@jaypie/constructs 1.2.20 → 1.2.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/JaypieWebSocket.d.ts +1 -1
- package/dist/cjs/index.cjs +44 -54
- package/dist/cjs/index.cjs.map +1 -1
- package/dist/esm/JaypieWebSocket.d.ts +1 -1
- package/dist/esm/index.js +5 -15
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -109,7 +109,7 @@ export declare class JaypieWebSocket extends Construct {
|
|
|
109
109
|
get callbackUrl(): string;
|
|
110
110
|
/**
|
|
111
111
|
* Grant a Lambda function permission to manage WebSocket connections
|
|
112
|
-
* (post to connections, delete connections).
|
|
112
|
+
* (post messages to connections, get connection info, delete connections).
|
|
113
113
|
*/
|
|
114
114
|
grantManageConnections(grantee: lambda.IFunction): iam.Grant;
|
|
115
115
|
}
|
package/dist/cjs/index.cjs
CHANGED
|
@@ -9,7 +9,7 @@ var route53Targets = require('aws-cdk-lib/aws-route53-targets');
|
|
|
9
9
|
var secretsmanager = require('aws-cdk-lib/aws-secretsmanager');
|
|
10
10
|
var datadogCdkConstructsV2 = require('datadog-cdk-constructs-v2');
|
|
11
11
|
var errors = require('@jaypie/errors');
|
|
12
|
-
var
|
|
12
|
+
var awsIam = require('aws-cdk-lib/aws-iam');
|
|
13
13
|
var acm = require('aws-cdk-lib/aws-certificatemanager');
|
|
14
14
|
var lambda = require('aws-cdk-lib/aws-lambda');
|
|
15
15
|
var logDestinations = require('aws-cdk-lib/aws-logs-destinations');
|
|
@@ -54,7 +54,6 @@ var apiGateway__namespace = /*#__PURE__*/_interopNamespaceDefault(apiGateway);
|
|
|
54
54
|
var route53__namespace = /*#__PURE__*/_interopNamespaceDefault(route53);
|
|
55
55
|
var route53Targets__namespace = /*#__PURE__*/_interopNamespaceDefault(route53Targets);
|
|
56
56
|
var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsmanager);
|
|
57
|
-
var iam__namespace = /*#__PURE__*/_interopNamespaceDefault(iam);
|
|
58
57
|
var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
|
|
59
58
|
var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
|
|
60
59
|
var logDestinations__namespace = /*#__PURE__*/_interopNamespaceDefault(logDestinations);
|
|
@@ -439,22 +438,22 @@ function extendDatadogRole(scope, options) {
|
|
|
439
438
|
}
|
|
440
439
|
const { id = "DatadogCustomPolicy", project, service = CDK$2.SERVICE.DATADOG, } = options || {};
|
|
441
440
|
// Lookup the Datadog role
|
|
442
|
-
const datadogRole =
|
|
441
|
+
const datadogRole = awsIam.Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
|
|
443
442
|
// Build policy statements
|
|
444
443
|
const statements = [
|
|
445
444
|
// Allow view budget
|
|
446
|
-
new
|
|
445
|
+
new awsIam.PolicyStatement({
|
|
447
446
|
actions: ["budgets:ViewBudget"],
|
|
448
447
|
resources: ["*"],
|
|
449
448
|
}),
|
|
450
449
|
// Allow describe log groups
|
|
451
|
-
new
|
|
450
|
+
new awsIam.PolicyStatement({
|
|
452
451
|
actions: ["logs:DescribeLogGroups"],
|
|
453
452
|
resources: ["*"],
|
|
454
453
|
}),
|
|
455
454
|
];
|
|
456
455
|
// Create the custom policy
|
|
457
|
-
const datadogCustomPolicy = new
|
|
456
|
+
const datadogCustomPolicy = new awsIam.Policy(scope, id, {
|
|
458
457
|
roles: [datadogRole],
|
|
459
458
|
statements,
|
|
460
459
|
});
|
|
@@ -2230,22 +2229,22 @@ class JaypieDatadogBucket extends constructs.Construct {
|
|
|
2230
2229
|
}
|
|
2231
2230
|
const { project, service = CDK$2.SERVICE.DATADOG } = options || {};
|
|
2232
2231
|
// Lookup the Datadog role
|
|
2233
|
-
const datadogRole =
|
|
2232
|
+
const datadogRole = awsIam.Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
|
|
2234
2233
|
// Build policy statements for bucket access
|
|
2235
2234
|
const statements = [
|
|
2236
2235
|
// Allow list bucket
|
|
2237
|
-
new
|
|
2236
|
+
new awsIam.PolicyStatement({
|
|
2238
2237
|
actions: ["s3:ListBucket"],
|
|
2239
2238
|
resources: [this.bucket.bucketArn],
|
|
2240
2239
|
}),
|
|
2241
2240
|
// Allow read and write to the bucket
|
|
2242
|
-
new
|
|
2241
|
+
new awsIam.PolicyStatement({
|
|
2243
2242
|
actions: ["s3:GetObject", "s3:PutObject"],
|
|
2244
2243
|
resources: [`${this.bucket.bucketArn}/*`],
|
|
2245
2244
|
}),
|
|
2246
2245
|
];
|
|
2247
2246
|
// Create the custom policy
|
|
2248
|
-
const datadogBucketPolicy = new
|
|
2247
|
+
const datadogBucketPolicy = new awsIam.Policy(this, "DatadogBucketPolicy", {
|
|
2249
2248
|
roles: [datadogRole],
|
|
2250
2249
|
statements,
|
|
2251
2250
|
});
|
|
@@ -3014,8 +3013,8 @@ class JaypieGitHubDeployRole extends constructs.Construct {
|
|
|
3014
3013
|
repoRestriction = `repo:${organization}/*:*`;
|
|
3015
3014
|
}
|
|
3016
3015
|
// Create the IAM role
|
|
3017
|
-
this._role = new
|
|
3018
|
-
assumedBy: new
|
|
3016
|
+
this._role = new awsIam.Role(this, "GitHubActionsRole", {
|
|
3017
|
+
assumedBy: new awsIam.FederatedPrincipal(oidcProviderArn, {
|
|
3019
3018
|
StringLike: {
|
|
3020
3019
|
"token.actions.githubusercontent.com:sub": repoRestriction,
|
|
3021
3020
|
},
|
|
@@ -3025,12 +3024,12 @@ class JaypieGitHubDeployRole extends constructs.Construct {
|
|
|
3025
3024
|
});
|
|
3026
3025
|
cdk.Tags.of(this._role).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
|
|
3027
3026
|
// Allow the role to access the GitHub OIDC provider
|
|
3028
|
-
this._role.addToPolicy(new
|
|
3027
|
+
this._role.addToPolicy(new awsIam.PolicyStatement({
|
|
3029
3028
|
actions: ["sts:AssumeRoleWithWebIdentity"],
|
|
3030
3029
|
resources: [`arn:aws:iam::${accountId}:oidc-provider/*`],
|
|
3031
3030
|
}));
|
|
3032
3031
|
// Allow the role to deploy CDK apps
|
|
3033
|
-
this._role.addToPolicy(new
|
|
3032
|
+
this._role.addToPolicy(new awsIam.PolicyStatement({
|
|
3034
3033
|
actions: [
|
|
3035
3034
|
"cloudformation:CreateStack",
|
|
3036
3035
|
"cloudformation:DeleteStack",
|
|
@@ -3047,12 +3046,12 @@ class JaypieGitHubDeployRole extends constructs.Construct {
|
|
|
3047
3046
|
"s3:GetObject",
|
|
3048
3047
|
"s3:ListBucket",
|
|
3049
3048
|
],
|
|
3050
|
-
effect:
|
|
3049
|
+
effect: awsIam.Effect.ALLOW,
|
|
3051
3050
|
resources: ["*"],
|
|
3052
3051
|
}));
|
|
3053
|
-
this._role.addToPolicy(new
|
|
3052
|
+
this._role.addToPolicy(new awsIam.PolicyStatement({
|
|
3054
3053
|
actions: ["iam:PassRole", "sts:AssumeRole"],
|
|
3055
|
-
effect:
|
|
3054
|
+
effect: awsIam.Effect.ALLOW,
|
|
3056
3055
|
resources: [
|
|
3057
3056
|
"arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
|
|
3058
3057
|
"arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
|
|
@@ -3147,7 +3146,7 @@ class JaypieHostedZone extends constructs.Construct {
|
|
|
3147
3146
|
cdk__namespace.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
|
|
3148
3147
|
}
|
|
3149
3148
|
// Grant Route 53 permissions to write to the log group
|
|
3150
|
-
this.logGroup.grantWrite(new
|
|
3149
|
+
this.logGroup.grantWrite(new awsIam.ServicePrincipal(SERVICE.ROUTE53));
|
|
3151
3150
|
// Add destination based on configuration
|
|
3152
3151
|
if (destination !== false) {
|
|
3153
3152
|
const lambdaDestination = destination === true
|
|
@@ -3445,21 +3444,21 @@ class JaypieOrganizationTrail extends constructs.Construct {
|
|
|
3445
3444
|
],
|
|
3446
3445
|
});
|
|
3447
3446
|
// Add CloudTrail bucket policies
|
|
3448
|
-
this.bucket.addToResourcePolicy(new
|
|
3447
|
+
this.bucket.addToResourcePolicy(new awsIam.PolicyStatement({
|
|
3449
3448
|
actions: ["s3:GetBucketAcl"],
|
|
3450
|
-
effect:
|
|
3451
|
-
principals: [new
|
|
3449
|
+
effect: awsIam.Effect.ALLOW,
|
|
3450
|
+
principals: [new awsIam.ServicePrincipal("cloudtrail.amazonaws.com")],
|
|
3452
3451
|
resources: [this.bucket.bucketArn],
|
|
3453
3452
|
}));
|
|
3454
|
-
this.bucket.addToResourcePolicy(new
|
|
3453
|
+
this.bucket.addToResourcePolicy(new awsIam.PolicyStatement({
|
|
3455
3454
|
actions: ["s3:PutObject"],
|
|
3456
3455
|
conditions: {
|
|
3457
3456
|
StringEquals: {
|
|
3458
3457
|
"s3:x-amz-acl": "bucket-owner-full-control",
|
|
3459
3458
|
},
|
|
3460
3459
|
},
|
|
3461
|
-
effect:
|
|
3462
|
-
principals: [new
|
|
3460
|
+
effect: awsIam.Effect.ALLOW,
|
|
3461
|
+
principals: [new awsIam.ServicePrincipal("cloudtrail.amazonaws.com")],
|
|
3463
3462
|
resources: [`${this.bucket.bucketArn}/*`],
|
|
3464
3463
|
}));
|
|
3465
3464
|
// Add tags to bucket
|
|
@@ -3552,9 +3551,9 @@ class JaypieSsoPermissions extends constructs.Construct {
|
|
|
3552
3551
|
],
|
|
3553
3552
|
},
|
|
3554
3553
|
managedPolicies: [
|
|
3555
|
-
|
|
3554
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
|
|
3556
3555
|
.managedPolicyArn,
|
|
3557
|
-
|
|
3556
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
|
|
3558
3557
|
],
|
|
3559
3558
|
sessionDuration: cdk.Duration.hours(1).toIsoString(),
|
|
3560
3559
|
tags: [
|
|
@@ -3633,10 +3632,10 @@ class JaypieSsoPermissions extends constructs.Construct {
|
|
|
3633
3632
|
],
|
|
3634
3633
|
},
|
|
3635
3634
|
managedPolicies: [
|
|
3636
|
-
|
|
3635
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
|
|
3637
3636
|
.managedPolicyArn,
|
|
3638
|
-
|
|
3639
|
-
|
|
3637
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
|
|
3638
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
|
|
3640
3639
|
.managedPolicyArn,
|
|
3641
3640
|
],
|
|
3642
3641
|
sessionDuration: cdk.Duration.hours(12).toIsoString(),
|
|
@@ -3691,12 +3690,12 @@ class JaypieSsoPermissions extends constructs.Construct {
|
|
|
3691
3690
|
],
|
|
3692
3691
|
},
|
|
3693
3692
|
managedPolicies: [
|
|
3694
|
-
|
|
3693
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
|
|
3695
3694
|
.managedPolicyArn,
|
|
3696
|
-
|
|
3697
|
-
|
|
3695
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
|
|
3696
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
|
|
3698
3697
|
.managedPolicyArn,
|
|
3699
|
-
|
|
3698
|
+
awsIam.ManagedPolicy.fromAwsManagedPolicyName("job-function/SystemAdministrator").managedPolicyArn,
|
|
3700
3699
|
],
|
|
3701
3700
|
sessionDuration: cdk.Duration.hours(4).toIsoString(),
|
|
3702
3701
|
tags: [
|
|
@@ -3909,8 +3908,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
|
|
|
3909
3908
|
repo = `repo:${process.env.CDK_ENV_REPO}:*`;
|
|
3910
3909
|
}
|
|
3911
3910
|
if (repo) {
|
|
3912
|
-
const bucketDeployRole = new
|
|
3913
|
-
assumedBy: new
|
|
3911
|
+
const bucketDeployRole = new awsIam.Role(this, "DestinationBucketDeployRole", {
|
|
3912
|
+
assumedBy: new awsIam.FederatedPrincipal(cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
|
|
3914
3913
|
StringLike: {
|
|
3915
3914
|
"token.actions.githubusercontent.com:sub": repo,
|
|
3916
3915
|
},
|
|
@@ -3919,8 +3918,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
|
|
|
3919
3918
|
});
|
|
3920
3919
|
cdk.Tags.of(bucketDeployRole).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
|
|
3921
3920
|
// Allow the role to write to the bucket
|
|
3922
|
-
bucketDeployRole.addToPolicy(new
|
|
3923
|
-
effect:
|
|
3921
|
+
bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
|
|
3922
|
+
effect: awsIam.Effect.ALLOW,
|
|
3924
3923
|
actions: [
|
|
3925
3924
|
"s3:DeleteObject",
|
|
3926
3925
|
"s3:GetObject",
|
|
@@ -3929,16 +3928,16 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
|
|
|
3929
3928
|
],
|
|
3930
3929
|
resources: [`${this.bucket.bucketArn}/*`],
|
|
3931
3930
|
}));
|
|
3932
|
-
bucketDeployRole.addToPolicy(new
|
|
3933
|
-
effect:
|
|
3931
|
+
bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
|
|
3932
|
+
effect: awsIam.Effect.ALLOW,
|
|
3934
3933
|
actions: ["s3:ListBucket"],
|
|
3935
3934
|
resources: [this.bucket.bucketArn],
|
|
3936
3935
|
}));
|
|
3937
3936
|
// Allow the role to describe the current stack
|
|
3938
3937
|
const stack = cdk.Stack.of(this);
|
|
3939
|
-
bucketDeployRole.addToPolicy(new
|
|
3938
|
+
bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
|
|
3940
3939
|
actions: ["cloudformation:DescribeStacks"],
|
|
3941
|
-
effect:
|
|
3940
|
+
effect: awsIam.Effect.ALLOW,
|
|
3942
3941
|
resources: [
|
|
3943
3942
|
`arn:aws:cloudformation:${stack.region}:${stack.account}:stack/${stack.stackName}/*`,
|
|
3944
3943
|
],
|
|
@@ -4339,21 +4338,12 @@ class JaypieWebSocket extends constructs.Construct {
|
|
|
4339
4338
|
//
|
|
4340
4339
|
/**
|
|
4341
4340
|
* Grant a Lambda function permission to manage WebSocket connections
|
|
4342
|
-
* (post to connections, delete connections).
|
|
4341
|
+
* (post messages to connections, get connection info, delete connections).
|
|
4343
4342
|
*/
|
|
4344
4343
|
grantManageConnections(grantee) {
|
|
4345
|
-
|
|
4346
|
-
|
|
4347
|
-
|
|
4348
|
-
resourceArns: [
|
|
4349
|
-
cdk.Stack.of(this).formatArn({
|
|
4350
|
-
arnFormat: cdk.ArnFormat.SLASH_RESOURCE_SLASH_RESOURCE_NAME,
|
|
4351
|
-
resource: this._api.apiId,
|
|
4352
|
-
resourceName: `${this._stage.stageName}/POST/@connections/*`,
|
|
4353
|
-
service: "execute-api",
|
|
4354
|
-
}),
|
|
4355
|
-
],
|
|
4356
|
-
});
|
|
4344
|
+
// Use the CDK's built-in grantManageConnections which properly grants
|
|
4345
|
+
// permissions for all @connections methods (POST, GET, DELETE) across all stages
|
|
4346
|
+
return this._api.grantManageConnections(grantee);
|
|
4357
4347
|
}
|
|
4358
4348
|
}
|
|
4359
4349
|
|