@jaypie/constructs 1.2.53 → 1.2.54
- package/dist/cjs/index.cjs +66 -45
- package/dist/cjs/index.cjs.map +1 -1
- package/dist/esm/index.js +21 -0
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
package/dist/cjs/index.cjs
CHANGED
|
@@ -9,7 +9,7 @@ var route53Targets = require('aws-cdk-lib/aws-route53-targets');
|
|
|
9
9
|
var secretsmanager = require('aws-cdk-lib/aws-secretsmanager');
|
|
10
10
|
var datadogCdkConstructsV2 = require('datadog-cdk-constructs-v2');
|
|
11
11
|
var errors = require('@jaypie/errors');
|
|
12
|
-
var
|
|
12
|
+
var iam = require('aws-cdk-lib/aws-iam');
|
|
13
13
|
var acm = require('aws-cdk-lib/aws-certificatemanager');
|
|
14
14
|
var logs = require('aws-cdk-lib/aws-logs');
|
|
15
15
|
var lambda = require('aws-cdk-lib/aws-lambda');
|
|
@@ -56,6 +56,7 @@ var apiGateway__namespace = /*#__PURE__*/_interopNamespaceDefault(apiGateway);
|
|
|
56
56
|
var route53__namespace = /*#__PURE__*/_interopNamespaceDefault(route53);
|
|
57
57
|
var route53Targets__namespace = /*#__PURE__*/_interopNamespaceDefault(route53Targets);
|
|
58
58
|
var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsmanager);
|
|
59
|
+
var iam__namespace = /*#__PURE__*/_interopNamespaceDefault(iam);
|
|
59
60
|
var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
|
|
60
61
|
var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
|
|
61
62
|
var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
|
|
@@ -476,22 +477,22 @@ function extendDatadogRole(scope, options) {
|
|
|
476
477
|
}
|
|
477
478
|
const { id = "DatadogCustomPolicy", project, service = CDK$2.SERVICE.DATADOG, } = options || {};
|
|
478
479
|
// Lookup the Datadog role
|
|
479
|
-
const datadogRole =
|
|
480
|
+
const datadogRole = iam.Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
|
|
480
481
|
// Build policy statements
|
|
481
482
|
const statements = [
|
|
482
483
|
// Allow view budget
|
|
483
|
-
new
|
|
484
|
+
new iam.PolicyStatement({
|
|
484
485
|
actions: ["budgets:ViewBudget"],
|
|
485
486
|
resources: ["*"],
|
|
486
487
|
}),
|
|
487
488
|
// Allow describe log groups
|
|
488
|
-
new
|
|
489
|
+
new iam.PolicyStatement({
|
|
489
490
|
actions: ["logs:DescribeLogGroups"],
|
|
490
491
|
resources: ["*"],
|
|
491
492
|
}),
|
|
492
493
|
];
|
|
493
494
|
// Create the custom policy
|
|
494
|
-
const datadogCustomPolicy = new
|
|
495
|
+
const datadogCustomPolicy = new iam.Policy(scope, id, {
|
|
495
496
|
roles: [datadogRole],
|
|
496
497
|
statements,
|
|
497
498
|
});
|
|
@@ -2327,22 +2328,22 @@ class JaypieDatadogBucket extends constructs.Construct {
|
|
|
2327
2328
|
}
|
|
2328
2329
|
const { project, service = CDK$2.SERVICE.DATADOG } = options || {};
|
|
2329
2330
|
// Lookup the Datadog role
|
|
2330
|
-
const datadogRole =
|
|
2331
|
+
const datadogRole = iam.Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
|
|
2331
2332
|
// Build policy statements for bucket access
|
|
2332
2333
|
const statements = [
|
|
2333
2334
|
// Allow list bucket
|
|
2334
|
-
new
|
|
2335
|
+
new iam.PolicyStatement({
|
|
2335
2336
|
actions: ["s3:ListBucket"],
|
|
2336
2337
|
resources: [this.bucket.bucketArn],
|
|
2337
2338
|
}),
|
|
2338
2339
|
// Allow read and write to the bucket
|
|
2339
|
-
new
|
|
2340
|
+
new iam.PolicyStatement({
|
|
2340
2341
|
actions: ["s3:GetObject", "s3:PutObject"],
|
|
2341
2342
|
resources: [`${this.bucket.bucketArn}/*`],
|
|
2342
2343
|
}),
|
|
2343
2344
|
];
|
|
2344
2345
|
// Create the custom policy
|
|
2345
|
-
const datadogBucketPolicy = new
|
|
2346
|
+
const datadogBucketPolicy = new iam.Policy(this, "DatadogBucketPolicy", {
|
|
2346
2347
|
roles: [datadogRole],
|
|
2347
2348
|
statements,
|
|
2348
2349
|
});
|
|
@@ -3348,8 +3349,8 @@ class JaypieGitHubDeployRole extends constructs.Construct {
|
|
|
3348
3349
|
}
|
|
3349
3350
|
const sponsor = propsSponsor || process.env.PROJECT_SPONSOR || envRepoOrganization;
|
|
3350
3351
|
// Create the IAM role
|
|
3351
|
-
this._role = new
|
|
3352
|
-
assumedBy: new
|
|
3352
|
+
this._role = new iam.Role(this, "GitHubActionsRole", {
|
|
3353
|
+
assumedBy: new iam.FederatedPrincipal(oidcProviderArn, {
|
|
3353
3354
|
StringLike: {
|
|
3354
3355
|
"token.actions.githubusercontent.com:sub": repoRestriction,
|
|
3355
3356
|
},
|
|
@@ -3359,12 +3360,12 @@ class JaypieGitHubDeployRole extends constructs.Construct {
|
|
|
3359
3360
|
});
|
|
3360
3361
|
cdk.Tags.of(this._role).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
|
|
3361
3362
|
// Allow the role to access the GitHub OIDC provider
|
|
3362
|
-
this._role.addToPolicy(new
|
|
3363
|
+
this._role.addToPolicy(new iam.PolicyStatement({
|
|
3363
3364
|
actions: ["sts:AssumeRoleWithWebIdentity"],
|
|
3364
3365
|
resources: [`arn:aws:iam::${accountId}:oidc-provider/*`],
|
|
3365
3366
|
}));
|
|
3366
3367
|
// Allow the role to deploy CDK apps
|
|
3367
|
-
this._role.addToPolicy(new
|
|
3368
|
+
this._role.addToPolicy(new iam.PolicyStatement({
|
|
3368
3369
|
actions: [
|
|
3369
3370
|
"cloudformation:CreateStack",
|
|
3370
3371
|
"cloudformation:DeleteStack",
|
|
@@ -3381,12 +3382,12 @@ class JaypieGitHubDeployRole extends constructs.Construct {
|
|
|
3381
3382
|
"ssm:GetParameter",
|
|
3382
3383
|
"ssm:GetParameters",
|
|
3383
3384
|
],
|
|
3384
|
-
effect:
|
|
3385
|
+
effect: iam.Effect.ALLOW,
|
|
3385
3386
|
resources: ["*"],
|
|
3386
3387
|
}));
|
|
3387
|
-
this._role.addToPolicy(new
|
|
3388
|
+
this._role.addToPolicy(new iam.PolicyStatement({
|
|
3388
3389
|
actions: ["iam:PassRole", "sts:AssumeRole"],
|
|
3389
|
-
effect:
|
|
3390
|
+
effect: iam.Effect.ALLOW,
|
|
3390
3391
|
resources: [
|
|
3391
3392
|
"arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
|
|
3392
3393
|
"arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
|
|
@@ -3399,14 +3400,14 @@ class JaypieGitHubDeployRole extends constructs.Construct {
|
|
|
3399
3400
|
if (!sponsor) {
|
|
3400
3401
|
throw new errors.ConfigurationError("Cannot grant default ECR permissions without a sponsor. Set sponsor prop, PROJECT_SPONSOR, CDK_ENV_REPO, or PROJECT_REPO, or pass `ecr: false`");
|
|
3401
3402
|
}
|
|
3402
|
-
this._role.addToPolicy(new
|
|
3403
|
+
this._role.addToPolicy(new iam.PolicyStatement({
|
|
3403
3404
|
actions: ["ecr:GetAuthorizationToken"],
|
|
3404
|
-
effect:
|
|
3405
|
+
effect: iam.Effect.ALLOW,
|
|
3405
3406
|
resources: ["*"],
|
|
3406
3407
|
}));
|
|
3407
|
-
this._role.addToPolicy(new
|
|
3408
|
+
this._role.addToPolicy(new iam.PolicyStatement({
|
|
3408
3409
|
actions: ECR_PUSH_ACTIONS,
|
|
3409
|
-
effect:
|
|
3410
|
+
effect: iam.Effect.ALLOW,
|
|
3410
3411
|
resources: [`arn:aws:ecr:*:${accountId}:repository/${sponsor}-*`],
|
|
3411
3412
|
}));
|
|
3412
3413
|
}
|
|
@@ -3560,6 +3561,14 @@ class JaypieInfrastructureStack extends JaypieStack {
|
|
|
3560
3561
|
}
|
|
3561
3562
|
}
|
|
3562
3563
|
|
|
3564
|
+
const DYNAMODB_CONTROL_PLANE_ACTIONS = [
|
|
3565
|
+
"dynamodb:DescribeContinuousBackups",
|
|
3566
|
+
"dynamodb:DescribeTable",
|
|
3567
|
+
"dynamodb:DescribeTimeToLive",
|
|
3568
|
+
"dynamodb:UpdateContinuousBackups",
|
|
3569
|
+
"dynamodb:UpdateTable",
|
|
3570
|
+
"dynamodb:UpdateTimeToLive",
|
|
3571
|
+
];
|
|
3563
3572
|
class JaypieMigration extends constructs.Construct {
|
|
3564
3573
|
constructor(scope, id, props) {
|
|
3565
3574
|
super(scope, id);
|
|
@@ -3575,6 +3584,18 @@ class JaypieMigration extends constructs.Construct {
|
|
|
3575
3584
|
tables,
|
|
3576
3585
|
timeout: cdk__namespace.Duration.minutes(5),
|
|
3577
3586
|
});
|
|
3587
|
+
// Grant control-plane perms on the passed tables so migrations that
|
|
3588
|
+
// alter table shape (GSIs, TTL, streams, backups) succeed. JaypieLambda
|
|
3589
|
+
// only grants data-plane access via grantReadWriteData. Issue #339.
|
|
3590
|
+
if (tables.length > 0) {
|
|
3591
|
+
this.lambda.addToRolePolicy(new iam__namespace.PolicyStatement({
|
|
3592
|
+
actions: DYNAMODB_CONTROL_PLANE_ACTIONS,
|
|
3593
|
+
resources: tables.flatMap((table) => [
|
|
3594
|
+
table.tableArn,
|
|
3595
|
+
`${table.tableArn}/index/*`,
|
|
3596
|
+
]),
|
|
3597
|
+
}));
|
|
3598
|
+
}
|
|
3578
3599
|
// Custom Resource provider wrapping the Lambda
|
|
3579
3600
|
const provider = new cr__namespace.Provider(this, "MigrationProvider", {
|
|
3580
3601
|
onEventHandler: this.lambda,
|
|
@@ -3837,21 +3858,21 @@ class JaypieOrganizationTrail extends constructs.Construct {
|
|
|
3837
3858
|
],
|
|
3838
3859
|
});
|
|
3839
3860
|
// Add CloudTrail bucket policies
|
|
3840
|
-
this.bucket.addToResourcePolicy(new
|
|
3861
|
+
this.bucket.addToResourcePolicy(new iam.PolicyStatement({
|
|
3841
3862
|
actions: ["s3:GetBucketAcl"],
|
|
3842
|
-
effect:
|
|
3843
|
-
principals: [new
|
|
3863
|
+
effect: iam.Effect.ALLOW,
|
|
3864
|
+
principals: [new iam.ServicePrincipal("cloudtrail.amazonaws.com")],
|
|
3844
3865
|
resources: [this.bucket.bucketArn],
|
|
3845
3866
|
}));
|
|
3846
|
-
this.bucket.addToResourcePolicy(new
|
|
3867
|
+
this.bucket.addToResourcePolicy(new iam.PolicyStatement({
|
|
3847
3868
|
actions: ["s3:PutObject"],
|
|
3848
3869
|
conditions: {
|
|
3849
3870
|
StringEquals: {
|
|
3850
3871
|
"s3:x-amz-acl": "bucket-owner-full-control",
|
|
3851
3872
|
},
|
|
3852
3873
|
},
|
|
3853
|
-
effect:
|
|
3854
|
-
principals: [new
|
|
3874
|
+
effect: iam.Effect.ALLOW,
|
|
3875
|
+
principals: [new iam.ServicePrincipal("cloudtrail.amazonaws.com")],
|
|
3855
3876
|
resources: [`${this.bucket.bucketArn}/*`],
|
|
3856
3877
|
}));
|
|
3857
3878
|
// Add tags to bucket
|
|
@@ -3966,9 +3987,9 @@ class JaypieSsoPermissions extends constructs.Construct {
|
|
|
3966
3987
|
],
|
|
3967
3988
|
},
|
|
3968
3989
|
managedPolicies: [
|
|
3969
|
-
|
|
3990
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
|
|
3970
3991
|
.managedPolicyArn,
|
|
3971
|
-
|
|
3992
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
|
|
3972
3993
|
],
|
|
3973
3994
|
sessionDuration: cdk.Duration.hours(1).toIsoString(),
|
|
3974
3995
|
tags: [
|
|
@@ -4047,10 +4068,10 @@ class JaypieSsoPermissions extends constructs.Construct {
|
|
|
4047
4068
|
],
|
|
4048
4069
|
},
|
|
4049
4070
|
managedPolicies: [
|
|
4050
|
-
|
|
4071
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
|
|
4051
4072
|
.managedPolicyArn,
|
|
4052
|
-
|
|
4053
|
-
|
|
4073
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
|
|
4074
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
|
|
4054
4075
|
.managedPolicyArn,
|
|
4055
4076
|
],
|
|
4056
4077
|
sessionDuration: cdk.Duration.hours(12).toIsoString(),
|
|
@@ -4109,12 +4130,12 @@ class JaypieSsoPermissions extends constructs.Construct {
|
|
|
4109
4130
|
],
|
|
4110
4131
|
},
|
|
4111
4132
|
managedPolicies: [
|
|
4112
|
-
|
|
4133
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
|
|
4113
4134
|
.managedPolicyArn,
|
|
4114
|
-
|
|
4115
|
-
|
|
4135
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
|
|
4136
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
|
|
4116
4137
|
.managedPolicyArn,
|
|
4117
|
-
|
|
4138
|
+
iam.ManagedPolicy.fromAwsManagedPolicyName("job-function/SystemAdministrator").managedPolicyArn,
|
|
4118
4139
|
],
|
|
4119
4140
|
sessionDuration: cdk.Duration.hours(4).toIsoString(),
|
|
4120
4141
|
tags: [
|
|
@@ -4345,8 +4366,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
|
|
|
4345
4366
|
}
|
|
4346
4367
|
let bucketDeployRole;
|
|
4347
4368
|
if (repo) {
|
|
4348
|
-
bucketDeployRole = new
|
|
4349
|
-
assumedBy: new
|
|
4369
|
+
bucketDeployRole = new iam.Role(this, "DestinationBucketDeployRole", {
|
|
4370
|
+
assumedBy: new iam.FederatedPrincipal(cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
|
|
4350
4371
|
StringLike: {
|
|
4351
4372
|
"token.actions.githubusercontent.com:sub": repo,
|
|
4352
4373
|
},
|
|
@@ -4355,8 +4376,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
|
|
|
4355
4376
|
});
|
|
4356
4377
|
cdk.Tags.of(bucketDeployRole).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
|
|
4357
4378
|
// Allow the role to write to the bucket
|
|
4358
|
-
bucketDeployRole.addToPolicy(new
|
|
4359
|
-
effect:
|
|
4379
|
+
bucketDeployRole.addToPolicy(new iam.PolicyStatement({
|
|
4380
|
+
effect: iam.Effect.ALLOW,
|
|
4360
4381
|
actions: [
|
|
4361
4382
|
"s3:DeleteObject",
|
|
4362
4383
|
"s3:GetObject",
|
|
@@ -4365,16 +4386,16 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
|
|
|
4365
4386
|
],
|
|
4366
4387
|
resources: [`${this.bucket.bucketArn}/*`],
|
|
4367
4388
|
}));
|
|
4368
|
-
bucketDeployRole.addToPolicy(new
|
|
4369
|
-
effect:
|
|
4389
|
+
bucketDeployRole.addToPolicy(new iam.PolicyStatement({
|
|
4390
|
+
effect: iam.Effect.ALLOW,
|
|
4370
4391
|
actions: ["s3:ListBucket"],
|
|
4371
4392
|
resources: [this.bucket.bucketArn],
|
|
4372
4393
|
}));
|
|
4373
4394
|
// Allow the role to describe the current stack
|
|
4374
4395
|
const stack = cdk.Stack.of(this);
|
|
4375
|
-
bucketDeployRole.addToPolicy(new
|
|
4396
|
+
bucketDeployRole.addToPolicy(new iam.PolicyStatement({
|
|
4376
4397
|
actions: ["cloudformation:DescribeStacks"],
|
|
4377
|
-
effect:
|
|
4398
|
+
effect: iam.Effect.ALLOW,
|
|
4378
4399
|
resources: [
|
|
4379
4400
|
`arn:aws:cloudformation:${stack.region}:${stack.account}:stack/${stack.stackName}/*`,
|
|
4380
4401
|
],
|
|
@@ -4561,8 +4582,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
|
|
|
4561
4582
|
});
|
|
4562
4583
|
// Add CloudFront invalidation permission to deploy role if it exists
|
|
4563
4584
|
if (bucketDeployRole) {
|
|
4564
|
-
bucketDeployRole.addToPolicy(new
|
|
4565
|
-
effect:
|
|
4585
|
+
bucketDeployRole.addToPolicy(new iam.PolicyStatement({
|
|
4586
|
+
effect: iam.Effect.ALLOW,
|
|
4566
4587
|
actions: ["cloudfront:CreateInvalidation"],
|
|
4567
4588
|
resources: [
|
|
4568
4589
|
`arn:aws:cloudfront::${cdk.Stack.of(this).account}:distribution/${this.distribution.distributionId}`,
|