160
  /**
153
161
  * @summary Method to create iam statement to write s3 objects in buckets
154
162
  * @param {common.CommonConstruct} scope scope in which this resource is defined
155
163
  * @param {s3.IBucket} bucket
164
+ * @param {string[]} resourceArns list of ARNs to allow access to
156
165
  */
157
- statementForPutAnyS3Objects(scope, bucket) {
166
+ statementForPutAnyS3Objects(scope, bucket, resourceArns) {
158
167
  return new iam.PolicyStatement({
159
168
  effect: iam.Effect.ALLOW,
160
169
  actions: ['s3:PutObject', 's3:PutObjectAcl'],
161
- resources: [bucket.arnForObjects(`*`)],
170
+ resources: resourceArns ?? [bucket.arnForObjects(`*`)],
162
171
  });
163
172
  }
164
173
  /**
165
174
  * @summary Method to create iam statement to pass iam role
175
+ * @param {string[]} resourceArns list of ARNs to allow access to
166
176
  */
167
- statementForPassRole() {
177
+ statementForPassRole(resourceArns) {
168
178
  return new iam.PolicyStatement({
169
179
  effect: iam.Effect.ALLOW,
170
180
  actions: ['iam:PassRole'],
171
- resources: ['*'],
181
+ resources: resourceArns ?? ['*'],
172
182
  });
173
183
  }
174
184
  /**
175
185
  * @summary Method to create iam statement to invalidate cloudfront cache
186
+ * @param {string[]} resourceArns list of ARNs to allow access to
176
187
  */
177
- statementForCloudfrontInvalidation() {
188
+ statementForCloudfrontInvalidation(resourceArns) {
178
189
  return new iam.PolicyStatement({
179
190
  effect: iam.Effect.ALLOW,
180
191
  actions: ['cloudfront:GetInvalidation', 'cloudfront:CreateInvalidation'],
181
- resources: ['*'],
192
+ resources: resourceArns ?? ['*'],
182
193
  });
183
194
  }
184
195
  /**
185
196
  * @summary Method to create iam policy to invalidate cloudfront cache
197
+ * @param {string[]} resourceArns list of ARNs to allow access to
186
198
  */
187
- policyForCloudfrontInvalidation() {
199
+ policyForCloudfrontInvalidation(resourceArns) {
188
200
  return new iam.PolicyDocument({
189
201
  statements: [
190
202
  this.statementForCreateAnyLogStream(),
@@ -198,7 +210,7 @@ class IamManager {
198
210
  'ecr:BatchCheckLayerAvailability',
199
211
  'ecr:GetAuthorizationToken',
200
212
  ],
201
- resources: ['*'],
213
+ resources: resourceArns ?? ['*'],
202
214
  }),
203
215
  ],
204
216
  });
@@ -230,12 +242,13 @@ class IamManager {
230
242
  }
231
243
  /**
232
244
  * @summary Method to create iam statement to pass ecs role
245
+ * @param {string[]} resourceArns list of ARNs to allow access to
233
246
  */
234
- statementForEcsPassRole() {
247
+ statementForEcsPassRole(resourceArns) {
235
248
  return new iam.PolicyStatement({
236
249
  effect: iam.Effect.ALLOW,
237
250
  actions: ['iam:PassRole'],
238
- resources: ['*'],
251
+ resources: resourceArns ?? ['*'],
239
252
  conditions: { StringLike: { 'iam:PassedToService': 'ecs-tasks.amazonaws.com' } },
240
253
  });
241
254
  }
@@ -270,12 +283,13 @@ class IamManager {
270
283
  }
271
284
  /**
272
285
  * @summary Method to create iam statement to create any log stream
286
+ * @param {string[]} resourceArns list of ARNs to allow access to
273
287
  */
274
- statementForCreateAnyLogStream() {
288
+ statementForCreateAnyLogStream(resourceArns) {
275
289
  return new iam.PolicyStatement({
276
290
  effect: iam.Effect.ALLOW,
277
291
  actions: ['logs:CreateLogStream'],
278
- resources: ['*'],
292
+ resources: resourceArns ?? ['*'],
279
293
  });
280
294
  }
281
295
  /**
@@ -295,18 +309,20 @@ class IamManager {
295
309
  }
296
310
  /**
297
311
  * @summary Method to create iam statement to write any log events
312
+ * @param {string[]} resourceArns list of ARNs to allow access to
298
313
  */
299
- statementForPutAnyLogEvent() {
314
+ statementForPutAnyLogEvent(resourceArns) {
300
315
  return new iam.PolicyStatement({
301
316
  effect: iam.Effect.ALLOW,
302
317
  actions: ['logs:PutLogEvents'],
303
- resources: ['*'],
318
+ resources: resourceArns ?? ['*'],
304
319
  });
305
320
  }
306
321
  /**
307
322
  * @summary Method to create iam statement to read items from dynamodb table
323
+ * @param {string[]} resourceArns list of ARNs to allow access to
308
324
  */
309
- statementForReadTableItems() {
325
+ statementForReadTableItems(resourceArns) {
310
326
  return new iam.PolicyStatement({
311
327
  effect: iam.Effect.ALLOW,
312
328
  actions: [
@@ -318,7 +334,18 @@ class IamManager {
318
334
  'dynamodb:Query',
319
335
  'dynamodb:GetRecords',
320
336
  ],
321
- resources: ['*'],
337
+ resources: resourceArns ?? ['*'],
338
+ });
339
+ }
340
+ /**
341
+ * @summary Method to create iam statement to write items from dynamodb table
342
+ * @param {string[]} resourceArns list of ARNs to allow access to
343
+ */
344
+ statementForWriteTableItems(resourceArns) {
345
+ return new iam.PolicyStatement({
346
+ effect: iam.Effect.ALLOW,
347
+ actions: ['dynamodb:BatchWriteItem', 'dynamodb:DeleteItem', 'dynamodb:PutItem', 'dynamodb:UpdateItem'],
348
+ resources: resourceArns ?? ['*'],
322
349
  });
323
350
  }
324
351
  /**
@@ -434,10 +461,12 @@ class IamManager {
434
461
  * @summary Method to create iam policy for sqs
435
462
  * @param {string} id scoped id of the resource
436
463
  * @param {common.CommonConstruct} scope scope in which this resource is defined
437
- * @param {iam.ServicePrincipal} servicePrinicpal
464
+ * @param sqsQueue
465
+ * @param eventBridgeRule
466
+ * @param servicePrincipals
438
467
  */
439
468
  createPolicyForSqsEvent(id, scope, sqsQueue, eventBridgeRule, servicePrincipals) {
440
- const policy = new iam.PolicyDocument({
469
+ return new iam.PolicyDocument({
441
470
  statements: [
442
471
  new iam.PolicyStatement({
443
472
  actions: ['sqs:*'],
@@ -452,7 +481,6 @@ class IamManager {
452
481
  }),
453
482
  ],
454
483
  });
455
- return policy;
456
484
  }
457
485
  }
458
486
  exports.IamManager = IamManager;
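--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@gradientedge/cdk-utils",
- "version": "5.8.0",
+ "version": "5.11.0",
  "description": "Utilities for AWS CDK provisioning",
  "main": "dist/index.js",
  "engines": {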
@@ -532,6 +532,12 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
532
532
  )
533
533
  return
534
534
  }
535
+
536
+ const accessLogGroup = this.logManager.createLogGroup(`${this.id}-sns-rest-api-access-log`, this, {
537
+ logGroupName: `/custom/api/${this.id}-destined-rest-api-access-${this.props.stage}`,
538
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
539
+ })
540
+
535
541
  this.apiDestinedRestApi.api = new apig.RestApi(this, `${this.id}-sns-rest-api`, {
536
542
  ...{
537
543
  defaultIntegration: this.apiDestinedRestApi.integration,
@@ -544,6 +550,8 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
544
550
  loggingLevel: apig.MethodLoggingLevel.INFO,
545
551
  metricsEnabled: true,
546
552
  stageName: this.props.stage,
553
+ accessLogDestination: new apig.LogGroupLogDestination(accessLogGroup),
554
+ accessLogFormat: apig.AccessLogFormat.jsonWithStandardFields(),
547
555
  },
548
556
  endpointConfiguration: {
549
557
  types: [apig.EndpointType.REGIONAL],
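Review bot: The access log group added in the first hunk is created with `removalPolicy: cdk.RemovalPolicy.DESTROY` and no visible retention, so the REST API's access-log audit trail is deleted together with the stack and, unless `this.logManager.createLogGroup` applies a retention default that is not shown here, grows unbounded until then. For stages beyond development it would be safer to let the caller choose both values through the construct's props (falling back to the current `DESTROY`), and to state that default in the construct's documentation. The construct id uses `sns-rest-api-access-log` while `logGroupName` uses `destined-rest-api-access`, which looks like a naming inconsistency worth aligning before subscriptions or alarms are keyed on the log group name. The enclosing method starts before the first hunk and continues after the second.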
@@ -32,23 +32,27 @@ export class IamManager {
32
32
  /**
33
33
  * @summary Method to create iam statement to read secrets
34
34
  * @param {common.CommonConstruct} scope scope in which this resource is defined
35
+ * @param {string[]} resourceArns list of ARNs to allow access to
35
36
  */
36
- public statementForReadSecrets(scope: common.CommonConstruct) {
37
+ public statementForReadSecrets(scope: common.CommonConstruct, resourceArns?: string[]) {
37
38
  return new iam.PolicyStatement({
38
39
  effect: iam.Effect.ALLOW,
39
40
  actions: ['secretsmanager:GetSecretValue'],
40
- resources: [`arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`],
41
+ resources: resourceArns ?? [
42
+ `arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`,
43
+ ],
41
44
  })
42
45
  }
43
46
 
44
47
  /**
45
48
  * @summary Method to create iam statement to put events
49
+ * @param {string[]} resourceArns list of ARNs to allow access to
46
50
  */
47
- public statementForPutEvents() {
51
+ public statementForPutEvents(resourceArns?: string[]) {
48
52
  return new iam.PolicyStatement({
49
53
  effect: iam.Effect.ALLOW,
50
54
  actions: ['events:PutEvents'],
51
- resources: ['*'],
55
+ resources: resourceArns ?? ['*'],
52
56
  })
53
57
  }
54
58
 
@@ -66,8 +70,9 @@ export class IamManager {
66
70
 
67
71
  /**
68
72
  * @summary Method to create iam statement to read app config
73
+ * @param {string[]} resourceArns list of ARNs to allow access to
69
74
  */
70
- public statementForReadAnyAppConfig() {
75
+ public statementForReadAnyAppConfig(resourceArns?: string[]) {
71
76
  return new iam.PolicyStatement({
72
77
  effect: iam.Effect.ALLOW,
73
78
  actions: [
@@ -84,7 +89,7 @@ export class IamManager {
84
89
  'appconfig:GetConfiguration',
85
90
  'appconfig:ListDeployments',
86
91
  ],
87
- resources: ['*'],
92
+ resources: resourceArns ?? ['*'],
88
93
  })
89
94
  }
90
95
 
@@ -103,12 +108,13 @@ export class IamManager {
103
108
 
104
109
  /**
105
110
  * @summary Method to create iam statement to list all s3 buckets
111
+ * @param {string[]} resourceArns list of ARNs to allow access to
106
112
  */
107
- public statementForListAllMyBuckets() {
113
+ public statementForListAllMyBuckets(resourceArns?: string[]) {
108
114
  return new iam.PolicyStatement({
109
115
  effect: iam.Effect.ALLOW,
110
116
  actions: ['s3:ListAllMyBuckets'],
111
- resources: ['*'],
117
+ resources: resourceArns ?? ['*'],
112
118
  })
113
119
  }
114
120
 
@@ -116,12 +122,13 @@ export class IamManager {
116
122
  * @summary Method to create iam statement to get s3 objects in buckets
117
123
  * @param {common.CommonConstruct} scope scope in which this resource is defined
118
124
  * @param {s3.IBucket} bucket
125
+ * @param {string[]} resourceArns list of ARNs to allow access to
119
126
  */
120
- public statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
127
+ public statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
121
128
  return new iam.PolicyStatement({
122
129
  effect: iam.Effect.ALLOW,
123
130
  actions: ['s3:GetObject', 's3:GetObjectAcl'],
124
- resources: [bucket.arnForObjects(`*`)],
131
+ resources: resourceArns ?? [bucket.arnForObjects(`*`)],
125
132
  })
126
133
  }
127
134
 
@@ -129,12 +136,13 @@ export class IamManager {
129
136
  * @summary Method to create iam statement to delete s3 objects in buckets
130
137
  * @param {common.CommonConstruct} scope scope in which this resource is defined
131
138
  * @param {s3.IBucket} bucket
139
+ * @param {string[]} resourceArns list of ARNs to allow access to
132
140
  */
133
- public statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
141
+ public statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
134
142
  return new iam.PolicyStatement({
135
143
  effect: iam.Effect.ALLOW,
136
144
  actions: ['s3:DeleteObject'],
137
- resources: [bucket.arnForObjects(`*`)],
145
+ resources: resourceArns ?? [bucket.arnForObjects(`*`)],
138
146
  })
139
147
  }
140
148
 
@@ -142,41 +150,45 @@ export class IamManager {
142
150
  * @summary Method to create iam statement to write s3 objects in buckets
143
151
  * @param {common.CommonConstruct} scope scope in which this resource is defined
144
152
  * @param {s3.IBucket} bucket
153
+ * @param {string[]} resourceArns list of ARNs to allow access to
145
154
  */
146
- public statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
155
+ public statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
147
156
  return new iam.PolicyStatement({
148
157
  effect: iam.Effect.ALLOW,
149
158
  actions: ['s3:PutObject', 's3:PutObjectAcl'],
150
- resources: [bucket.arnForObjects(`*`)],
159
+ resources: resourceArns ?? [bucket.arnForObjects(`*`)],
151
160
  })
152
161
  }
153
162
 
154
163
  /**
155
164
  * @summary Method to create iam statement to pass iam role
165
+ * @param {string[]} resourceArns list of ARNs to allow access to
156
166
  */
157
- public statementForPassRole() {
167
+ public statementForPassRole(resourceArns?: string[]) {
158
168
  return new iam.PolicyStatement({
159
169
  effect: iam.Effect.ALLOW,
160
170
  actions: ['iam:PassRole'],
161
- resources: ['*'],
171
+ resources: resourceArns ?? ['*'],
162
172
  })
163
173
  }
164
174
 
165
175
  /**
166
176
  * @summary Method to create iam statement to invalidate cloudfront cache
177
+ * @param {string[]} resourceArns list of ARNs to allow access to
167
178
  */
168
- public statementForCloudfrontInvalidation() {
179
+ public statementForCloudfrontInvalidation(resourceArns?: string[]) {
169
180
  return new iam.PolicyStatement({
170
181
  effect: iam.Effect.ALLOW,
171
182
  actions: ['cloudfront:GetInvalidation', 'cloudfront:CreateInvalidation'],
172
- resources: ['*'],
183
+ resources: resourceArns ?? ['*'],
173
184
  })
174
185
  }
175
186
 
176
187
  /**
177
188
  * @summary Method to create iam policy to invalidate cloudfront cache
189
+ * @param {string[]} resourceArns list of ARNs to allow access to
178
190
  */
179
- public policyForCloudfrontInvalidation() {
191
+ public policyForCloudfrontInvalidation(resourceArns?: string[]) {
180
192
  return new iam.PolicyDocument({
181
193
  statements: [
182
194
  this.statementForCreateAnyLogStream(),
@@ -190,7 +202,7 @@ export class IamManager {
190
202
  'ecr:BatchCheckLayerAvailability',
191
203
  'ecr:GetAuthorizationToken',
192
204
  ],
193
- resources: ['*'],
205
+ resources: resourceArns ?? ['*'],
194
206
  }),
195
207
  ],
196
208
  })
@@ -225,12 +237,13 @@ export class IamManager {
225
237
 
226
238
  /**
227
239
  * @summary Method to create iam statement to pass ecs role
240
+ * @param {string[]} resourceArns list of ARNs to allow access to
228
241
  */
229
- public statementForEcsPassRole() {
242
+ public statementForEcsPassRole(resourceArns?: string[]) {
230
243
  return new iam.PolicyStatement({
231
244
  effect: iam.Effect.ALLOW,
232
245
  actions: ['iam:PassRole'],
233
- resources: ['*'],
246
+ resources: resourceArns ?? ['*'],
234
247
  conditions: { StringLike: { 'iam:PassedToService': 'ecs-tasks.amazonaws.com' } },
235
248
  })
236
249
  }
@@ -270,12 +283,13 @@ export class IamManager {
270
283
 
271
284
  /**
272
285
  * @summary Method to create iam statement to create any log stream
286
+ * @param {string[]} resourceArns list of ARNs to allow access to
273
287
  */
274
- public statementForCreateAnyLogStream() {
288
+ public statementForCreateAnyLogStream(resourceArns?: string[]) {
275
289
  return new iam.PolicyStatement({
276
290
  effect: iam.Effect.ALLOW,
277
291
  actions: ['logs:CreateLogStream'],
278
- resources: ['*'],
292
+ resources: resourceArns ?? ['*'],
279
293
  })
280
294
  }
281
295
 
@@ -299,19 +313,21 @@ export class IamManager {
299
313
 
300
314
  /**
301
315
  * @summary Method to create iam statement to write any log events
316
+ * @param {string[]} resourceArns list of ARNs to allow access to
302
317
  */
303
- public statementForPutAnyLogEvent() {
318
+ public statementForPutAnyLogEvent(resourceArns?: string[]) {
304
319
  return new iam.PolicyStatement({
305
320
  effect: iam.Effect.ALLOW,
306
321
  actions: ['logs:PutLogEvents'],
307
- resources: ['*'],
322
+ resources: resourceArns ?? ['*'],
308
323
  })
309
324
  }
310
325
 
311
326
  /**
312
327
  * @summary Method to create iam statement to read items from dynamodb table
328
+ * @param {string[]} resourceArns list of ARNs to allow access to
313
329
  */
314
- public statementForReadTableItems() {
330
+ public statementForReadTableItems(resourceArns?: string[]) {
315
331
  return new iam.PolicyStatement({
316
332
  effect: iam.Effect.ALLOW,
317
333
  actions: [
@@ -323,7 +339,19 @@ export class IamManager {
323
339
  'dynamodb:Query',
324
340
  'dynamodb:GetRecords',
325
341
  ],
326
- resources: ['*'],
342
+ resources: resourceArns ?? ['*'],
343
+ })
344
+ }
345
+
346
+ /**
347
+ * @summary Method to create iam statement to write items from dynamodb table
348
+ * @param {string[]} resourceArns list of ARNs to allow access to
349
+ */
350
+ public statementForWriteTableItems(resourceArns?: string[]) {
351
+ return new iam.PolicyStatement({
352
+ effect: iam.Effect.ALLOW,
353
+ actions: ['dynamodb:BatchWriteItem', 'dynamodb:DeleteItem', 'dynamodb:PutItem', 'dynamodb:UpdateItem'],
354
+ resources: resourceArns ?? ['*'],
327
355
  })
328
356
  }
329
357
 
@@ -483,7 +511,9 @@ export class IamManager {
483
511
  * @summary Method to create iam policy for sqs
484
512
  * @param {string} id scoped id of the resource
485
513
  * @param {common.CommonConstruct} scope scope in which this resource is defined
486
- * @param {iam.ServicePrincipal} servicePrinicpal
514
+ * @param sqsQueue
515
+ * @param eventBridgeRule
516
+ * @param servicePrincipals
487
517
  */
488
518
  public createPolicyForSqsEvent(
489
519
  id: string,
@@ -492,7 +522,7 @@ export class IamManager {
492
522
  eventBridgeRule: events.IRule,
493
523
  servicePrincipals?: iam.ServicePrincipal[]
494
524
  ) {
495
- const policy = new iam.PolicyDocument({
525
+ return new iam.PolicyDocument({
496
526
  statements: [
497
527
  new iam.PolicyStatement({
498
528
  actions: ['sqs:*'],
@@ -507,7 +537,5 @@ export class IamManager {
507
537
  }),
508
538
  ],
509
539
  })
510
-
511
- return policy
512
540
  }
513
541
  }
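Review bot: In `statementForPassRole` and `statementForEcsPassRole` the new optional `resourceArns` parameter keeps `resources: resourceArns ?? ['*']` as the fallback, so every existing caller still receives an unscoped `iam:PassRole`; since scoping that action is the reason the parameter exists, consider requiring it for the PassRole variants or at least stating the fallback in the doc comment, which is the same concern for every other `?? ['*']` site in this file. The `@param` line added throughout only says `list of ARNs to allow access to`; suggest `@param {string[]} resourceArns resource ARNs the statement is scoped to; defaults to ['*'] (all resources) when omitted`. An explicitly passed empty array is not replaced by the fallback (`[] ?? ['*']` is `[]`), which presumably yields a statement with no resources and a synth-time error rather than a safe default, so `resources: resourceArns?.length ? resourceArns : ['*']` would be more robust. In `policyForCloudfrontInvalidation` the same `resourceArns` list is forwarded to the ECR statement but not to `this.statementForCreateAnyLogStream()`, and since ECR, CloudFront and CloudWatch Logs ARNs differ, a single list for all three statements is likely to be either wrong for some of them or left at `*`; the body between those two hunks is outside the diff, so it is unclear which statements the list actually reaches.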