terraconstructs 0.0.8

package/lib/aws/encryption/private/perms.d.ts

@@ -0,0 +1,5 @@
+export declare const ADMIN_ACTIONS: string[];
+export declare const ENCRYPT_ACTIONS: string[];
+export declare const DECRYPT_ACTIONS: string[];
+export declare const GENERATE_HMAC_ACTIONS: string[];
+export declare const VERIFY_HMAC_ACTIONS: string[];

package/lib/aws/encryption/private/perms.js

@@ -0,0 +1,30 @@
+"use strict";
+// https://github.com/aws/aws-cdk/blob/v2.170.0/packages/aws-cdk-lib/aws-kms/lib/private/perms.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VERIFY_HMAC_ACTIONS = exports.GENERATE_HMAC_ACTIONS = exports.DECRYPT_ACTIONS = exports.ENCRYPT_ACTIONS = exports.ADMIN_ACTIONS = void 0;
+// https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+exports.ADMIN_ACTIONS = [
+    "kms:Create*",
+    "kms:Describe*",
+    "kms:Enable*",
+    "kms:List*",
+    "kms:Put*",
+    "kms:Update*",
+    "kms:Revoke*",
+    "kms:Disable*",
+    "kms:Get*",
+    "kms:Delete*",
+    "kms:TagResource",
+    "kms:UntagResource",
+    "kms:ScheduleKeyDeletion",
+    "kms:CancelKeyDeletion",
+];
+exports.ENCRYPT_ACTIONS = [
+    "kms:Encrypt",
+    "kms:ReEncrypt*",
+    "kms:GenerateDataKey*",
+];
+exports.DECRYPT_ACTIONS = ["kms:Decrypt"];
+exports.GENERATE_HMAC_ACTIONS = ["kms:GenerateMac"];
+exports.VERIFY_HMAC_ACTIONS = ["kms:VerifyMac"];
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicGVybXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXdzL2VuY3J5cHRpb24vcHJpdmF0ZS9wZXJtcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiO0FBQUEsaUdBQWlHOzs7QUFFakcsMEVBQTBFO0FBRTdELFFBQUEsYUFBYSxHQUFHO0lBQzNCLGFBQWE7SUFDYixlQUFlO0lBQ2YsYUFBYTtJQUNiLFdBQVc7SUFDWCxVQUFVO0lBQ1YsYUFBYTtJQUNiLGFBQWE7SUFDYixjQUFjO0lBQ2QsVUFBVTtJQUNWLGFBQWE7SUFDYixpQkFBaUI7SUFDakIsbUJBQW1CO0lBQ25CLHlCQUF5QjtJQUN6Qix1QkFBdUI7Q0FDeEIsQ0FBQztBQUVXLFFBQUEsZUFBZSxHQUFHO0lBQzdCLGFBQWE7SUFDYixnQkFBZ0I7SUFDaEIsc0JBQXNCO0NBQ3ZCLENBQUM7QUFFVyxRQUFBLGVBQWUsR0FBRyxDQUFDLGFBQWEsQ0FBQyxDQUFDO0FBRWxDLFFBQUEscUJBQXFCLEdBQUcsQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0FBRTVDLFFBQUEsbUJBQW1CLEdBQUcsQ0FBQyxlQUFlLENBQUMsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbIi8vIGh0dHBzOi8vZ2l0aHViLmNvbS9hd3MvYXdzLWNkay9ibG9iL3YyLjE3MC4wL3BhY2thZ2VzL2F3cy1jZGstbGliL2F3cy1rbXMvbGliL3ByaXZhdGUvcGVybXMudHNcblxuLy8gaHR0cHM6Ly9kb2NzLmF3cy5hbWF6b24uY29tL2ttcy9sYXRlc3QvZGV2ZWxvcGVyZ3VpZGUva2V5LXBvbGljaWVzLmh0bWxcblxuZXhwb3J0IGNvbnN0IEFETUlOX0FDVElPTlMgPSBbXG4gIFwia21zOkNyZWF0ZSpcIixcbiAgXCJrbXM6RGVzY3JpYmUqXCIsXG4gIFwia21zOkVuYWJsZSpcIixcbiAgXCJrbXM6TGlzdCpcIixcbiAgXCJrbXM6UHV0KlwiLFxuICBcImttczpVcGRhdGUqXCIsXG4gIFwia21zOlJldm9rZSpcIixcbiAgXCJrbXM6RGlzYWJsZSpcIixcbiAgXCJrbXM6R2V0KlwiLFxuICBcImttczpEZWxldGUqXCIsXG4gIFwia21zOlRhZ1Jlc291cmNlXCIsXG4gIFwia21zOlVudGFnUmVzb3VyY2VcIixcbiAgXCJrbXM6U2NoZWR1bGVLZXlEZWxldGlvblwiLFxuICBcImttczpDYW5jZWxLZXlEZWxldGlvblwiLFxuXTtcblxuZXhwb3J0IGNvbnN0IEVOQ1JZUFRfQUNUSU9OUyA9IFtcbiAgXCJrbXM6RW5jcnlwdFwiLFxuICBcImttczpSZUVuY3J5cHQqXCIsXG4gIFwia21zOkdlbmVyYXRlRGF0YUtleSpcIixcbl07XG5cbmV4cG9ydCBjb25zdCBERUNSWVBUX0FDVElPTlMgPSBbXCJrbXM6RGVjcnlwdFwiXTtcblxuZXhwb3J0IGNvbnN0IEdFTkVSQVRFX0hNQUNfQUNUSU9OUyA9IFtcImttczpHZW5lcmF0ZU1hY1wiXTtcblxuZXhwb3J0IGNvbnN0IFZFUklGWV9ITUFDX0FDVElPTlMgPSBbXCJrbXM6VmVyaWZ5TWFjXCJdO1xuIl19

package/lib/aws/encryption/via-service-principal.d.ts

@@ -0,0 +1,11 @@
+import * as iam from "../iam";
+/**
+ * A principal to allow access to a key if it's being used through another AWS service
+ */
+export declare class ViaServicePrincipal extends iam.PrincipalBase {
+    private readonly serviceName;
+    private readonly basePrincipal;
+    constructor(serviceName: string, basePrincipal?: iam.IPrincipal);
+    get policyFragment(): iam.PrincipalPolicyFragment;
+    dedupeString(): string | undefined;
+}

package/lib/aws/encryption/via-service-principal.js

@@ -0,0 +1,39 @@
+"use strict";
+var _a;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ViaServicePrincipal = void 0;
+const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
+// https://github.com/aws/aws-cdk/blob/2.170.0/packages/aws-cdk-lib/aws-kms/lib/via-service-principal.ts
+const iam = require("../iam");
+/**
+ * A principal to allow access to a key if it's being used through another AWS service
+ */
+class ViaServicePrincipal extends iam.PrincipalBase {
+    constructor(serviceName, basePrincipal) {
+        super();
+        this.serviceName = serviceName;
+        this.basePrincipal = basePrincipal ? basePrincipal : new iam.AnyPrincipal();
+    }
+    get policyFragment() {
+        // Make a copy of the base policyFragment to add a condition to it
+        const base = this.basePrincipal.policyFragment;
+        const conditions = [...base.conditions];
+        const principals = [...base.principals];
+        conditions.push({
+            test: "StringEquals",
+            variable: "kms:ViaService",
+            values: [this.serviceName],
+        });
+        return new iam.PrincipalPolicyFragment(principals, conditions);
+    }
+    dedupeString() {
+        const base = iam.ComparablePrincipal.dedupeStringFor(this.basePrincipal);
+        return base !== undefined
+            ? `ViaServicePrincipal:${this.serviceName}:${base}`
+            : undefined;
+    }
+}
+exports.ViaServicePrincipal = ViaServicePrincipal;
+_a = JSII_RTTI_SYMBOL_1;
+ViaServicePrincipal[_a] = { fqn: "terraconstructs.aws.encryption.ViaServicePrincipal", version: "0.0.8" };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidmlhLXNlcnZpY2UtcHJpbmNpcGFsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2F3cy9lbmNyeXB0aW9uL3ZpYS1zZXJ2aWNlLXByaW5jaXBhbC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUFBLHdHQUF3RztBQUV4Ryw4QkFBOEI7QUFFOUI7O0dBRUc7QUFDSCxNQUFhLG1CQUFvQixTQUFRLEdBQUcsQ0FBQyxhQUFhO0lBR3hELFlBQ21CLFdBQW1CLEVBQ3BDLGFBQThCO1FBRTlCLEtBQUssRUFBRSxDQUFDO1FBSFMsZ0JBQVcsR0FBWCxXQUFXLENBQVE7UUFJcEMsSUFBSSxDQUFDLGFBQWEsR0FBRyxhQUFhLENBQUMsQ0FBQyxDQUFDLGFBQWEsQ0FBQyxDQUFDLENBQUMsSUFBSSxHQUFHLENBQUMsWUFBWSxFQUFFLENBQUM7SUFDOUUsQ0FBQztJQUVELElBQVcsY0FBYztRQUN2QixrRUFBa0U7UUFDbEUsTUFBTSxJQUFJLEdBQUcsSUFBSSxDQUFDLGFBQWEsQ0FBQyxjQUFjLENBQUM7UUFDL0MsTUFBTSxVQUFVLEdBQUcsQ0FBQyxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQztRQUN4QyxNQUFNLFVBQVUsR0FBRyxDQUFDLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBRXhDLFVBQVUsQ0FBQyxJQUFJLENBQUM7WUFDZCxJQUFJLEVBQUUsY0FBYztZQUNwQixRQUFRLEVBQUUsZ0JBQWdCO1lBQzFCLE1BQU0sRUFBRSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUM7U0FDM0IsQ0FBQyxDQUFDO1FBRUgsT0FBTyxJQUFJLEdBQUcsQ0FBQyx1QkFBdUIsQ0FBQyxVQUFVLEVBQUUsVUFBVSxDQUFDLENBQUM7SUFDakUsQ0FBQztJQUVNLFlBQVk7UUFDakIsTUFBTSxJQUFJLEdBQUcsR0FBRyxDQUFDLG1CQUFtQixDQUFDLGVBQWUsQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLENBQUM7UUFDekUsT0FBTyxJQUFJLEtBQUssU0FBUztZQUN2QixDQUFDLENBQUMsdUJBQXVCLElBQUksQ0FBQyxXQUFXLElBQUksSUFBSSxFQUFFO1lBQ25ELENBQUMsQ0FBQyxTQUFTLENBQUM7SUFDaEIsQ0FBQzs7QUEvQkgsa0RBZ0NDIiwic291cmNlc0NvbnRlbnQiOlsiLy8gaHR0cHM6Ly9naXRodWIuY29tL2F3cy9hd3MtY2RrL2Jsb2IvMi4xNzAuMC9wYWNrYWdlcy9hd3MtY2RrLWxpYi9hd3Mta21zL2xpYi92aWEtc2VydmljZS1wcmluY2lwYWwudHNcblxuaW1wb3J0ICogYXMgaWFtIGZyb20gXCIuLi9pYW1cIjtcblxuLyoqXG4gKiBBIHByaW5jaXBhbCB0byBhbGxvdyBhY2Nlc3MgdG8gYSBrZXkgaWYgaXQncyBiZWluZyB1c2VkIHRocm91Z2ggYW5vdGhlciBBV1Mgc2VydmljZVxuICovXG5leHBvcnQgY2xhc3MgVmlhU2VydmljZVByaW5jaXBhbCBleHRlbmRzIGlhbS5QcmluY2lwYWxCYXNlIHtcbiAgcHJpdmF0ZSByZWFkb25seSBiYXNlUHJpbmNpcGFsOiBpYW0uSVByaW5jaXBhbDtcblxuICBjb25zdHJ1Y3RvcihcbiAgICBwcml2YXRlIHJlYWRvbmx5IHNlcnZpY2VOYW1lOiBzdHJpbmcsXG4gICAgYmFzZVByaW5jaXBhbD86IGlhbS5JUHJpbmNpcGFsLFxuICApIHtcbiAgICBzdXBlcigpO1xuICAgIHRoaXMuYmFzZVByaW5jaXBhbCA9IGJhc2VQcmluY2lwYWwgPyBiYXNlUHJpbmNpcGFsIDogbmV3IGlhbS5BbnlQcmluY2lwYWwoKTtcbiAgfVxuXG4gIHB1YmxpYyBnZXQgcG9saWN5RnJhZ21lbnQoKTogaWFtLlByaW5jaXBhbFBvbGljeUZyYWdtZW50IHtcbiAgICAvLyBNYWtlIGEgY29weSBvZiB0aGUgYmFzZSBwb2xpY3lGcmFnbWVudCB0byBhZGQgYSBjb25kaXRpb24gdG8gaXRcbiAgICBjb25zdCBiYXNlID0gdGhpcy5iYXNlUHJpbmNpcGFsLnBvbGljeUZyYWdtZW50O1xuICAgIGNvbnN0IGNvbmRpdGlvbnMgPSBbLi4uYmFzZS5jb25kaXRpb25zXTtcbiAgICBjb25zdCBwcmluY2lwYWxzID0gWy4uLmJhc2UucHJpbmNpcGFsc107XG5cbiAgICBjb25kaXRpb25zLnB1c2goe1xuICAgICAgdGVzdDogXCJTdHJpbmdFcXVhbHNcIixcbiAgICAgIHZhcmlhYmxlOiBcImttczpWaWFTZXJ2aWNlXCIsXG4gICAgICB2YWx1ZXM6IFt0aGlzLnNlcnZpY2VOYW1lXSxcbiAgICB9KTtcblxuICAgIHJldHVybiBuZXcgaWFtLlByaW5jaXBhbFBvbGljeUZyYWdtZW50KHByaW5jaXBhbHMsIGNvbmRpdGlvbnMpO1xuICB9XG5cbiAgcHVibGljIGRlZHVwZVN0cmluZygpOiBzdHJpbmcgfCB1bmRlZmluZWQge1xuICAgIGNvbnN0IGJhc2UgPSBpYW0uQ29tcGFyYWJsZVByaW5jaXBhbC5kZWR1cGVTdHJpbmdGb3IodGhpcy5iYXNlUHJpbmNpcGFsKTtcbiAgICByZXR1cm4gYmFzZSAhPT0gdW5kZWZpbmVkXG4gICAgICA/IGBWaWFTZXJ2aWNlUHJpbmNpcGFsOiR7dGhpcy5zZXJ2aWNlTmFtZX06JHtiYXNlfWBcbiAgICAgIDogdW5kZWZpbmVkO1xuICB9XG59XG4iXX0=

package/lib/aws/iam/grant.d.ts

@@ -0,0 +1,221 @@
+import { IConstruct, IDependable } from "constructs";
+import { IAwsConstruct } from "../aws-construct";
+import { PolicyStatement, Conditions } from "./policy-statement";
+import { IGrantable, IPrincipal } from "./principals";
+/**
+ * Basic options for a grant operation
+ *
+ */
+export interface CommonGrantOptions {
+    /**
+     * The principal to grant to
+     *
+     * @default if principal is undefined, no work is done.
+     */
+    readonly grantee: IGrantable;
+    /**
+     * The actions to grant
+     */
+    readonly actions: string[];
+    /**
+     * The resource ARNs to grant to
+     */
+    readonly resourceArns: string[];
+    /**
+     * Any conditions to attach to the grant
+     *
+     * @default - No conditions
+     */
+    readonly conditions?: Conditions;
+}
+/**
+ * Options for a grant operation
+ *
+ */
+export interface GrantWithResourceOptions extends CommonGrantOptions {
+    /**
+     * The resource with a resource policy
+     *
+     * The statement will be added to the resource policy if it couldn't be
+     * added to the principal policy.
+     */
+    readonly resource: IAwsConstructWithPolicy;
+    /**
+     * When referring to the resource in a resource policy, use this as ARN.
+     *
+     * (Depending on the resource type, this needs to be '*' in a resource policy).
+     *
+     * @default Same as regular resource ARNs
+     */
+    readonly resourceSelfArns?: string[];
+}
+/**
+ * Options for a grant operation that only applies to principals
+ *
+ */
+export interface GrantOnPrincipalOptions extends CommonGrantOptions {
+    /**
+     * Construct to report warnings on in case grant could not be registered
+     *
+     * @default - the construct in which this construct is defined
+     */
+    readonly scope?: IConstruct;
+}
+/**
+ * Options for a grant operation to both identity and resource
+ *
+ */
+export interface GrantOnPrincipalAndResourceOptions extends CommonGrantOptions {
+    /**
+     * The resource with a resource policy
+     *
+     * The statement will always be added to the resource policy.
+     */
+    readonly resource: IAwsConstructWithPolicy;
+    /**
+     * When referring to the resource in a resource policy, use this as ARN.
+     *
+     * (Depending on the resource type, this needs to be '*' in a resource policy).
+     *
+     * @default Same as regular resource ARNs
+     */
+    readonly resourceSelfArns?: string[];
+    /**
+     * The principal to use in the statement for the resource policy.
+     *
+     * @default - the principal of the grantee will be used
+     */
+    readonly resourcePolicyPrincipal?: IPrincipal;
+}
+/**
+ * Result of a grant() operation
+ *
+ * This class is not instantiable by consumers on purpose, so that they will be
+ * required to call the Grant factory functions.
+ */
+export declare class Grant implements IDependable {
+    /**
+     * Grant the given permissions to the principal
+     *
+     * The permissions will be added to the principal policy primarily, falling
+     * back to the resource policy if necessary. The permissions must be granted
+     * somewhere.
+     *
+     * - Trying to grant permissions to a principal that does not admit adding to
+     *   the principal policy while not providing a resource with a resource policy
+     *   is an error.
+     * - Trying to grant permissions to an absent principal (possible in the
+     *   case of imported resources) leads to a warning being added to the
+     *   resource construct.
+     */
+    static addToPrincipalOrResource(options: GrantWithResourceOptions): Grant;
+    /**
+     * Try to grant the given permissions to the given principal
+     *
+     * Absence of a principal leads to a warning, but failing to add
+     * the permissions to a present principal is not an error.
+     */
+    static addToPrincipal(options: GrantOnPrincipalOptions): Grant;
+    /**
+     * Add a grant both on the principal and on the resource
+     *
+     * As long as any principal is given, granting on the principal may fail (in
+     * case of a non-identity principal), but granting on the resource will
+     * never fail.
+     *
+     * Statement will be the resource statement.
+     */
+    static addToPrincipalAndResource(options: GrantOnPrincipalAndResourceOptions): Grant;
+    /**
+     * Returns a "no-op" `Grant` object which represents a "dropped grant".
+     *
+     * This can be used for e.g. imported resources where you may not be able to modify
+     * the resource's policy or some underlying policy which you don't know about.
+     *
+     * @param grantee The intended grantee
+     * @param _intent The user's intent (will be ignored at the moment)
+     */
+    static drop(grantee: IGrantable, _intent: string): Grant;
+    /**
+     * The statement that was added to the principal's policy
+     *
+     * @deprecated Use `principalStatements` instead
+     */
+    readonly principalStatement?: PolicyStatement;
+    /**
+     * The statements that were added to the principal's policy
+     */
+    readonly principalStatements: PolicyStatement[];
+    /**
+     * The statement that was added to the resource policy
+     *
+     * @deprecated Use `resourceStatements` instead
+     */
+    readonly resourceStatement?: PolicyStatement;
+    /**
+     * The statements that were added to the principal's policy
+     */
+    readonly resourceStatements: PolicyStatement[];
+    /**
+     * The options originally used to set this result
+     *
+     * Private member doubles as a way to make it impossible for an object literal to
+     * be structurally the same as this class.
+     */
+    private readonly options;
+    private readonly dependables;
+    private constructor();
+    /**
+     * Whether the grant operation was successful
+     */
+    get success(): boolean;
+    /**
+     * Throw an error if this grant wasn't successful
+     */
+    assertSuccess(): void;
+    /**
+     * Make sure this grant is applied before the given constructs are deployed
+     *
+     * The same as construct.node.addDependency(grant), but slightly nicer to read.
+     */
+    applyBefore(...constructs: IConstruct[]): void;
+    /**
+     * Combine two grants into a new one
+     */
+    combine(rhs: Grant): Grant;
+}
+/**
+ * A resource with a resource policy that can be added to
+ */
+export interface IAwsConstructWithPolicy extends IAwsConstruct {
+    /**
+     * Add a statement to the resource's resource policy
+     */
+    addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
+}
+/**
+ * Result of calling addToResourcePolicy
+ */
+export interface AddToResourcePolicyResult {
+    /**
+     * Whether the statement was added
+     */
+    readonly statementAdded: boolean;
+    /**
+     * Dependable which allows depending on the policy change being applied
+     *
+     * @default - If `statementAdded` is true, the resource object itself.
+     * Otherwise, no dependable.
+     */
+    readonly policyDependable?: IDependable;
+}
+/**
+ * Composite dependable
+ *
+ * Not as simple as eagerly getting the dependency roots from the
+ * inner dependables, as they may be mutable so we need to defer
+ * the query.
+ */
+export declare class CompositeDependable implements IDependable {
+    constructor(...dependables: IDependable[]);
+}

package/lib/aws/iam/grant.js

@@ -0,0 +1,239 @@
+"use strict";
+var _a, _b;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CompositeDependable = exports.Grant = void 0;
+const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
+const constructs_1 = require("constructs");
+const policy_statement_1 = require("./policy-statement");
+const token_1 = require("../../token");
+/**
+ * Result of a grant() operation
+ *
+ * This class is not instantiable by consumers on purpose, so that they will be
+ * required to call the Grant factory functions.
+ */
+class Grant {
+    /**
+     * Grant the given permissions to the principal
+     *
+     * The permissions will be added to the principal policy primarily, falling
+     * back to the resource policy if necessary. The permissions must be granted
+     * somewhere.
+     *
+     * - Trying to grant permissions to a principal that does not admit adding to
+     *   the principal policy while not providing a resource with a resource policy
+     *   is an error.
+     * - Trying to grant permissions to an absent principal (possible in the
+     *   case of imported resources) leads to a warning being added to the
+     *   resource construct.
+     */
+    static addToPrincipalOrResource(options) {
+        const result = Grant.addToPrincipal({
+            ...options,
+            scope: options.resource,
+        });
+        const resourceAndPrincipalAccountComparison = options.grantee.grantPrincipal
+            .principalAccount
+            ? (0, token_1.tokenCompareStrings)(options.resource.env.account, options.grantee.grantPrincipal.principalAccount)
+            : undefined;
+        // if both accounts are tokens, we assume here they are the same
+        const equalOrBothUnresolved = resourceAndPrincipalAccountComparison === token_1.TokenComparison.SAME ||
+            resourceAndPrincipalAccountComparison == token_1.TokenComparison.BOTH_UNRESOLVED;
+        const sameAccount = resourceAndPrincipalAccountComparison
+            ? equalOrBothUnresolved
+            : // if the principal doesn't have an account (for example, a service principal),
+                // we should modify the resource's trust policy
+                false;
+        // If we added to the principal AND we're in the same account, then we're done.
+        // If not, it's a different account and we must also add a trust policy on the resource.
+        if (result.success && sameAccount) {
+            return result;
+        }
+        const statement = new policy_statement_1.PolicyStatement({
+            actions: options.actions,
+            resources: options.resourceSelfArns || options.resourceArns,
+            principals: [options.grantee.grantPrincipal],
+        });
+        const resourceResult = options.resource.addToResourcePolicy(statement);
+        return new Grant({
+            resourceStatement: statement,
+            options,
+            policyDependable: resourceResult.statementAdded
+                ? (resourceResult.policyDependable ?? options.resource)
+                : undefined,
+        });
+    }
+    /**
+     * Try to grant the given permissions to the given principal
+     *
+     * Absence of a principal leads to a warning, but failing to add
+     * the permissions to a present principal is not an error.
+     */
+    static addToPrincipal(options) {
+        const statement = new policy_statement_1.PolicyStatement({
+            actions: options.actions,
+            resources: options.resourceArns,
+            condition: options.conditions,
+        });
+        const addedToPrincipal = options.grantee.grantPrincipal.addToPrincipalPolicy(statement);
+        if (!addedToPrincipal.statementAdded) {
+            return new Grant({ principalStatement: undefined, options });
+        }
+        if (!addedToPrincipal.policyDependable) {
+            throw new Error("Contract violation: when Principal returns statementAdded=true, it should return a dependable");
+        }
+        return new Grant({
+            principalStatement: statement,
+            options,
+            policyDependable: addedToPrincipal.policyDependable,
+        });
+    }
+    /**
+     * Add a grant both on the principal and on the resource
+     *
+     * As long as any principal is given, granting on the principal may fail (in
+     * case of a non-identity principal), but granting on the resource will
+     * never fail.
+     *
+     * Statement will be the resource statement.
+     */
+    static addToPrincipalAndResource(options) {
+        const result = Grant.addToPrincipal({
+            ...options,
+            scope: options.resource,
+        });
+        const statement = new policy_statement_1.PolicyStatement({
+            actions: options.actions,
+            resources: options.resourceSelfArns || options.resourceArns,
+            principals: [
+                options.resourcePolicyPrincipal || options.grantee.grantPrincipal,
+            ],
+        });
+        const resourceResult = options.resource.addToResourcePolicy(statement);
+        const resourceDependable = resourceResult.statementAdded
+            ? (resourceResult.policyDependable ?? options.resource)
+            : undefined;
+        return new Grant({
+            principalStatement: statement,
+            resourceStatement: result.resourceStatement,
+            options,
+            policyDependable: resourceDependable
+                ? new CompositeDependable(result, resourceDependable)
+                : result,
+        });
+    }
+    /**
+     * Returns a "no-op" `Grant` object which represents a "dropped grant".
+     *
+     * This can be used for e.g. imported resources where you may not be able to modify
+     * the resource's policy or some underlying policy which you don't know about.
+     *
+     * @param grantee The intended grantee
+     * @param _intent The user's intent (will be ignored at the moment)
+     */
+    static drop(grantee, _intent) {
+        return new Grant({
+            options: { grantee, actions: [], resourceArns: [] },
+        });
+    }
+    constructor(props) {
+        /**
+         * The statements that were added to the principal's policy
+         */
+        this.principalStatements = new Array();
+        /**
+         * The statements that were added to the principal's policy
+         */
+        this.resourceStatements = new Array();
+        this.dependables = new Array();
+        this.options = props.options;
+        this.principalStatement = props.principalStatement;
+        this.resourceStatement = props.resourceStatement;
+        if (this.principalStatement) {
+            this.principalStatements.push(this.principalStatement);
+        }
+        if (this.resourceStatement) {
+            this.resourceStatements.push(this.resourceStatement);
+        }
+        if (props.policyDependable) {
+            this.dependables.push(props.policyDependable);
+        }
+        const self = this;
+        constructs_1.Dependable.implement(this, {
+            get dependencyRoots() {
+                return Array.from(new Set(self.dependables.flatMap((d) => constructs_1.Dependable.of(d).dependencyRoots)));
+            },
+        });
+    }
+    /**
+     * Whether the grant operation was successful
+     */
+    get success() {
+        return (this.principalStatement !== undefined ||
+            this.resourceStatement !== undefined);
+    }
+    /**
+     * Throw an error if this grant wasn't successful
+     */
+    assertSuccess() {
+        if (!this.success) {
+            // eslint-disable-next-line max-len
+            throw new Error(`${describeGrant(this.options)} could not be added on either identity or resource policy.`);
+        }
+    }
+    /**
+     * Make sure this grant is applied before the given constructs are deployed
+     *
+     * The same as construct.node.addDependency(grant), but slightly nicer to read.
+     */
+    applyBefore(...constructs) {
+        for (const construct of constructs) {
+            construct.node.addDependency(this);
+        }
+    }
+    /**
+     * Combine two grants into a new one
+     */
+    combine(rhs) {
+        const combinedPrinc = [
+            ...this.principalStatements,
+            ...rhs.principalStatements,
+        ];
+        const combinedRes = [...this.resourceStatements, ...rhs.resourceStatements];
+        const ret = new Grant({
+            options: this.options,
+            principalStatement: combinedPrinc[0],
+            resourceStatement: combinedRes[0],
+        });
+        ret.principalStatements.splice(0, ret.principalStatements.length, ...combinedPrinc);
+        ret.resourceStatements.splice(0, ret.resourceStatements.length, ...combinedRes);
+        ret.dependables.push(...this.dependables, ...rhs.dependables);
+        return ret;
+    }
+}
+exports.Grant = Grant;
+_a = JSII_RTTI_SYMBOL_1;
+Grant[_a] = { fqn: "terraconstructs.aws.iam.Grant", version: "0.0.8" };
+function describeGrant(options) {
+    return `Permissions for '${options.grantee}' to call '${options.actions}' on '${options.resourceArns}'`;
+}
+/**
+ * Composite dependable
+ *
+ * Not as simple as eagerly getting the dependency roots from the
+ * inner dependables, as they may be mutable so we need to defer
+ * the query.
+ */
+class CompositeDependable {
+    constructor(...dependables) {
+        constructs_1.Dependable.implement(this, {
+            get dependencyRoots() {
+                return Array.prototype.concat.apply([], dependables.map((d) => constructs_1.Dependable.of(d).dependencyRoots));
+            },
+        });
+    }
+}
+exports.CompositeDependable = CompositeDependable;
+_b = JSII_RTTI_SYMBOL_1;
+CompositeDependable[_b] = { fqn: "terraconstructs.aws.iam.CompositeDependable", version: "0.0.8" };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ3JhbnQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvYXdzL2lhbS9ncmFudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUFBLDJDQUFpRTtBQUVqRSx5REFBaUU7QUFFakUsdUNBQW1FO0FBaUduRTs7Ozs7R0FLRztBQUNILE1BQWEsS0FBSztJQUNoQjs7Ozs7Ozs7Ozs7OztPQWFHO0lBQ0ksTUFBTSxDQUFDLHdCQUF3QixDQUNwQyxPQUFpQztRQUVqQyxNQUFNLE1BQU0sR0FBRyxLQUFLLENBQUMsY0FBYyxDQUFDO1lBQ2xDLEdBQUcsT0FBTztZQUNWLEtBQUssRUFBRSxPQUFPLENBQUMsUUFBUTtTQUN4QixDQUFDLENBQUM7UUFFSCxNQUFNLHFDQUFxQyxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUMsY0FBYzthQUN6RSxnQkFBZ0I7WUFDakIsQ0FBQyxDQUFDLElBQUEsMkJBQW1CLEVBQ2pCLE9BQU8sQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFDNUIsT0FBTyxDQUFDLE9BQU8sQ0FBQyxjQUFjLENBQUMsZ0JBQWdCLENBQ2hEO1lBQ0gsQ0FBQyxDQUFDLFNBQVMsQ0FBQztRQUNkLGdFQUFnRTtRQUNoRSxNQUFNLHFCQUFxQixHQUN6QixxQ0FBcUMsS0FBSyx1QkFBZSxDQUFDLElBQUk7WUFDOUQscUNBQXFDLElBQUksdUJBQWUsQ0FBQyxlQUFlLENBQUM7UUFDM0UsTUFBTSxXQUFXLEdBQVkscUNBQXFDO1lBQ2hFLENBQUMsQ0FBQyxxQkFBcUI7WUFDdkIsQ0FBQyxDQUFDLCtFQUErRTtnQkFDL0UsK0NBQStDO2dCQUMvQyxLQUFLLENBQUM7UUFDViwrRUFBK0U7UUFDL0Usd0ZBQXdGO1FBQ3hGLElBQUksTUFBTSxDQUFDLE9BQU8sSUFBSSxXQUFXLEVBQUUsQ0FBQztZQUNsQyxPQUFPLE1BQU0sQ0FBQztRQUNoQixDQUFDO1FBRUQsTUFBTSxTQUFTLEdBQUcsSUFBSSxrQ0FBZSxDQUFDO1lBQ3BDLE9BQU8sRUFBRSxPQUFPLENBQUMsT0FBTztZQUN4QixTQUFTLEVBQUUsT0FBTyxDQUFDLGdCQUFnQixJQUFJLE9BQU8sQ0FBQyxZQUFZO1lBQzNELFVBQVUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxPQUFRLENBQUMsY0FBYyxDQUFDO1NBQzlDLENBQUMsQ0FBQztRQUVILE1BQU0sY0FBYyxHQUFHLE9BQU8sQ0FBQyxRQUFRLENBQUMsbUJBQW1CLENBQUMsU0FBUyxDQUFDLENBQUM7UUFFdkUsT0FBTyxJQUFJLEtBQUssQ0FBQztZQUNmLGlCQUFpQixFQUFFLFNBQVM7WUFDNUIsT0FBTztZQUNQLGdCQUFnQixFQUFFLGNBQWMsQ0FBQyxjQUFjO2dCQUM3QyxDQUFDLENBQUMsQ0FBQyxjQUFjLENBQUMsZ0JBQWdCLElBQUksT0FBTyxDQUFDLFFBQVEsQ0FBQztnQkFDdkQsQ0FBQyxDQUFDLFNBQVM7U0FDZCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7Ozs7O09BS0c7SUFDSSxNQUFNLENBQUMsY0FBYyxDQUFDLE9BQWdDO1FBQzNELE1BQU0sU0FBUyxHQUFHLElBQUksa0NBQWUsQ0FBQztZQUNwQyxPQUFPLEVBQUUsT0FBTyxDQUFDLE9BQU87WUFDeEIsU0FBUyxFQUFFLE9BQU8sQ0FBQyxZQUFZO1lBQy9CLFNBQVMsRUFBRSxPQUFPLENBQUMsVUFBVTtTQUM5QixDQUFDLENBQUM7UUFFSCxNQUFNLGdCQUFnQixHQUNwQixPQUFPLENBQUMsT0FBTyxDQUFDLGNBQWMsQ0FBQyxvQkFBb0IsQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUNqRSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDckMsT0FBTyxJQUFJLEtBQUssQ0FBQyxFQUFFLGtCQUFrQixFQUFFLFNBQVMsRUFBRSxPQUFPLEVBQUUsQ0FBQyxDQUFDO1FBQy9ELENBQUM7UUFFRCxJQUFJLENBQUMsZ0JBQWdCLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUN2QyxNQUFNLElBQUksS0FBSyxDQUNiLCtGQUErRixDQUNoRyxDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sSUFBSSxLQUFLLENBQUM7WUFDZixrQkFBa0IsRUFBRSxTQUFTO1lBQzdCLE9BQU87WUFDUCxnQkFBZ0IsRUFBRSxnQkFBZ0IsQ0FBQyxnQkFBZ0I7U0FDcEQsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVEOzs7Ozs7OztPQVFHO0lBQ0ksTUFBTSxDQUFDLHlCQUF5QixDQUNyQyxPQUEyQztRQUUzQyxNQUFNLE1BQU0sR0FBRyxLQUFLLENBQUMsY0FBYyxDQUFDO1lBQ2xDLEdBQUcsT0FBTztZQUNWLEtBQUssRUFBRSxPQUFPLENBQUMsUUFBUTtTQUN4QixDQUFDLENBQUM7UUFFSCxNQUFNLFNBQVMsR0FBRyxJQUFJLGtDQUFlLENBQUM7WUFDcEMsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPO1lBQ3hCLFNBQVMsRUFBRSxPQUFPLENBQUMsZ0JBQWdCLElBQUksT0FBTyxDQUFDLFlBQVk7WUFDM0QsVUFBVSxFQUFFO2dCQUNWLE9BQU8sQ0FBQyx1QkFBdUIsSUFBSSxPQUFPLENBQUMsT0FBUSxDQUFDLGNBQWM7YUFDbkU7U0FDRixDQUFDLENBQUM7UUFFSCxNQUFNLGNBQWMsR0FBRyxPQUFPLENBQUMsUUFBUSxDQUFDLG1CQUFtQixDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQ3ZFLE1BQU0sa0JBQWtCLEdBQUcsY0FBYyxDQUFDLGNBQWM7WUFDdEQsQ0FBQyxDQUFDLENBQUMsY0FBYyxDQUFDLGdCQUFnQixJQUFJLE9BQU8sQ0FBQyxRQUFRLENBQUM7WUFDdkQsQ0FBQyxDQUFDLFNBQVMsQ0FBQztRQUVkLE9BQU8sSUFBSSxLQUFLLENBQUM7WUFDZixrQkFBa0IsRUFBRSxTQUFTO1lBQzdCLGlCQUFpQixFQUFFLE1BQU0sQ0FBQyxpQkFBaUI7WUFDM0MsT0FBTztZQUNQLGdCQUFnQixFQUFFLGtCQUFrQjtnQkFDbEMsQ0FBQyxDQUFDLElBQUksbUJBQW1CLENBQUMsTUFBTSxFQUFFLGtCQUFrQixDQUFDO2dCQUNyRCxDQUFDLENBQUMsTUFBTTtTQUNYLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRDs7Ozs7Ozs7T0FRRztJQUNJLE1BQU0sQ0FBQyxJQUFJLENBQUMsT0FBbUIsRUFBRSxPQUFlO1FBQ3JELE9BQU8sSUFBSSxLQUFLLENBQUM7WUFDZixPQUFPLEVBQUUsRUFBRSxPQUFPLEVBQUUsT0FBTyxFQUFFLEVBQUUsRUFBRSxZQUFZLEVBQUUsRUFBRSxFQUFFO1NBQ3BELENBQUMsQ0FBQztJQUNMLENBQUM7SUFvQ0QsWUFBb0IsS0FBaUI7UUEzQnJDOztXQUVHO1FBQ2Esd0JBQW1CLEdBQUcsSUFBSSxLQUFLLEVBQW1CLENBQUM7UUFTbkU7O1dBRUc7UUFDYSx1QkFBa0IsR0FBRyxJQUFJLEtBQUssRUFBbUIsQ0FBQztRQVVqRCxnQkFBVyxHQUFHLElBQUksS0FBSyxFQUFlLENBQUM7UUFHdEQsSUFBSSxDQUFDLE9BQU8sR0FBRyxLQUFLLENBQUMsT0FBTyxDQUFDO1FBQzdCLElBQUksQ0FBQyxrQkFBa0IsR0FBRyxLQUFLLENBQUMsa0JBQWtCLENBQUM7UUFDbkQsSUFBSSxDQUFDLGlCQUFpQixHQUFHLEtBQUssQ0FBQyxpQkFBaUIsQ0FBQztRQUNqRCxJQUFJLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBQzVCLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGtCQUFrQixDQUFDLENBQUM7UUFDekQsQ0FBQztRQUNELElBQUksSUFBSSxDQUFDLGlCQUFpQixFQUFFLENBQUM7WUFDM0IsSUFBSSxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsaUJBQWlCLENBQUMsQ0FBQztRQUN2RCxDQUFDO1FBQ0QsSUFBSSxLQUFLLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUMzQixJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztRQUNoRCxDQUFDO1FBRUQsTUFBTSxJQUFJLEdBQUcsSUFBSSxDQUFDO1FBQ2xCLHVCQUFVLENBQUMsU0FBUyxDQUFDLElBQUksRUFBRTtZQUN6QixJQUFJLGVBQWU7Z0JBQ2pCLE9BQU8sS0FBSyxDQUFDLElBQUksQ0FDZixJQUFJLEdBQUcsQ0FDTCxJQUFJLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsdUJBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsZUFBZSxDQUFDLENBQ2xFLENBQ0YsQ0FBQztZQUNKLENBQUM7U0FDRixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7O09BRUc7SUFDSCxJQUFXLE9BQU87UUFDaEIsT0FBTyxDQUNMLElBQUksQ0FBQyxrQkFBa0IsS0FBSyxTQUFTO1lBQ3JDLElBQUksQ0FBQyxpQkFBaUIsS0FBSyxTQUFTLENBQ3JDLENBQUM7SUFDSixDQUFDO0lBRUQ7O09BRUc7SUFDSSxhQUFhO1FBQ2xCLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDbEIsbUNBQW1DO1lBQ25DLE1BQU0sSUFBSSxLQUFLLENBQ2IsR0FBRyxhQUFhLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyw0REFBNEQsQ0FDM0YsQ0FBQztRQUNKLENBQUM7SUFDSCxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLFdBQVcsQ0FBQyxHQUFHLFVBQXdCO1FBQzVDLEtBQUssTUFBTSxTQUFTLElBQUksVUFBVSxFQUFFLENBQUM7WUFDbkMsU0FBUyxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDckMsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNJLE9BQU8sQ0FBQyxHQUFVO1FBQ3ZCLE1BQU0sYUFBYSxHQUFHO1lBQ3BCLEdBQUcsSUFBSSxDQUFDLG1CQUFtQjtZQUMzQixHQUFHLEdBQUcsQ0FBQyxtQkFBbUI7U0FDM0IsQ0FBQztRQUNGLE1BQU0sV0FBVyxHQUFHLENBQUMsR0FBRyxJQUFJLENBQUMsa0JBQWtCLEVBQUUsR0FBRyxHQUFHLENBQUMsa0JBQWtCLENBQUMsQ0FBQztRQUU1RSxNQUFNLEdBQUcsR0FBRyxJQUFJLEtBQUssQ0FBQztZQUNwQixPQUFPLEVBQUUsSUFBSSxDQUFDLE9BQU87WUFDckIsa0JBQWtCLEVBQUUsYUFBYSxDQUFDLENBQUMsQ0FBQztZQUNwQyxpQkFBaUIsRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO1NBQ2xDLENBQUMsQ0FBQztRQUNILEdBQUcsQ0FBQyxtQkFBbUIsQ0FBQyxNQUFNLENBQzVCLENBQUMsRUFDRCxHQUFHLENBQUMsbUJBQW1CLENBQUMsTUFBTSxFQUM5QixHQUFHLGFBQWEsQ0FDakIsQ0FBQztRQUNGLEdBQUcsQ0FBQyxrQkFBa0IsQ0FBQyxNQUFNLENBQzNCLENBQUMsRUFDRCxHQUFHLENBQUMsa0JBQWtCLENBQUMsTUFBTSxFQUM3QixHQUFHLFdBQVcsQ0FDZixDQUFDO1FBQ0YsR0FBRyxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsR0FBRyxJQUFJLENBQUMsV0FBVyxFQUFFLEdBQUcsR0FBRyxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzlELE9BQU8sR0FBRyxDQUFDO0lBQ2IsQ0FBQzs7QUE3UUgsc0JBOFFDOzs7QUFFRCxTQUFTLGFBQWEsQ0FBQyxPQUEyQjtJQUNoRCxPQUFPLG9CQUFvQixPQUFPLENBQUMsT0FBTyxjQUFjLE9BQU8sQ0FBQyxPQUFPLFNBQVMsT0FBTyxDQUFDLFlBQVksR0FBRyxDQUFDO0FBQzFHLENBQUM7QUEyQ0Q7Ozs7OztHQU1HO0FBQ0gsTUFBYSxtQkFBbUI7SUFDOUIsWUFBWSxHQUFHLFdBQTBCO1FBQ3ZDLHVCQUFVLENBQUMsU0FBUyxDQUFDLElBQUksRUFBRTtZQUN6QixJQUFJLGVBQWU7Z0JBQ2pCLE9BQU8sS0FBSyxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUNqQyxFQUFFLEVBQ0YsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsdUJBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsZUFBZSxDQUFDLENBQ3pELENBQUM7WUFDSixDQUFDO1NBQ0YsQ0FBQyxDQUFDO0lBQ0wsQ0FBQzs7QUFWSCxrREFXQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IERlcGVuZGFibGUsIElDb25zdHJ1Y3QsIElEZXBlbmRhYmxlIH0gZnJvbSBcImNvbnN0cnVjdHNcIjtcbmltcG9ydCB7IElBd3NDb25zdHJ1Y3QgfSBmcm9tIFwiLi4vYXdzLWNvbnN0cnVjdFwiO1xuaW1wb3J0IHsgUG9saWN5U3RhdGVtZW50LCBDb25kaXRpb25zIH0gZnJvbSBcIi4vcG9saWN5LXN0YXRlbWVudFwiO1xuaW1wb3J0IHsgSUdyYW50YWJsZSwgSVByaW5jaXBhbCB9IGZyb20gXCIuL3ByaW5jaXBhbHNcIjtcbmltcG9ydCB7IFRva2VuQ29tcGFyaXNvbiwgdG9rZW5Db21wYXJlU3RyaW5ncyB9IGZyb20gXCIuLi8uLi90b2tlblwiO1xuXG4vKipcbiAqIEJhc2ljIG9wdGlvbnMgZm9yIGEgZ3JhbnQgb3BlcmF0aW9uXG4gKlxuICovXG5leHBvcnQgaW50ZXJmYWNlIENvbW1vbkdyYW50T3B0aW9ucyB7XG4gIC8qKlxuICAgKiBUaGUgcHJpbmNpcGFsIHRvIGdyYW50IHRvXG4gICAqXG4gICAqIEBkZWZhdWx0IGlmIHByaW5jaXBhbCBpcyB1bmRlZmluZWQsIG5vIHdvcmsgaXMgZG9uZS5cbiAgICovXG4gIHJlYWRvbmx5IGdyYW50ZWU6IElHcmFudGFibGU7XG5cbiAgLyoqXG4gICAqIFRoZSBhY3Rpb25zIHRvIGdyYW50XG4gICAqL1xuICByZWFkb25seSBhY3Rpb25zOiBzdHJpbmdbXTtcblxuICAvKipcbiAgICogVGhlIHJlc291cmNlIEFSTnMgdG8gZ3JhbnQgdG9cbiAgICovXG4gIHJlYWRvbmx5IHJlc291cmNlQXJuczogc3RyaW5nW107XG5cbiAgLyoqXG4gICAqIEFueSBjb25kaXRpb25zIHRvIGF0dGFjaCB0byB0aGUgZ3JhbnRcbiAgICpcbiAgICogQGRlZmF1bHQgLSBObyBjb25kaXRpb25zXG4gICAqL1xuICByZWFkb25seSBjb25kaXRpb25zPzogQ29uZGl0aW9ucztcbn1cblxuLyoqXG4gKiBPcHRpb25zIGZvciBhIGdyYW50IG9wZXJhdGlvblxuICpcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBHcmFudFdpdGhSZXNvdXJjZU9wdGlvbnMgZXh0ZW5kcyBDb21tb25HcmFudE9wdGlvbnMge1xuICAvKipcbiAgICogVGhlIHJlc291cmNlIHdpdGggYSByZXNvdXJjZSBwb2xpY3lcbiAgICpcbiAgICogVGhlIHN0YXRlbWVudCB3aWxsIGJlIGFkZGVkIHRvIHRoZSByZXNvdXJjZSBwb2xpY3kgaWYgaXQgY291bGRuJ3QgYmVcbiAgICogYWRkZWQgdG8gdGhlIHByaW5jaXBhbCBwb2xpY3kuXG4gICAqL1xuICByZWFkb25seSByZXNvdXJjZTogSUF3c0NvbnN0cnVjdFdpdGhQb2xpY3k7XG5cbiAgLyoqXG4gICAqIFdoZW4gcmVmZXJyaW5nIHRvIHRoZSByZXNvdXJjZSBpbiBhIHJlc291cmNlIHBvbGljeSwgdXNlIHRoaXMgYXMgQVJOLlxuICAgKlxuICAgKiAoRGVwZW5kaW5nIG9uIHRoZSByZXNvdXJjZSB0eXBlLCB0aGlzIG5lZWRzIHRvIGJlICcqJyBpbiBhIHJlc291cmNlIHBvbGljeSkuXG4gICAqXG4gICAqIEBkZWZhdWx0IFNhbWUgYXMgcmVndWxhciByZXNvdXJjZSBBUk5zXG4gICAqL1xuICByZWFkb25seSByZXNvdXJjZVNlbGZBcm5zPzogc3RyaW5nW107XG59XG5cbi8qKlxuICogT3B0aW9ucyBmb3IgYSBncmFudCBvcGVyYXRpb24gdGhhdCBvbmx5IGFwcGxpZXMgdG8gcHJpbmNpcGFsc1xuICpcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBHcmFudE9uUHJpbmNpcGFsT3B0aW9ucyBleHRlbmRzIENvbW1vbkdyYW50T3B0aW9ucyB7XG4gIC8qKlxuICAgKiBDb25zdHJ1Y3QgdG8gcmVwb3J0IHdhcm5pbmdzIG9uIGluIGNhc2UgZ3JhbnQgY291bGQgbm90IGJlIHJlZ2lzdGVyZWRcbiAgICpcbiAgICogQGRlZmF1bHQgLSB0aGUgY29uc3RydWN0IGluIHdoaWNoIHRoaXMgY29uc3RydWN0IGlzIGRlZmluZWRcbiAgICovXG4gIHJlYWRvbmx5IHNjb3BlPzogSUNvbnN0cnVjdDtcbn1cblxuLyoqXG4gKiBPcHRpb25zIGZvciBhIGdyYW50IG9wZXJhdGlvbiB0byBib3RoIGlkZW50aXR5IGFuZCByZXNvdXJjZVxuICpcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBHcmFudE9uUHJpbmNpcGFsQW5kUmVzb3VyY2VPcHRpb25zIGV4dGVuZHMgQ29tbW9uR3JhbnRPcHRpb25zIHtcbiAgLyoqXG4gICAqIFRoZSByZXNvdXJjZSB3aXRoIGEgcmVzb3VyY2UgcG9saWN5XG4gICAqXG4gICAqIFRoZSBzdGF0ZW1lbnQgd2lsbCBhbHdheXMgYmUgYWRkZWQgdG8gdGhlIHJlc291cmNlIHBvbGljeS5cbiAgICovXG4gIHJlYWRvbmx5IHJlc291cmNlOiBJQXdzQ29uc3RydWN0V2l0aFBvbGljeTtcblxuICAvKipcbiAgICogV2hlbiByZWZlcnJpbmcgdG8gdGhlIHJlc291cmNlIGluIGEgcmVzb3VyY2UgcG9saWN5LCB1c2UgdGhpcyBhcyBBUk4uXG4gICAqXG4gICAqIChEZXBlbmRpbmcgb24gdGhlIHJlc291cmNlIHR5cGUsIHRoaXMgbmVlZHMgdG8gYmUgJyonIGluIGEgcmVzb3VyY2UgcG9saWN5KS5cbiAgICpcbiAgICogQGRlZmF1bHQgU2FtZSBhcyByZWd1bGFyIHJlc291cmNlIEFSTnNcbiAgICovXG4gIHJlYWRvbmx5IHJlc291cmNlU2VsZkFybnM/OiBzdHJpbmdbXTtcblxuICAvKipcbiAgICogVGhlIHByaW5jaXBhbCB0byB1c2UgaW4gdGhlIHN0YXRlbWVudCBmb3IgdGhlIHJlc291cmNlIHBvbGljeS5cbiAgICpcbiAgICogQGRlZmF1bHQgLSB0aGUgcHJpbmNpcGFsIG9mIHRoZSBncmFudGVlIHdpbGwgYmUgdXNlZFxuICAgKi9cbiAgcmVhZG9ubHkgcmVzb3VyY2VQb2xpY3lQcmluY2lwYWw/OiBJUHJpbmNpcGFsO1xufVxuXG4vKipcbiAqIFJlc3VsdCBvZiBhIGdyYW50KCkgb3BlcmF0aW9uXG4gKlxuICogVGhpcyBjbGFzcyBpcyBub3QgaW5zdGFudGlhYmxlIGJ5IGNvbnN1bWVycyBvbiBwdXJwb3NlLCBzbyB0aGF0IHRoZXkgd2lsbCBiZVxuICogcmVxdWlyZWQgdG8gY2FsbCB0aGUgR3JhbnQgZmFjdG9yeSBmdW5jdGlvbnMuXG4gKi9cbmV4cG9ydCBjbGFzcyBHcmFudCBpbXBsZW1lbnRzIElEZXBlbmRhYmxlIHtcbiAgLyoqXG4gICAqIEdyYW50IHRoZSBnaXZlbiBwZXJtaXNzaW9ucyB0byB0aGUgcHJpbmNpcGFsXG4gICAqXG4gICAqIFRoZSBwZXJtaXNzaW9ucyB3aWxsIGJlIGFkZGVkIHRvIHRoZSBwcmluY2lwYWwgcG9saWN5IHByaW1hcmlseSwgZmFsbGluZ1xuICAgKiBiYWNrIHRvIHRoZSByZXNvdXJjZSBwb2xpY3kgaWYgbmVjZXNzYXJ5LiBUaGUgcGVybWlzc2lvbnMgbXVzdCBiZSBncmFudGVkXG4gICAqIHNvbWV3aGVyZS5cbiAgICpcbiAgICogLSBUcnlpbmcgdG8gZ3JhbnQgcGVybWlzc2lvbnMgdG8gYSBwcmluY2lwYWwgdGhhdCBkb2VzIG5vdCBhZG1pdCBhZGRpbmcgdG9cbiAgICogICB0aGUgcHJpbmNpcGFsIHBvbGljeSB3aGlsZSBub3QgcHJvdmlkaW5nIGEgcmVzb3VyY2Ugd2l0aCBhIHJlc291cmNlIHBvbGljeVxuICAgKiAgIGlzIGFuIGVycm9yLlxuICAgKiAtIFRyeWluZyB0byBncmFudCBwZXJtaXNzaW9ucyB0byBhbiBhYnNlbnQgcHJpbmNpcGFsIChwb3NzaWJsZSBpbiB0aGVcbiAgICogICBjYXNlIG9mIGltcG9ydGVkIHJlc291cmNlcykgbGVhZHMgdG8gYSB3YXJuaW5nIGJlaW5nIGFkZGVkIHRvIHRoZVxuICAgKiAgIHJlc291cmNlIGNvbnN0cnVjdC5cbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgYWRkVG9QcmluY2lwYWxPclJlc291cmNlKFxuICAgIG9wdGlvbnM6IEdyYW50V2l0aFJlc291cmNlT3B0aW9ucyxcbiAgKTogR3JhbnQge1xuICAgIGNvbnN0IHJlc3VsdCA9IEdyYW50LmFkZFRvUHJpbmNpcGFsKHtcbiAgICAgIC4uLm9wdGlvbnMsXG4gICAgICBzY29wZTogb3B0aW9ucy5yZXNvdXJjZSxcbiAgICB9KTtcblxuICAgIGNvbnN0IHJlc291cmNlQW5kUHJpbmNpcGFsQWNjb3VudENvbXBhcmlzb24gPSBvcHRpb25zLmdyYW50ZWUuZ3JhbnRQcmluY2lwYWxcbiAgICAgIC5wcmluY2lwYWxBY2NvdW50XG4gICAgICA/IHRva2VuQ29tcGFyZVN0cmluZ3MoXG4gICAgICAgICAgb3B0aW9ucy5yZXNvdXJjZS5lbnYuYWNjb3VudCxcbiAgICAgICAgICBvcHRpb25zLmdyYW50ZWUuZ3JhbnRQcmluY2lwYWwucHJpbmNpcGFsQWNjb3VudCxcbiAgICAgICAgKVxuICAgICAgOiB1bmRlZmluZWQ7XG4gICAgLy8gaWYgYm90aCBhY2NvdW50cyBhcmUgdG9rZW5zLCB3ZSBhc3N1bWUgaGVyZSB0aGV5IGFyZSB0aGUgc2FtZVxuICAgIGNvbnN0IGVxdWFsT3JCb3RoVW5yZXNvbHZlZCA9XG4gICAgICByZXNvdXJjZUFuZFByaW5jaXBhbEFjY291bnRDb21wYXJpc29uID09PSBUb2tlbkNvbXBhcmlzb24uU0FNRSB8fFxuICAgICAgcmVzb3VyY2VBbmRQcmluY2lwYWxBY2NvdW50Q29tcGFyaXNvbiA9PSBUb2tlbkNvbXBhcmlzb24uQk9USF9VTlJFU09MVkVEO1xuICAgIGNvbnN0IHNhbWVBY2NvdW50OiBib29sZWFuID0gcmVzb3VyY2VBbmRQcmluY2lwYWxBY2NvdW50Q29tcGFyaXNvblxuICAgICAgPyBlcXVhbE9yQm90aFVucmVzb2x2ZWRcbiAgICAgIDogLy8gaWYgdGhlIHByaW5jaXBhbCBkb2Vzbid0IGhhdmUgYW4gYWNjb3VudCAoZm9yIGV4YW1wbGUsIGEgc2VydmljZSBwcmluY2lwYWwpLFxuICAgICAgICAvLyB3ZSBzaG91bGQgbW9kaWZ5IHRoZSByZXNvdXJjZSdzIHRydXN0IHBvbGljeVxuICAgICAgICBmYWxzZTtcbiAgICAvLyBJZiB3ZSBhZGRlZCB0byB0aGUgcHJpbmNpcGFsIEFORCB3ZSdyZSBpbiB0aGUgc2FtZSBhY2NvdW50LCB0aGVuIHdlJ3JlIGRvbmUuXG4gICAgLy8gSWYgbm90LCBpdCdzIGEgZGlmZmVyZW50IGFjY291bnQgYW5kIHdlIG11c3QgYWxzbyBhZGQgYSB0cnVzdCBwb2xpY3kgb24gdGhlIHJlc291cmNlLlxuICAgIGlmIChyZXN1bHQuc3VjY2VzcyAmJiBzYW1lQWNjb3VudCkge1xuICAgICAgcmV0dXJuIHJlc3VsdDtcbiAgICB9XG5cbiAgICBjb25zdCBzdGF0ZW1lbnQgPSBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgIGFjdGlvbnM6IG9wdGlvbnMuYWN0aW9ucyxcbiAgICAgIHJlc291cmNlczogb3B0aW9ucy5yZXNvdXJjZVNlbGZBcm5zIHx8IG9wdGlvbnMucmVzb3VyY2VBcm5zLFxuICAgICAgcHJpbmNpcGFsczogW29wdGlvbnMuZ3JhbnRlZSEuZ3JhbnRQcmluY2lwYWxdLFxuICAgIH0pO1xuXG4gICAgY29uc3QgcmVzb3VyY2VSZXN1bHQgPSBvcHRpb25zLnJlc291cmNlLmFkZFRvUmVzb3VyY2VQb2xpY3koc3RhdGVtZW50KTtcblxuICAgIHJldHVybiBuZXcgR3JhbnQoe1xuICAgICAgcmVzb3VyY2VTdGF0ZW1lbnQ6IHN0YXRlbWVudCxcbiAgICAgIG9wdGlvbnMsXG4gICAgICBwb2xpY3lEZXBlbmRhYmxlOiByZXNvdXJjZVJlc3VsdC5zdGF0ZW1lbnRBZGRlZFxuICAgICAgICA/IChyZXNvdXJjZVJlc3VsdC5wb2xpY3lEZXBlbmRhYmxlID8/IG9wdGlvbnMucmVzb3VyY2UpXG4gICAgICAgIDogdW5kZWZpbmVkLFxuICAgIH0pO1xuICB9XG5cbiAgLyoqXG4gICAqIFRyeSB0byBncmFudCB0aGUgZ2l2ZW4gcGVybWlzc2lvbnMgdG8gdGhlIGdpdmVuIHByaW5jaXBhbFxuICAgKlxuICAgKiBBYnNlbmNlIG9mIGEgcHJpbmNpcGFsIGxlYWRzIHRvIGEgd2FybmluZywgYnV0IGZhaWxpbmcgdG8gYWRkXG4gICAqIHRoZSBwZXJtaXNzaW9ucyB0byBhIHByZXNlbnQgcHJpbmNpcGFsIGlzIG5vdCBhbiBlcnJvci5cbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgYWRkVG9QcmluY2lwYWwob3B0aW9uczogR3JhbnRPblByaW5jaXBhbE9wdGlvbnMpOiBHcmFudCB7XG4gICAgY29uc3Qgc3RhdGVtZW50ID0gbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICBhY3Rpb25zOiBvcHRpb25zLmFjdGlvbnMsXG4gICAgICByZXNvdXJjZXM6IG9wdGlvbnMucmVzb3VyY2VBcm5zLFxuICAgICAgY29uZGl0aW9uOiBvcHRpb25zLmNvbmRpdGlvbnMsXG4gICAgfSk7XG5cbiAgICBjb25zdCBhZGRlZFRvUHJpbmNpcGFsID1cbiAgICAgIG9wdGlvbnMuZ3JhbnRlZS5ncmFudFByaW5jaXBhbC5hZGRUb1ByaW5jaXBhbFBvbGljeShzdGF0ZW1lbnQpO1xuICAgIGlmICghYWRkZWRUb1ByaW5jaXBhbC5zdGF0ZW1lbnRBZGRlZCkge1xuICAgICAgcmV0dXJuIG5ldyBHcmFudCh7IHByaW5jaXBhbFN0YXRlbWVudDogdW5kZWZpbmVkLCBvcHRpb25zIH0pO1xuICAgIH1cblxuICAgIGlmICghYWRkZWRUb1ByaW5jaXBhbC5wb2xpY3lEZXBlbmRhYmxlKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoXG4gICAgICAgIFwiQ29udHJhY3QgdmlvbGF0aW9uOiB3aGVuIFByaW5jaXBhbCByZXR1cm5zIHN0YXRlbWVudEFkZGVkPXRydWUsIGl0IHNob3VsZCByZXR1cm4gYSBkZXBlbmRhYmxlXCIsXG4gICAgICApO1xuICAgIH1cblxuICAgIHJldHVybiBuZXcgR3JhbnQoe1xuICAgICAgcHJpbmNpcGFsU3RhdGVtZW50OiBzdGF0ZW1lbnQsXG4gICAgICBvcHRpb25zLFxuICAgICAgcG9saWN5RGVwZW5kYWJsZTogYWRkZWRUb1ByaW5jaXBhbC5wb2xpY3lEZXBlbmRhYmxlLFxuICAgIH0pO1xuICB9XG5cbiAgLyoqXG4gICAqIEFkZCBhIGdyYW50IGJvdGggb24gdGhlIHByaW5jaXBhbCBhbmQgb24gdGhlIHJlc291cmNlXG4gICAqXG4gICAqIEFzIGxvbmcgYXMgYW55IHByaW5jaXBhbCBpcyBnaXZlbiwgZ3JhbnRpbmcgb24gdGhlIHByaW5jaXBhbCBtYXkgZmFpbCAoaW5cbiAgICogY2FzZSBvZiBhIG5vbi1pZGVudGl0eSBwcmluY2lwYWwpLCBidXQgZ3JhbnRpbmcgb24gdGhlIHJlc291cmNlIHdpbGxcbiAgICogbmV2ZXIgZmFpbC5cbiAgICpcbiAgICogU3RhdGVtZW50IHdpbGwgYmUgdGhlIHJlc291cmNlIHN0YXRlbWVudC5cbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgYWRkVG9QcmluY2lwYWxBbmRSZXNvdXJjZShcbiAgICBvcHRpb25zOiBHcmFudE9uUHJpbmNpcGFsQW5kUmVzb3VyY2VPcHRpb25zLFxuICApOiBHcmFudCB7XG4gICAgY29uc3QgcmVzdWx0ID0gR3JhbnQuYWRkVG9QcmluY2lwYWwoe1xuICAgICAgLi4ub3B0aW9ucyxcbiAgICAgIHNjb3BlOiBvcHRpb25zLnJlc291cmNlLFxuICAgIH0pO1xuXG4gICAgY29uc3Qgc3RhdGVtZW50ID0gbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICBhY3Rpb25zOiBvcHRpb25zLmFjdGlvbnMsXG4gICAgICByZXNvdXJjZXM6IG9wdGlvbnMucmVzb3VyY2VTZWxmQXJucyB8fCBvcHRpb25zLnJlc291cmNlQXJucyxcbiAgICAgIHByaW5jaXBhbHM6IFtcbiAgICAgICAgb3B0aW9ucy5yZXNvdXJjZVBvbGljeVByaW5jaXBhbCB8fCBvcHRpb25zLmdyYW50ZWUhLmdyYW50UHJpbmNpcGFsLFxuICAgICAgXSxcbiAgICB9KTtcblxuICAgIGNvbnN0IHJlc291cmNlUmVzdWx0ID0gb3B0aW9ucy5yZXNvdXJjZS5hZGRUb1Jlc291cmNlUG9saWN5KHN0YXRlbWVudCk7XG4gICAgY29uc3QgcmVzb3VyY2VEZXBlbmRhYmxlID0gcmVzb3VyY2VSZXN1bHQuc3RhdGVtZW50QWRkZWRcbiAgICAgID8gKHJlc291cmNlUmVzdWx0LnBvbGljeURlcGVuZGFibGUgPz8gb3B0aW9ucy5yZXNvdXJjZSlcbiAgICAgIDogdW5kZWZpbmVkO1xuXG4gICAgcmV0dXJuIG5ldyBHcmFudCh7XG4gICAgICBwcmluY2lwYWxTdGF0ZW1lbnQ6IHN0YXRlbWVudCxcbiAgICAgIHJlc291cmNlU3RhdGVtZW50OiByZXN1bHQucmVzb3VyY2VTdGF0ZW1lbnQsXG4gICAgICBvcHRpb25zLFxuICAgICAgcG9saWN5RGVwZW5kYWJsZTogcmVzb3VyY2VEZXBlbmRhYmxlXG4gICAgICAgID8gbmV3IENvbXBvc2l0ZURlcGVuZGFibGUocmVzdWx0LCByZXNvdXJjZURlcGVuZGFibGUpXG4gICAgICAgIDogcmVzdWx0LFxuICAgIH0pO1xuICB9XG5cbiAgLyoqXG4gICAqIFJldHVybnMgYSBcIm5vLW9wXCIgYEdyYW50YCBvYmplY3Qgd2hpY2ggcmVwcmVzZW50cyBhIFwiZHJvcHBlZCBncmFudFwiLlxuICAgKlxuICAgKiBUaGlzIGNhbiBiZSB1c2VkIGZvciBlLmcuIGltcG9ydGVkIHJlc291cmNlcyB3aGVyZSB5b3UgbWF5IG5vdCBiZSBhYmxlIHRvIG1vZGlmeVxuICAgKiB0aGUgcmVzb3VyY2UncyBwb2xpY3kgb3Igc29tZSB1bmRlcmx5aW5nIHBvbGljeSB3aGljaCB5b3UgZG9uJ3Qga25vdyBhYm91dC5cbiAgICpcbiAgICogQHBhcmFtIGdyYW50ZWUgVGhlIGludGVuZGVkIGdyYW50ZWVcbiAgICogQHBhcmFtIF9pbnRlbnQgVGhlIHVzZXIncyBpbnRlbnQgKHdpbGwgYmUgaWdub3JlZCBhdCB0aGUgbW9tZW50KVxuICAgKi9cbiAgcHVibGljIHN0YXRpYyBkcm9wKGdyYW50ZWU6IElHcmFudGFibGUsIF9pbnRlbnQ6IHN0cmluZyk6IEdyYW50IHtcbiAgICByZXR1cm4gbmV3IEdyYW50KHtcbiAgICAgIG9wdGlvbnM6IHsgZ3JhbnRlZSwgYWN0aW9uczogW10sIHJlc291cmNlQXJuczogW10gfSxcbiAgICB9KTtcbiAgfVxuXG4gIC8qKlxuICAgKiBUaGUgc3RhdGVtZW50IHRoYXQgd2FzIGFkZGVkIHRvIHRoZSBwcmluY2lwYWwncyBwb2xpY3lcbiAgICpcbiAgICogQGRlcHJlY2F0ZWQgVXNlIGBwcmluY2lwYWxTdGF0ZW1lbnRzYCBpbnN0ZWFkXG4gICAqL1xuICBwdWJsaWMgcmVhZG9ubHkgcHJpbmNpcGFsU3RhdGVtZW50PzogUG9saWN5U3RhdGVtZW50O1xuXG4gIC8qKlxuICAgKiBUaGUgc3RhdGVtZW50cyB0aGF0IHdlcmUgYWRkZWQgdG8gdGhlIHByaW5jaXBhbCdzIHBvbGljeVxuICAgKi9cbiAgcHVibGljIHJlYWRvbmx5IHByaW5jaXBhbFN0YXRlbWVudHMgPSBuZXcgQXJyYXk8UG9saWN5U3RhdGVtZW50PigpO1xuXG4gIC8qKlxuICAgKiBUaGUgc3RhdGVtZW50IHRoYXQgd2FzIGFkZGVkIHRvIHRoZSByZXNvdXJjZSBwb2xpY3lcbiAgICpcbiAgICogQGRlcHJlY2F0ZWQgVXNlIGByZXNvdXJjZVN0YXRlbWVudHNgIGluc3RlYWRcbiAgICovXG4gIHB1YmxpYyByZWFkb25seSByZXNvdXJjZVN0YXRlbWVudD86IFBvbGljeVN0YXRlbWVudDtcblxuICAvKipcbiAgICogVGhlIHN0YXRlbWVudHMgdGhhdCB3ZXJlIGFkZGVkIHRvIHRoZSBwcmluY2lwYWwncyBwb2xpY3lcbiAgICovXG4gIHB1YmxpYyByZWFkb25seSByZXNvdXJjZVN0YXRlbWVudHMgPSBuZXcgQXJyYXk8UG9saWN5U3RhdGVtZW50PigpO1xuXG4gIC8qKlxuICAgKiBUaGUgb3B0aW9ucyBvcmlnaW5hbGx5IHVzZWQgdG8gc2V0IHRoaXMgcmVzdWx0XG4gICAqXG4gICAqIFByaXZhdGUgbWVtYmVyIGRvdWJsZXMgYXMgYSB3YXkgdG8gbWFrZSBpdCBpbXBvc3NpYmxlIGZvciBhbiBvYmplY3QgbGl0ZXJhbCB0b1xuICAgKiBiZSBzdHJ1Y3R1cmFsbHkgdGhlIHNhbWUgYXMgdGhpcyBjbGFzcy5cbiAgICovXG4gIHByaXZhdGUgcmVhZG9ubHkgb3B0aW9uczogQ29tbW9uR3JhbnRPcHRpb25zO1xuXG4gIHByaXZhdGUgcmVhZG9ubHkgZGVwZW5kYWJsZXMgPSBuZXcgQXJyYXk8SURlcGVuZGFibGU+KCk7XG5cbiAgcHJpdmF0ZSBjb25zdHJ1Y3Rvcihwcm9wczogR3JhbnRQcm9wcykge1xuICAgIHRoaXMub3B0aW9ucyA9IHByb3BzLm9wdGlvbnM7XG4gICAgdGhpcy5wcmluY2lwYWxTdGF0ZW1lbnQgPSBwcm9wcy5wcmluY2lwYWxTdGF0ZW1lbnQ7XG4gICAgdGhpcy5yZXNvdXJjZVN0YXRlbWVudCA9IHByb3BzLnJlc291cmNlU3RhdGVtZW50O1xuICAgIGlmICh0aGlzLnByaW5jaXBhbFN0YXRlbWVudCkge1xuICAgICAgdGhpcy5wcmluY2lwYWxTdGF0ZW1lbnRzLnB1c2godGhpcy5wcmluY2lwYWxTdGF0ZW1lbnQpO1xuICAgIH1cbiAgICBpZiAodGhpcy5yZXNvdXJjZVN0YXRlbWVudCkge1xuICAgICAgdGhpcy5yZXNvdXJjZVN0YXRlbWVudHMucHVzaCh0aGlzLnJlc291cmNlU3RhdGVtZW50KTtcbiAgICB9XG4gICAgaWYgKHByb3BzLnBvbGljeURlcGVuZGFibGUpIHtcbiAgICAgIHRoaXMuZGVwZW5kYWJsZXMucHVzaChwcm9wcy5wb2xpY3lEZXBlbmRhYmxlKTtcbiAgICB9XG5cbiAgICBjb25zdCBzZWxmID0gdGhpcztcbiAgICBEZXBlbmRhYmxlLmltcGxlbWVudCh0aGlzLCB7XG4gICAgICBnZXQgZGVwZW5kZW5jeVJvb3RzKCkge1xuICAgICAgICByZXR1cm4gQXJyYXkuZnJvbShcbiAgICAgICAgICBuZXcgU2V0KFxuICAgICAgICAgICAgc2VsZi5kZXBlbmRhYmxlcy5mbGF0TWFwKChkKSA9PiBEZXBlbmRhYmxlLm9mKGQpLmRlcGVuZGVuY3lSb290cyksXG4gICAgICAgICAgKSxcbiAgICAgICAgKTtcbiAgICAgIH0sXG4gICAgfSk7XG4gIH1cblxuICAvKipcbiAgICogV2hldGhlciB0aGUgZ3JhbnQgb3BlcmF0aW9uIHdhcyBzdWNjZXNzZnVsXG4gICAqL1xuICBwdWJsaWMgZ2V0IHN1Y2Nlc3MoKTogYm9vbGVhbiB7XG4gICAgcmV0dXJuIChcbiAgICAgIHRoaXMucHJpbmNpcGFsU3RhdGVtZW50ICE9PSB1bmRlZmluZWQgfHxcbiAgICAgIHRoaXMucmVzb3VyY2VTdGF0ZW1lbnQgIT09IHVuZGVmaW5lZFxuICAgICk7XG4gIH1cblxuICAvKipcbiAgICogVGhyb3cgYW4gZXJyb3IgaWYgdGhpcyBncmFudCB3YXNuJ3Qgc3VjY2Vzc2Z1bFxuICAgKi9cbiAgcHVibGljIGFzc2VydFN1Y2Nlc3MoKTogdm9pZCB7XG4gICAgaWYgKCF0aGlzLnN1Y2Nlc3MpIHtcbiAgICAgIC8vIGVzbGludC1kaXNhYmxlLW5leHQtbGluZSBtYXgtbGVuXG4gICAgICB0aHJvdyBuZXcgRXJyb3IoXG4gICAgICAgIGAke2Rlc2NyaWJlR3JhbnQodGhpcy5vcHRpb25zKX0gY291bGQgbm90IGJlIGFkZGVkIG9uIGVpdGhlciBpZGVudGl0eSBvciByZXNvdXJjZSBwb2xpY3kuYCxcbiAgICAgICk7XG4gICAgfVxuICB9XG5cbiAgLyoqXG4gICAqIE1ha2Ugc3VyZSB0aGlzIGdyYW50IGlzIGFwcGxpZWQgYmVmb3JlIHRoZSBnaXZlbiBjb25zdHJ1Y3RzIGFyZSBkZXBsb3llZFxuICAgKlxuICAgKiBUaGUgc2FtZSBhcyBjb25zdHJ1Y3Qubm9kZS5hZGREZXBlbmRlbmN5KGdyYW50KSwgYnV0IHNsaWdodGx5IG5pY2VyIHRvIHJlYWQuXG4gICAqL1xuICBwdWJsaWMgYXBwbHlCZWZvcmUoLi4uY29uc3RydWN0czogSUNvbnN0cnVjdFtdKSB7XG4gICAgZm9yIChjb25zdCBjb25zdHJ1Y3Qgb2YgY29uc3RydWN0cykge1xuICAgICAgY29uc3RydWN0Lm5vZGUuYWRkRGVwZW5kZW5jeSh0aGlzKTtcbiAgICB9XG4gIH1cblxuICAvKipcbiAgICogQ29tYmluZSB0d28gZ3JhbnRzIGludG8gYSBuZXcgb25lXG4gICAqL1xuICBwdWJsaWMgY29tYmluZShyaHM6IEdyYW50KSB7XG4gICAgY29uc3QgY29tYmluZWRQcmluYyA9IFtcbiAgICAgIC4uLnRoaXMucHJpbmNpcGFsU3RhdGVtZW50cyxcbiAgICAgIC4uLnJocy5wcmluY2lwYWxTdGF0ZW1lbnRzLFxuICAgIF07XG4gICAgY29uc3QgY29tYmluZWRSZXMgPSBbLi4udGhpcy5yZXNvdXJjZVN0YXRlbWVudHMsIC4uLnJocy5yZXNvdXJjZVN0YXRlbWVudHNdO1xuXG4gICAgY29uc3QgcmV0ID0gbmV3IEdyYW50KHtcbiAgICAgIG9wdGlvbnM6IHRoaXMub3B0aW9ucyxcbiAgICAgIHByaW5jaXBhbFN0YXRlbWVudDogY29tYmluZWRQcmluY1swXSxcbiAgICAgIHJlc291cmNlU3RhdGVtZW50OiBjb21iaW5lZFJlc1swXSxcbiAgICB9KTtcbiAgICByZXQucHJpbmNpcGFsU3RhdGVtZW50cy5zcGxpY2UoXG4gICAgICAwLFxuICAgICAgcmV0LnByaW5jaXBhbFN0YXRlbWVudHMubGVuZ3RoLFxuICAgICAgLi4uY29tYmluZWRQcmluYyxcbiAgICApO1xuICAgIHJldC5yZXNvdXJjZVN0YXRlbWVudHMuc3BsaWNlKFxuICAgICAgMCxcbiAgICAgIHJldC5yZXNvdXJjZVN0YXRlbWVudHMubGVuZ3RoLFxuICAgICAgLi4uY29tYmluZWRSZXMsXG4gICAgKTtcbiAgICByZXQuZGVwZW5kYWJsZXMucHVzaCguLi50aGlzLmRlcGVuZGFibGVzLCAuLi5yaHMuZGVwZW5kYWJsZXMpO1xuICAgIHJldHVybiByZXQ7XG4gIH1cbn1cblxuZnVuY3Rpb24gZGVzY3JpYmVHcmFudChvcHRpb25zOiBDb21tb25HcmFudE9wdGlvbnMpIHtcbiAgcmV0dXJuIGBQZXJtaXNzaW9ucyBmb3IgJyR7b3B0aW9ucy5ncmFudGVlfScgdG8gY2FsbCAnJHtvcHRpb25zLmFjdGlvbnN9JyBvbiAnJHtvcHRpb25zLnJlc291cmNlQXJuc30nYDtcbn1cblxuaW50ZXJmYWNlIEdyYW50UHJvcHMge1xuICByZWFkb25seSBvcHRpb25zOiBDb21tb25HcmFudE9wdGlvbnM7XG4gIHJlYWRvbmx5IHByaW5jaXBhbFN0YXRlbWVudD86IFBvbGljeVN0YXRlbWVudDtcbiAgcmVhZG9ubHkgcmVzb3VyY2VTdGF0ZW1lbnQ/OiBQb2xpY3lTdGF0ZW1lbnQ7XG5cbiAgLyoqXG4gICAqIENvbnN0cnVjdHMgd2hvc2UgZGVwbG95bWVudCBhcHBsaWVzIHRoZSBncmFudFxuICAgKlxuICAgKiBVc2VkIHRvIGFkZCBkZXBlbmRlbmNpZXMgb24gZ3JhbnRzXG4gICAqL1xuICByZWFkb25seSBwb2xpY3lEZXBlbmRhYmxlPzogSURlcGVuZGFibGU7XG59XG5cbi8qKlxuICogQSByZXNvdXJjZSB3aXRoIGEgcmVzb3VyY2UgcG9saWN5IHRoYXQgY2FuIGJlIGFkZGVkIHRvXG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgSUF3c0NvbnN0cnVjdFdpdGhQb2xpY3kgZXh0ZW5kcyBJQXdzQ29uc3RydWN0IHtcbiAgLyoqXG4gICAqIEFkZCBhIHN0YXRlbWVudCB0byB0aGUgcmVzb3VyY2UncyByZXNvdXJjZSBwb2xpY3lcbiAgICovXG4gIGFkZFRvUmVzb3VyY2VQb2xpY3koc3RhdGVtZW50OiBQb2xpY3lTdGF0ZW1lbnQpOiBBZGRUb1Jlc291cmNlUG9saWN5UmVzdWx0O1xufVxuXG4vKipcbiAqIFJlc3VsdCBvZiBjYWxsaW5nIGFkZFRvUmVzb3VyY2VQb2xpY3lcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBBZGRUb1Jlc291cmNlUG9saWN5UmVzdWx0IHtcbiAgLyoqXG4gICAqIFdoZXRoZXIgdGhlIHN0YXRlbWVudCB3YXMgYWRkZWRcbiAgICovXG4gIHJlYWRvbmx5IHN0YXRlbWVudEFkZGVkOiBib29sZWFuO1xuXG4gIC8qKlxuICAgKiBEZXBlbmRhYmxlIHdoaWNoIGFsbG93cyBkZXBlbmRpbmcgb24gdGhlIHBvbGljeSBjaGFuZ2UgYmVpbmcgYXBwbGllZFxuICAgKlxuICAgKiBAZGVmYXVsdCAtIElmIGBzdGF0ZW1lbnRBZGRlZGAgaXMgdHJ1ZSwgdGhlIHJlc291cmNlIG9iamVjdCBpdHNlbGYuXG4gICAqIE90aGVyd2lzZSwgbm8gZGVwZW5kYWJsZS5cbiAgICovXG4gIHJlYWRvbmx5IHBvbGljeURlcGVuZGFibGU/OiBJRGVwZW5kYWJsZTtcbn1cblxuLyoqXG4gKiBDb21wb3NpdGUgZGVwZW5kYWJsZVxuICpcbiAqIE5vdCBhcyBzaW1wbGUgYXMgZWFnZXJseSBnZXR0aW5nIHRoZSBkZXBlbmRlbmN5IHJvb3RzIGZyb20gdGhlXG4gKiBpbm5lciBkZXBlbmRhYmxlcywgYXMgdGhleSBtYXkgYmUgbXV0YWJsZSBzbyB3ZSBuZWVkIHRvIGRlZmVyXG4gKiB0aGUgcXVlcnkuXG4gKi9cbmV4cG9ydCBjbGFzcyBDb21wb3NpdGVEZXBlbmRhYmxlIGltcGxlbWVudHMgSURlcGVuZGFibGUge1xuICBjb25zdHJ1Y3RvciguLi5kZXBlbmRhYmxlczogSURlcGVuZGFibGVbXSkge1xuICAgIERlcGVuZGFibGUuaW1wbGVtZW50KHRoaXMsIHtcbiAgICAgIGdldCBkZXBlbmRlbmN5Um9vdHMoKTogSUNvbnN0cnVjdFtdIHtcbiAgICAgICAgcmV0dXJuIEFycmF5LnByb3RvdHlwZS5jb25jYXQuYXBwbHkoXG4gICAgICAgICAgW10sXG4gICAgICAgICAgZGVwZW5kYWJsZXMubWFwKChkKSA9PiBEZXBlbmRhYmxlLm9mKGQpLmRlcGVuZGVuY3lSb290cyksXG4gICAgICAgICk7XG4gICAgICB9LFxuICAgIH0pO1xuICB9XG59XG4iXX0=

package/lib/aws/iam/identity-base.d.ts

@@ -0,0 +1,20 @@
+import { IManagedPolicy } from "./managed-policy";
+import { Policy } from "./policy";
+import { IPrincipal } from "./principals";
+import { IAwsConstruct } from "../";
+/**
+ * A construct that represents an IAM principal, such as a user, group or role.
+ */
+export interface IIdentity extends IPrincipal, IAwsConstruct {
+    /**
+     * Attaches an inline policy to this principal.
+     * This is the same as calling `policy.addToXxx(principal)`.
+     * @param policy The policy resource to attach to this principal [disable-awslint:ref-via-interface]
+     */
+    attachInlinePolicy(policy: Policy): void;
+    /**
+     * Attaches a managed policy to this principal.
+     * @param policy The managed policy
+     */
+    addManagedPolicy(policy: IManagedPolicy): void;
+}

package/lib/aws/iam/identity-base.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaWRlbnRpdHktYmFzZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9hd3MvaWFtL2lkZW50aXR5LWJhc2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IElNYW5hZ2VkUG9saWN5IH0gZnJvbSBcIi4vbWFuYWdlZC1wb2xpY3lcIjtcbmltcG9ydCB7IFBvbGljeSB9IGZyb20gXCIuL3BvbGljeVwiO1xuaW1wb3J0IHsgSVByaW5jaXBhbCB9IGZyb20gXCIuL3ByaW5jaXBhbHNcIjtcbmltcG9ydCB7IElBd3NDb25zdHJ1Y3QgfSBmcm9tIFwiLi4vXCI7XG5cbi8qKlxuICogQSBjb25zdHJ1Y3QgdGhhdCByZXByZXNlbnRzIGFuIElBTSBwcmluY2lwYWwsIHN1Y2ggYXMgYSB1c2VyLCBncm91cCBvciByb2xlLlxuICovXG5leHBvcnQgaW50ZXJmYWNlIElJZGVudGl0eSBleHRlbmRzIElQcmluY2lwYWwsIElBd3NDb25zdHJ1Y3Qge1xuICAvKipcbiAgICogQXR0YWNoZXMgYW4gaW5saW5lIHBvbGljeSB0byB0aGlzIHByaW5jaXBhbC5cbiAgICogVGhpcyBpcyB0aGUgc2FtZSBhcyBjYWxsaW5nIGBwb2xpY3kuYWRkVG9YeHgocHJpbmNpcGFsKWAuXG4gICAqIEBwYXJhbSBwb2xpY3kgVGhlIHBvbGljeSByZXNvdXJjZSB0byBhdHRhY2ggdG8gdGhpcyBwcmluY2lwYWwgW2Rpc2FibGUtYXdzbGludDpyZWYtdmlhLWludGVyZmFjZV1cbiAgICovXG4gIGF0dGFjaElubGluZVBvbGljeShwb2xpY3k6IFBvbGljeSk6IHZvaWQ7XG5cbiAgLyoqXG4gICAqIEF0dGFjaGVzIGEgbWFuYWdlZCBwb2xpY3kgdG8gdGhpcyBwcmluY2lwYWwuXG4gICAqIEBwYXJhbSBwb2xpY3kgVGhlIG1hbmFnZWQgcG9saWN5XG4gICAqL1xuICBhZGRNYW5hZ2VkUG9saWN5KHBvbGljeTogSU1hbmFnZWRQb2xpY3kpOiB2b2lkO1xufVxuIl19

package/lib/aws/iam/index.d.ts

@@ -0,0 +1,16 @@
+export * from "./grant";
+export * from "./identity-base";
+export * from "./managed-policy";
+export * from "./oidc-provider";
+export * from "./policy-document-config.generated";
+export * from "./policy-document";
+export * from "./policy-statement-props.generated";
+export * from "./policy-statement";
+export * from "./policy";
+export * from "./principals";
+export * from "./role";
+export * from "./saml-provider";
+export * from "./unknown-principal";
+export * from "./utils";
+export * from "./policy-statement-props.generated";
+export * from "./policy-document-config.generated";