aws-cdk 2.1025.0 → 2.1026.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +143 -0
- package/THIRD_PARTY_LICENSES +56 -130
- package/build-info.json +2 -2
- package/db.json.gz +0 -0
- package/lib/api/bootstrap/bootstrap-template.yaml +152 -22
- package/lib/cli/cdk-toolkit.js +4 -4
- package/lib/cli/cli-config.js +4 -2
- package/lib/cli/cli-type-registry.json +14 -2
- package/lib/cli/cli.js +6 -2
- package/lib/cli/convert-to-user-input.js +5 -1
- package/lib/cli/parse-command-line-arguments.js +16 -2
- package/lib/cli/user-input.d.ts +13 -0
- package/lib/cli/user-input.js +1 -1
- package/lib/commands/flag-operations.js +5 -1
- package/lib/commands/init/init.js +12 -8
- package/lib/index.js +1631 -2947
- package/lib/index_bg.wasm +0 -0
- package/lib/init-templates/.init-version.json +1 -1
- package/lib/init-templates/app/typescript/tsconfig.json +1 -0
- package/lib/init-templates/lib/typescript/tsconfig.json +1 -0
- package/lib/init-templates/sample-app/javascript/tsconfig.json +1 -0
- package/lib/init-templates/sample-app/typescript/tsconfig.json +1 -0
- package/package.json +15 -15
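--- a/package/lib/api/bootstrap/bootstrap-template.yaml
+++ b/package/lib/api/bootstrap/bootstrap-template.yaml
@@ -56,6 +56,18 @@ Parameters:
     Description: Describe the provenance of the resources in this bootstrap
       stack. Change this when you customize the template. To prevent accidents,
       the CDK CLI will not overwrite bootstrap stacks with a different variant.
+  DenyExternalId:
+    # By default, CDK Bootstrap roles are not designed to be deputized.
+    # Deputized means that you give an external entity access to assume roles on
+    # your behalf. They will supply an ExternalId to avoid Confused Deputy
+    # attacks (https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).
+    #
+    # AssumeRole calls with ExternalIds will be denied by default, set this to 'false'
+    # if you need this functionality for some reason.
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: Whether to deny AssumeRole calls with an ExternalId. This prevents calls that are intended to be deputized from accidentally assuming CDK Roles.
 Conditions:
   HasTrustedAccounts:
     Fn::Not:
@@ -109,6 +121,10 @@ Conditions:
     Fn::Equals:
       - 'true'
       - Ref: PublicAccessBlockConfiguration
+  ShouldDenyExternalId:
+    Fn::Equals:
+      - 'true'
+      - Ref: DenyExternalId
 Resources:
   FileAssetsBucketEncryptionKey:
     Type: AWS::KMS::Key
@@ -296,21 +312,45 @@ Resources:
     Properties:
       AssumeRolePolicyDocument:
         Statement:
-          #
-
-          - Action: sts:TagSession
+          # AssumeRole for same account (no ExternalId)
+          - Action: sts:AssumeRole
             Effect: Allow
             Principal:
               AWS:
                 Ref: AWS::AccountId
-
+            Condition:
+              Fn::If:
+                - ShouldDenyExternalId
+                - "Null":
+                    "sts:ExternalId": "true"
+                - Ref: AWS::NoValue
+          # TagSession for same account
+          - Action: sts:TagSession
             Effect: Allow
             Principal:
               AWS:
                 Ref: AWS::AccountId
+          # AssumeRole for regular Trust account (no ExternalId)
           - Fn::If:
               - HasTrustedAccounts
-              - Action:
+              - Action:
+                  - sts:AssumeRole
+                Effect: Allow
+                Principal:
+                  AWS:
+                    Ref: TrustedAccounts
+                Condition:
+                  Fn::If:
+                    - ShouldDenyExternalId
+                    - "Null":
+                        "sts:ExternalId": "true"
+                    - Ref: AWS::NoValue
+              - Ref: AWS::NoValue
+          # TagSession for regular Trust
+          - Fn::If:
+              - HasTrustedAccounts
+              - Action:
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS:
@@ -326,21 +366,45 @@ Resources:
     Properties:
       AssumeRolePolicyDocument:
         Statement:
-          #
-
-          - Action: sts:TagSession
+          # AssumeRole for same account (no ExternalId)
+          - Action: sts:AssumeRole
             Effect: Allow
             Principal:
               AWS:
                 Ref: AWS::AccountId
-
+            Condition:
+              Fn::If:
+                - ShouldDenyExternalId
+                - "Null":
+                    "sts:ExternalId": "true"
+                - Ref: AWS::NoValue
+          # TagSession for same account
+          - Action: sts:TagSession
             Effect: Allow
             Principal:
               AWS:
                 Ref: AWS::AccountId
+          # AssumeRole for Trusted account (no ExternalId)
+          - Fn::If:
+              - HasTrustedAccounts
+              - Action:
+                  - sts:AssumeRole
+                Effect: Allow
+                Principal:
+                  AWS:
+                    Ref: TrustedAccounts
+                Condition:
+                  Fn::If:
+                    - ShouldDenyExternalId
+                    - "Null":
+                        "sts:ExternalId": "true"
+                    - Ref: AWS::NoValue
+              - Ref: AWS::NoValue
+          # TagSession for Trusted account
           - Fn::If:
               - HasTrustedAccounts
-              - Action:
+              - Action:
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS:
@@ -356,29 +420,71 @@ Resources:
     Properties:
       AssumeRolePolicyDocument:
         Statement:
-          #
-
-          - Action: sts:TagSession
+          # AssumeRole for same account (no ExternalId)
+          - Action: sts:AssumeRole
             Effect: Allow
             Principal:
               AWS:
                 Ref: AWS::AccountId
-
+            Condition:
+              Fn::If:
+                - ShouldDenyExternalId
+                - "Null":
+                    "sts:ExternalId": "true"
+                - Ref: AWS::NoValue
+          # TagSession for same account
+          - Action: sts:TagSession
             Effect: Allow
             Principal:
               AWS:
                 Ref: AWS::AccountId
+          # Assume Role for Lookup Trust (no ExternalId)
           - Fn::If:
               - HasTrustedAccountsForLookup
-              - Action:
+              - Action:
+                  - sts:AssumeRole
                 Effect: Allow
                 Principal:
                   AWS:
                     Ref: TrustedAccountsForLookup
+                Condition:
+                  Fn::If:
+                    - ShouldDenyExternalId
+                    - "Null":
+                        "sts:ExternalId": "true"
+                    - Ref: AWS::NoValue
               - Ref: AWS::NoValue
+          # TagSession for Lookup Trust
+          - Fn::If:
+              - HasTrustedAccountsForLookup
+              - Action:
+                  - sts:TagSession
+                Effect: Allow
+                Principal:
+                  AWS:
+                    Ref: TrustedAccountsForLookup
+              - Ref: AWS::NoValue
+          # Assume Role for regular Trust (no ExternalId)
           - Fn::If:
               - HasTrustedAccounts
-              - Action:
+              - Action:
+                  - sts:AssumeRole
+                Effect: Allow
+                Principal:
+                  AWS:
+                    Ref: TrustedAccounts
+                Condition:
+                  Fn::If:
+                    - ShouldDenyExternalId
+                    - "Null":
+                        "sts:ExternalId": "true"
+                    - Ref: AWS::NoValue
+              - Ref: AWS::NoValue
+          # TagSession for regular Trust
+          - Fn::If:
+              - HasTrustedAccounts
+              - Action:
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS:
@@ -471,21 +577,45 @@ Resources:
     Properties:
       AssumeRolePolicyDocument:
         Statement:
-          #
-
-          - Action: sts:TagSession
+          # AssumeRole for same account (no ExternalId)
+          - Action: sts:AssumeRole
             Effect: Allow
             Principal:
               AWS:
                 Ref: AWS::AccountId
-
+            Condition:
+              Fn::If:
+                - ShouldDenyExternalId
+                - "Null":
+                    "sts:ExternalId": "true"
+                - Ref: AWS::NoValue
+          # TagSession for same account
+          - Action: sts:TagSession
             Effect: Allow
             Principal:
               AWS:
                 Ref: AWS::AccountId
+          # AssumeRole for Trusted accounts (no ExternalId)
+          - Fn::If:
+              - HasTrustedAccounts
+              - Action:
+                  - sts:AssumeRole
+                Effect: Allow
+                Principal:
+                  AWS:
+                    Ref: TrustedAccounts
+                Condition:
+                  Fn::If:
+                    - ShouldDenyExternalId
+                    - "Null":
+                        "sts:ExternalId": "true"
+                    - Ref: AWS::NoValue
+              - Ref: AWS::NoValue
+          # TagSession for Trusted accounts
           - Fn::If:
               - HasTrustedAccounts
-              - Action:
+              - Action:
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS:
@@ -683,7 +813,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '
+      Value: '29'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack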
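Review bot: The ExternalId guard is expressed as the same `Fn::If` / `"Null": "sts:ExternalId": "true"` block repeated inside every `sts:AssumeRole` Allow statement of the four role trust policies (the hunks at @@ -296, @@ -326, @@ -356 and @@ -471), so any Allow statement added to these policies later without the block would quietly accept ExternalId-bearing calls again; a single explicit `Effect: Deny` statement per policy, gated by the same `ShouldDenyExternalId` condition, would enforce the `DenyExternalId` parameter in one place regardless of how many Allow statements exist. The `# ... (no ExternalId)` comments on the new statements only describe the behaviour when `DenyExternalId` is 'true'; with 'false' the `Condition` collapses to `AWS::NoValue` and the statement accepts calls with or without an ExternalId, so `# AssumeRole for same account (ExternalId rejected unless DenyExternalId is 'false')` would be more accurate. The role resources that own these `AssumeRolePolicyDocument` blocks start outside the hunks, and the `Value: '` on the removed side of the last hunk appears truncated in this rendering.
```yaml
        Statement:
          # … unchanged: existing Allow statements …
          - Fn::If:
              - ShouldDenyExternalId
              - Effect: Deny
                Principal: '*'
                Action: sts:AssumeRole
                Condition:
                  "Null":
                    "sts:ExternalId": "false"
              - Ref: AWS::NoValue
```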