npm - aws-cdk-lib - Versions diffs - 2.34.1 → 2.34.2 - Mend

aws-cdk-lib 2.34.1 → 2.34.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (867) hide show

package/aws-iam/lib/policy-statement.js CHANGED Viewed

@@ -1,3 +1,3 @@
 "use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.deriveEstimateSizeOptions=exports.Effect=exports.PolicyStatement=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),cdk=require("../../core"),group_1=require("./group"),principals_1=require("./principals"),postprocess_policy_document_1=require("./private/postprocess-policy-document"),util_1=require("./util"),ensureArrayOrUndefined=field=>{if(field!==void 0){if(typeof field!="string"&&!Array.isArray(field))throw new Error("Fields must be either a string or an array of strings");if(Array.isArray(field)&&!!field.find(f=>typeof f!="string"))throw new Error("Fields must be either a string or an array of strings");return Array.isArray(field)?field:[field]}},DEFAULT_ARN_SIZE_ESTIMATE=150,ARN_SIZE_ESTIMATE_CONTEXT_KEY="@aws-cdk/aws-iam.arnSizeEstimate";class PolicyStatement{constructor(props={}){this._action=new OrderedSet,this._notAction=new OrderedSet,this._principal={},this._notPrincipal={},this._resource=new OrderedSet,this._notResource=new OrderedSet,this._condition={},this._principals=new OrderedSet,this._notPrincipals=new OrderedSet,this._frozen=!1;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatementProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,PolicyStatement),error}for(const action of[...props.actions||[],...props.notActions||[]])if(!/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action)&&!cdk.Token.isUnresolved(action))throw new Error(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);this._sid=props.sid,this._effect=props.effect||Effect.ALLOW,this.addActions(...props.actions||[]),this.addNotActions(...props.notActions||[]),this.addPrincipals(...props.principals||[]),this.addNotPrincipals(...props.notPrincipals||[]),this.addResources(...props.resources||[]),this.addNotResources(...props.notResources||[]),props.conditions!==void 0&&this.addConditions(props.conditions)}static fromJson(obj){const ret=new PolicyStatement({sid:obj.Sid,actions:ensureArrayOrUndefined(obj.Action),resources:ensureArrayOrUndefined(obj.Resource),conditions:obj.Condition,effect:obj.Effect,notActions:ensureArrayOrUndefined(obj.NotAction),notResources:ensureArrayOrUndefined(obj.NotResource),principals:obj.Principal?[new JsonPrincipal(obj.Principal)]:void 0,notPrincipals:obj.NotPrincipal?[new JsonPrincipal(obj.NotPrincipal)]:void 0}),errors=ret.validateForAnyPolicy();if(errors.length>0)throw new Error("Incorrect Policy Statement: "+errors.join(`
-`));return ret}get sid(){return this._sid}set sid(sid){this.assertNotFrozen("sid"),this._sid=sid}get effect(){return this._effect}set effect(effect){this.assertNotFrozen("effect"),this._effect=effect}addActions(...actions){if(this.assertNotFrozen("addActions"),actions.length>0&&this._notAction.length>0)throw new Error("Cannot add 'Actions' to policy statement if 'NotActions' have been added");this._action.push(...actions)}addNotActions(...notActions){if(this.assertNotFrozen("addNotActions"),notActions.length>0&&this._action.length>0)throw new Error("Cannot add 'NotActions' to policy statement if 'Actions' have been added");this._notAction.push(...notActions)}get hasPrincipal(){return this._principals.length+this._notPrincipals.length>0}addPrincipals(...principals){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principals)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addPrincipals),error}if(this.assertNotFrozen("addPrincipals"),principals.length>0&&this._notPrincipals.length>0)throw new Error("Cannot add 'Principals' to policy statement if 'NotPrincipals' have been added");for(const principal of principals)this.validatePolicyPrincipal(principal);const added=this._principals.push(...principals);for(const principal of added){const fragment=principal.policyFragment;util_1.mergePrincipal(this._principal,fragment.principalJson),this.addPrincipalConditions(fragment.conditions)}}addNotPrincipals(...notPrincipals){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(notPrincipals)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addNotPrincipals),error}if(this.assertNotFrozen("addNotPrincipals"),notPrincipals.length>0&&this._principals.length>0)throw new Error("Cannot add 'NotPrincipals' to policy statement if 'Principals' have been added");for(const notPrincipal of notPrincipals)this.validatePolicyPrincipal(notPrincipal);const added=this._notPrincipals.push(...notPrincipals);for(const notPrincipal of added){const fragment=notPrincipal.policyFragment;util_1.mergePrincipal(this._notPrincipal,fragment.principalJson),this.addPrincipalConditions(fragment.conditions)}}validatePolicyPrincipal(principal){if(principal instanceof group_1.Group)throw new Error("Cannot use an IAM Group as the 'Principal' or 'NotPrincipal' in an IAM Policy")}addAwsAccountPrincipal(accountId){this.addPrincipals(new principals_1.AccountPrincipal(accountId))}addArnPrincipal(arn){this.addPrincipals(new principals_1.ArnPrincipal(arn))}addServicePrincipal(service,opts){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_ServicePrincipalOpts(opts)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addServicePrincipal),error}this.addPrincipals(new principals_1.ServicePrincipal(service,opts))}addFederatedPrincipal(federated,conditions){this.addPrincipals(new principals_1.FederatedPrincipal(federated,conditions))}addAccountRootPrincipal(){this.addPrincipals(new principals_1.AccountRootPrincipal)}addCanonicalUserPrincipal(canonicalUserId){this.addPrincipals(new principals_1.CanonicalUserPrincipal(canonicalUserId))}addAnyPrincipal(){this.addPrincipals(new principals_1.AnyPrincipal)}addResources(...arns){if(this.assertNotFrozen("addResources"),arns.length>0&&this._notResource.length>0)throw new Error("Cannot add 'Resources' to policy statement if 'NotResources' have been added");this._resource.push(...arns)}addNotResources(...arns){if(this.assertNotFrozen("addNotResources"),arns.length>0&&this._resource.length>0)throw new Error("Cannot add 'NotResources' to policy statement if 'Resources' have been added");this._notResource.push(...arns)}addAllResources(){this.addResources("*")}get hasResource(){return this._resource&&this._resource.length>0}addCondition(key,value){this.assertNotFrozen("addCondition"),principals_1.validateConditionObject(value);const existingValue=this._condition[key];this._condition[key]=existingValue?{...existingValue,...value}:value}addConditions(conditions){Object.keys(conditions).map(key=>{this.addCondition(key,conditions[key])})}addAccountCondition(accountId){this.addCondition("StringEquals",{"sts:ExternalId":accountId})}copy(overrides={}){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatementProps(overrides)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.copy),error}return new PolicyStatement({sid:overrides.sid??this.sid,effect:overrides.effect??this.effect,actions:overrides.actions??this.actions,notActions:overrides.notActions??this.notActions,principals:overrides.principals??this.principals,notPrincipals:overrides.notPrincipals??this.notPrincipals,resources:overrides.resources??this.resources,notResources:overrides.notResources??this.notResources,conditions:overrides.conditions??this.conditions})}toStatementJson(){return postprocess_policy_document_1.normalizeStatement({Action:this._action.direct(),NotAction:this._notAction.direct(),Condition:this._condition,Effect:this.effect,Principal:this._principal,NotPrincipal:this._notPrincipal,Resource:this._resource.direct(),NotResource:this._notResource.direct(),Sid:this.sid})}toString(){return cdk.Token.asString(this,{displayHint:"PolicyStatement"})}toJSON(){return this.toStatementJson()}addPrincipalConditions(conditions){const theseConditions=JSON.stringify(conditions);if(this.principalConditionsJson===void 0)this.principalConditionsJson=theseConditions;else if(this.principalConditionsJson!==theseConditions)throw new Error(`All principals in a PolicyStatement must have the same Conditions (got '${this.principalConditionsJson}' and '${theseConditions}'). Use multiple statements instead.`);this.addConditions(conditions)}validateForAnyPolicy(){const errors=new Array;return this._action.length===0&&this._notAction.length===0&&errors.push("A PolicyStatement must specify at least one 'action' or 'notAction'."),errors}validateForResourcePolicy(){const errors=this.validateForAnyPolicy();return this._principals.length===0&&this._notPrincipals.length===0&&errors.push("A PolicyStatement used in a resource-based policy must specify at least one IAM principal."),errors}validateForIdentityPolicy(){const errors=this.validateForAnyPolicy();return(this._principals.length>0||this._notPrincipals.length>0)&&errors.push("A PolicyStatement used in an identity-based policy cannot specify any IAM principals."),this._resource.length===0&&this._notResource.length===0&&errors.push("A PolicyStatement used in an identity-based policy must specify at least one resource."),errors}get actions(){return this._action.copy()}get notActions(){return this._notAction.copy()}get principals(){return this._principals.copy()}get notPrincipals(){return this._notPrincipals.copy()}get resources(){return this._resource.copy()}get notResources(){return this._notResource.copy()}get conditions(){return{...this._condition}}freeze(){return this._frozen=!0,this}get frozen(){return this._frozen}_estimateSize(options){let ret=0;const{actionEstimate,arnEstimate}=options;return ret+=`"Effect": "${this.effect}",`.length,count("Action",this.actions,actionEstimate),count("NotAction",this.notActions,actionEstimate),count("Resource",this.resources,arnEstimate),count("NotResource",this.notResources,arnEstimate),ret+=this.principals.length*arnEstimate,ret+=this.notPrincipals.length*arnEstimate,ret+=JSON.stringify(this.conditions).length,ret;function count(key,values,tokenSize){values.length>0&&(ret+=key.length+5+util_1.sum(values.map(v=>(cdk.Token.isUnresolved(v)?tokenSize:v.length)+3)))}}assertNotFrozen(method){if(this._frozen)throw new Error(`${method}: freeze() has been called on this PolicyStatement previously, so it can no longer be modified`)}}exports.PolicyStatement=PolicyStatement,_a=JSII_RTTI_SYMBOL_1,PolicyStatement[_a]={fqn:"aws-cdk-lib.aws_iam.PolicyStatement",version:"2.34.1"};var Effect;(function(Effect2){Effect2.ALLOW="Allow",Effect2.DENY="Deny"})(Effect=exports.Effect||(exports.Effect={}));class JsonPrincipal extends principals_1.PrincipalBase{constructor(json={}){if(super(),typeof json=="string"&&(json={[util_1.LITERAL_STRING_KEY]:[json]}),typeof json!="object")throw new Error(`JSON IAM principal should be an object, got ${JSON.stringify(json)}`);this.policyFragment={principalJson:json,conditions:{}}}dedupeString(){return JSON.stringify(this.policyFragment)}}function deriveEstimateSizeOptions(scope){const arnEstimate=scope.node.tryGetContext(ARN_SIZE_ESTIMATE_CONTEXT_KEY)??DEFAULT_ARN_SIZE_ESTIMATE;if(typeof arnEstimate!="number")throw new Error(`Context value ${ARN_SIZE_ESTIMATE_CONTEXT_KEY} should be a number, got ${JSON.stringify(arnEstimate)}`);return{actionEstimate:20,arnEstimate}}exports.deriveEstimateSizeOptions=deriveEstimateSizeOptions;class OrderedSet{constructor(){this.set=new Set,this.array=new Array}push(...xs){const ret=new Array;for(const x of xs)this.set.has(x)||(this.set.add(x),this.array.push(x),ret.push(x));return ret}get length(){return this.array.length}copy(){return[...this.array]}direct(){return this.array}}
+`));return ret}get sid(){return this._sid}set sid(sid){this.assertNotFrozen("sid"),this._sid=sid}get effect(){return this._effect}set effect(effect){this.assertNotFrozen("effect"),this._effect=effect}addActions(...actions){if(this.assertNotFrozen("addActions"),actions.length>0&&this._notAction.length>0)throw new Error("Cannot add 'Actions' to policy statement if 'NotActions' have been added");this._action.push(...actions)}addNotActions(...notActions){if(this.assertNotFrozen("addNotActions"),notActions.length>0&&this._action.length>0)throw new Error("Cannot add 'NotActions' to policy statement if 'Actions' have been added");this._notAction.push(...notActions)}get hasPrincipal(){return this._principals.length+this._notPrincipals.length>0}addPrincipals(...principals){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principals)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addPrincipals),error}if(this.assertNotFrozen("addPrincipals"),principals.length>0&&this._notPrincipals.length>0)throw new Error("Cannot add 'Principals' to policy statement if 'NotPrincipals' have been added");for(const principal of principals)this.validatePolicyPrincipal(principal);const added=this._principals.push(...principals);for(const principal of added){const fragment=principal.policyFragment;util_1.mergePrincipal(this._principal,fragment.principalJson),this.addPrincipalConditions(fragment.conditions)}}addNotPrincipals(...notPrincipals){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(notPrincipals)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addNotPrincipals),error}if(this.assertNotFrozen("addNotPrincipals"),notPrincipals.length>0&&this._principals.length>0)throw new Error("Cannot add 'NotPrincipals' to policy statement if 'Principals' have been added");for(const notPrincipal of notPrincipals)this.validatePolicyPrincipal(notPrincipal);const added=this._notPrincipals.push(...notPrincipals);for(const notPrincipal of added){const fragment=notPrincipal.policyFragment;util_1.mergePrincipal(this._notPrincipal,fragment.principalJson),this.addPrincipalConditions(fragment.conditions)}}validatePolicyPrincipal(principal){if(principal instanceof group_1.Group)throw new Error("Cannot use an IAM Group as the 'Principal' or 'NotPrincipal' in an IAM Policy")}addAwsAccountPrincipal(accountId){this.addPrincipals(new principals_1.AccountPrincipal(accountId))}addArnPrincipal(arn){this.addPrincipals(new principals_1.ArnPrincipal(arn))}addServicePrincipal(service,opts){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_ServicePrincipalOpts(opts)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addServicePrincipal),error}this.addPrincipals(new principals_1.ServicePrincipal(service,opts))}addFederatedPrincipal(federated,conditions){this.addPrincipals(new principals_1.FederatedPrincipal(federated,conditions))}addAccountRootPrincipal(){this.addPrincipals(new principals_1.AccountRootPrincipal)}addCanonicalUserPrincipal(canonicalUserId){this.addPrincipals(new principals_1.CanonicalUserPrincipal(canonicalUserId))}addAnyPrincipal(){this.addPrincipals(new principals_1.AnyPrincipal)}addResources(...arns){if(this.assertNotFrozen("addResources"),arns.length>0&&this._notResource.length>0)throw new Error("Cannot add 'Resources' to policy statement if 'NotResources' have been added");this._resource.push(...arns)}addNotResources(...arns){if(this.assertNotFrozen("addNotResources"),arns.length>0&&this._resource.length>0)throw new Error("Cannot add 'NotResources' to policy statement if 'Resources' have been added");this._notResource.push(...arns)}addAllResources(){this.addResources("*")}get hasResource(){return this._resource&&this._resource.length>0}addCondition(key,value){this.assertNotFrozen("addCondition"),principals_1.validateConditionObject(value);const existingValue=this._condition[key];this._condition[key]=existingValue?{...existingValue,...value}:value}addConditions(conditions){Object.keys(conditions).map(key=>{this.addCondition(key,conditions[key])})}addAccountCondition(accountId){this.addCondition("StringEquals",{"sts:ExternalId":accountId})}copy(overrides={}){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatementProps(overrides)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.copy),error}return new PolicyStatement({sid:overrides.sid??this.sid,effect:overrides.effect??this.effect,actions:overrides.actions??this.actions,notActions:overrides.notActions??this.notActions,principals:overrides.principals??this.principals,notPrincipals:overrides.notPrincipals??this.notPrincipals,resources:overrides.resources??this.resources,notResources:overrides.notResources??this.notResources,conditions:overrides.conditions??this.conditions})}toStatementJson(){return postprocess_policy_document_1.normalizeStatement({Action:this._action.direct(),NotAction:this._notAction.direct(),Condition:this._condition,Effect:this.effect,Principal:this._principal,NotPrincipal:this._notPrincipal,Resource:this._resource.direct(),NotResource:this._notResource.direct(),Sid:this.sid})}toString(){return cdk.Token.asString(this,{displayHint:"PolicyStatement"})}toJSON(){return this.toStatementJson()}addPrincipalConditions(conditions){const theseConditions=JSON.stringify(conditions);if(this.principalConditionsJson===void 0)this.principalConditionsJson=theseConditions;else if(this.principalConditionsJson!==theseConditions)throw new Error(`All principals in a PolicyStatement must have the same Conditions (got '${this.principalConditionsJson}' and '${theseConditions}'). Use multiple statements instead.`);this.addConditions(conditions)}validateForAnyPolicy(){const errors=new Array;return this._action.length===0&&this._notAction.length===0&&errors.push("A PolicyStatement must specify at least one 'action' or 'notAction'."),errors}validateForResourcePolicy(){const errors=this.validateForAnyPolicy();return this._principals.length===0&&this._notPrincipals.length===0&&errors.push("A PolicyStatement used in a resource-based policy must specify at least one IAM principal."),errors}validateForIdentityPolicy(){const errors=this.validateForAnyPolicy();return(this._principals.length>0||this._notPrincipals.length>0)&&errors.push("A PolicyStatement used in an identity-based policy cannot specify any IAM principals."),this._resource.length===0&&this._notResource.length===0&&errors.push("A PolicyStatement used in an identity-based policy must specify at least one resource."),errors}get actions(){return this._action.copy()}get notActions(){return this._notAction.copy()}get principals(){return this._principals.copy()}get notPrincipals(){return this._notPrincipals.copy()}get resources(){return this._resource.copy()}get notResources(){return this._notResource.copy()}get conditions(){return{...this._condition}}freeze(){return this._frozen=!0,this}get frozen(){return this._frozen}_estimateSize(options){let ret=0;const{actionEstimate,arnEstimate}=options;return ret+=`"Effect": "${this.effect}",`.length,count("Action",this.actions,actionEstimate),count("NotAction",this.notActions,actionEstimate),count("Resource",this.resources,arnEstimate),count("NotResource",this.notResources,arnEstimate),ret+=this.principals.length*arnEstimate,ret+=this.notPrincipals.length*arnEstimate,ret+=JSON.stringify(this.conditions).length,ret;function count(key,values,tokenSize){values.length>0&&(ret+=key.length+5+util_1.sum(values.map(v=>(cdk.Token.isUnresolved(v)?tokenSize:v.length)+3)))}}assertNotFrozen(method){if(this._frozen)throw new Error(`${method}: freeze() has been called on this PolicyStatement previously, so it can no longer be modified`)}}exports.PolicyStatement=PolicyStatement,_a=JSII_RTTI_SYMBOL_1,PolicyStatement[_a]={fqn:"aws-cdk-lib.aws_iam.PolicyStatement",version:"2.34.2"};var Effect;(function(Effect2){Effect2.ALLOW="Allow",Effect2.DENY="Deny"})(Effect=exports.Effect||(exports.Effect={}));class JsonPrincipal extends principals_1.PrincipalBase{constructor(json={}){if(super(),typeof json=="string"&&(json={[util_1.LITERAL_STRING_KEY]:[json]}),typeof json!="object")throw new Error(`JSON IAM principal should be an object, got ${JSON.stringify(json)}`);this.policyFragment={principalJson:json,conditions:{}}}dedupeString(){return JSON.stringify(this.policyFragment)}}function deriveEstimateSizeOptions(scope){const arnEstimate=scope.node.tryGetContext(ARN_SIZE_ESTIMATE_CONTEXT_KEY)??DEFAULT_ARN_SIZE_ESTIMATE;if(typeof arnEstimate!="number")throw new Error(`Context value ${ARN_SIZE_ESTIMATE_CONTEXT_KEY} should be a number, got ${JSON.stringify(arnEstimate)}`);return{actionEstimate:20,arnEstimate}}exports.deriveEstimateSizeOptions=deriveEstimateSizeOptions;class OrderedSet{constructor(){this.set=new Set,this.array=new Array}push(...xs){const ret=new Array;for(const x of xs)this.set.has(x)||(this.set.add(x),this.array.push(x),ret.push(x));return ret}get length(){return this.array.length}copy(){return[...this.array]}direct(){return this.array}}
 //# sourceMappingURL=policy-statement.js.map

package/aws-iam/lib/policy.js CHANGED Viewed

@@ -1,2 +1,2 @@
-"use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.Policy=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),core_1=require("../../core"),iam_generated_1=require("./iam.generated"),policy_document_1=require("./policy-document"),util_1=require("./util");class Policy extends core_1.Resource{constructor(scope,id,props={}){super(scope,id,{physicalName:props.policyName||core_1.Lazy.string({produce:()=>util_1.generatePolicyName(scope,resource.logicalId)})}),this.document=new policy_document_1.PolicyDocument,this.roles=new Array,this.users=new Array,this.groups=new Array,this.referenceTaken=!1;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,Policy),error}const self=this;class CfnPolicyConditional extends iam_generated_1.CfnPolicy{shouldSynthesize(){return self.force||self.referenceTaken||!self.document.isEmpty&&self.isAttached}}props.document&&(this.document=props.document);const resource=new CfnPolicyConditional(this,"Resource",{policyDocument:this.document,policyName:this.physicalName,roles:util_1.undefinedIfEmpty(()=>this.roles.map(r=>r.roleName)),users:util_1.undefinedIfEmpty(()=>this.users.map(u=>u.userName)),groups:util_1.undefinedIfEmpty(()=>this.groups.map(g=>g.groupName))});this._policyName=this.physicalName,this.force=props.force??!1,props.users&&props.users.forEach(u=>this.attachToUser(u)),props.groups&&props.groups.forEach(g=>this.attachToGroup(g)),props.roles&&props.roles.forEach(r=>this.attachToRole(r)),props.statements&&props.statements.forEach(p=>this.addStatements(p)),this.node.addValidation({validate:()=>this.validatePolicy()})}static fromPolicyName(scope,id,policyName){class Import extends core_1.Resource{constructor(){super(...arguments),this.policyName=policyName}}return new Import(scope,id)}addStatements(...statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addStatements),error}this.document.addStatements(...statement)}attachToUser(user){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IUser(user)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachToUser),error}this.users.find(u=>u===user)||(this.users.push(user),user.attachInlinePolicy(this))}attachToRole(role){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IRole(role)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachToRole),error}this.roles.find(r=>r===role)||(this.roles.push(role),role.attachInlinePolicy(this))}attachToGroup(group){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IGroup(group)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachToGroup),error}this.groups.find(g=>g===group)||(this.groups.push(group),group.attachInlinePolicy(this))}get policyName(){return this.referenceTaken=!0,this._policyName}validatePolicy(){const result=new Array;return this.document.isEmpty&&(this.force&&result.push("Policy created with force=true is empty. You must add statements to the policy"),!this.force&&this.referenceTaken&&result.push("This Policy has been referenced by a resource, so it must contain at least one statement.")),this.isAttached||(this.force&&result.push("Policy created with force=true must be attached to at least one principal: user, group or role"),!this.force&&this.referenceTaken&&result.push("This Policy has been referenced by a resource, so it must be attached to at least one user, group or role.")),result.push(...this.document.validateForIdentityPolicy()),result}get isAttached(){return this.groups.length+this.users.length+this.roles.length>0}}exports.Policy=Policy,_a=JSII_RTTI_SYMBOL_1,Policy[_a]={fqn:"aws-cdk-lib.aws_iam.Policy",version:"2.34.1"};
+"use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.Policy=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),core_1=require("../../core"),iam_generated_1=require("./iam.generated"),policy_document_1=require("./policy-document"),util_1=require("./util");class Policy extends core_1.Resource{constructor(scope,id,props={}){super(scope,id,{physicalName:props.policyName||core_1.Lazy.string({produce:()=>util_1.generatePolicyName(scope,resource.logicalId)})}),this.document=new policy_document_1.PolicyDocument,this.roles=new Array,this.users=new Array,this.groups=new Array,this.referenceTaken=!1;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,Policy),error}const self=this;class CfnPolicyConditional extends iam_generated_1.CfnPolicy{shouldSynthesize(){return self.force||self.referenceTaken||!self.document.isEmpty&&self.isAttached}}props.document&&(this.document=props.document);const resource=new CfnPolicyConditional(this,"Resource",{policyDocument:this.document,policyName:this.physicalName,roles:util_1.undefinedIfEmpty(()=>this.roles.map(r=>r.roleName)),users:util_1.undefinedIfEmpty(()=>this.users.map(u=>u.userName)),groups:util_1.undefinedIfEmpty(()=>this.groups.map(g=>g.groupName))});this._policyName=this.physicalName,this.force=props.force??!1,props.users&&props.users.forEach(u=>this.attachToUser(u)),props.groups&&props.groups.forEach(g=>this.attachToGroup(g)),props.roles&&props.roles.forEach(r=>this.attachToRole(r)),props.statements&&props.statements.forEach(p=>this.addStatements(p)),this.node.addValidation({validate:()=>this.validatePolicy()})}static fromPolicyName(scope,id,policyName){class Import extends core_1.Resource{constructor(){super(...arguments),this.policyName=policyName}}return new Import(scope,id)}addStatements(...statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addStatements),error}this.document.addStatements(...statement)}attachToUser(user){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IUser(user)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachToUser),error}this.users.find(u=>u===user)||(this.users.push(user),user.attachInlinePolicy(this))}attachToRole(role){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IRole(role)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachToRole),error}this.roles.find(r=>r===role)||(this.roles.push(role),role.attachInlinePolicy(this))}attachToGroup(group){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IGroup(group)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachToGroup),error}this.groups.find(g=>g===group)||(this.groups.push(group),group.attachInlinePolicy(this))}get policyName(){return this.referenceTaken=!0,this._policyName}validatePolicy(){const result=new Array;return this.document.isEmpty&&(this.force&&result.push("Policy created with force=true is empty. You must add statements to the policy"),!this.force&&this.referenceTaken&&result.push("This Policy has been referenced by a resource, so it must contain at least one statement.")),this.isAttached||(this.force&&result.push("Policy created with force=true must be attached to at least one principal: user, group or role"),!this.force&&this.referenceTaken&&result.push("This Policy has been referenced by a resource, so it must be attached to at least one user, group or role.")),result.push(...this.document.validateForIdentityPolicy()),result}get isAttached(){return this.groups.length+this.users.length+this.roles.length>0}}exports.Policy=Policy,_a=JSII_RTTI_SYMBOL_1,Policy[_a]={fqn:"aws-cdk-lib.aws_iam.Policy",version:"2.34.2"};
 //# sourceMappingURL=policy.js.map

package/aws-iam/lib/principals.js CHANGED Viewed

@@ -1,2 +1,2 @@
-"use strict";var _a,_b,_c,_d,_e,_f,_g,_h,_j,_k,_l,_m,_o,_p,_q,_r,_s,_t,_u,_v;Object.defineProperty(exports,"__esModule",{value:!0}),exports.validateConditionObject=exports.CompositePrincipal=exports.StarPrincipal=exports.Anyone=exports.AnyPrincipal=exports.AccountRootPrincipal=exports.SamlConsolePrincipal=exports.SamlPrincipal=exports.OpenIdConnectPrincipal=exports.WebIdentityPrincipal=exports.FederatedPrincipal=exports.CanonicalUserPrincipal=exports.OrganizationPrincipal=exports.ServicePrincipal=exports.AccountPrincipal=exports.ArnPrincipal=exports.PrincipalPolicyFragment=exports.SessionTagsPrincipal=exports.PrincipalWithConditions=exports.PrincipalBase=exports.ComparablePrincipal=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),cdk=require("../../core"),region_info_1=require("../../region-info"),policy_statement_1=require("./policy-statement"),assume_role_policy_1=require("./private/assume-role-policy"),util_1=require("./util");class ComparablePrincipal{static isComparablePrincipal(x){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(x)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.isComparablePrincipal),error}return"dedupeString"in x}static dedupeStringFor(x){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(x)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.dedupeStringFor),error}return ComparablePrincipal.isComparablePrincipal(x)?x.dedupeString():void 0}}exports.ComparablePrincipal=ComparablePrincipal,_a=JSII_RTTI_SYMBOL_1,ComparablePrincipal[_a]={fqn:"aws-cdk-lib.aws_iam.ComparablePrincipal",version:"2.34.1"};class PrincipalBase{constructor(){this.grantPrincipal=this,this.principalAccount=void 0,this.assumeRoleAction="sts:AssumeRole"}addToPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPolicy),error}return this.addToPrincipalPolicy(statement).statementAdded}addToPrincipalPolicy(_statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(_statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPrincipalPolicy),error}return{statementAdded:!1}}addToAssumeRolePolicy(document){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyDocument(document)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToAssumeRolePolicy),error}document.addStatements(new policy_statement_1.PolicyStatement({actions:[this.assumeRoleAction],principals:[this]}))}toString(){return JSON.stringify(this.policyFragment.principalJson)}toJSON(){return this.policyFragment.principalJson}withConditions(conditions){return new PrincipalWithConditions(this,conditions)}withSessionTags(){return new SessionTagsPrincipal(this)}}exports.PrincipalBase=PrincipalBase,_b=JSII_RTTI_SYMBOL_1,PrincipalBase[_b]={fqn:"aws-cdk-lib.aws_iam.PrincipalBase",version:"2.34.1"};class PrincipalAdapter extends PrincipalBase{constructor(wrapped){super(),this.wrapped=wrapped,this.assumeRoleAction=this.wrapped.assumeRoleAction,this.principalAccount=this.wrapped.principalAccount}get policyFragment(){return this.wrapped.policyFragment}addToPolicy(statement){return this.wrapped.addToPolicy(statement)}addToPrincipalPolicy(statement){return this.wrapped.addToPrincipalPolicy(statement)}appendDedupe(append){const inner=ComparablePrincipal.dedupeStringFor(this.wrapped);return inner!==void 0?`${this.constructor.name}:${inner}:${append}`:void 0}}class PrincipalWithConditions extends PrincipalAdapter{constructor(principal,conditions){super(principal);try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principal)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,PrincipalWithConditions),error}this.additionalConditions=conditions}addCondition(key,value){validateConditionObject(value);const existingValue=this.additionalConditions[key];existingValue||(this.additionalConditions[key]=value),validateConditionObject(existingValue),this.additionalConditions[key]={...existingValue,...value}}addConditions(conditions){Object.entries(conditions).forEach(([key,value])=>{this.addCondition(key,value)})}get conditions(){return this.mergeConditions(this.wrapped.policyFragment.conditions,this.additionalConditions)}get policyFragment(){return new PrincipalPolicyFragment(this.wrapped.policyFragment.principalJson,this.conditions)}toString(){return this.wrapped.toString()}toJSON(){return this.policyFragment.principalJson}dedupeString(){return this.appendDedupe(JSON.stringify(this.conditions))}mergeConditions(principalConditions,additionalConditions){const mergedConditions={};return Object.entries(principalConditions).forEach(([operator,condition])=>{mergedConditions[operator]=condition}),Object.entries(additionalConditions).forEach(([operator,condition])=>{const existing=mergedConditions[operator];if(!existing){mergedConditions[operator]=condition;return}if(cdk.Token.isUnresolved(condition)||cdk.Token.isUnresolved(existing))throw new Error(`multiple "${operator}" conditions cannot be merged if one of them contains an unresolved token`);validateConditionObject(existing),validateConditionObject(condition),mergedConditions[operator]={...existing,...condition}}),mergedConditions}}exports.PrincipalWithConditions=PrincipalWithConditions,_c=JSII_RTTI_SYMBOL_1,PrincipalWithConditions[_c]={fqn:"aws-cdk-lib.aws_iam.PrincipalWithConditions",version:"2.34.1"};class SessionTagsPrincipal extends PrincipalAdapter{constructor(principal){super(principal);try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principal)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,SessionTagsPrincipal),error}}addToAssumeRolePolicy(doc){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyDocument(doc)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToAssumeRolePolicy),error}const adapter=require("./private/policydoc-adapter");assume_role_policy_1.defaultAddPrincipalToAssumeRole(this.wrapped,new adapter.MutatingPolicyDocumentAdapter(doc,statement=>(statement.addActions("sts:TagSession"),statement)))}dedupeString(){return this.appendDedupe("")}}exports.SessionTagsPrincipal=SessionTagsPrincipal,_d=JSII_RTTI_SYMBOL_1,SessionTagsPrincipal[_d]={fqn:"aws-cdk-lib.aws_iam.SessionTagsPrincipal",version:"2.34.1"};class PrincipalPolicyFragment{constructor(principalJson,conditions={}){this.principalJson=principalJson,this.conditions=conditions}}exports.PrincipalPolicyFragment=PrincipalPolicyFragment,_e=JSII_RTTI_SYMBOL_1,PrincipalPolicyFragment[_e]={fqn:"aws-cdk-lib.aws_iam.PrincipalPolicyFragment",version:"2.34.1"};class ArnPrincipal extends PrincipalBase{constructor(arn){super(),this.arn=arn}get policyFragment(){return new PrincipalPolicyFragment({AWS:[this.arn]})}toString(){return`ArnPrincipal(${this.arn})`}inOrganization(organizationId){return this.withConditions({StringEquals:{"aws:PrincipalOrgID":organizationId}})}dedupeString(){return`ArnPrincipal:${this.arn}`}}exports.ArnPrincipal=ArnPrincipal,_f=JSII_RTTI_SYMBOL_1,ArnPrincipal[_f]={fqn:"aws-cdk-lib.aws_iam.ArnPrincipal",version:"2.34.1"};class AccountPrincipal extends ArnPrincipal{constructor(accountId){if(super(new StackDependentToken(stack=>`arn:${stack.partition}:iam::${accountId}:root`).toString()),this.accountId=accountId,!cdk.Token.isUnresolved(accountId)&&typeof accountId!="string")throw new Error("accountId should be of type string");this.principalAccount=accountId}toString(){return`AccountPrincipal(${this.accountId})`}}exports.AccountPrincipal=AccountPrincipal,_g=JSII_RTTI_SYMBOL_1,AccountPrincipal[_g]={fqn:"aws-cdk-lib.aws_iam.AccountPrincipal",version:"2.34.1"};class ServicePrincipal extends PrincipalBase{constructor(service,opts={}){super(),this.service=service,this.opts=opts;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_ServicePrincipalOpts(opts)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,ServicePrincipal),error}}static servicePrincipalName(service){return new ServicePrincipalToken(service,{}).toString()}get policyFragment(){return new PrincipalPolicyFragment({Service:[new ServicePrincipalToken(this.service,this.opts).toString()]},this.opts.conditions)}toString(){return`ServicePrincipal(${this.service})`}dedupeString(){return`ServicePrincipal:${this.service}:${JSON.stringify(this.opts)}`}}exports.ServicePrincipal=ServicePrincipal,_h=JSII_RTTI_SYMBOL_1,ServicePrincipal[_h]={fqn:"aws-cdk-lib.aws_iam.ServicePrincipal",version:"2.34.1"};class OrganizationPrincipal extends PrincipalBase{constructor(organizationId){super(),this.organizationId=organizationId}get policyFragment(){return new PrincipalPolicyFragment({AWS:["*"]},{StringEquals:{"aws:PrincipalOrgID":this.organizationId}})}toString(){return`OrganizationPrincipal(${this.organizationId})`}dedupeString(){return`OrganizationPrincipal:${this.organizationId}`}}exports.OrganizationPrincipal=OrganizationPrincipal,_j=JSII_RTTI_SYMBOL_1,OrganizationPrincipal[_j]={fqn:"aws-cdk-lib.aws_iam.OrganizationPrincipal",version:"2.34.1"};class CanonicalUserPrincipal extends PrincipalBase{constructor(canonicalUserId){super(),this.canonicalUserId=canonicalUserId}get policyFragment(){return new PrincipalPolicyFragment({CanonicalUser:[this.canonicalUserId]})}toString(){return`CanonicalUserPrincipal(${this.canonicalUserId})`}dedupeString(){return`CanonicalUserPrincipal:${this.canonicalUserId}`}}exports.CanonicalUserPrincipal=CanonicalUserPrincipal,_k=JSII_RTTI_SYMBOL_1,CanonicalUserPrincipal[_k]={fqn:"aws-cdk-lib.aws_iam.CanonicalUserPrincipal",version:"2.34.1"};class FederatedPrincipal extends PrincipalBase{constructor(federated,conditions={},assumeRoleAction="sts:AssumeRole"){super(),this.federated=federated,this.conditions=conditions,this.assumeRoleAction=assumeRoleAction}get policyFragment(){return new PrincipalPolicyFragment({Federated:[this.federated]},this.conditions)}toString(){return`FederatedPrincipal(${this.federated})`}dedupeString(){return`FederatedPrincipal:${this.federated}:${this.assumeRoleAction}:${JSON.stringify(this.conditions)}`}}exports.FederatedPrincipal=FederatedPrincipal,_l=JSII_RTTI_SYMBOL_1,FederatedPrincipal[_l]={fqn:"aws-cdk-lib.aws_iam.FederatedPrincipal",version:"2.34.1"};class WebIdentityPrincipal extends FederatedPrincipal{constructor(identityProvider,conditions={}){super(identityProvider,conditions??{},"sts:AssumeRoleWithWebIdentity")}get policyFragment(){return new PrincipalPolicyFragment({Federated:[this.federated]},this.conditions)}toString(){return`WebIdentityPrincipal(${this.federated})`}}exports.WebIdentityPrincipal=WebIdentityPrincipal,_m=JSII_RTTI_SYMBOL_1,WebIdentityPrincipal[_m]={fqn:"aws-cdk-lib.aws_iam.WebIdentityPrincipal",version:"2.34.1"};class OpenIdConnectPrincipal extends WebIdentityPrincipal{constructor(openIdConnectProvider,conditions={}){super(openIdConnectProvider.openIdConnectProviderArn,conditions??{});try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IOpenIdConnectProvider(openIdConnectProvider)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,OpenIdConnectPrincipal),error}}get policyFragment(){return new PrincipalPolicyFragment({Federated:[this.federated]},this.conditions)}toString(){return`OpenIdConnectPrincipal(${this.federated})`}}exports.OpenIdConnectPrincipal=OpenIdConnectPrincipal,_o=JSII_RTTI_SYMBOL_1,OpenIdConnectPrincipal[_o]={fqn:"aws-cdk-lib.aws_iam.OpenIdConnectPrincipal",version:"2.34.1"};class SamlPrincipal extends FederatedPrincipal{constructor(samlProvider,conditions){super(samlProvider.samlProviderArn,conditions,"sts:AssumeRoleWithSAML");try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_ISamlProvider(samlProvider)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,SamlPrincipal),error}}toString(){return`SamlPrincipal(${this.federated})`}}exports.SamlPrincipal=SamlPrincipal,_p=JSII_RTTI_SYMBOL_1,SamlPrincipal[_p]={fqn:"aws-cdk-lib.aws_iam.SamlPrincipal",version:"2.34.1"};class SamlConsolePrincipal extends SamlPrincipal{constructor(samlProvider,conditions={}){super(samlProvider,{...conditions,StringEquals:{"SAML:aud":"https://signin.aws.amazon.com/saml"}});try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_ISamlProvider(samlProvider)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,SamlConsolePrincipal),error}}toString(){return`SamlConsolePrincipal(${this.federated})`}}exports.SamlConsolePrincipal=SamlConsolePrincipal,_q=JSII_RTTI_SYMBOL_1,SamlConsolePrincipal[_q]={fqn:"aws-cdk-lib.aws_iam.SamlConsolePrincipal",version:"2.34.1"};class AccountRootPrincipal extends AccountPrincipal{constructor(){super(new StackDependentToken(stack=>stack.account).toString())}toString(){return"AccountRootPrincipal()"}}exports.AccountRootPrincipal=AccountRootPrincipal,_r=JSII_RTTI_SYMBOL_1,AccountRootPrincipal[_r]={fqn:"aws-cdk-lib.aws_iam.AccountRootPrincipal",version:"2.34.1"};class AnyPrincipal extends ArnPrincipal{constructor(){super("*")}toString(){return"AnyPrincipal()"}}exports.AnyPrincipal=AnyPrincipal,_s=JSII_RTTI_SYMBOL_1,AnyPrincipal[_s]={fqn:"aws-cdk-lib.aws_iam.AnyPrincipal",version:"2.34.1"};class Anyone extends AnyPrincipal{}exports.Anyone=Anyone,_t=JSII_RTTI_SYMBOL_1,Anyone[_t]={fqn:"aws-cdk-lib.aws_iam.Anyone",version:"2.34.1"};class StarPrincipal extends PrincipalBase{constructor(){super(...arguments),this.policyFragment={principalJson:{[util_1.LITERAL_STRING_KEY]:["*"]},conditions:{}}}toString(){return"StarPrincipal()"}dedupeString(){return"StarPrincipal"}}exports.StarPrincipal=StarPrincipal,_u=JSII_RTTI_SYMBOL_1,StarPrincipal[_u]={fqn:"aws-cdk-lib.aws_iam.StarPrincipal",version:"2.34.1"};class CompositePrincipal extends PrincipalBase{constructor(...principals){super(),this.principals=new Array;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principals)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,CompositePrincipal),error}if(principals.length===0)throw new Error("CompositePrincipals must be constructed with at least 1 Principal but none were passed.");this.assumeRoleAction=principals[0].assumeRoleAction,this.addPrincipals(...principals)}addPrincipals(...principals){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principals)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addPrincipals),error}return this.principals.push(...principals),this}addToAssumeRolePolicy(doc){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyDocument(doc)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToAssumeRolePolicy),error}for(const p of this.principals)assume_role_policy_1.defaultAddPrincipalToAssumeRole(p,doc)}get policyFragment(){for(const p of this.principals){const fragment=p.policyFragment;if(fragment.conditions&&Object.keys(fragment.conditions).length>0)throw new Error(`Components of a CompositePrincipal must not have conditions. Tried to add the following fragment: ${JSON.stringify(fragment)}`)}const principalJson={};for(const p of this.principals)util_1.mergePrincipal(principalJson,p.policyFragment.principalJson);return new PrincipalPolicyFragment(principalJson)}toString(){return`CompositePrincipal(${this.principals})`}dedupeString(){const inner=this.principals.map(ComparablePrincipal.dedupeStringFor);if(!inner.some(x=>x===void 0))return`CompositePrincipal[${inner.join(",")}]`}}exports.CompositePrincipal=CompositePrincipal,_v=JSII_RTTI_SYMBOL_1,CompositePrincipal[_v]={fqn:"aws-cdk-lib.aws_iam.CompositePrincipal",version:"2.34.1"};class StackDependentToken{constructor(fn){this.fn=fn,this.creationStack=cdk.captureStackTrace()}resolve(context){return this.fn(cdk.Stack.of(context.scope))}toString(){return cdk.Token.asString(this)}toJSON(){return"<unresolved-token>"}}class ServicePrincipalToken{constructor(service,opts){this.service=service,this.opts=opts,this.creationStack=cdk.captureStackTrace()}resolve(ctx){if(this.opts.region)return region_info_1.RegionInfo.get(this.opts.region).servicePrincipal(this.service)??region_info_1.Default.servicePrincipal(this.service,this.opts.region,cdk.Aws.URL_SUFFIX);const stack=cdk.Stack.of(ctx.scope);return stack.regionalFact(region_info_1.FactName.servicePrincipal(this.service),region_info_1.Default.servicePrincipal(this.service,stack.region,cdk.Aws.URL_SUFFIX))}toString(){return cdk.Token.asString(this,{displayHint:this.service})}toJSON(){return`<${this.service}>`}}function validateConditionObject(x){if(!x||typeof x!="object"||Array.isArray(x))throw new Error("A Condition should be represented as a map of operator to value")}exports.validateConditionObject=validateConditionObject;
+"use strict";var _a,_b,_c,_d,_e,_f,_g,_h,_j,_k,_l,_m,_o,_p,_q,_r,_s,_t,_u,_v;Object.defineProperty(exports,"__esModule",{value:!0}),exports.validateConditionObject=exports.CompositePrincipal=exports.StarPrincipal=exports.Anyone=exports.AnyPrincipal=exports.AccountRootPrincipal=exports.SamlConsolePrincipal=exports.SamlPrincipal=exports.OpenIdConnectPrincipal=exports.WebIdentityPrincipal=exports.FederatedPrincipal=exports.CanonicalUserPrincipal=exports.OrganizationPrincipal=exports.ServicePrincipal=exports.AccountPrincipal=exports.ArnPrincipal=exports.PrincipalPolicyFragment=exports.SessionTagsPrincipal=exports.PrincipalWithConditions=exports.PrincipalBase=exports.ComparablePrincipal=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),cdk=require("../../core"),region_info_1=require("../../region-info"),policy_statement_1=require("./policy-statement"),assume_role_policy_1=require("./private/assume-role-policy"),util_1=require("./util");class ComparablePrincipal{static isComparablePrincipal(x){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(x)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.isComparablePrincipal),error}return"dedupeString"in x}static dedupeStringFor(x){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(x)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.dedupeStringFor),error}return ComparablePrincipal.isComparablePrincipal(x)?x.dedupeString():void 0}}exports.ComparablePrincipal=ComparablePrincipal,_a=JSII_RTTI_SYMBOL_1,ComparablePrincipal[_a]={fqn:"aws-cdk-lib.aws_iam.ComparablePrincipal",version:"2.34.2"};class PrincipalBase{constructor(){this.grantPrincipal=this,this.principalAccount=void 0,this.assumeRoleAction="sts:AssumeRole"}addToPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPolicy),error}return this.addToPrincipalPolicy(statement).statementAdded}addToPrincipalPolicy(_statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(_statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPrincipalPolicy),error}return{statementAdded:!1}}addToAssumeRolePolicy(document){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyDocument(document)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToAssumeRolePolicy),error}document.addStatements(new policy_statement_1.PolicyStatement({actions:[this.assumeRoleAction],principals:[this]}))}toString(){return JSON.stringify(this.policyFragment.principalJson)}toJSON(){return this.policyFragment.principalJson}withConditions(conditions){return new PrincipalWithConditions(this,conditions)}withSessionTags(){return new SessionTagsPrincipal(this)}}exports.PrincipalBase=PrincipalBase,_b=JSII_RTTI_SYMBOL_1,PrincipalBase[_b]={fqn:"aws-cdk-lib.aws_iam.PrincipalBase",version:"2.34.2"};class PrincipalAdapter extends PrincipalBase{constructor(wrapped){super(),this.wrapped=wrapped,this.assumeRoleAction=this.wrapped.assumeRoleAction,this.principalAccount=this.wrapped.principalAccount}get policyFragment(){return this.wrapped.policyFragment}addToPolicy(statement){return this.wrapped.addToPolicy(statement)}addToPrincipalPolicy(statement){return this.wrapped.addToPrincipalPolicy(statement)}appendDedupe(append){const inner=ComparablePrincipal.dedupeStringFor(this.wrapped);return inner!==void 0?`${this.constructor.name}:${inner}:${append}`:void 0}}class PrincipalWithConditions extends PrincipalAdapter{constructor(principal,conditions){super(principal);try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principal)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,PrincipalWithConditions),error}this.additionalConditions=conditions}addCondition(key,value){validateConditionObject(value);const existingValue=this.additionalConditions[key];existingValue||(this.additionalConditions[key]=value),validateConditionObject(existingValue),this.additionalConditions[key]={...existingValue,...value}}addConditions(conditions){Object.entries(conditions).forEach(([key,value])=>{this.addCondition(key,value)})}get conditions(){return this.mergeConditions(this.wrapped.policyFragment.conditions,this.additionalConditions)}get policyFragment(){return new PrincipalPolicyFragment(this.wrapped.policyFragment.principalJson,this.conditions)}toString(){return this.wrapped.toString()}toJSON(){return this.policyFragment.principalJson}dedupeString(){return this.appendDedupe(JSON.stringify(this.conditions))}mergeConditions(principalConditions,additionalConditions){const mergedConditions={};return Object.entries(principalConditions).forEach(([operator,condition])=>{mergedConditions[operator]=condition}),Object.entries(additionalConditions).forEach(([operator,condition])=>{const existing=mergedConditions[operator];if(!existing){mergedConditions[operator]=condition;return}if(cdk.Token.isUnresolved(condition)||cdk.Token.isUnresolved(existing))throw new Error(`multiple "${operator}" conditions cannot be merged if one of them contains an unresolved token`);validateConditionObject(existing),validateConditionObject(condition),mergedConditions[operator]={...existing,...condition}}),mergedConditions}}exports.PrincipalWithConditions=PrincipalWithConditions,_c=JSII_RTTI_SYMBOL_1,PrincipalWithConditions[_c]={fqn:"aws-cdk-lib.aws_iam.PrincipalWithConditions",version:"2.34.2"};class SessionTagsPrincipal extends PrincipalAdapter{constructor(principal){super(principal);try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principal)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,SessionTagsPrincipal),error}}addToAssumeRolePolicy(doc){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyDocument(doc)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToAssumeRolePolicy),error}const adapter=require("./private/policydoc-adapter");assume_role_policy_1.defaultAddPrincipalToAssumeRole(this.wrapped,new adapter.MutatingPolicyDocumentAdapter(doc,statement=>(statement.addActions("sts:TagSession"),statement)))}dedupeString(){return this.appendDedupe("")}}exports.SessionTagsPrincipal=SessionTagsPrincipal,_d=JSII_RTTI_SYMBOL_1,SessionTagsPrincipal[_d]={fqn:"aws-cdk-lib.aws_iam.SessionTagsPrincipal",version:"2.34.2"};class PrincipalPolicyFragment{constructor(principalJson,conditions={}){this.principalJson=principalJson,this.conditions=conditions}}exports.PrincipalPolicyFragment=PrincipalPolicyFragment,_e=JSII_RTTI_SYMBOL_1,PrincipalPolicyFragment[_e]={fqn:"aws-cdk-lib.aws_iam.PrincipalPolicyFragment",version:"2.34.2"};class ArnPrincipal extends PrincipalBase{constructor(arn){super(),this.arn=arn}get policyFragment(){return new PrincipalPolicyFragment({AWS:[this.arn]})}toString(){return`ArnPrincipal(${this.arn})`}inOrganization(organizationId){return this.withConditions({StringEquals:{"aws:PrincipalOrgID":organizationId}})}dedupeString(){return`ArnPrincipal:${this.arn}`}}exports.ArnPrincipal=ArnPrincipal,_f=JSII_RTTI_SYMBOL_1,ArnPrincipal[_f]={fqn:"aws-cdk-lib.aws_iam.ArnPrincipal",version:"2.34.2"};class AccountPrincipal extends ArnPrincipal{constructor(accountId){if(super(new StackDependentToken(stack=>`arn:${stack.partition}:iam::${accountId}:root`).toString()),this.accountId=accountId,!cdk.Token.isUnresolved(accountId)&&typeof accountId!="string")throw new Error("accountId should be of type string");this.principalAccount=accountId}toString(){return`AccountPrincipal(${this.accountId})`}}exports.AccountPrincipal=AccountPrincipal,_g=JSII_RTTI_SYMBOL_1,AccountPrincipal[_g]={fqn:"aws-cdk-lib.aws_iam.AccountPrincipal",version:"2.34.2"};class ServicePrincipal extends PrincipalBase{constructor(service,opts={}){super(),this.service=service,this.opts=opts;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_ServicePrincipalOpts(opts)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,ServicePrincipal),error}}static servicePrincipalName(service){return new ServicePrincipalToken(service,{}).toString()}get policyFragment(){return new PrincipalPolicyFragment({Service:[new ServicePrincipalToken(this.service,this.opts).toString()]},this.opts.conditions)}toString(){return`ServicePrincipal(${this.service})`}dedupeString(){return`ServicePrincipal:${this.service}:${JSON.stringify(this.opts)}`}}exports.ServicePrincipal=ServicePrincipal,_h=JSII_RTTI_SYMBOL_1,ServicePrincipal[_h]={fqn:"aws-cdk-lib.aws_iam.ServicePrincipal",version:"2.34.2"};class OrganizationPrincipal extends PrincipalBase{constructor(organizationId){super(),this.organizationId=organizationId}get policyFragment(){return new PrincipalPolicyFragment({AWS:["*"]},{StringEquals:{"aws:PrincipalOrgID":this.organizationId}})}toString(){return`OrganizationPrincipal(${this.organizationId})`}dedupeString(){return`OrganizationPrincipal:${this.organizationId}`}}exports.OrganizationPrincipal=OrganizationPrincipal,_j=JSII_RTTI_SYMBOL_1,OrganizationPrincipal[_j]={fqn:"aws-cdk-lib.aws_iam.OrganizationPrincipal",version:"2.34.2"};class CanonicalUserPrincipal extends PrincipalBase{constructor(canonicalUserId){super(),this.canonicalUserId=canonicalUserId}get policyFragment(){return new PrincipalPolicyFragment({CanonicalUser:[this.canonicalUserId]})}toString(){return`CanonicalUserPrincipal(${this.canonicalUserId})`}dedupeString(){return`CanonicalUserPrincipal:${this.canonicalUserId}`}}exports.CanonicalUserPrincipal=CanonicalUserPrincipal,_k=JSII_RTTI_SYMBOL_1,CanonicalUserPrincipal[_k]={fqn:"aws-cdk-lib.aws_iam.CanonicalUserPrincipal",version:"2.34.2"};class FederatedPrincipal extends PrincipalBase{constructor(federated,conditions={},assumeRoleAction="sts:AssumeRole"){super(),this.federated=federated,this.conditions=conditions,this.assumeRoleAction=assumeRoleAction}get policyFragment(){return new PrincipalPolicyFragment({Federated:[this.federated]},this.conditions)}toString(){return`FederatedPrincipal(${this.federated})`}dedupeString(){return`FederatedPrincipal:${this.federated}:${this.assumeRoleAction}:${JSON.stringify(this.conditions)}`}}exports.FederatedPrincipal=FederatedPrincipal,_l=JSII_RTTI_SYMBOL_1,FederatedPrincipal[_l]={fqn:"aws-cdk-lib.aws_iam.FederatedPrincipal",version:"2.34.2"};class WebIdentityPrincipal extends FederatedPrincipal{constructor(identityProvider,conditions={}){super(identityProvider,conditions??{},"sts:AssumeRoleWithWebIdentity")}get policyFragment(){return new PrincipalPolicyFragment({Federated:[this.federated]},this.conditions)}toString(){return`WebIdentityPrincipal(${this.federated})`}}exports.WebIdentityPrincipal=WebIdentityPrincipal,_m=JSII_RTTI_SYMBOL_1,WebIdentityPrincipal[_m]={fqn:"aws-cdk-lib.aws_iam.WebIdentityPrincipal",version:"2.34.2"};class OpenIdConnectPrincipal extends WebIdentityPrincipal{constructor(openIdConnectProvider,conditions={}){super(openIdConnectProvider.openIdConnectProviderArn,conditions??{});try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IOpenIdConnectProvider(openIdConnectProvider)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,OpenIdConnectPrincipal),error}}get policyFragment(){return new PrincipalPolicyFragment({Federated:[this.federated]},this.conditions)}toString(){return`OpenIdConnectPrincipal(${this.federated})`}}exports.OpenIdConnectPrincipal=OpenIdConnectPrincipal,_o=JSII_RTTI_SYMBOL_1,OpenIdConnectPrincipal[_o]={fqn:"aws-cdk-lib.aws_iam.OpenIdConnectPrincipal",version:"2.34.2"};class SamlPrincipal extends FederatedPrincipal{constructor(samlProvider,conditions){super(samlProvider.samlProviderArn,conditions,"sts:AssumeRoleWithSAML");try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_ISamlProvider(samlProvider)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,SamlPrincipal),error}}toString(){return`SamlPrincipal(${this.federated})`}}exports.SamlPrincipal=SamlPrincipal,_p=JSII_RTTI_SYMBOL_1,SamlPrincipal[_p]={fqn:"aws-cdk-lib.aws_iam.SamlPrincipal",version:"2.34.2"};class SamlConsolePrincipal extends SamlPrincipal{constructor(samlProvider,conditions={}){super(samlProvider,{...conditions,StringEquals:{"SAML:aud":"https://signin.aws.amazon.com/saml"}});try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_ISamlProvider(samlProvider)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,SamlConsolePrincipal),error}}toString(){return`SamlConsolePrincipal(${this.federated})`}}exports.SamlConsolePrincipal=SamlConsolePrincipal,_q=JSII_RTTI_SYMBOL_1,SamlConsolePrincipal[_q]={fqn:"aws-cdk-lib.aws_iam.SamlConsolePrincipal",version:"2.34.2"};class AccountRootPrincipal extends AccountPrincipal{constructor(){super(new StackDependentToken(stack=>stack.account).toString())}toString(){return"AccountRootPrincipal()"}}exports.AccountRootPrincipal=AccountRootPrincipal,_r=JSII_RTTI_SYMBOL_1,AccountRootPrincipal[_r]={fqn:"aws-cdk-lib.aws_iam.AccountRootPrincipal",version:"2.34.2"};class AnyPrincipal extends ArnPrincipal{constructor(){super("*")}toString(){return"AnyPrincipal()"}}exports.AnyPrincipal=AnyPrincipal,_s=JSII_RTTI_SYMBOL_1,AnyPrincipal[_s]={fqn:"aws-cdk-lib.aws_iam.AnyPrincipal",version:"2.34.2"};class Anyone extends AnyPrincipal{}exports.Anyone=Anyone,_t=JSII_RTTI_SYMBOL_1,Anyone[_t]={fqn:"aws-cdk-lib.aws_iam.Anyone",version:"2.34.2"};class StarPrincipal extends PrincipalBase{constructor(){super(...arguments),this.policyFragment={principalJson:{[util_1.LITERAL_STRING_KEY]:["*"]},conditions:{}}}toString(){return"StarPrincipal()"}dedupeString(){return"StarPrincipal"}}exports.StarPrincipal=StarPrincipal,_u=JSII_RTTI_SYMBOL_1,StarPrincipal[_u]={fqn:"aws-cdk-lib.aws_iam.StarPrincipal",version:"2.34.2"};class CompositePrincipal extends PrincipalBase{constructor(...principals){super(),this.principals=new Array;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principals)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,CompositePrincipal),error}if(principals.length===0)throw new Error("CompositePrincipals must be constructed with at least 1 Principal but none were passed.");this.assumeRoleAction=principals[0].assumeRoleAction,this.addPrincipals(...principals)}addPrincipals(...principals){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(principals)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addPrincipals),error}return this.principals.push(...principals),this}addToAssumeRolePolicy(doc){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyDocument(doc)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToAssumeRolePolicy),error}for(const p of this.principals)assume_role_policy_1.defaultAddPrincipalToAssumeRole(p,doc)}get policyFragment(){for(const p of this.principals){const fragment=p.policyFragment;if(fragment.conditions&&Object.keys(fragment.conditions).length>0)throw new Error(`Components of a CompositePrincipal must not have conditions. Tried to add the following fragment: ${JSON.stringify(fragment)}`)}const principalJson={};for(const p of this.principals)util_1.mergePrincipal(principalJson,p.policyFragment.principalJson);return new PrincipalPolicyFragment(principalJson)}toString(){return`CompositePrincipal(${this.principals})`}dedupeString(){const inner=this.principals.map(ComparablePrincipal.dedupeStringFor);if(!inner.some(x=>x===void 0))return`CompositePrincipal[${inner.join(",")}]`}}exports.CompositePrincipal=CompositePrincipal,_v=JSII_RTTI_SYMBOL_1,CompositePrincipal[_v]={fqn:"aws-cdk-lib.aws_iam.CompositePrincipal",version:"2.34.2"};class StackDependentToken{constructor(fn){this.fn=fn,this.creationStack=cdk.captureStackTrace()}resolve(context){return this.fn(cdk.Stack.of(context.scope))}toString(){return cdk.Token.asString(this)}toJSON(){return"<unresolved-token>"}}class ServicePrincipalToken{constructor(service,opts){this.service=service,this.opts=opts,this.creationStack=cdk.captureStackTrace()}resolve(ctx){if(this.opts.region)return region_info_1.RegionInfo.get(this.opts.region).servicePrincipal(this.service)??region_info_1.Default.servicePrincipal(this.service,this.opts.region,cdk.Aws.URL_SUFFIX);const stack=cdk.Stack.of(ctx.scope);return stack.regionalFact(region_info_1.FactName.servicePrincipal(this.service),region_info_1.Default.servicePrincipal(this.service,stack.region,cdk.Aws.URL_SUFFIX))}toString(){return cdk.Token.asString(this,{displayHint:this.service})}toJSON(){return`<${this.service}>`}}function validateConditionObject(x){if(!x||typeof x!="object"||Array.isArray(x))throw new Error("A Condition should be represented as a map of operator to value")}exports.validateConditionObject=validateConditionObject;
 //# sourceMappingURL=principals.js.map

package/aws-iam/lib/role.js CHANGED Viewed

@@ -1,2 +1,2 @@
-"use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.Role=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),core_1=require("../../core"),constructs_1=require("constructs"),grant_1=require("./grant"),iam_generated_1=require("./iam.generated"),managed_policy_1=require("./managed-policy"),policy_1=require("./policy"),policy_document_1=require("./policy-document"),principals_1=require("./principals"),assume_role_policy_1=require("./private/assume-role-policy"),immutable_role_1=require("./private/immutable-role"),policydoc_adapter_1=require("./private/policydoc-adapter"),util_1=require("./util"),MAX_INLINE_SIZE=1e4,MAX_MANAGEDPOL_SIZE=6e3;class Role extends core_1.Resource{constructor(scope,id,props){super(scope,id,{physicalName:props.roleName}),this.grantPrincipal=this,this.principalAccount=this.env.account,this.assumeRoleAction="sts:AssumeRole",this.managedPolicies=[],this.attachedPolicies=new util_1.AttachedPolicies,this.dependables=new Map,this._didSplit=!1;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_RoleProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,Role),error}const externalIds=props.externalIds||[];props.externalId&&externalIds.push(props.externalId),this.assumeRolePolicy=createAssumeRolePolicy(props.assumedBy,externalIds),this.managedPolicies.push(...props.managedPolicies||[]),this.inlinePolicies=props.inlinePolicies||{},this.permissionsBoundary=props.permissionsBoundary;const maxSessionDuration=props.maxSessionDuration&&props.maxSessionDuration.toSeconds();validateMaxSessionDuration(maxSessionDuration);const description=props.description&&props.description?.length>0?props.description:void 0;if(description&&description.length>1e3)throw new Error("Role description must be no longer than 1000 characters.");validateRolePath(props.path);const role=new iam_generated_1.CfnRole(this,"Resource",{assumeRolePolicyDocument:this.assumeRolePolicy,managedPolicyArns:util_1.UniqueStringSet.from(()=>this.managedPolicies.map(p=>p.managedPolicyArn)),policies:_flatten(this.inlinePolicies),path:props.path,permissionsBoundary:this.permissionsBoundary?this.permissionsBoundary.managedPolicyArn:void 0,roleName:this.physicalName,maxSessionDuration,description});this.roleId=role.attrRoleId,this.roleArn=this.getResourceArnAttribute(role.attrArn,{region:"",service:"iam",resource:"role",resourceName:`${props.path?props.path.substr(props.path.charAt(0)==="/"?1:0):""}${this.physicalName}`}),this.roleName=this.getResourceNameAttribute(role.ref),this.policyFragment=new principals_1.ArnPrincipal(this.roleArn).policyFragment;function _flatten(policies){if(policies==null||Object.keys(policies).length===0)return;const result=new Array;for(const policyName of Object.keys(policies)){const policyDocument=policies[policyName];result.push({policyName,policyDocument})}return result}core_1.Aspects.of(this).add({visit:c=>{c===this&&this.splitLargePolicy()}}),this.node.addValidation({validate:()=>this.validateRole()})}static fromRoleArn(scope,id,roleArn,options={}){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_FromRoleArnOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromRoleArn),error}const scopeStack=core_1.Stack.of(scope),parsedArn=scopeStack.splitArn(roleArn,core_1.ArnFormat.SLASH_RESOURCE_NAME),resourceName=parsedArn.resourceName,roleAccount=parsedArn.account,roleName=resourceName.split("/").pop();class Import extends core_1.Resource{constructor(_scope,_id){super(_scope,_id,{account:roleAccount}),this.grantPrincipal=this,this.principalAccount=roleAccount,this.assumeRoleAction="sts:AssumeRole",this.policyFragment=new principals_1.ArnPrincipal(roleArn).policyFragment,this.roleArn=roleArn,this.roleName=roleName,this.attachedPolicies=new util_1.AttachedPolicies,this.defaultPolicyName=options.defaultPolicyName}addToPolicy(statement){return this.addToPrincipalPolicy(statement).statementAdded}addToPrincipalPolicy(statement){return this.defaultPolicy||(this.defaultPolicy=new policy_1.Policy(this,this.defaultPolicyName??"Policy"),this.attachInlinePolicy(this.defaultPolicy)),this.defaultPolicy.addStatements(statement),{statementAdded:!0,policyDependable:this.defaultPolicy}}attachInlinePolicy(policy){const thisAndPolicyAccountComparison=core_1.Token.compareStrings(this.env.account,policy.env.account);(thisAndPolicyAccountComparison===core_1.TokenComparison.SAME||thisAndPolicyAccountComparison===core_1.TokenComparison.BOTH_UNRESOLVED||thisAndPolicyAccountComparison===core_1.TokenComparison.ONE_UNRESOLVED)&&(this.attachedPolicies.attach(policy),policy.attachToRole(this))}addManagedPolicy(_policy){}grantPassRole(identity){return this.grant(identity,"iam:PassRole")}grantAssumeRole(identity){return this.grant(identity,"sts:AssumeRole")}grant(grantee,...actions){return grant_1.Grant.addToPrincipal({grantee,actions,resourceArns:[this.roleArn],scope:this})}dedupeString(){return`ImportedRole:${roleArn}`}}if(options.addGrantsToResources!==void 0&&options.mutable!==!1)throw new Error("'addGrantsToResources' can only be passed if 'mutable: false'");const roleArnAndScopeStackAccountComparison=core_1.Token.compareStrings(roleAccount??"",scopeStack.account),equalOrAnyUnresolved=roleArnAndScopeStackAccountComparison===core_1.TokenComparison.SAME||roleArnAndScopeStackAccountComparison===core_1.TokenComparison.BOTH_UNRESOLVED||roleArnAndScopeStackAccountComparison===core_1.TokenComparison.ONE_UNRESOLVED,mutableRoleId=options.mutable!==!1&&equalOrAnyUnresolved?id:`MutableRole${id}`,importedRole=new Import(scope,mutableRoleId);return options.mutable!==!1&&equalOrAnyUnresolved?importedRole:new immutable_role_1.ImmutableRole(scope,id,importedRole,options.addGrantsToResources??!1)}static fromRoleName(scope,id,roleName,options={}){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_FromRoleNameOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromRoleName),error}return Role.fromRoleArn(scope,id,core_1.Stack.of(scope).formatArn({region:"",service:"iam",resource:"role",resourceName:roleName}),options)}addToPrincipalPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPrincipalPolicy),error}this.defaultPolicy||(this.defaultPolicy=new policy_1.Policy(this,"DefaultPolicy"),this.attachInlinePolicy(this.defaultPolicy)),this.defaultPolicy.addStatements(statement);const policyDependable=new constructs_1.DependencyGroup;return this.dependables.set(statement,policyDependable),{statementAdded:!0,policyDependable}}addToPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPolicy),error}return this.addToPrincipalPolicy(statement).statementAdded}addManagedPolicy(policy){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IManagedPolicy(policy)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addManagedPolicy),error}this.managedPolicies.find(mp=>mp===policy)||this.managedPolicies.push(policy)}attachInlinePolicy(policy){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_Policy(policy)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachInlinePolicy),error}this.attachedPolicies.attach(policy),policy.attachToRole(this)}grant(grantee,...actions){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.grant),error}return grant_1.Grant.addToPrincipal({grantee,actions,resourceArns:[this.roleArn],scope:this})}grantPassRole(identity){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(identity)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.grantPassRole),error}return this.grant(identity,"iam:PassRole")}grantAssumeRole(identity){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(identity)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.grantAssumeRole),error}return this.grant(identity,"sts:AssumeRole")}withoutPolicyUpdates(options={}){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_WithoutPolicyUpdatesOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withoutPolicyUpdates),error}return this.immutableRole||(this.immutableRole=new immutable_role_1.ImmutableRole(constructs_1.Node.of(this).scope,`ImmutableRole${this.node.id}`,this,options.addGrantsToResources??!1)),this.immutableRole}validateRole(){const errors=new Array;errors.push(...this.assumeRolePolicy?.validateForResourcePolicy()??[]);for(const policy of Object.values(this.inlinePolicies))errors.push(...policy.validateForIdentityPolicy());return errors}splitLargePolicy(){if(!this.defaultPolicy||this._didSplit)return;this._didSplit=!0;const self=this,originalDoc=this.defaultPolicy.document,splitOffDocs=originalDoc._splitDocument(this,MAX_INLINE_SIZE,MAX_MANAGEDPOL_SIZE),mpCount=this.managedPolicies.length+(splitOffDocs.size-1);mpCount>20?core_1.Annotations.of(this).addWarning(`Policy too large: ${mpCount} exceeds the maximum of 20 managed policies attached to a Role`):mpCount>10&&core_1.Annotations.of(this).addWarning(`Policy large: ${mpCount} exceeds 10 managed policies attached to a Role, this requires a quota increase`),markDeclaringConstruct(originalDoc,this.defaultPolicy);let i=1;for(const newDoc of splitOffDocs.keys()){if(newDoc===originalDoc)continue;const mp=new managed_policy_1.ManagedPolicy(this,`OverflowPolicy${i++}`,{description:`Part of the policies for ${this.node.path}`,document:newDoc,roles:[this]});markDeclaringConstruct(newDoc,mp)}function markDeclaringConstruct(doc,declaringConstruct){for(const original of splitOffDocs.get(doc)??[])self.dependables.get(original)?.add(declaringConstruct)}}}exports.Role=Role,_a=JSII_RTTI_SYMBOL_1,Role[_a]={fqn:"aws-cdk-lib.aws_iam.Role",version:"2.34.1"};function createAssumeRolePolicy(principal,externalIds){const actualDoc=new policy_document_1.PolicyDocument,addDoc=externalIds.length===0?actualDoc:new policydoc_adapter_1.MutatingPolicyDocumentAdapter(actualDoc,statement=>(statement.addCondition("StringEquals",{"sts:ExternalId":externalIds.length===1?externalIds[0]:externalIds}),statement));return assume_role_policy_1.defaultAddPrincipalToAssumeRole(principal,addDoc),actualDoc}function validateRolePath(path){if(path===void 0||core_1.Token.isUnresolved(path))return;const validRolePath=/^(\/|\/[\u0021-\u007F]+\/)$/;if(path.length==0||path.length>512)throw new Error(`Role path must be between 1 and 512 characters. The provided role path is ${path.length} characters.`);if(!validRolePath.test(path))throw new Error(`Role path must be either a slash or valid characters (alphanumerics and symbols) surrounded by slashes. Valid characters are unicode characters in [\\u0021-\\u007F]. However, ${path} is provided.`)}function validateMaxSessionDuration(duration){if(duration!==void 0&&(duration<3600||duration>43200))throw new Error(`maxSessionDuration is set to ${duration}, but must be >= 3600sec (1hr) and <= 43200sec (12hrs)`)}
+"use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.Role=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),core_1=require("../../core"),constructs_1=require("constructs"),grant_1=require("./grant"),iam_generated_1=require("./iam.generated"),managed_policy_1=require("./managed-policy"),policy_1=require("./policy"),policy_document_1=require("./policy-document"),principals_1=require("./principals"),assume_role_policy_1=require("./private/assume-role-policy"),immutable_role_1=require("./private/immutable-role"),policydoc_adapter_1=require("./private/policydoc-adapter"),util_1=require("./util"),MAX_INLINE_SIZE=1e4,MAX_MANAGEDPOL_SIZE=6e3;class Role extends core_1.Resource{constructor(scope,id,props){super(scope,id,{physicalName:props.roleName}),this.grantPrincipal=this,this.principalAccount=this.env.account,this.assumeRoleAction="sts:AssumeRole",this.managedPolicies=[],this.attachedPolicies=new util_1.AttachedPolicies,this.dependables=new Map,this._didSplit=!1;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_RoleProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,Role),error}const externalIds=props.externalIds||[];props.externalId&&externalIds.push(props.externalId),this.assumeRolePolicy=createAssumeRolePolicy(props.assumedBy,externalIds),this.managedPolicies.push(...props.managedPolicies||[]),this.inlinePolicies=props.inlinePolicies||{},this.permissionsBoundary=props.permissionsBoundary;const maxSessionDuration=props.maxSessionDuration&&props.maxSessionDuration.toSeconds();validateMaxSessionDuration(maxSessionDuration);const description=props.description&&props.description?.length>0?props.description:void 0;if(description&&description.length>1e3)throw new Error("Role description must be no longer than 1000 characters.");validateRolePath(props.path);const role=new iam_generated_1.CfnRole(this,"Resource",{assumeRolePolicyDocument:this.assumeRolePolicy,managedPolicyArns:util_1.UniqueStringSet.from(()=>this.managedPolicies.map(p=>p.managedPolicyArn)),policies:_flatten(this.inlinePolicies),path:props.path,permissionsBoundary:this.permissionsBoundary?this.permissionsBoundary.managedPolicyArn:void 0,roleName:this.physicalName,maxSessionDuration,description});this.roleId=role.attrRoleId,this.roleArn=this.getResourceArnAttribute(role.attrArn,{region:"",service:"iam",resource:"role",resourceName:`${props.path?props.path.substr(props.path.charAt(0)==="/"?1:0):""}${this.physicalName}`}),this.roleName=this.getResourceNameAttribute(role.ref),this.policyFragment=new principals_1.ArnPrincipal(this.roleArn).policyFragment;function _flatten(policies){if(policies==null||Object.keys(policies).length===0)return;const result=new Array;for(const policyName of Object.keys(policies)){const policyDocument=policies[policyName];result.push({policyName,policyDocument})}return result}core_1.Aspects.of(this).add({visit:c=>{c===this&&this.splitLargePolicy()}}),this.node.addValidation({validate:()=>this.validateRole()})}static fromRoleArn(scope,id,roleArn,options={}){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_FromRoleArnOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromRoleArn),error}const scopeStack=core_1.Stack.of(scope),parsedArn=scopeStack.splitArn(roleArn,core_1.ArnFormat.SLASH_RESOURCE_NAME),resourceName=parsedArn.resourceName,roleAccount=parsedArn.account,roleName=resourceName.split("/").pop();class Import extends core_1.Resource{constructor(_scope,_id){super(_scope,_id,{account:roleAccount}),this.grantPrincipal=this,this.principalAccount=roleAccount,this.assumeRoleAction="sts:AssumeRole",this.policyFragment=new principals_1.ArnPrincipal(roleArn).policyFragment,this.roleArn=roleArn,this.roleName=roleName,this.attachedPolicies=new util_1.AttachedPolicies,this.defaultPolicyName=options.defaultPolicyName}addToPolicy(statement){return this.addToPrincipalPolicy(statement).statementAdded}addToPrincipalPolicy(statement){return this.defaultPolicy||(this.defaultPolicy=new policy_1.Policy(this,this.defaultPolicyName??"Policy"),this.attachInlinePolicy(this.defaultPolicy)),this.defaultPolicy.addStatements(statement),{statementAdded:!0,policyDependable:this.defaultPolicy}}attachInlinePolicy(policy){const thisAndPolicyAccountComparison=core_1.Token.compareStrings(this.env.account,policy.env.account);(thisAndPolicyAccountComparison===core_1.TokenComparison.SAME||thisAndPolicyAccountComparison===core_1.TokenComparison.BOTH_UNRESOLVED||thisAndPolicyAccountComparison===core_1.TokenComparison.ONE_UNRESOLVED)&&(this.attachedPolicies.attach(policy),policy.attachToRole(this))}addManagedPolicy(_policy){}grantPassRole(identity){return this.grant(identity,"iam:PassRole")}grantAssumeRole(identity){return this.grant(identity,"sts:AssumeRole")}grant(grantee,...actions){return grant_1.Grant.addToPrincipal({grantee,actions,resourceArns:[this.roleArn],scope:this})}dedupeString(){return`ImportedRole:${roleArn}`}}if(options.addGrantsToResources!==void 0&&options.mutable!==!1)throw new Error("'addGrantsToResources' can only be passed if 'mutable: false'");const roleArnAndScopeStackAccountComparison=core_1.Token.compareStrings(roleAccount??"",scopeStack.account),equalOrAnyUnresolved=roleArnAndScopeStackAccountComparison===core_1.TokenComparison.SAME||roleArnAndScopeStackAccountComparison===core_1.TokenComparison.BOTH_UNRESOLVED||roleArnAndScopeStackAccountComparison===core_1.TokenComparison.ONE_UNRESOLVED,mutableRoleId=options.mutable!==!1&&equalOrAnyUnresolved?id:`MutableRole${id}`,importedRole=new Import(scope,mutableRoleId);return options.mutable!==!1&&equalOrAnyUnresolved?importedRole:new immutable_role_1.ImmutableRole(scope,id,importedRole,options.addGrantsToResources??!1)}static fromRoleName(scope,id,roleName,options={}){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_FromRoleNameOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromRoleName),error}return Role.fromRoleArn(scope,id,core_1.Stack.of(scope).formatArn({region:"",service:"iam",resource:"role",resourceName:roleName}),options)}addToPrincipalPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPrincipalPolicy),error}this.defaultPolicy||(this.defaultPolicy=new policy_1.Policy(this,"DefaultPolicy"),this.attachInlinePolicy(this.defaultPolicy)),this.defaultPolicy.addStatements(statement);const policyDependable=new constructs_1.DependencyGroup;return this.dependables.set(statement,policyDependable),{statementAdded:!0,policyDependable}}addToPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPolicy),error}return this.addToPrincipalPolicy(statement).statementAdded}addManagedPolicy(policy){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IManagedPolicy(policy)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addManagedPolicy),error}this.managedPolicies.find(mp=>mp===policy)||this.managedPolicies.push(policy)}attachInlinePolicy(policy){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_Policy(policy)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachInlinePolicy),error}this.attachedPolicies.attach(policy),policy.attachToRole(this)}grant(grantee,...actions){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.grant),error}return grant_1.Grant.addToPrincipal({grantee,actions,resourceArns:[this.roleArn],scope:this})}grantPassRole(identity){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(identity)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.grantPassRole),error}return this.grant(identity,"iam:PassRole")}grantAssumeRole(identity){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IPrincipal(identity)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.grantAssumeRole),error}return this.grant(identity,"sts:AssumeRole")}withoutPolicyUpdates(options={}){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_WithoutPolicyUpdatesOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withoutPolicyUpdates),error}return this.immutableRole||(this.immutableRole=new immutable_role_1.ImmutableRole(constructs_1.Node.of(this).scope,`ImmutableRole${this.node.id}`,this,options.addGrantsToResources??!1)),this.immutableRole}validateRole(){const errors=new Array;errors.push(...this.assumeRolePolicy?.validateForResourcePolicy()??[]);for(const policy of Object.values(this.inlinePolicies))errors.push(...policy.validateForIdentityPolicy());return errors}splitLargePolicy(){if(!this.defaultPolicy||this._didSplit)return;this._didSplit=!0;const self=this,originalDoc=this.defaultPolicy.document,splitOffDocs=originalDoc._splitDocument(this,MAX_INLINE_SIZE,MAX_MANAGEDPOL_SIZE),mpCount=this.managedPolicies.length+(splitOffDocs.size-1);mpCount>20?core_1.Annotations.of(this).addWarning(`Policy too large: ${mpCount} exceeds the maximum of 20 managed policies attached to a Role`):mpCount>10&&core_1.Annotations.of(this).addWarning(`Policy large: ${mpCount} exceeds 10 managed policies attached to a Role, this requires a quota increase`),markDeclaringConstruct(originalDoc,this.defaultPolicy);let i=1;for(const newDoc of splitOffDocs.keys()){if(newDoc===originalDoc)continue;const mp=new managed_policy_1.ManagedPolicy(this,`OverflowPolicy${i++}`,{description:`Part of the policies for ${this.node.path}`,document:newDoc,roles:[this]});markDeclaringConstruct(newDoc,mp)}function markDeclaringConstruct(doc,declaringConstruct){for(const original of splitOffDocs.get(doc)??[])self.dependables.get(original)?.add(declaringConstruct)}}}exports.Role=Role,_a=JSII_RTTI_SYMBOL_1,Role[_a]={fqn:"aws-cdk-lib.aws_iam.Role",version:"2.34.2"};function createAssumeRolePolicy(principal,externalIds){const actualDoc=new policy_document_1.PolicyDocument,addDoc=externalIds.length===0?actualDoc:new policydoc_adapter_1.MutatingPolicyDocumentAdapter(actualDoc,statement=>(statement.addCondition("StringEquals",{"sts:ExternalId":externalIds.length===1?externalIds[0]:externalIds}),statement));return assume_role_policy_1.defaultAddPrincipalToAssumeRole(principal,addDoc),actualDoc}function validateRolePath(path){if(path===void 0||core_1.Token.isUnresolved(path))return;const validRolePath=/^(\/|\/[\u0021-\u007F]+\/)$/;if(path.length==0||path.length>512)throw new Error(`Role path must be between 1 and 512 characters. The provided role path is ${path.length} characters.`);if(!validRolePath.test(path))throw new Error(`Role path must be either a slash or valid characters (alphanumerics and symbols) surrounded by slashes. Valid characters are unicode characters in [\\u0021-\\u007F]. However, ${path} is provided.`)}function validateMaxSessionDuration(duration){if(duration!==void 0&&(duration<3600||duration>43200))throw new Error(`maxSessionDuration is set to ${duration}, but must be >= 3600sec (1hr) and <= 43200sec (12hrs)`)}
 //# sourceMappingURL=role.js.map

package/aws-iam/lib/saml-provider.js CHANGED Viewed

@@ -1,2 +1,2 @@
-"use strict";var _a,_b;Object.defineProperty(exports,"__esModule",{value:!0}),exports.SamlProvider=exports.SamlMetadataDocument=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),fs=require("fs"),core_1=require("../../core"),iam_generated_1=require("./iam.generated");class SamlMetadataDocument{static fromXml(xml){return{xml}}static fromFile(path){return{xml:fs.readFileSync(path,"utf-8")}}}exports.SamlMetadataDocument=SamlMetadataDocument,_a=JSII_RTTI_SYMBOL_1,SamlMetadataDocument[_a]={fqn:"aws-cdk-lib.aws_iam.SamlMetadataDocument",version:"2.34.1"};class SamlProvider extends core_1.Resource{constructor(scope,id,props){super(scope,id);try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_SamlProviderProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,SamlProvider),error}if(props.name&&!core_1.Token.isUnresolved(props.name)&&!/^[\w+=,.@-]{1,128}$/.test(props.name))throw new Error("Invalid SAML provider name. The name must be a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. Length must be between 1 and 128 characters.");const samlProvider=new iam_generated_1.CfnSAMLProvider(this,"Resource",{name:props.name,samlMetadataDocument:props.metadataDocument.xml});this.samlProviderArn=samlProvider.ref}static fromSamlProviderArn(scope,id,samlProviderArn){class Import extends core_1.Resource{constructor(){super(...arguments),this.samlProviderArn=samlProviderArn}}return new Import(scope,id)}}exports.SamlProvider=SamlProvider,_b=JSII_RTTI_SYMBOL_1,SamlProvider[_b]={fqn:"aws-cdk-lib.aws_iam.SamlProvider",version:"2.34.1"};
+"use strict";var _a,_b;Object.defineProperty(exports,"__esModule",{value:!0}),exports.SamlProvider=exports.SamlMetadataDocument=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),fs=require("fs"),core_1=require("../../core"),iam_generated_1=require("./iam.generated");class SamlMetadataDocument{static fromXml(xml){return{xml}}static fromFile(path){return{xml:fs.readFileSync(path,"utf-8")}}}exports.SamlMetadataDocument=SamlMetadataDocument,_a=JSII_RTTI_SYMBOL_1,SamlMetadataDocument[_a]={fqn:"aws-cdk-lib.aws_iam.SamlMetadataDocument",version:"2.34.2"};class SamlProvider extends core_1.Resource{constructor(scope,id,props){super(scope,id);try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_SamlProviderProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,SamlProvider),error}if(props.name&&!core_1.Token.isUnresolved(props.name)&&!/^[\w+=,.@-]{1,128}$/.test(props.name))throw new Error("Invalid SAML provider name. The name must be a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. Length must be between 1 and 128 characters.");const samlProvider=new iam_generated_1.CfnSAMLProvider(this,"Resource",{name:props.name,samlMetadataDocument:props.metadataDocument.xml});this.samlProviderArn=samlProvider.ref}static fromSamlProviderArn(scope,id,samlProviderArn){class Import extends core_1.Resource{constructor(){super(...arguments),this.samlProviderArn=samlProviderArn}}return new Import(scope,id)}}exports.SamlProvider=SamlProvider,_b=JSII_RTTI_SYMBOL_1,SamlProvider[_b]={fqn:"aws-cdk-lib.aws_iam.SamlProvider",version:"2.34.2"};
 //# sourceMappingURL=saml-provider.js.map

package/aws-iam/lib/unknown-principal.js CHANGED Viewed

@@ -1,2 +1,2 @@
-"use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.UnknownPrincipal=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),core_1=require("../../core"),constructs_1=require("constructs");class UnknownPrincipal{constructor(props){this.assumeRoleAction="sts:AssumeRole";try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_UnknownPrincipalProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,UnknownPrincipal),error}this.resource=props.resource,this.grantPrincipal=this}get policyFragment(){throw new Error(`Cannot get policy fragment of ${constructs_1.Node.of(this.resource).path}, resource imported without a role`)}addToPrincipalPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPrincipalPolicy),error}const stack=core_1.Stack.of(this.resource),repr=JSON.stringify(stack.resolve(statement));return core_1.Annotations.of(this.resource).addWarning(`Add statement to this resource's role: ${repr}`),{statementAdded:!0,policyDependable:new constructs_1.DependencyGroup}}addToPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPolicy),error}return this.addToPrincipalPolicy(statement).statementAdded}}exports.UnknownPrincipal=UnknownPrincipal,_a=JSII_RTTI_SYMBOL_1,UnknownPrincipal[_a]={fqn:"aws-cdk-lib.aws_iam.UnknownPrincipal",version:"2.34.1"};
+"use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.UnknownPrincipal=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),core_1=require("../../core"),constructs_1=require("constructs");class UnknownPrincipal{constructor(props){this.assumeRoleAction="sts:AssumeRole";try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_UnknownPrincipalProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,UnknownPrincipal),error}this.resource=props.resource,this.grantPrincipal=this}get policyFragment(){throw new Error(`Cannot get policy fragment of ${constructs_1.Node.of(this.resource).path}, resource imported without a role`)}addToPrincipalPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPrincipalPolicy),error}const stack=core_1.Stack.of(this.resource),repr=JSON.stringify(stack.resolve(statement));return core_1.Annotations.of(this.resource).addWarning(`Add statement to this resource's role: ${repr}`),{statementAdded:!0,policyDependable:new constructs_1.DependencyGroup}}addToPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPolicy),error}return this.addToPrincipalPolicy(statement).statementAdded}}exports.UnknownPrincipal=UnknownPrincipal,_a=JSII_RTTI_SYMBOL_1,UnknownPrincipal[_a]={fqn:"aws-cdk-lib.aws_iam.UnknownPrincipal",version:"2.34.2"};
 //# sourceMappingURL=unknown-principal.js.map

package/aws-iam/lib/user.js CHANGED Viewed

@@ -1,2 +1,2 @@
-"use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.User=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),core_1=require("../../core"),iam_generated_1=require("./iam.generated"),policy_1=require("./policy"),principals_1=require("./principals"),util_1=require("./util");class User extends core_1.Resource{constructor(scope,id,props={}){super(scope,id,{physicalName:props.userName}),this.grantPrincipal=this,this.principalAccount=this.env.account,this.assumeRoleAction="sts:AssumeRole",this.groups=new Array,this.managedPolicies=new Array,this.attachedPolicies=new util_1.AttachedPolicies;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_UserProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,User),error}this.managedPolicies.push(...props.managedPolicies||[]),this.permissionsBoundary=props.permissionsBoundary;const user=new iam_generated_1.CfnUser(this,"Resource",{userName:this.physicalName,groups:util_1.undefinedIfEmpty(()=>this.groups),managedPolicyArns:core_1.Lazy.list({produce:()=>this.managedPolicies.map(p=>p.managedPolicyArn)},{omitEmpty:!0}),path:props.path,permissionsBoundary:this.permissionsBoundary?this.permissionsBoundary.managedPolicyArn:void 0,loginProfile:this.parseLoginProfile(props)});this.userName=this.getResourceNameAttribute(user.ref),this.userArn=this.getResourceArnAttribute(user.attrArn,{region:"",service:"iam",resource:"user",resourceName:`${props.path?props.path.substr(props.path.charAt(0)==="/"?1:0):""}${this.physicalName}`}),this.policyFragment=new principals_1.ArnPrincipal(this.userArn).policyFragment,props.groups&&props.groups.forEach(g=>this.addToGroup(g))}static fromUserName(scope,id,userName){const userArn=core_1.Stack.of(scope).formatArn({service:"iam",region:"",resource:"user",resourceName:userName});return User.fromUserAttributes(scope,id,{userArn})}static fromUserArn(scope,id,userArn){return User.fromUserAttributes(scope,id,{userArn})}static fromUserAttributes(scope,id,attrs){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_UserAttributes(attrs)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromUserAttributes),error}class Import extends core_1.Resource{constructor(){super(...arguments),this.grantPrincipal=this,this.principalAccount=core_1.Aws.ACCOUNT_ID,this.userName=core_1.Arn.extractResourceName(attrs.userArn,"user").split("/").pop(),this.userArn=attrs.userArn,this.assumeRoleAction="sts:AssumeRole",this.policyFragment=new principals_1.ArnPrincipal(attrs.userArn).policyFragment,this.attachedPolicies=new util_1.AttachedPolicies,this.groupId=0}addToPolicy(statement){return this.addToPrincipalPolicy(statement).statementAdded}addToPrincipalPolicy(statement){return this.defaultPolicy||(this.defaultPolicy=new policy_1.Policy(this,"Policy"),this.defaultPolicy.attachToUser(this)),this.defaultPolicy.addStatements(statement),{statementAdded:!0,policyDependable:this.defaultPolicy}}addToGroup(group){new iam_generated_1.CfnUserToGroupAddition(core_1.Stack.of(group),`${this.userName}Group${this.groupId}`,{groupName:group.groupName,users:[this.userName]}),this.groupId+=1}attachInlinePolicy(policy){this.attachedPolicies.attach(policy),policy.attachToUser(this)}addManagedPolicy(_policy){throw new Error("Cannot add managed policy to imported User")}}return new Import(scope,id)}addToGroup(group){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IGroup(group)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToGroup),error}this.groups.push(group.groupName)}addManagedPolicy(policy){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IManagedPolicy(policy)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addManagedPolicy),error}this.managedPolicies.find(mp=>mp===policy)||this.managedPolicies.push(policy)}attachInlinePolicy(policy){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_Policy(policy)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachInlinePolicy),error}this.attachedPolicies.attach(policy),policy.attachToUser(this)}addToPrincipalPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPrincipalPolicy),error}return this.defaultPolicy||(this.defaultPolicy=new policy_1.Policy(this,"DefaultPolicy"),this.defaultPolicy.attachToUser(this)),this.defaultPolicy.addStatements(statement),{statementAdded:!0,policyDependable:this.defaultPolicy}}addToPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPolicy),error}return this.addToPrincipalPolicy(statement).statementAdded}parseLoginProfile(props){if(props.password)return{password:props.password.unsafeUnwrap(),passwordResetRequired:props.passwordResetRequired};if(props.passwordResetRequired)throw new Error('Cannot set "passwordResetRequired" without specifying "initialPassword"')}}exports.User=User,_a=JSII_RTTI_SYMBOL_1,User[_a]={fqn:"aws-cdk-lib.aws_iam.User",version:"2.34.1"};
+"use strict";var _a;Object.defineProperty(exports,"__esModule",{value:!0}),exports.User=void 0;const jsiiDeprecationWarnings=require("../../.warnings.jsii.js"),JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti"),core_1=require("../../core"),iam_generated_1=require("./iam.generated"),policy_1=require("./policy"),principals_1=require("./principals"),util_1=require("./util");class User extends core_1.Resource{constructor(scope,id,props={}){super(scope,id,{physicalName:props.userName}),this.grantPrincipal=this,this.principalAccount=this.env.account,this.assumeRoleAction="sts:AssumeRole",this.groups=new Array,this.managedPolicies=new Array,this.attachedPolicies=new util_1.AttachedPolicies;try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_UserProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,User),error}this.managedPolicies.push(...props.managedPolicies||[]),this.permissionsBoundary=props.permissionsBoundary;const user=new iam_generated_1.CfnUser(this,"Resource",{userName:this.physicalName,groups:util_1.undefinedIfEmpty(()=>this.groups),managedPolicyArns:core_1.Lazy.list({produce:()=>this.managedPolicies.map(p=>p.managedPolicyArn)},{omitEmpty:!0}),path:props.path,permissionsBoundary:this.permissionsBoundary?this.permissionsBoundary.managedPolicyArn:void 0,loginProfile:this.parseLoginProfile(props)});this.userName=this.getResourceNameAttribute(user.ref),this.userArn=this.getResourceArnAttribute(user.attrArn,{region:"",service:"iam",resource:"user",resourceName:`${props.path?props.path.substr(props.path.charAt(0)==="/"?1:0):""}${this.physicalName}`}),this.policyFragment=new principals_1.ArnPrincipal(this.userArn).policyFragment,props.groups&&props.groups.forEach(g=>this.addToGroup(g))}static fromUserName(scope,id,userName){const userArn=core_1.Stack.of(scope).formatArn({service:"iam",region:"",resource:"user",resourceName:userName});return User.fromUserAttributes(scope,id,{userArn})}static fromUserArn(scope,id,userArn){return User.fromUserAttributes(scope,id,{userArn})}static fromUserAttributes(scope,id,attrs){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_UserAttributes(attrs)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromUserAttributes),error}class Import extends core_1.Resource{constructor(){super(...arguments),this.grantPrincipal=this,this.principalAccount=core_1.Aws.ACCOUNT_ID,this.userName=core_1.Arn.extractResourceName(attrs.userArn,"user").split("/").pop(),this.userArn=attrs.userArn,this.assumeRoleAction="sts:AssumeRole",this.policyFragment=new principals_1.ArnPrincipal(attrs.userArn).policyFragment,this.attachedPolicies=new util_1.AttachedPolicies,this.groupId=0}addToPolicy(statement){return this.addToPrincipalPolicy(statement).statementAdded}addToPrincipalPolicy(statement){return this.defaultPolicy||(this.defaultPolicy=new policy_1.Policy(this,"Policy"),this.defaultPolicy.attachToUser(this)),this.defaultPolicy.addStatements(statement),{statementAdded:!0,policyDependable:this.defaultPolicy}}addToGroup(group){new iam_generated_1.CfnUserToGroupAddition(core_1.Stack.of(group),`${this.userName}Group${this.groupId}`,{groupName:group.groupName,users:[this.userName]}),this.groupId+=1}attachInlinePolicy(policy){this.attachedPolicies.attach(policy),policy.attachToUser(this)}addManagedPolicy(_policy){throw new Error("Cannot add managed policy to imported User")}}return new Import(scope,id)}addToGroup(group){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IGroup(group)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToGroup),error}this.groups.push(group.groupName)}addManagedPolicy(policy){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_IManagedPolicy(policy)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addManagedPolicy),error}this.managedPolicies.find(mp=>mp===policy)||this.managedPolicies.push(policy)}attachInlinePolicy(policy){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_Policy(policy)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.attachInlinePolicy),error}this.attachedPolicies.attach(policy),policy.attachToUser(this)}addToPrincipalPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPrincipalPolicy),error}return this.defaultPolicy||(this.defaultPolicy=new policy_1.Policy(this,"DefaultPolicy"),this.defaultPolicy.attachToUser(this)),this.defaultPolicy.addStatements(statement),{statementAdded:!0,policyDependable:this.defaultPolicy}}addToPolicy(statement){try{jsiiDeprecationWarnings.aws_cdk_lib_aws_iam_PolicyStatement(statement)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addToPolicy),error}return this.addToPrincipalPolicy(statement).statementAdded}parseLoginProfile(props){if(props.password)return{password:props.password.unsafeUnwrap(),passwordResetRequired:props.passwordResetRequired};if(props.passwordResetRequired)throw new Error('Cannot set "passwordResetRequired" without specifying "initialPassword"')}}exports.User=User,_a=JSII_RTTI_SYMBOL_1,User[_a]={fqn:"aws-cdk-lib.aws_iam.User",version:"2.34.2"};
 //# sourceMappingURL=user.js.map