@ttoss/cloud-roles 0.8.48 → 0.8.49
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +111 -0
- package/package.json +4 -4
package/README.md
ADDED
|
@@ -0,0 +1,111 @@
|
|
|
1
|
+
# @ttoss/cloud-roles
|
|
2
|
+
|
|
3
|
+
Create CloudFormation templates for IAM roles with TypeScript.
|
|
4
|
+
|
|
5
|
+
## Installation
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
pnpm add @ttoss/cloud-roles
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
## Usage
|
|
12
|
+
|
|
13
|
+
```typescript
|
|
14
|
+
import { createRolesTemplate } from '@ttoss/cloud-roles';
|
|
15
|
+
|
|
16
|
+
const template = createRolesTemplate({
|
|
17
|
+
resources: {
|
|
18
|
+
AppSyncLambdaFunctionIAMRole: {
|
|
19
|
+
Type: 'AWS::IAM::Role',
|
|
20
|
+
Properties: {
|
|
21
|
+
AssumeRolePolicyDocument: {
|
|
22
|
+
Version: '2012-10-17',
|
|
23
|
+
Statement: [
|
|
24
|
+
{
|
|
25
|
+
Effect: 'Allow',
|
|
26
|
+
Action: 'sts:AssumeRole',
|
|
27
|
+
Principal: { Service: 'lambda.amazonaws.com' },
|
|
28
|
+
},
|
|
29
|
+
],
|
|
30
|
+
},
|
|
31
|
+
ManagedPolicyArns: [
|
|
32
|
+
'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
|
|
33
|
+
],
|
|
34
|
+
},
|
|
35
|
+
},
|
|
36
|
+
},
|
|
37
|
+
});
|
|
38
|
+
|
|
39
|
+
export default template;
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
## API
|
|
43
|
+
|
|
44
|
+
### `createRolesTemplate`
|
|
45
|
+
|
|
46
|
+
Generates a CloudFormation template containing one or more `AWS::IAM::Role` resources and automatically exports each role's ARN as a stack output.
|
|
47
|
+
|
|
48
|
+
#### Parameters
|
|
49
|
+
|
|
50
|
+
- `resources: { [key: string]: IAMRoleResource }` — map of logical resource IDs to `AWS::IAM::Role` resource definitions.
|
|
51
|
+
- `path?: string` — IAM path applied to every role that does not already define `Properties.Path`. Defaults to `IAM_PATH` (`'/custom-iam/'`). IAM (and thus CloudFormation) requires paths to begin and end with `/` (e.g. `'/my-app/'`); `createRolesTemplate` does not validate this, so an invalid path will cause a deploy-time error.
|
|
52
|
+
|
|
53
|
+
#### Behavior
|
|
54
|
+
|
|
55
|
+
- Any role in `resources` that has no `Properties.Path` set will have its `Path` automatically set to the resolved `path` value.
|
|
56
|
+
- For every role, a stack output named `<LogicalId>Arn` is added, exporting the role ARN under the key `<StackName>:<LogicalId>Arn`.
|
|
57
|
+
- `createRolesTemplate` mutates the provided `resources` objects by setting `resource.Properties.Path` when it is missing. If you need to reuse the same resource definitions elsewhere, clone them before passing them to this function.
|
|
58
|
+
|
|
59
|
+
#### Overriding the default path
|
|
60
|
+
|
|
61
|
+
```typescript
|
|
62
|
+
import { createRolesTemplate } from '@ttoss/cloud-roles';
|
|
63
|
+
|
|
64
|
+
const template = createRolesTemplate({
|
|
65
|
+
path: '/my-app/',
|
|
66
|
+
resources: {
|
|
67
|
+
/* ... */
|
|
68
|
+
},
|
|
69
|
+
});
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
Roles that already declare `Properties.Path` are left unchanged.
|
|
73
|
+
|
|
74
|
+
### `IAM_PATH`
|
|
75
|
+
|
|
76
|
+
The default IAM path constant used when `path` is not provided:
|
|
77
|
+
|
|
78
|
+
```typescript
|
|
79
|
+
import { IAM_PATH } from '@ttoss/cloud-roles';
|
|
80
|
+
|
|
81
|
+
console.log(IAM_PATH); // '/custom-iam/'
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
## Security: restricting `iam:PassRole` with IAM paths
|
|
85
|
+
|
|
86
|
+
Setting a dedicated IAM path for application roles enables a simple but effective deployment security boundary.
|
|
87
|
+
|
|
88
|
+
**Pattern:**
|
|
89
|
+
|
|
90
|
+
1. Create all application roles centrally with `createRolesTemplate` (keeping them under `/custom-iam/` or a custom path).
|
|
91
|
+
2. Grant deployment users `iam:PassRole` only for roles under that path.
|
|
92
|
+
3. Deny deployment users the ability to create, update, tag, or delete IAM roles.
|
|
93
|
+
|
|
94
|
+
This separates _privileged IAM management_ (run infrequently, with elevated permissions) from _regular application deployment_ (run on every release, with limited permissions).
|
|
95
|
+
|
|
96
|
+
**Example deployment policy:**
|
|
97
|
+
|
|
98
|
+
```yaml
|
|
99
|
+
- Effect: Allow
|
|
100
|
+
Action:
|
|
101
|
+
- iam:PassRole
|
|
102
|
+
Resource:
|
|
103
|
+
- arn:aws:iam::*:role/custom-iam/*
|
|
104
|
+
Condition:
|
|
105
|
+
StringEquals:
|
|
106
|
+
iam:PassedToService:
|
|
107
|
+
- lambda.amazonaws.com
|
|
108
|
+
- appsync.amazonaws.com
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
With this policy, a deployment pipeline can attach centrally managed roles to Lambda functions and AppSync data sources, but cannot create or modify those roles itself.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@ttoss/cloud-roles",
|
|
3
|
-
"version": "0.8.
|
|
3
|
+
"version": "0.8.49",
|
|
4
4
|
"description": "Create CloudFormation templates for roles with TypeScript.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "ttoss",
|
|
@@ -23,14 +23,14 @@
|
|
|
23
23
|
"dist"
|
|
24
24
|
],
|
|
25
25
|
"dependencies": {
|
|
26
|
-
"@ttoss/cloudformation": "^0.12.
|
|
26
|
+
"@ttoss/cloudformation": "^0.12.8"
|
|
27
27
|
},
|
|
28
28
|
"devDependencies": {
|
|
29
29
|
"@types/jest": "^30.0.0",
|
|
30
30
|
"jest": "^30.3.0",
|
|
31
31
|
"tsup": "^8.5.1",
|
|
32
|
-
"@ttoss/config": "^1.37.
|
|
33
|
-
"@ttoss/test-utils": "^4.2.
|
|
32
|
+
"@ttoss/config": "^1.37.6",
|
|
33
|
+
"@ttoss/test-utils": "^4.2.6"
|
|
34
34
|
},
|
|
35
35
|
"keywords": [],
|
|
36
36
|
"publishConfig": {
|