@jaypie/constructs 1.2.20 → 1.2.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/JaypieWebSocket.d.ts +1 -1
- package/dist/cjs/index.cjs +45 -54
- package/dist/cjs/index.cjs.map +1 -1
- package/dist/esm/JaypieWebSocket.d.ts +1 -1
- package/dist/esm/index.js +6 -15
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -109,7 +109,7 @@ export declare class JaypieWebSocket extends Construct {
|
|
|
109
109
|
get callbackUrl(): string;
|
|
110
110
|
/**
|
|
111
111
|
* Grant a Lambda function permission to manage WebSocket connections
|
|
112
|
-
* (post to connections, delete connections).
|
|
112
|
+
* (post messages to connections, get connection info, delete connections).
|
|
113
113
|
*/
|
|
114
114
|
grantManageConnections(grantee: lambda.IFunction): iam.Grant;
|
|
115
115
|
}
|
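--- a/package/dist/cjs/index.cjs
+++ b/package/dist/cjs/index.cjs
@@ -9,7 +9,7 @@ var route53Targets = require('aws-cdk-lib/aws-route53-targets');
 var secretsmanager = require('aws-cdk-lib/aws-secretsmanager');
 var datadogCdkConstructsV2 = require('datadog-cdk-constructs-v2');
 var errors = require('@jaypie/errors');
-var
+var awsIam = require('aws-cdk-lib/aws-iam');
 var acm = require('aws-cdk-lib/aws-certificatemanager');
 var lambda = require('aws-cdk-lib/aws-lambda');
 var logDestinations = require('aws-cdk-lib/aws-logs-destinations');
@@ -54,7 +54,6 @@ var apiGateway__namespace = /*#__PURE__*/_interopNamespaceDefault(apiGateway);
 var route53__namespace = /*#__PURE__*/_interopNamespaceDefault(route53);
 var route53Targets__namespace = /*#__PURE__*/_interopNamespaceDefault(route53Targets);
 var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsmanager);
-var iam__namespace = /*#__PURE__*/_interopNamespaceDefault(iam);
 var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
 var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
 var logDestinations__namespace = /*#__PURE__*/_interopNamespaceDefault(logDestinations);
@@ -439,22 +438,22 @@ function extendDatadogRole(scope, options) {
 }
 const { id = "DatadogCustomPolicy", project, service = CDK$2.SERVICE.DATADOG, } = options || {};
 // Lookup the Datadog role
-const datadogRole =
+const datadogRole = awsIam.Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
 // Build policy statements
 const statements = [
 // Allow view budget
-new
+new awsIam.PolicyStatement({
 actions: ["budgets:ViewBudget"],
 resources: ["*"],
 }),
 // Allow describe log groups
-new
+new awsIam.PolicyStatement({
 actions: ["logs:DescribeLogGroups"],
 resources: ["*"],
 }),
 ];
 // Create the custom policy
-const datadogCustomPolicy = new
+const datadogCustomPolicy = new awsIam.Policy(scope, id, {
 roles: [datadogRole],
 statements,
 });
@@ -2230,22 +2229,22 @@ class JaypieDatadogBucket extends constructs.Construct {
 }
 const { project, service = CDK$2.SERVICE.DATADOG } = options || {};
 // Lookup the Datadog role
-const datadogRole =
+const datadogRole = awsIam.Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
 // Build policy statements for bucket access
 const statements = [
 // Allow list bucket
-new
+new awsIam.PolicyStatement({
 actions: ["s3:ListBucket"],
 resources: [this.bucket.bucketArn],
 }),
 // Allow read and write to the bucket
-new
+new awsIam.PolicyStatement({
 actions: ["s3:GetObject", "s3:PutObject"],
 resources: [`${this.bucket.bucketArn}/*`],
 }),
 ];
 // Create the custom policy
-const datadogBucketPolicy = new
+const datadogBucketPolicy = new awsIam.Policy(this, "DatadogBucketPolicy", {
 roles: [datadogRole],
 statements,
 });
@@ -3014,8 +3013,8 @@ class JaypieGitHubDeployRole extends constructs.Construct {
 repoRestriction = `repo:${organization}/*:*`;
 }
 // Create the IAM role
-this._role = new
-assumedBy: new
+this._role = new awsIam.Role(this, "GitHubActionsRole", {
+assumedBy: new awsIam.FederatedPrincipal(oidcProviderArn, {
 StringLike: {
 "token.actions.githubusercontent.com:sub": repoRestriction,
 },
@@ -3025,12 +3024,12 @@ class JaypieGitHubDeployRole extends constructs.Construct {
 });
 cdk.Tags.of(this._role).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
 // Allow the role to access the GitHub OIDC provider
-this._role.addToPolicy(new
+this._role.addToPolicy(new awsIam.PolicyStatement({
 actions: ["sts:AssumeRoleWithWebIdentity"],
 resources: [`arn:aws:iam::${accountId}:oidc-provider/*`],
 }));
 // Allow the role to deploy CDK apps
-this._role.addToPolicy(new
+this._role.addToPolicy(new awsIam.PolicyStatement({
 actions: [
 "cloudformation:CreateStack",
 "cloudformation:DeleteStack",
@@ -3047,12 +3046,12 @@ class JaypieGitHubDeployRole extends constructs.Construct {
 "s3:GetObject",
 "s3:ListBucket",
 ],
-effect:
+effect: awsIam.Effect.ALLOW,
 resources: ["*"],
 }));
-this._role.addToPolicy(new
+this._role.addToPolicy(new awsIam.PolicyStatement({
 actions: ["iam:PassRole", "sts:AssumeRole"],
-effect:
+effect: awsIam.Effect.ALLOW,
 resources: [
 "arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
 "arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
@@ -3147,7 +3146,7 @@ class JaypieHostedZone extends constructs.Construct {
 cdk__namespace.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
 }
 // Grant Route 53 permissions to write to the log group
-this.logGroup.grantWrite(new
+this.logGroup.grantWrite(new awsIam.ServicePrincipal(SERVICE.ROUTE53));
 // Add destination based on configuration
 if (destination !== false) {
 const lambdaDestination = destination === true
@@ -3445,21 +3444,21 @@ class JaypieOrganizationTrail extends constructs.Construct {
 ],
 });
 // Add CloudTrail bucket policies
-this.bucket.addToResourcePolicy(new
+this.bucket.addToResourcePolicy(new awsIam.PolicyStatement({
 actions: ["s3:GetBucketAcl"],
-effect:
-principals: [new
+effect: awsIam.Effect.ALLOW,
+principals: [new awsIam.ServicePrincipal("cloudtrail.amazonaws.com")],
 resources: [this.bucket.bucketArn],
 }));
-this.bucket.addToResourcePolicy(new
+this.bucket.addToResourcePolicy(new awsIam.PolicyStatement({
 actions: ["s3:PutObject"],
 conditions: {
 StringEquals: {
 "s3:x-amz-acl": "bucket-owner-full-control",
 },
 },
-effect:
-principals: [new
+effect: awsIam.Effect.ALLOW,
+principals: [new awsIam.ServicePrincipal("cloudtrail.amazonaws.com")],
 resources: [`${this.bucket.bucketArn}/*`],
 }));
 // Add tags to bucket
@@ -3552,9 +3551,9 @@ class JaypieSsoPermissions extends constructs.Construct {
 ],
 },
 managedPolicies: [
-
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
 .managedPolicyArn,
-
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
 ],
 sessionDuration: cdk.Duration.hours(1).toIsoString(),
 tags: [
@@ -3633,10 +3632,10 @@ class JaypieSsoPermissions extends constructs.Construct {
 ],
 },
 managedPolicies: [
-
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
 .managedPolicyArn,
-
-
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
 .managedPolicyArn,
 ],
 sessionDuration: cdk.Duration.hours(12).toIsoString(),
@@ -3668,6 +3667,7 @@ class JaypieSsoPermissions extends constructs.Construct {
 "cloudformation:*",
 "cloudwatch:*",
 "cost-optimization-hub:*",
+"dynamodb:*",
 "ec2:*",
 "iam:Get*",
 "iam:List*",
@@ -3691,12 +3691,12 @@ class JaypieSsoPermissions extends constructs.Construct {
 ],
 },
 managedPolicies: [
-
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
 .managedPolicyArn,
-
-
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
 .managedPolicyArn,
-
+awsIam.ManagedPolicy.fromAwsManagedPolicyName("job-function/SystemAdministrator").managedPolicyArn,
 ],
 sessionDuration: cdk.Duration.hours(4).toIsoString(),
 tags: [
@@ -3909,8 +3909,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
 repo = `repo:${process.env.CDK_ENV_REPO}:*`;
 }
 if (repo) {
-const bucketDeployRole = new
-assumedBy: new
+const bucketDeployRole = new awsIam.Role(this, "DestinationBucketDeployRole", {
+assumedBy: new awsIam.FederatedPrincipal(cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
 StringLike: {
 "token.actions.githubusercontent.com:sub": repo,
 },
@@ -3919,8 +3919,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
 });
 cdk.Tags.of(bucketDeployRole).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
 // Allow the role to write to the bucket
-bucketDeployRole.addToPolicy(new
-effect:
+bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
+effect: awsIam.Effect.ALLOW,
 actions: [
 "s3:DeleteObject",
 "s3:GetObject",
@@ -3929,16 +3929,16 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
 ],
 resources: [`${this.bucket.bucketArn}/*`],
 }));
-bucketDeployRole.addToPolicy(new
-effect:
+bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
+effect: awsIam.Effect.ALLOW,
 actions: ["s3:ListBucket"],
 resources: [this.bucket.bucketArn],
 }));
 // Allow the role to describe the current stack
 const stack = cdk.Stack.of(this);
-bucketDeployRole.addToPolicy(new
+bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
 actions: ["cloudformation:DescribeStacks"],
-effect:
+effect: awsIam.Effect.ALLOW,
 resources: [
 `arn:aws:cloudformation:${stack.region}:${stack.account}:stack/${stack.stackName}/*`,
 ],
@@ -4339,21 +4339,12 @@ class JaypieWebSocket extends constructs.Construct {
 //
 /**
 * Grant a Lambda function permission to manage WebSocket connections
-* (post to connections, delete connections).
+* (post messages to connections, get connection info, delete connections).
 */
 grantManageConnections(grantee) {
-
-
-
-resourceArns: [
-cdk.Stack.of(this).formatArn({
-arnFormat: cdk.ArnFormat.SLASH_RESOURCE_SLASH_RESOURCE_NAME,
-resource: this._api.apiId,
-resourceName: `${this._stage.stageName}/POST/@connections/*`,
-service: "execute-api",
-}),
-],
-});
+// Use the CDK's built-in grantManageConnections which properly grants
+// permissions for all @connections methods (POST, GET, DELETE) across all stages
+return this._api.grantManageConnections(grantee);
 }
 }
 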
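Review bot: The new `grantManageConnections` body (new line 4347) widens the Lambda's `execute-api:ManageConnections` grant from one stage to every stage of the API — the new comment at 4345–4346 says so explicitly — which is broader than this construct needs, since the removed code scoped the ARN to `this._stage.stageName` and that stage object is still held by the construct. Replacing the over-narrow `POST/@connections/*` resource is the right fix, because the hunk's own comment notes GET and DELETE on `@connections` need the same action, but the least-privilege form keeps the stage and wildcards only the method: `return this._stage.grantManagementApiAccess(grantee);` (assuming the aws-cdk-lib version in use exposes `WebSocketStage.grantManagementApiAccess`; if not, keep the hand-built ARN with `*` in the method position rather than the stage position). Separately, the `"dynamodb:*"` added at new line 3670 to the `JaypieSsoPermissions` inline policy grants every DynamoDB action, including table deletion and data-plane reads and writes, alongside `ec2:*` and `cloudformation:*`; a comment stating why full DynamoDB access belongs in that permission set, or a narrower action list, would help the next reviewer. The enclosing `JaypieWebSocket` and `JaypieSsoPermissions` classes start outside their hunks.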
|