@jaypie/constructs 1.1.18 → 1.1.20

package/LICENSE.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 Finlayson Studio, LLC
+Copyright (c) 2025 Finlayson Studio, LLC
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/dist/cjs/JaypieSsoGroups.d.ts

@@ -0,0 +1,121 @@
+import { Construct } from "constructs";
+import * as sso from "aws-cdk-lib/aws-sso";
+/**
+ * Account categories for SSO group assignments
+ */
+export interface JaypieSsoAccountMap {
+    development: string[];
+    management: string[];
+    operations: string[];
+    production: string[];
+    sandbox: string[];
+    security: string[];
+    stage: string[];
+}
+/**
+ * Mapping of group types to Google Workspace group GUIDs
+ */
+export interface JaypieSsoGroupMap {
+    administrators: string;
+    analysts: string;
+    developers: string;
+}
+/**
+ * IAM Policy Statement structure for inline policies
+ */
+export interface PolicyStatement {
+    Effect: "Allow" | "Deny";
+    Action: string[] | string;
+    Resource: string[] | string;
+    Condition?: Record<string, unknown>;
+}
+/**
+ * Properties for the JaypieSsoGroups construct
+ */
+export interface JaypieSsoGroupsProps {
+    /**
+     * ARN of the IAM Identity Center instance
+     */
+    instanceArn: string;
+    /**
+     * Mapping of account categories to AWS account IDs
+     */
+    accountMap: JaypieSsoAccountMap;
+    /**
+     * Mapping of group types to Google Workspace group GUIDs
+     */
+    groupMap: JaypieSsoGroupMap;
+    /**
+     * Additional inline policy statements to append to each group's permission set
+     * Each group can have its own set of policy statements that will be merged
+     * with the default policies.
+     */
+    inlinePolicyStatements?: {
+        administrators?: PolicyStatement[];
+        analysts?: PolicyStatement[];
+        developers?: PolicyStatement[];
+    };
+}
+/**
+ * Permission set types with corresponding AWS managed policies
+ */
+export declare enum PermissionSetType {
+    ADMINISTRATOR = "Administrator",
+    ANALYST = "Analyst",
+    DEVELOPER = "Developer"
+}
+/**
+ * Construct to simplify AWS SSO group management.
+ * This construct encapsulates the complexity of creating permission sets
+ * and assigning them to groups across multiple AWS accounts.
+ */
+export declare class JaypieSsoGroups extends Construct {
+    private readonly permissionSets;
+    private readonly instanceArn;
+    private readonly props;
+    constructor(scope: Construct, id: string, props: JaypieSsoGroupsProps);
+    /**
+     * Creates the Administrator permission set with AdministratorAccess policy
+     * and billing access
+     */
+    private createAdministratorPermissionSet;
+    /**
+     * Creates the Analyst permission set with ReadOnlyAccess policy
+     * and limited write access
+     */
+    private createAnalystPermissionSet;
+    /**
+     * Creates the Developer permission set with SystemAdministrator policy
+     * and expanded write access
+     */
+    private createDeveloperPermissionSet;
+    /**
+     * Gets the permission set for the specified type
+     */
+    getPermissionSet(type: PermissionSetType): sso.CfnPermissionSet;
+    /**
+     * Merges default inline policies with additional user-provided policy statements
+     *
+     * @param defaultPolicy - The default policy object with Version and Statement properties
+     * @param additionalStatements - Optional additional policy statements to merge
+     * @returns The merged policy object
+     */
+    private mergeInlinePolicies;
+    /**
+     * Creates assignments between permission sets, groups, and accounts
+     * based on the provided configuration
+     */
+    private createPermissionSetAssignments;
+    /**
+     * Assigns Administrator permissions to appropriate accounts
+     */
+    private assignAdministratorPermissions;
+    /**
+     * Assigns Analyst permissions to appropriate accounts
+     */
+    private assignAnalystPermissions;
+    /**
+     * Assigns Developer permissions to appropriate accounts
+     */
+    private assignDeveloperPermissions;
+}

package/dist/cjs/__tests__/JaypieSsoGroups.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cjs/index.cjs

@@ -10,6 +10,7 @@ var awsRoute53 = require('aws-cdk-lib/aws-route53');
 var lambda = require('aws-cdk-lib/aws-lambda');
 var sqs = require('aws-cdk-lib/aws-sqs');
 var lambdaEventSources = require('aws-cdk-lib/aws-lambda-event-sources');
+var sso = require('aws-cdk-lib/aws-sso');
 
 function _interopNamespaceDefault(e) {
     var n = Object.create(null);
@@ -33,6 +34,7 @@ var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsman
 var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
 var sqs__namespace = /*#__PURE__*/_interopNamespaceDefault(sqs);
 var lambdaEventSources__namespace = /*#__PURE__*/_interopNamespaceDefault(lambdaEventSources);
+var sso__namespace = /*#__PURE__*/_interopNamespaceDefault(sso);
 
 // It is a consumer if the environment is ephemeral
 function checkEnvIsConsumer(env = process.env) {
@@ -473,6 +475,282 @@ class JaypieQueuedLambda extends constructs.Construct {
     }
 }
 
+/**
+ * Permission set types with corresponding AWS managed policies
+ */
+exports.PermissionSetType = void 0;
+(function (PermissionSetType) {
+    PermissionSetType["ADMINISTRATOR"] = "Administrator";
+    PermissionSetType["ANALYST"] = "Analyst";
+    PermissionSetType["DEVELOPER"] = "Developer";
+})(exports.PermissionSetType || (exports.PermissionSetType = {}));
+/**
+ * Construct to simplify AWS SSO group management.
+ * This construct encapsulates the complexity of creating permission sets
+ * and assigning them to groups across multiple AWS accounts.
+ */
+class JaypieSsoGroups extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.permissionSets = {};
+        this.instanceArn = props.instanceArn;
+        this.props = props;
+        // Create the permission sets
+        this.createAdministratorPermissionSet();
+        this.createAnalystPermissionSet();
+        this.createDeveloperPermissionSet();
+        // Create the assignments
+        this.createPermissionSetAssignments(props);
+    }
+    /**
+     * Creates the Administrator permission set with AdministratorAccess policy
+     * and billing access
+     */
+    createAdministratorPermissionSet() {
+        const defaultInlinePolicy = {
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "aws-portal:ViewBilling",
+                        "aws-portal:ModifyBilling",
+                        "aws-portal:ViewAccount",
+                        "aws-portal:ModifyAccount",
+                        "budgets:ViewBudget",
+                        "budgets:ModifyBudget",
+                    ],
+                    Resource: "*",
+                },
+            ],
+        };
+        // Merge with any additional policy statements provided for administrators
+        const mergedPolicy = this.mergeInlinePolicies(defaultInlinePolicy, this.props?.inlinePolicyStatements?.administrators);
+        const permissionSet = new sso__namespace.CfnPermissionSet(this, "AdministratorPermissionSet", {
+            instanceArn: this.instanceArn,
+            name: exports.PermissionSetType.ADMINISTRATOR,
+            description: "Full administrative access to all AWS services and resources",
+            sessionDuration: cdk.Duration.hours(8).toIsoString(),
+            managedPolicies: ["arn:aws:iam::aws:policy/AdministratorAccess"],
+            inlinePolicy: mergedPolicy,
+        });
+        cdk.Tags.of(permissionSet).add(cdk$1.CDK.TAG.SERVICE, cdk$1.CDK.SERVICE.SSO);
+        this.permissionSets[exports.PermissionSetType.ADMINISTRATOR] = permissionSet;
+    }
+    /**
+     * Creates the Analyst permission set with ReadOnlyAccess policy
+     * and limited write access
+     */
+    createAnalystPermissionSet() {
+        const defaultInlinePolicy = {
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "aws-portal:ViewBilling",
+                        "aws-portal:ViewAccount",
+                        "budgets:ViewBudget",
+                        "cloudwatch:PutDashboard",
+                        "cloudwatch:PutMetricData",
+                        "s3:PutObject",
+                        "s3:GetObject",
+                        "s3:ListBucket",
+                    ],
+                    Resource: "*",
+                },
+            ],
+        };
+        // Merge with any additional policy statements provided for analysts
+        const mergedPolicy = this.mergeInlinePolicies(defaultInlinePolicy, this.props?.inlinePolicyStatements?.analysts);
+        const permissionSet = new sso__namespace.CfnPermissionSet(this, "AnalystPermissionSet", {
+            instanceArn: this.instanceArn,
+            name: exports.PermissionSetType.ANALYST,
+            description: "Read-only access with billing visibility and limited write access",
+            sessionDuration: cdk.Duration.hours(4).toIsoString(),
+            managedPolicies: ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
+            inlinePolicy: mergedPolicy,
+        });
+        cdk.Tags.of(permissionSet).add(cdk$1.CDK.TAG.SERVICE, cdk$1.CDK.SERVICE.SSO);
+        this.permissionSets[exports.PermissionSetType.ANALYST] = permissionSet;
+    }
+    /**
+     * Creates the Developer permission set with SystemAdministrator policy
+     * and expanded write access
+     */
+    createDeveloperPermissionSet() {
+        const defaultInlinePolicy = {
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "cloudwatch:*",
+                        "logs:*",
+                        "lambda:*",
+                        "apigateway:*",
+                        "dynamodb:*",
+                        "s3:*",
+                        "sns:*",
+                        "sqs:*",
+                        "events:*",
+                        "ecr:*",
+                        "ecs:*",
+                        "codebuild:*",
+                    ],
+                    Resource: "*",
+                },
+                {
+                    Effect: "Deny",
+                    Action: [
+                        "iam:*User*",
+                        "iam:*Role*",
+                        "iam:*Policy*",
+                        "organizations:*",
+                        "account:*",
+                    ],
+                    Resource: "*",
+                },
+            ],
+        };
+        // Merge with any additional policy statements provided for developers
+        const mergedPolicy = this.mergeInlinePolicies(defaultInlinePolicy, this.props?.inlinePolicyStatements?.developers);
+        const permissionSet = new sso__namespace.CfnPermissionSet(this, "DeveloperPermissionSet", {
+            instanceArn: this.instanceArn,
+            name: exports.PermissionSetType.DEVELOPER,
+            description: "System administrator access with expanded write permissions",
+            sessionDuration: cdk.Duration.hours(8).toIsoString(),
+            managedPolicies: [
+                "arn:aws:iam::aws:policy/job-function/SystemAdministrator",
+            ],
+            inlinePolicy: mergedPolicy,
+        });
+        cdk.Tags.of(permissionSet).add(cdk$1.CDK.TAG.SERVICE, cdk$1.CDK.SERVICE.SSO);
+        this.permissionSets[exports.PermissionSetType.DEVELOPER] = permissionSet;
+    }
+    /**
+     * Gets the permission set for the specified type
+     */
+    getPermissionSet(type) {
+        return this.permissionSets[type];
+    }
+    /**
+     * Merges default inline policies with additional user-provided policy statements
+     *
+     * @param defaultPolicy - The default policy object with Version and Statement properties
+     * @param additionalStatements - Optional additional policy statements to merge
+     * @returns The merged policy object
+     */
+    mergeInlinePolicies(defaultPolicy, additionalStatements) {
+        if (!additionalStatements || additionalStatements.length === 0) {
+            return defaultPolicy;
+        }
+        // Create a deep copy of the default policy to avoid modifying the original
+        const mergedPolicy = JSON.parse(JSON.stringify(defaultPolicy));
+        // Add the additional statements to the existing statements
+        mergedPolicy.Statement = [
+            ...mergedPolicy.Statement,
+            ...additionalStatements,
+        ];
+        return mergedPolicy;
+    }
+    /**
+     * Creates assignments between permission sets, groups, and accounts
+     * based on the provided configuration
+     */
+    createPermissionSetAssignments(props) {
+        // Administrator assignments
+        this.assignAdministratorPermissions(props);
+        // Analyst assignments
+        this.assignAnalystPermissions(props);
+        // Developer assignments
+        this.assignDeveloperPermissions(props);
+    }
+    /**
+     * Assigns Administrator permissions to appropriate accounts
+     */
+    assignAdministratorPermissions(props) {
+        const administratorGroup = props.groupMap.administrators;
+        const administratorPermissionSet = this.permissionSets[exports.PermissionSetType.ADMINISTRATOR];
+        // Administrators get access to all accounts
+        const allAccounts = [
+            ...props.accountMap.development,
+            ...props.accountMap.management,
+            ...props.accountMap.operations,
+            ...props.accountMap.production,
+            ...props.accountMap.sandbox,
+            ...props.accountMap.security,
+            ...props.accountMap.stage,
+        ];
+        // Create assignments for each account
+        allAccounts.forEach((accountId, index) => {
+            const assignment = new sso__namespace.CfnAssignment(this, `AdministratorAssignment${index}`, {
+                instanceArn: this.instanceArn,
+                permissionSetArn: administratorPermissionSet.attrPermissionSetArn,
+                principalId: administratorGroup,
+                principalType: "GROUP",
+                targetId: accountId,
+                targetType: "AWS_ACCOUNT",
+            });
+            cdk.Tags.of(assignment).add(cdk$1.CDK.TAG.SERVICE, cdk$1.CDK.SERVICE.SSO);
+            cdk.Tags.of(assignment).add("Group", "administrators");
+        });
+    }
+    /**
+     * Assigns Analyst permissions to appropriate accounts
+     */
+    assignAnalystPermissions(props) {
+        const analystGroup = props.groupMap.analysts;
+        const analystPermissionSet = this.permissionSets[exports.PermissionSetType.ANALYST];
+        // Analysts get access to development, management, sandbox, and stage accounts
+        const analystAccounts = [
+            ...props.accountMap.development,
+            ...props.accountMap.management,
+            ...props.accountMap.sandbox,
+            ...props.accountMap.stage,
+        ];
+        // Create assignments for each account
+        analystAccounts.forEach((accountId, index) => {
+            const assignment = new sso__namespace.CfnAssignment(this, `AnalystAssignment${index}`, {
+                instanceArn: this.instanceArn,
+                permissionSetArn: analystPermissionSet.attrPermissionSetArn,
+                principalId: analystGroup,
+                principalType: "GROUP",
+                targetId: accountId,
+                targetType: "AWS_ACCOUNT",
+            });
+            cdk.Tags.of(assignment).add(cdk$1.CDK.TAG.SERVICE, cdk$1.CDK.SERVICE.SSO);
+            cdk.Tags.of(assignment).add("Group", "analysts");
+        });
+    }
+    /**
+     * Assigns Developer permissions to appropriate accounts
+     */
+    assignDeveloperPermissions(props) {
+        const developerGroup = props.groupMap.developers;
+        const developerPermissionSet = this.permissionSets[exports.PermissionSetType.DEVELOPER];
+        // Developers get access to development, sandbox, and stage accounts
+        const developerAccounts = [
+            ...props.accountMap.development,
+            ...props.accountMap.sandbox,
+            ...props.accountMap.stage,
+        ];
+        // Create assignments for each account
+        developerAccounts.forEach((accountId, index) => {
+            const assignment = new sso__namespace.CfnAssignment(this, `DeveloperAssignment${index}`, {
+                instanceArn: this.instanceArn,
+                permissionSetArn: developerPermissionSet.attrPermissionSetArn,
+                principalId: developerGroup,
+                principalType: "GROUP",
+                targetId: accountId,
+                targetType: "AWS_ACCOUNT",
+            });
+            cdk.Tags.of(assignment).add(cdk$1.CDK.TAG.SERVICE, cdk$1.CDK.SERVICE.SSO);
+            cdk.Tags.of(assignment).add("Group", "developers");
+        });
+    }
+}
+
 class JaypieTraceSigningKeySecret extends JaypieEnvSecret {
     constructor(scope, id = "TraceSigningKey", props) {
         const defaultProps = {
@@ -490,5 +768,6 @@ exports.JaypieHostedZone = JaypieHostedZone;
 exports.JaypieMongoDbSecret = JaypieMongoDbSecret;
 exports.JaypieOpenAiSecret = JaypieOpenAiSecret;
 exports.JaypieQueuedLambda = JaypieQueuedLambda;
+exports.JaypieSsoGroups = JaypieSsoGroups;
 exports.JaypieTraceSigningKeySecret = JaypieTraceSigningKeySecret;
 //# sourceMappingURL=index.cjs.map