npm - @jaypie/constructs - Versions diffs - 1.2.53 → 1.2.55 - Mend

@jaypie/constructs 1.2.53 → 1.2.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/cjs/JaypieDistribution.d.ts +31 -0
package/dist/cjs/JaypieMigration.d.ts +3 -0
package/dist/cjs/index.cjs +170 -53
package/dist/cjs/index.cjs.map +1 -1
package/dist/esm/JaypieDistribution.d.ts +31 -0
package/dist/esm/JaypieMigration.d.ts +3 -0
package/dist/esm/index.js +125 -8
package/dist/esm/index.js.map +1 -1
package/package.json +1 -1

package/dist/cjs/JaypieDistribution.d.ts CHANGED Viewed

@@ -8,6 +8,17 @@ import { LambdaDestination } from "aws-cdk-lib/aws-s3-notifications";
 import * as wafv2 from "aws-cdk-lib/aws-wafv2";
 import { Construct } from "constructs";
 import { HostConfig } from "./helpers";
+/**
+ * One entry in a `waf.allow` list. Names one or more URL paths and, for each
+ * managed rule group key, the sub-rule names to flip from `block` to `count`
+ * on that path set. See JaypieWafConfig.allow.
+ */
+export interface JaypieWafAllowEntry {
+    /** URL path or paths. Trailing `*` → STARTS_WITH; otherwise EXACTLY. */
+    path: string | string[];
+    /** Managed-rule-group keys (e.g. AWSManagedRulesCommonRuleSet) → sub-rule names. */
+    [ruleGroupKey: string]: string | string[] | undefined;
+}
 export interface JaypieWafConfig {
     /**
      * Unique name for this distribution's WAF resources. Required when passing a
@@ -76,6 +87,26 @@ export interface JaypieWafConfig {
      * @default 2000
      */
     rateLimitPerIp?: number;
+    /**
+     * Path-scoped relaxations layered on top of the default managed-rule groups.
+     * Each entry names one or more URL paths and, for each managed rule group
+     * key, the sub-rule names to flip from `block` to `count` on that path set.
+     * Strict default action is preserved on every other path.
+     *
+     * Composes with `managedRuleOverrides`: the baseline override list applies
+     * to both the relaxed and strict emissions of a group; entries in `allow`
+     * additionally relax specific (path × sub-rule) intersections.
+     *
+     * @example
+     * allow: [
+     *   {
+     *     path: "/hooks/*",
+     *     AWSManagedRulesCommonRuleSet: ["ExploitablePaths_URIPATH"],
+     *     AWSManagedRulesKnownBadInputsRuleSet: ["CrossSiteScripting_BODY"],
+     *   },
+     * ]
+     */
+    allow?: JaypieWafAllowEntry | JaypieWafAllowEntry[];
     /**
      * Use an existing WebACL ARN instead of creating one
      */

package/dist/cjs/JaypieMigration.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { Construct } from "constructs";
+import * as cdk from "aws-cdk-lib";
 import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
 import * as lambda from "aws-cdk-lib/aws-lambda";
 import { JaypieLambda } from "./JaypieLambda";
@@ -16,6 +17,8 @@ export interface JaypieMigrationProps {
     secrets?: SecretsArrayItem[];
     /** DynamoDB tables to grant read/write access */
     tables?: dynamodb.ITable[];
+    /** Lambda timeout. Defaults to 15 minutes (Lambda max). */
+    timeout?: cdk.Duration;
 }
 export declare class JaypieMigration extends Construct {
     readonly lambda: JaypieLambda;

package/dist/cjs/index.cjs CHANGED Viewed

@@ -9,7 +9,7 @@ var route53Targets = require('aws-cdk-lib/aws-route53-targets');
 var secretsmanager = require('aws-cdk-lib/aws-secretsmanager');
 var datadogCdkConstructsV2 = require('datadog-cdk-constructs-v2');
 var errors = require('@jaypie/errors');
-var awsIam = require('aws-cdk-lib/aws-iam');
+var iam = require('aws-cdk-lib/aws-iam');
 var acm = require('aws-cdk-lib/aws-certificatemanager');
 var logs = require('aws-cdk-lib/aws-logs');
 var lambda = require('aws-cdk-lib/aws-lambda');
@@ -56,6 +56,7 @@ var apiGateway__namespace = /*#__PURE__*/_interopNamespaceDefault(apiGateway);
 var route53__namespace = /*#__PURE__*/_interopNamespaceDefault(route53);
 var route53Targets__namespace = /*#__PURE__*/_interopNamespaceDefault(route53Targets);
 var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsmanager);
+var iam__namespace = /*#__PURE__*/_interopNamespaceDefault(iam);
 var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
 var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
 var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
@@ -476,22 +477,22 @@ function extendDatadogRole(scope, options) {
     }
     const { id = "DatadogCustomPolicy", project, service = CDK$2.SERVICE.DATADOG, } = options || {};
     // Lookup the Datadog role
-    const datadogRole = awsIam.Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
+    const datadogRole = iam.Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
     // Build policy statements
     const statements = [
         // Allow view budget
-        new awsIam.PolicyStatement({
+        new iam.PolicyStatement({
             actions: ["budgets:ViewBudget"],
             resources: ["*"],
         }),
         // Allow describe log groups
-        new awsIam.PolicyStatement({
+        new iam.PolicyStatement({
             actions: ["logs:DescribeLogGroups"],
             resources: ["*"],
         }),
     ];
     // Create the custom policy
-    const datadogCustomPolicy = new awsIam.Policy(scope, id, {
+    const datadogCustomPolicy = new iam.Policy(scope, id, {
         roles: [datadogRole],
         statements,
     });
@@ -2327,22 +2328,22 @@ class JaypieDatadogBucket extends constructs.Construct {
         }
         const { project, service = CDK$2.SERVICE.DATADOG } = options || {};
         // Lookup the Datadog role
-        const datadogRole = awsIam.Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
+        const datadogRole = iam.Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
         // Build policy statements for bucket access
         const statements = [
             // Allow list bucket
-            new awsIam.PolicyStatement({
+            new iam.PolicyStatement({
                 actions: ["s3:ListBucket"],
                 resources: [this.bucket.bucketArn],
             }),
             // Allow read and write to the bucket
-            new awsIam.PolicyStatement({
+            new iam.PolicyStatement({
                 actions: ["s3:GetObject", "s3:PutObject"],
                 resources: [`${this.bucket.bucketArn}/*`],
             }),
         ];
         // Create the custom policy
-        const datadogBucketPolicy = new awsIam.Policy(this, "DatadogBucketPolicy", {
+        const datadogBucketPolicy = new iam.Policy(this, "DatadogBucketPolicy", {
             roles: [datadogRole],
             statements,
         });
@@ -2716,13 +2717,110 @@ class JaypieDistribution extends constructs.Construct {
             }
             else {
                 // Create new WebACL
-                const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES$1, rateLimitPerIp = DEFAULT_RATE_LIMIT$1, } = wafConfig;
+                const { allow, managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES$1, rateLimitPerIp = DEFAULT_RATE_LIMIT$1, } = wafConfig;
+                const allowEntries = allow
+                    ? Array.isArray(allow)
+                        ? allow
+                        : [allow]
+                    : [];
+                const groupAllowances = {};
+                for (const entry of allowEntries) {
+                    const paths = Array.isArray(entry.path) ? entry.path : [entry.path];
+                    for (const key of Object.keys(entry)) {
+                        if (key === "path")
+                            continue;
+                        const raw = entry[key];
+                        if (raw == null)
+                            continue;
+                        const ruleNames = Array.isArray(raw) ? raw : [raw];
+                        if (!groupAllowances[key])
+                            groupAllowances[key] = [];
+                        groupAllowances[key].push({ paths, ruleNames });
+                    }
+                }
+                const pathToStatement = (path) => {
+                    const isPrefix = path.endsWith("*");
+                    return {
+                        byteMatchStatement: {
+                            fieldToMatch: { uriPath: {} },
+                            positionalConstraint: isPrefix ? "STARTS_WITH" : "EXACTLY",
+                            searchString: isPrefix ? path.slice(0, -1) : path,
+                            textTransformations: [{ priority: 0, type: "NONE" }],
+                        },
+                    };
+                };
+                const pathsToStatement = (paths) => {
+                    if (paths.length === 1)
+                        return pathToStatement(paths[0]);
+                    return {
+                        orStatement: { statements: paths.map(pathToStatement) },
+                    };
+                };
+                const andScopeDown = (base, extra) => base ? { andStatement: { statements: [base, extra] } } : extra;
                 let priority = 0;
                 const rules = [];
                 // Add managed rule groups
                 for (const ruleName of managedRules) {
-                    const ruleActionOverrides = managedRuleOverrides?.[ruleName];
-                    const scopeDownStatement = managedRuleScopeDowns?.[ruleName];
+                    const baseOverrides = managedRuleOverrides?.[ruleName];
+                    const baseScopeDown = managedRuleScopeDowns?.[ruleName];
+                    const allowances = groupAllowances[ruleName];
+                    if (!allowances || allowances.length === 0) {
+                        rules.push({
+                            name: ruleName,
+                            priority: priority++,
+                            overrideAction: { none: {} },
+                            statement: {
+                                managedRuleGroupStatement: {
+                                    name: ruleName,
+                                    vendorName: "AWS",
+                                    ...(baseOverrides && { ruleActionOverrides: baseOverrides }),
+                                    ...(baseScopeDown && { scopeDownStatement: baseScopeDown }),
+                                },
+                            },
+                            visibilityConfig: {
+                                cloudWatchMetricsEnabled: true,
+                                metricName: ruleName,
+                                sampledRequestsEnabled: true,
+                            },
+                        });
+                        continue;
+                    }
+                    // Emit one relaxed rule per allow entry that names this group
+                    allowances.forEach(({ paths, ruleNames }, index) => {
+                        const entryOverrides = ruleNames.map((n) => ({
+                            name: n,
+                            actionToUse: { count: {} },
+                        }));
+                        const combinedOverrides = [
+                            ...(baseOverrides ?? []),
+                            ...entryOverrides,
+                        ];
+                        const relaxedScopeDown = andScopeDown(baseScopeDown, pathsToStatement(paths));
+                        const relaxedName = `${ruleName}-allow-${index}`;
+                        rules.push({
+                            name: relaxedName,
+                            priority: priority++,
+                            overrideAction: { none: {} },
+                            statement: {
+                                managedRuleGroupStatement: {
+                                    name: ruleName,
+                                    vendorName: "AWS",
+                                    ruleActionOverrides: combinedOverrides,
+                                    scopeDownStatement: relaxedScopeDown,
+                                },
+                            },
+                            visibilityConfig: {
+                                cloudWatchMetricsEnabled: true,
+                                metricName: relaxedName,
+                                sampledRequestsEnabled: true,
+                            },
+                        });
+                    });
+                    // Emit one strict rule whose scope-down excludes every relaxed path
+                    const allPaths = allowances.flatMap((a) => a.paths);
+                    const strictScopeDown = andScopeDown(baseScopeDown, {
+                        notStatement: { statement: pathsToStatement(allPaths) },
+                    });
                     rules.push({
                         name: ruleName,
                         priority: priority++,
@@ -2731,8 +2829,8 @@ class JaypieDistribution extends constructs.Construct {
                             managedRuleGroupStatement: {
                                 name: ruleName,
                                 vendorName: "AWS",
-                                ...(ruleActionOverrides && { ruleActionOverrides }),
-                                ...(scopeDownStatement && { scopeDownStatement }),
+                                ...(baseOverrides && { ruleActionOverrides: baseOverrides }),
+                                scopeDownStatement: strictScopeDown,
                             },
                         },
                         visibilityConfig: {
@@ -3348,8 +3446,8 @@ class JaypieGitHubDeployRole extends constructs.Construct {
         }
         const sponsor = propsSponsor || process.env.PROJECT_SPONSOR || envRepoOrganization;
         // Create the IAM role
-        this._role = new awsIam.Role(this, "GitHubActionsRole", {
-            assumedBy: new awsIam.FederatedPrincipal(oidcProviderArn, {
+        this._role = new iam.Role(this, "GitHubActionsRole", {
+            assumedBy: new iam.FederatedPrincipal(oidcProviderArn, {
                 StringLike: {
                     "token.actions.githubusercontent.com:sub": repoRestriction,
                 },
@@ -3359,12 +3457,12 @@ class JaypieGitHubDeployRole extends constructs.Construct {
         });
         cdk.Tags.of(this._role).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
         // Allow the role to access the GitHub OIDC provider
-        this._role.addToPolicy(new awsIam.PolicyStatement({
+        this._role.addToPolicy(new iam.PolicyStatement({
             actions: ["sts:AssumeRoleWithWebIdentity"],
             resources: [`arn:aws:iam::${accountId}:oidc-provider/*`],
         }));
         // Allow the role to deploy CDK apps
-        this._role.addToPolicy(new awsIam.PolicyStatement({
+        this._role.addToPolicy(new iam.PolicyStatement({
             actions: [
                 "cloudformation:CreateStack",
                 "cloudformation:DeleteStack",
@@ -3381,12 +3479,12 @@ class JaypieGitHubDeployRole extends constructs.Construct {
                 "ssm:GetParameter",
                 "ssm:GetParameters",
             ],
-            effect: awsIam.Effect.ALLOW,
+            effect: iam.Effect.ALLOW,
             resources: ["*"],
         }));
-        this._role.addToPolicy(new awsIam.PolicyStatement({
+        this._role.addToPolicy(new iam.PolicyStatement({
             actions: ["iam:PassRole", "sts:AssumeRole"],
-            effect: awsIam.Effect.ALLOW,
+            effect: iam.Effect.ALLOW,
             resources: [
                 "arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
                 "arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
@@ -3399,14 +3497,14 @@ class JaypieGitHubDeployRole extends constructs.Construct {
             if (!sponsor) {
                 throw new errors.ConfigurationError("Cannot grant default ECR permissions without a sponsor. Set sponsor prop, PROJECT_SPONSOR, CDK_ENV_REPO, or PROJECT_REPO, or pass `ecr: false`");
             }
-            this._role.addToPolicy(new awsIam.PolicyStatement({
+            this._role.addToPolicy(new iam.PolicyStatement({
                 actions: ["ecr:GetAuthorizationToken"],
-                effect: awsIam.Effect.ALLOW,
+                effect: iam.Effect.ALLOW,
                 resources: ["*"],
             }));
-            this._role.addToPolicy(new awsIam.PolicyStatement({
+            this._role.addToPolicy(new iam.PolicyStatement({
                 actions: ECR_PUSH_ACTIONS,
-                effect: awsIam.Effect.ALLOW,
+                effect: iam.Effect.ALLOW,
                 resources: [`arn:aws:ecr:*:${accountId}:repository/${sponsor}-*`],
             }));
         }
@@ -3560,11 +3658,18 @@ class JaypieInfrastructureStack extends JaypieStack {
     }
 }
+const DYNAMODB_CONTROL_PLANE_ACTIONS = [
+    "dynamodb:DescribeContinuousBackups",
+    "dynamodb:DescribeTable",
+    "dynamodb:DescribeTimeToLive",
+    "dynamodb:UpdateContinuousBackups",
+    "dynamodb:UpdateTable",
+    "dynamodb:UpdateTimeToLive",
+];
 class JaypieMigration extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { code, dependencies = [], environment, handler = "index.handler", secrets = [], tables = [], } = props;
-        // Migration Lambda — 5 minute timeout for long-running migrations
+        const { code, dependencies = [], environment, handler = "index.handler", secrets = [], tables = [], timeout = cdk__namespace.Duration.minutes(15), } = props;
         this.lambda = new JaypieLambda(this, "MigrationLambda", {
             code,
             description: "DynamoDB migration custom resource",
@@ -3573,8 +3678,20 @@ class JaypieMigration extends constructs.Construct {
             roleTag: CDK$2.ROLE.PROCESSING,
             secrets,
             tables,
-            timeout: cdk__namespace.Duration.minutes(5),
+            timeout,
         });
+        // Grant control-plane perms on the passed tables so migrations that
+        // alter table shape (GSIs, TTL, streams, backups) succeed. JaypieLambda
+        // only grants data-plane access via grantReadWriteData. Issue #339.
+        if (tables.length > 0) {
+            this.lambda.addToRolePolicy(new iam__namespace.PolicyStatement({
+                actions: DYNAMODB_CONTROL_PLANE_ACTIONS,
+                resources: tables.flatMap((table) => [
+                    table.tableArn,
+                    `${table.tableArn}/index/*`,
+                ]),
+            }));
+        }
         // Custom Resource provider wrapping the Lambda
         const provider = new cr__namespace.Provider(this, "MigrationProvider", {
             onEventHandler: this.lambda,
@@ -3837,21 +3954,21 @@ class JaypieOrganizationTrail extends constructs.Construct {
             ],
         });
         // Add CloudTrail bucket policies
-        this.bucket.addToResourcePolicy(new awsIam.PolicyStatement({
+        this.bucket.addToResourcePolicy(new iam.PolicyStatement({
             actions: ["s3:GetBucketAcl"],
-            effect: awsIam.Effect.ALLOW,
-            principals: [new awsIam.ServicePrincipal("cloudtrail.amazonaws.com")],
+            effect: iam.Effect.ALLOW,
+            principals: [new iam.ServicePrincipal("cloudtrail.amazonaws.com")],
             resources: [this.bucket.bucketArn],
         }));
-        this.bucket.addToResourcePolicy(new awsIam.PolicyStatement({
+        this.bucket.addToResourcePolicy(new iam.PolicyStatement({
             actions: ["s3:PutObject"],
             conditions: {
                 StringEquals: {
                     "s3:x-amz-acl": "bucket-owner-full-control",
                 },
             },
-            effect: awsIam.Effect.ALLOW,
-            principals: [new awsIam.ServicePrincipal("cloudtrail.amazonaws.com")],
+            effect: iam.Effect.ALLOW,
+            principals: [new iam.ServicePrincipal("cloudtrail.amazonaws.com")],
             resources: [`${this.bucket.bucketArn}/*`],
         }));
         // Add tags to bucket
@@ -3966,9 +4083,9 @@ class JaypieSsoPermissions extends constructs.Construct {
                 ],
             },
             managedPolicies: [
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
                     .managedPolicyArn,
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
             ],
             sessionDuration: cdk.Duration.hours(1).toIsoString(),
             tags: [
@@ -4047,10 +4164,10 @@ class JaypieSsoPermissions extends constructs.Construct {
                 ],
             },
             managedPolicies: [
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
                     .managedPolicyArn,
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
+                iam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
                     .managedPolicyArn,
             ],
             sessionDuration: cdk.Duration.hours(12).toIsoString(),
@@ -4109,12 +4226,12 @@ class JaypieSsoPermissions extends constructs.Construct {
                 ],
             },
             managedPolicies: [
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
                     .managedPolicyArn,
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
+                iam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
                     .managedPolicyArn,
-                awsIam.ManagedPolicy.fromAwsManagedPolicyName("job-function/SystemAdministrator").managedPolicyArn,
+                iam.ManagedPolicy.fromAwsManagedPolicyName("job-function/SystemAdministrator").managedPolicyArn,
             ],
             sessionDuration: cdk.Duration.hours(4).toIsoString(),
             tags: [
@@ -4345,8 +4462,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
         }
         let bucketDeployRole;
         if (repo) {
-            bucketDeployRole = new awsIam.Role(this, "DestinationBucketDeployRole", {
-                assumedBy: new awsIam.FederatedPrincipal(cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
+            bucketDeployRole = new iam.Role(this, "DestinationBucketDeployRole", {
+                assumedBy: new iam.FederatedPrincipal(cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
                     StringLike: {
                         "token.actions.githubusercontent.com:sub": repo,
                     },
@@ -4355,8 +4472,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             });
             cdk.Tags.of(bucketDeployRole).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
             // Allow the role to write to the bucket
-            bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
-                effect: awsIam.Effect.ALLOW,
+            bucketDeployRole.addToPolicy(new iam.PolicyStatement({
+                effect: iam.Effect.ALLOW,
                 actions: [
                     "s3:DeleteObject",
                     "s3:GetObject",
@@ -4365,16 +4482,16 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
                 ],
                 resources: [`${this.bucket.bucketArn}/*`],
             }));
-            bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
-                effect: awsIam.Effect.ALLOW,
+            bucketDeployRole.addToPolicy(new iam.PolicyStatement({
+                effect: iam.Effect.ALLOW,
                 actions: ["s3:ListBucket"],
                 resources: [this.bucket.bucketArn],
             }));
             // Allow the role to describe the current stack
             const stack = cdk.Stack.of(this);
-            bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
+            bucketDeployRole.addToPolicy(new iam.PolicyStatement({
                 actions: ["cloudformation:DescribeStacks"],
-                effect: awsIam.Effect.ALLOW,
+                effect: iam.Effect.ALLOW,
                 resources: [
                     `arn:aws:cloudformation:${stack.region}:${stack.account}:stack/${stack.stackName}/*`,
                 ],
@@ -4561,8 +4678,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             });
             // Add CloudFront invalidation permission to deploy role if it exists
             if (bucketDeployRole) {
-                bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
-                    effect: awsIam.Effect.ALLOW,
+                bucketDeployRole.addToPolicy(new iam.PolicyStatement({
+                    effect: iam.Effect.ALLOW,
                     actions: ["cloudfront:CreateInvalidation"],
                     resources: [
                         `arn:aws:cloudfront::${cdk.Stack.of(this).account}:distribution/${this.distribution.distributionId}`,