terraconstructs 0.0.8

package/lib/aws/iam/private/adapter.d.ts

@@ -0,0 +1,21 @@
+import { AwsConstructBase } from "../../aws-construct";
+import { IPolicyDocument, PolicyDocumentOutputs } from "../policy-document";
+import { PolicyStatement } from "../policy-statement";
+/**
+ * A PolicyDocument adapter that can modify statements flowing through it
+ */
+export declare class MutatingPolicyDocumentAdapter extends AwsConstructBase implements IPolicyDocument {
+    private readonly wrapped;
+    private readonly mutator;
+    constructor(wrapped: IPolicyDocument, mutator: (s: PolicyStatement) => PolicyStatement);
+    get policyDocumentOutputs(): PolicyDocumentOutputs;
+    get isEmpty(): boolean;
+    get outputs(): Record<string, any>;
+    get statementCount(): number;
+    get json(): string;
+    addStatements(...statements: PolicyStatement[]): void;
+    validateForAnyPolicy(): string[];
+    validateForIdentityPolicy(): string[];
+    validateForResourcePolicy(): string[];
+    toDocumentJson(): any;
+}

package/lib/aws/iam/private/adapter.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MutatingPolicyDocumentAdapter = void 0;
+const aws_construct_1 = require("../../aws-construct");
+/**
+ * A PolicyDocument adapter that can modify statements flowing through it
+ */
+class MutatingPolicyDocumentAdapter extends aws_construct_1.AwsConstructBase {
+    constructor(wrapped, mutator) {
+        if (wrapped.node.scope === undefined) {
+            throw new Error("The wrapped PolicyDocument must have a scope");
+        }
+        super(wrapped.node.scope, `Mutating${wrapped.node.id}`, {});
+        this.wrapped = wrapped;
+        this.mutator = mutator;
+    }
+    get policyDocumentOutputs() {
+        return this.wrapped.policyDocumentOutputs;
+    }
+    get isEmpty() {
+        return this.wrapped.isEmpty;
+    }
+    get outputs() {
+        return this.wrapped.outputs;
+    }
+    get statementCount() {
+        return this.wrapped.statementCount;
+    }
+    get json() {
+        return this.wrapped.json;
+    }
+    addStatements(...statements) {
+        for (const st of statements) {
+            this.wrapped.addStatements(this.mutator(st));
+        }
+    }
+    validateForAnyPolicy() {
+        return this.wrapped.validateForAnyPolicy();
+    }
+    validateForIdentityPolicy() {
+        return this.wrapped.validateForIdentityPolicy();
+    }
+    validateForResourcePolicy() {
+        return this.wrapped.validateForResourcePolicy();
+    }
+    toDocumentJson() {
+        return this.wrapped.toDocumentJson();
+    }
+}
+exports.MutatingPolicyDocumentAdapter = MutatingPolicyDocumentAdapter;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWRhcHRlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hd3MvaWFtL3ByaXZhdGUvYWRhcHRlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSx1REFBdUQ7QUFJdkQ7O0dBRUc7QUFDSCxNQUFhLDZCQUNYLFNBQVEsZ0NBQWdCO0lBR3hCLFlBQ21CLE9BQXdCLEVBQ3hCLE9BQWdEO1FBRWpFLElBQUksT0FBTyxDQUFDLElBQUksQ0FBQyxLQUFLLEtBQUssU0FBUyxFQUFFLENBQUM7WUFDckMsTUFBTSxJQUFJLEtBQUssQ0FBQyw4Q0FBOEMsQ0FBQyxDQUFDO1FBQ2xFLENBQUM7UUFDRCxLQUFLLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxLQUFLLEVBQUUsV0FBVyxPQUFPLENBQUMsSUFBSSxDQUFDLEVBQUUsRUFBRSxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBTjNDLFlBQU8sR0FBUCxPQUFPLENBQWlCO1FBQ3hCLFlBQU8sR0FBUCxPQUFPLENBQXlDO0lBTW5FLENBQUM7SUFDRCxJQUFXLHFCQUFxQjtRQUM5QixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMscUJBQXFCLENBQUM7SUFDNUMsQ0FBQztJQUNELElBQVcsT0FBTztRQUNoQixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDO0lBQzlCLENBQUM7SUFDRCxJQUFXLE9BQU87UUFDaEIsT0FBTyxJQUFJLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQztJQUM5QixDQUFDO0lBQ0QsSUFBVyxjQUFjO1FBQ3ZCLE9BQU8sSUFBSSxDQUFDLE9BQU8sQ0FBQyxjQUFjLENBQUM7SUFDckMsQ0FBQztJQUNELElBQVcsSUFBSTtRQUNiLE9BQU8sSUFBSSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUM7SUFDM0IsQ0FBQztJQUNNLGFBQWEsQ0FBQyxHQUFHLFVBQTZCO1FBQ25ELEtBQUssTUFBTSxFQUFFLElBQUksVUFBVSxFQUFFLENBQUM7WUFDNUIsSUFBSSxDQUFDLE9BQU8sQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO1FBQy9DLENBQUM7SUFDSCxDQUFDO0lBQ00sb0JBQW9CO1FBQ3pCLE9BQU8sSUFBSSxDQUFDLE9BQU8sQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO0lBQzdDLENBQUM7SUFDTSx5QkFBeUI7UUFDOUIsT0FBTyxJQUFJLENBQUMsT0FBTyxDQUFDLHlCQUF5QixFQUFFLENBQUM7SUFDbEQsQ0FBQztJQUNNLHlCQUF5QjtRQUM5QixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMseUJBQXlCLEVBQUUsQ0FBQztJQUNsRCxDQUFDO0lBQ00sY0FBYztRQUNuQixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsY0FBYyxFQUFFLENBQUM7SUFDdkMsQ0FBQztDQUNGO0FBN0NELHNFQTZDQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IEF3c0NvbnN0cnVjdEJhc2UgfSBmcm9tIFwiLi4vLi4vYXdzLWNvbnN0cnVjdFwiO1xuaW1wb3J0IHsgSVBvbGljeURvY3VtZW50LCBQb2xpY3lEb2N1bWVudE91dHB1dHMgfSBmcm9tIFwiLi4vcG9saWN5LWRvY3VtZW50XCI7XG5pbXBvcnQgeyBQb2xpY3lTdGF0ZW1lbnQgfSBmcm9tIFwiLi4vcG9saWN5LXN0YXRlbWVudFwiO1xuXG4vKipcbiAqIEEgUG9saWN5RG9jdW1lbnQgYWRhcHRlciB0aGF0IGNhbiBtb2RpZnkgc3RhdGVtZW50cyBmbG93aW5nIHRocm91Z2ggaXRcbiAqL1xuZXhwb3J0IGNsYXNzIE11dGF0aW5nUG9saWN5RG9jdW1lbnRBZGFwdGVyXG4gIGV4dGVuZHMgQXdzQ29uc3RydWN0QmFzZVxuICBpbXBsZW1lbnRzIElQb2xpY3lEb2N1bWVudFxue1xuICBjb25zdHJ1Y3RvcihcbiAgICBwcml2YXRlIHJlYWRvbmx5IHdyYXBwZWQ6IElQb2xpY3lEb2N1bWVudCxcbiAgICBwcml2YXRlIHJlYWRvbmx5IG11dGF0b3I6IChzOiBQb2xpY3lTdGF0ZW1lbnQpID0+IFBvbGljeVN0YXRlbWVudCxcbiAgKSB7XG4gICAgaWYgKHdyYXBwZWQubm9kZS5zY29wZSA9PT0gdW5kZWZpbmVkKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoXCJUaGUgd3JhcHBlZCBQb2xpY3lEb2N1bWVudCBtdXN0IGhhdmUgYSBzY29wZVwiKTtcbiAgICB9XG4gICAgc3VwZXIod3JhcHBlZC5ub2RlLnNjb3BlLCBgTXV0YXRpbmcke3dyYXBwZWQubm9kZS5pZH1gLCB7fSk7XG4gIH1cbiAgcHVibGljIGdldCBwb2xpY3lEb2N1bWVudE91dHB1dHMoKTogUG9saWN5RG9jdW1lbnRPdXRwdXRzIHtcbiAgICByZXR1cm4gdGhpcy53cmFwcGVkLnBvbGljeURvY3VtZW50T3V0cHV0cztcbiAgfVxuICBwdWJsaWMgZ2V0IGlzRW1wdHkoKTogYm9vbGVhbiB7XG4gICAgcmV0dXJuIHRoaXMud3JhcHBlZC5pc0VtcHR5O1xuICB9XG4gIHB1YmxpYyBnZXQgb3V0cHV0cygpIHtcbiAgICByZXR1cm4gdGhpcy53cmFwcGVkLm91dHB1dHM7XG4gIH1cbiAgcHVibGljIGdldCBzdGF0ZW1lbnRDb3VudCgpOiBudW1iZXIge1xuICAgIHJldHVybiB0aGlzLndyYXBwZWQuc3RhdGVtZW50Q291bnQ7XG4gIH1cbiAgcHVibGljIGdldCBqc29uKCk6IHN0cmluZyB7XG4gICAgcmV0dXJuIHRoaXMud3JhcHBlZC5qc29uO1xuICB9XG4gIHB1YmxpYyBhZGRTdGF0ZW1lbnRzKC4uLnN0YXRlbWVudHM6IFBvbGljeVN0YXRlbWVudFtdKTogdm9pZCB7XG4gICAgZm9yIChjb25zdCBzdCBvZiBzdGF0ZW1lbnRzKSB7XG4gICAgICB0aGlzLndyYXBwZWQuYWRkU3RhdGVtZW50cyh0aGlzLm11dGF0b3Ioc3QpKTtcbiAgICB9XG4gIH1cbiAgcHVibGljIHZhbGlkYXRlRm9yQW55UG9saWN5KCk6IHN0cmluZ1tdIHtcbiAgICByZXR1cm4gdGhpcy53cmFwcGVkLnZhbGlkYXRlRm9yQW55UG9saWN5KCk7XG4gIH1cbiAgcHVibGljIHZhbGlkYXRlRm9ySWRlbnRpdHlQb2xpY3koKTogc3RyaW5nW10ge1xuICAgIHJldHVybiB0aGlzLndyYXBwZWQudmFsaWRhdGVGb3JJZGVudGl0eVBvbGljeSgpO1xuICB9XG4gIHB1YmxpYyB2YWxpZGF0ZUZvclJlc291cmNlUG9saWN5KCk6IHN0cmluZ1tdIHtcbiAgICByZXR1cm4gdGhpcy53cmFwcGVkLnZhbGlkYXRlRm9yUmVzb3VyY2VQb2xpY3koKTtcbiAgfVxuICBwdWJsaWMgdG9Eb2N1bWVudEpzb24oKTogYW55IHtcbiAgICByZXR1cm4gdGhpcy53cmFwcGVkLnRvRG9jdW1lbnRKc29uKCk7XG4gIH1cbn1cbiJdfQ==

package/lib/aws/iam/private/assume-role-policy.d.ts

@@ -0,0 +1,8 @@
+import { IPolicyDocument } from "../policy-document";
+import { IPrincipal } from "../principals";
+/**
+ * Add a principal to an AssumeRolePolicyDocument in the right way
+ *
+ * Delegate to the principal if it can do the job itself, do a default job if it can't.
+ */
+export declare function defaultAddPrincipalToAssumeRole(principal: IPrincipal, doc: IPolicyDocument): void;

package/lib/aws/iam/private/assume-role-policy.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultAddPrincipalToAssumeRole = void 0;
+const policy_statement_1 = require("../policy-statement");
+/**
+ * Add a principal to an AssumeRolePolicyDocument in the right way
+ *
+ * Delegate to the principal if it can do the job itself, do a default job if it can't.
+ */
+function defaultAddPrincipalToAssumeRole(principal, doc) {
+    if (isAssumeRolePrincipal(principal)) {
+        // Principal knows how to add itself
+        principal.addToAssumeRolePolicy(doc);
+    }
+    else {
+        // Principal can't add itself, we do it for them
+        doc.addStatements(new policy_statement_1.PolicyStatement({
+            actions: [principal.assumeRoleAction],
+            principals: [principal],
+        }));
+    }
+}
+exports.defaultAddPrincipalToAssumeRole = defaultAddPrincipalToAssumeRole;
+function isAssumeRolePrincipal(principal) {
+    return !!principal.addToAssumeRolePolicy;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXNzdW1lLXJvbGUtcG9saWN5LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2F3cy9pYW0vcHJpdmF0ZS9hc3N1bWUtcm9sZS1wb2xpY3kudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQ0EsMERBQXNEO0FBR3REOzs7O0dBSUc7QUFDSCxTQUFnQiwrQkFBK0IsQ0FDN0MsU0FBcUIsRUFDckIsR0FBb0I7SUFFcEIsSUFBSSxxQkFBcUIsQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDO1FBQ3JDLG9DQUFvQztRQUNwQyxTQUFTLENBQUMscUJBQXFCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDdkMsQ0FBQztTQUFNLENBQUM7UUFDTixnREFBZ0Q7UUFDaEQsR0FBRyxDQUFDLGFBQWEsQ0FDZixJQUFJLGtDQUFlLENBQUM7WUFDbEIsT0FBTyxFQUFFLENBQUMsU0FBUyxDQUFDLGdCQUFnQixDQUFDO1lBQ3JDLFVBQVUsRUFBRSxDQUFDLFNBQVMsQ0FBQztTQUN4QixDQUFDLENBQ0gsQ0FBQztJQUNKLENBQUM7QUFDSCxDQUFDO0FBaEJELDBFQWdCQztBQUVELFNBQVMscUJBQXFCLENBQzVCLFNBQXFCO0lBRXJCLE9BQU8sQ0FBQyxDQUFFLFNBQWtDLENBQUMscUJBQXFCLENBQUM7QUFDckUsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IElQb2xpY3lEb2N1bWVudCB9IGZyb20gXCIuLi9wb2xpY3ktZG9jdW1lbnRcIjtcbmltcG9ydCB7IFBvbGljeVN0YXRlbWVudCB9IGZyb20gXCIuLi9wb2xpY3ktc3RhdGVtZW50XCI7XG5pbXBvcnQgeyBJUHJpbmNpcGFsLCBJQXNzdW1lUm9sZVByaW5jaXBhbCB9IGZyb20gXCIuLi9wcmluY2lwYWxzXCI7XG5cbi8qKlxuICogQWRkIGEgcHJpbmNpcGFsIHRvIGFuIEFzc3VtZVJvbGVQb2xpY3lEb2N1bWVudCBpbiB0aGUgcmlnaHQgd2F5XG4gKlxuICogRGVsZWdhdGUgdG8gdGhlIHByaW5jaXBhbCBpZiBpdCBjYW4gZG8gdGhlIGpvYiBpdHNlbGYsIGRvIGEgZGVmYXVsdCBqb2IgaWYgaXQgY2FuJ3QuXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBkZWZhdWx0QWRkUHJpbmNpcGFsVG9Bc3N1bWVSb2xlKFxuICBwcmluY2lwYWw6IElQcmluY2lwYWwsXG4gIGRvYzogSVBvbGljeURvY3VtZW50LFxuKSB7XG4gIGlmIChpc0Fzc3VtZVJvbGVQcmluY2lwYWwocHJpbmNpcGFsKSkge1xuICAgIC8vIFByaW5jaXBhbCBrbm93cyBob3cgdG8gYWRkIGl0c2VsZlxuICAgIHByaW5jaXBhbC5hZGRUb0Fzc3VtZVJvbGVQb2xpY3koZG9jKTtcbiAgfSBlbHNlIHtcbiAgICAvLyBQcmluY2lwYWwgY2FuJ3QgYWRkIGl0c2VsZiwgd2UgZG8gaXQgZm9yIHRoZW1cbiAgICBkb2MuYWRkU3RhdGVtZW50cyhcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBhY3Rpb25zOiBbcHJpbmNpcGFsLmFzc3VtZVJvbGVBY3Rpb25dLFxuICAgICAgICBwcmluY2lwYWxzOiBbcHJpbmNpcGFsXSxcbiAgICAgIH0pLFxuICAgICk7XG4gIH1cbn1cblxuZnVuY3Rpb24gaXNBc3N1bWVSb2xlUHJpbmNpcGFsKFxuICBwcmluY2lwYWw6IElQcmluY2lwYWwsXG4pOiBwcmluY2lwYWwgaXMgSUFzc3VtZVJvbGVQcmluY2lwYWwge1xuICByZXR1cm4gISEocHJpbmNpcGFsIGFzIElBc3N1bWVSb2xlUHJpbmNpcGFsKS5hZGRUb0Fzc3VtZVJvbGVQb2xpY3k7XG59XG4iXX0=

package/lib/aws/iam/private/comparable-principal.d.ts

@@ -0,0 +1,6 @@
+import { IPrincipal } from "../principals";
+export declare function partitionPrincipals(xs: IPrincipal[]): PartitionResult;
+export interface PartitionResult {
+    readonly nonComparable: IPrincipal[];
+    readonly comparable: Record<string, IPrincipal>;
+}

package/lib/aws/iam/private/comparable-principal.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.partitionPrincipals = void 0;
+const principals_1 = require("../principals");
+function partitionPrincipals(xs) {
+    const nonComparable = [];
+    const comparable = {};
+    for (const x of xs) {
+        const dedupe = principals_1.ComparablePrincipal.dedupeStringFor(x);
+        if (dedupe) {
+            comparable[dedupe] = x;
+        }
+        else {
+            nonComparable.push(x);
+        }
+    }
+    return { comparable, nonComparable };
+}
+exports.partitionPrincipals = partitionPrincipals;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29tcGFyYWJsZS1wcmluY2lwYWwuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXdzL2lhbS9wcml2YXRlL2NvbXBhcmFibGUtcHJpbmNpcGFsLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLDhDQUFnRTtBQUVoRSxTQUFnQixtQkFBbUIsQ0FBQyxFQUFnQjtJQUNsRCxNQUFNLGFBQWEsR0FBaUIsRUFBRSxDQUFDO0lBQ3ZDLE1BQU0sVUFBVSxHQUErQixFQUFFLENBQUM7SUFFbEQsS0FBSyxNQUFNLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQztRQUNuQixNQUFNLE1BQU0sR0FBRyxnQ0FBbUIsQ0FBQyxlQUFlLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDdEQsSUFBSSxNQUFNLEVBQUUsQ0FBQztZQUNYLFVBQVUsQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDekIsQ0FBQzthQUFNLENBQUM7WUFDTixhQUFhLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3hCLENBQUM7SUFDSCxDQUFDO0lBRUQsT0FBTyxFQUFFLFVBQVUsRUFBRSxhQUFhLEVBQUUsQ0FBQztBQUN2QyxDQUFDO0FBZEQsa0RBY0MiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBJUHJpbmNpcGFsLCBDb21wYXJhYmxlUHJpbmNpcGFsIH0gZnJvbSBcIi4uL3ByaW5jaXBhbHNcIjtcblxuZXhwb3J0IGZ1bmN0aW9uIHBhcnRpdGlvblByaW5jaXBhbHMoeHM6IElQcmluY2lwYWxbXSk6IFBhcnRpdGlvblJlc3VsdCB7XG4gIGNvbnN0IG5vbkNvbXBhcmFibGU6IElQcmluY2lwYWxbXSA9IFtdO1xuICBjb25zdCBjb21wYXJhYmxlOiBSZWNvcmQ8c3RyaW5nLCBJUHJpbmNpcGFsPiA9IHt9O1xuXG4gIGZvciAoY29uc3QgeCBvZiB4cykge1xuICAgIGNvbnN0IGRlZHVwZSA9IENvbXBhcmFibGVQcmluY2lwYWwuZGVkdXBlU3RyaW5nRm9yKHgpO1xuICAgIGlmIChkZWR1cGUpIHtcbiAgICAgIGNvbXBhcmFibGVbZGVkdXBlXSA9IHg7XG4gICAgfSBlbHNlIHtcbiAgICAgIG5vbkNvbXBhcmFibGUucHVzaCh4KTtcbiAgICB9XG4gIH1cblxuICByZXR1cm4geyBjb21wYXJhYmxlLCBub25Db21wYXJhYmxlIH07XG59XG5cbmV4cG9ydCBpbnRlcmZhY2UgUGFydGl0aW9uUmVzdWx0IHtcbiAgcmVhZG9ubHkgbm9uQ29tcGFyYWJsZTogSVByaW5jaXBhbFtdO1xuICByZWFkb25seSBjb21wYXJhYmxlOiBSZWNvcmQ8c3RyaW5nLCBJUHJpbmNpcGFsPjtcbn1cbiJdfQ==

package/lib/aws/iam/private/immutable-role.d.ts

@@ -0,0 +1,43 @@
+import { Construct } from "constructs";
+import { AwsConstructBase, AwsStack } from "../..";
+import { Grant } from "../grant";
+import { IManagedPolicy } from "../managed-policy";
+import { Policy } from "../policy";
+import { PolicyStatement } from "../policy-statement";
+import { AddToPrincipalPolicyResult, IPrincipal, PrincipalPolicyFragment } from "../principals";
+import { IRole, RoleOutputs } from "../role";
+/**
+ * An immutable wrapper around an IRole
+ *
+ * This wrapper ignores all mutating operations, like attaching policies or
+ * adding policy statements.
+ *
+ * Useful in cases where you want to turn off CDK's automatic permissions
+ * management, and instead have full control over all permissions.
+ *
+ * Note: if you want to ignore all mutations for an externally defined role
+ * which was imported into the CDK with `Role.fromRoleArn`, you don't have to use this class -
+ * simply pass the property mutable = false when calling `Role.fromRoleArn`.
+ */
+export declare class ImmutableRole extends AwsConstructBase implements IRole {
+    private readonly addGrantsToResources;
+    readonly assumeRoleAction: string;
+    readonly policyFragment: PrincipalPolicyFragment;
+    readonly grantPrincipal: this;
+    readonly principalAccount: string | undefined;
+    readonly roleArn: string;
+    readonly roleName: string;
+    readonly stack: AwsStack;
+    private readonly _roleOutputs;
+    get roleOutputs(): RoleOutputs;
+    get outputs(): RoleOutputs;
+    private readonly role;
+    constructor(scope: Construct, id: string, role: IRole, addGrantsToResources: boolean);
+    attachInlinePolicy(_policy: Policy): void;
+    addManagedPolicy(_policy: IManagedPolicy): void;
+    addToPolicy(statement: PolicyStatement): boolean;
+    addToPrincipalPolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult;
+    grant(grantee: IPrincipal, ...actions: string[]): Grant;
+    grantPassRole(grantee: IPrincipal): Grant;
+    grantAssumeRole(identity: IPrincipal): Grant;
+}

package/lib/aws/iam/private/immutable-role.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ImmutableRole = void 0;
+const constructs_1 = require("constructs");
+const __1 = require("../..");
+/**
+ * An immutable wrapper around an IRole
+ *
+ * This wrapper ignores all mutating operations, like attaching policies or
+ * adding policy statements.
+ *
+ * Useful in cases where you want to turn off CDK's automatic permissions
+ * management, and instead have full control over all permissions.
+ *
+ * Note: if you want to ignore all mutations for an externally defined role
+ * which was imported into the CDK with `Role.fromRoleArn`, you don't have to use this class -
+ * simply pass the property mutable = false when calling `Role.fromRoleArn`.
+ */
+class ImmutableRole extends __1.AwsConstructBase {
+    get roleOutputs() {
+        return this._roleOutputs;
+    }
+    get outputs() {
+        return this.roleOutputs;
+    }
+    constructor(scope, id, role, addGrantsToResources) {
+        super(scope, id, {
+            account: role.env.account,
+            region: role.env.region,
+        });
+        this.addGrantsToResources = addGrantsToResources;
+        this.grantPrincipal = this;
+        this.role = role;
+        this.assumeRoleAction = role.assumeRoleAction;
+        this.policyFragment = this.role.policyFragment;
+        this.principalAccount = this.role.principalAccount;
+        this.roleArn = this.role.roleArn;
+        this.roleName = this.role.roleName;
+        this.stack = this.role.stack;
+        // implement IDependable privately
+        constructs_1.Dependable.implement(this, {
+            dependencyRoots: [role],
+        });
+        this.node.defaultChild = role.node.defaultChild;
+        this._roleOutputs = this.role.roleOutputs;
+    }
+    attachInlinePolicy(_policy) {
+        // do nothing
+    }
+    addManagedPolicy(_policy) {
+        // do nothing
+    }
+    addToPolicy(statement) {
+        return this.addToPrincipalPolicy(statement).statementAdded;
+    }
+    addToPrincipalPolicy(_statement) {
+        // If we return `false`, the grants will try to add the statement to the resource
+        // (if possible).
+        const pretendSuccess = !this.addGrantsToResources;
+        return {
+            statementAdded: pretendSuccess,
+            policyDependable: this.role,
+        };
+    }
+    grant(grantee, ...actions) {
+        return this.role.grant(grantee, ...actions);
+    }
+    grantPassRole(grantee) {
+        return this.role.grantPassRole(grantee);
+    }
+    grantAssumeRole(identity) {
+        return this.role.grantAssumeRole(identity);
+    }
+}
+exports.ImmutableRole = ImmutableRole;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW1tdXRhYmxlLXJvbGUuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXdzL2lhbS9wcml2YXRlL2ltbXV0YWJsZS1yb2xlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLDJDQUFtRDtBQUNuRCw2QkFBbUQ7QUFZbkQ7Ozs7Ozs7Ozs7OztHQVlHO0FBQ0gsTUFBYSxhQUFjLFNBQVEsb0JBQWdCO0lBVWpELElBQVcsV0FBVztRQUNwQixPQUFPLElBQUksQ0FBQyxZQUFZLENBQUM7SUFDM0IsQ0FBQztJQUNELElBQVcsT0FBTztRQUNoQixPQUFPLElBQUksQ0FBQyxXQUFXLENBQUM7SUFDMUIsQ0FBQztJQUlELFlBQ0UsS0FBZ0IsRUFDaEIsRUFBVSxFQUNWLElBQVcsRUFDTSxvQkFBNkI7UUFFOUMsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLEVBQUU7WUFDZixPQUFPLEVBQUUsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPO1lBQ3pCLE1BQU0sRUFBRSxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU07U0FDeEIsQ0FBQyxDQUFDO1FBTGMseUJBQW9CLEdBQXBCLG9CQUFvQixDQUFTO1FBcEJoQyxtQkFBYyxHQUFHLElBQUksQ0FBQztRQTBCcEMsSUFBSSxDQUFDLElBQUksR0FBRyxJQUFJLENBQUM7UUFDakIsSUFBSSxDQUFDLGdCQUFnQixHQUFHLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQztRQUM5QyxJQUFJLENBQUMsY0FBYyxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsY0FBYyxDQUFDO1FBQy9DLElBQUksQ0FBQyxnQkFBZ0IsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDO1FBQ25ELElBQUksQ0FBQyxPQUFPLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUM7UUFDakMsSUFBSSxDQUFDLFFBQVEsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQztRQUNuQyxJQUFJLENBQUMsS0FBSyxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDO1FBQzdCLGtDQUFrQztRQUNsQyx1QkFBVSxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUU7WUFDekIsZUFBZSxFQUFFLENBQUMsSUFBSSxDQUFDO1NBQ3hCLENBQUMsQ0FBQztRQUNILElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDO1FBQ2hELElBQUksQ0FBQyxZQUFZLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUM7SUFDNUMsQ0FBQztJQUVNLGtCQUFrQixDQUFDLE9BQWU7UUFDdkMsYUFBYTtJQUNmLENBQUM7SUFFTSxnQkFBZ0IsQ0FBQyxPQUF1QjtRQUM3QyxhQUFhO0lBQ2YsQ0FBQztJQUVNLFdBQVcsQ0FBQyxTQUEwQjtRQUMzQyxPQUFPLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxTQUFTLENBQUMsQ0FBQyxjQUFjLENBQUM7SUFDN0QsQ0FBQztJQUVNLG9CQUFvQixDQUN6QixVQUEyQjtRQUUzQixpRkFBaUY7UUFDakYsaUJBQWlCO1FBQ2pCLE1BQU0sY0FBYyxHQUFHLENBQUMsSUFBSSxDQUFDLG9CQUFvQixDQUFDO1FBQ2xELE9BQU87WUFDTCxjQUFjLEVBQUUsY0FBYztZQUM5QixnQkFBZ0IsRUFBRSxJQUFJLENBQUMsSUFBSTtTQUM1QixDQUFDO0lBQ0osQ0FBQztJQUVNLEtBQUssQ0FBQyxPQUFtQixFQUFFLEdBQUcsT0FBaUI7UUFDcEQsT0FBTyxJQUFJLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLEVBQUUsR0FBRyxPQUFPLENBQUMsQ0FBQztJQUM5QyxDQUFDO0lBRU0sYUFBYSxDQUFDLE9BQW1CO1FBQ3RDLE9BQU8sSUFBSSxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsT0FBTyxDQUFDLENBQUM7SUFDMUMsQ0FBQztJQUVNLGVBQWUsQ0FBQyxRQUFvQjtRQUN6QyxPQUFPLElBQUksQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLFFBQVEsQ0FBQyxDQUFDO0lBQzdDLENBQUM7Q0FDRjtBQS9FRCxzQ0ErRUMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBDb25zdHJ1Y3QsIERlcGVuZGFibGUgfSBmcm9tIFwiY29uc3RydWN0c1wiO1xuaW1wb3J0IHsgQXdzQ29uc3RydWN0QmFzZSwgQXdzU3RhY2sgfSBmcm9tIFwiLi4vLi5cIjtcbmltcG9ydCB7IEdyYW50IH0gZnJvbSBcIi4uL2dyYW50XCI7XG5pbXBvcnQgeyBJTWFuYWdlZFBvbGljeSB9IGZyb20gXCIuLi9tYW5hZ2VkLXBvbGljeVwiO1xuaW1wb3J0IHsgUG9saWN5IH0gZnJvbSBcIi4uL3BvbGljeVwiO1xuaW1wb3J0IHsgUG9saWN5U3RhdGVtZW50IH0gZnJvbSBcIi4uL3BvbGljeS1zdGF0ZW1lbnRcIjtcbmltcG9ydCB7XG4gIEFkZFRvUHJpbmNpcGFsUG9saWN5UmVzdWx0LFxuICBJUHJpbmNpcGFsLFxuICBQcmluY2lwYWxQb2xpY3lGcmFnbWVudCxcbn0gZnJvbSBcIi4uL3ByaW5jaXBhbHNcIjtcbmltcG9ydCB7IElSb2xlLCBSb2xlT3V0cHV0cyB9IGZyb20gXCIuLi9yb2xlXCI7XG5cbi8qKlxuICogQW4gaW1tdXRhYmxlIHdyYXBwZXIgYXJvdW5kIGFuIElSb2xlXG4gKlxuICogVGhpcyB3cmFwcGVyIGlnbm9yZXMgYWxsIG11dGF0aW5nIG9wZXJhdGlvbnMsIGxpa2UgYXR0YWNoaW5nIHBvbGljaWVzIG9yXG4gKiBhZGRpbmcgcG9saWN5IHN0YXRlbWVudHMuXG4gKlxuICogVXNlZnVsIGluIGNhc2VzIHdoZXJlIHlvdSB3YW50IHRvIHR1cm4gb2ZmIENESydzIGF1dG9tYXRpYyBwZXJtaXNzaW9uc1xuICogbWFuYWdlbWVudCwgYW5kIGluc3RlYWQgaGF2ZSBmdWxsIGNvbnRyb2wgb3ZlciBhbGwgcGVybWlzc2lvbnMuXG4gKlxuICogTm90ZTogaWYgeW91IHdhbnQgdG8gaWdub3JlIGFsbCBtdXRhdGlvbnMgZm9yIGFuIGV4dGVybmFsbHkgZGVmaW5lZCByb2xlXG4gKiB3aGljaCB3YXMgaW1wb3J0ZWQgaW50byB0aGUgQ0RLIHdpdGggYFJvbGUuZnJvbVJvbGVBcm5gLCB5b3UgZG9uJ3QgaGF2ZSB0byB1c2UgdGhpcyBjbGFzcyAtXG4gKiBzaW1wbHkgcGFzcyB0aGUgcHJvcGVydHkgbXV0YWJsZSA9IGZhbHNlIHdoZW4gY2FsbGluZyBgUm9sZS5mcm9tUm9sZUFybmAuXG4gKi9cbmV4cG9ydCBjbGFzcyBJbW11dGFibGVSb2xlIGV4dGVuZHMgQXdzQ29uc3RydWN0QmFzZSBpbXBsZW1lbnRzIElSb2xlIHtcbiAgcHVibGljIHJlYWRvbmx5IGFzc3VtZVJvbGVBY3Rpb246IHN0cmluZztcbiAgcHVibGljIHJlYWRvbmx5IHBvbGljeUZyYWdtZW50OiBQcmluY2lwYWxQb2xpY3lGcmFnbWVudDtcbiAgcHVibGljIHJlYWRvbmx5IGdyYW50UHJpbmNpcGFsID0gdGhpcztcbiAgcHVibGljIHJlYWRvbmx5IHByaW5jaXBhbEFjY291bnQ6IHN0cmluZyB8IHVuZGVmaW5lZDtcbiAgcHVibGljIHJlYWRvbmx5IHJvbGVBcm46IHN0cmluZztcbiAgcHVibGljIHJlYWRvbmx5IHJvbGVOYW1lOiBzdHJpbmc7XG4gIHB1YmxpYyByZWFkb25seSBzdGFjazogQXdzU3RhY2s7XG5cbiAgcHJpdmF0ZSByZWFkb25seSBfcm9sZU91dHB1dHM6IFJvbGVPdXRwdXRzO1xuICBwdWJsaWMgZ2V0IHJvbGVPdXRwdXRzKCk6IFJvbGVPdXRwdXRzIHtcbiAgICByZXR1cm4gdGhpcy5fcm9sZU91dHB1dHM7XG4gIH1cbiAgcHVibGljIGdldCBvdXRwdXRzKCkge1xuICAgIHJldHVybiB0aGlzLnJvbGVPdXRwdXRzO1xuICB9XG5cbiAgcHJpdmF0ZSByZWFkb25seSByb2xlOiBJUm9sZTtcblxuICBjb25zdHJ1Y3RvcihcbiAgICBzY29wZTogQ29uc3RydWN0LFxuICAgIGlkOiBzdHJpbmcsXG4gICAgcm9sZTogSVJvbGUsXG4gICAgcHJpdmF0ZSByZWFkb25seSBhZGRHcmFudHNUb1Jlc291cmNlczogYm9vbGVhbixcbiAgKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkLCB7XG4gICAgICBhY2NvdW50OiByb2xlLmVudi5hY2NvdW50LFxuICAgICAgcmVnaW9uOiByb2xlLmVudi5yZWdpb24sXG4gICAgfSk7XG4gICAgdGhpcy5yb2xlID0gcm9sZTtcbiAgICB0aGlzLmFzc3VtZVJvbGVBY3Rpb24gPSByb2xlLmFzc3VtZVJvbGVBY3Rpb247XG4gICAgdGhpcy5wb2xpY3lGcmFnbWVudCA9IHRoaXMucm9sZS5wb2xpY3lGcmFnbWVudDtcbiAgICB0aGlzLnByaW5jaXBhbEFjY291bnQgPSB0aGlzLnJvbGUucHJpbmNpcGFsQWNjb3VudDtcbiAgICB0aGlzLnJvbGVBcm4gPSB0aGlzLnJvbGUucm9sZUFybjtcbiAgICB0aGlzLnJvbGVOYW1lID0gdGhpcy5yb2xlLnJvbGVOYW1lO1xuICAgIHRoaXMuc3RhY2sgPSB0aGlzLnJvbGUuc3RhY2s7XG4gICAgLy8gaW1wbGVtZW50IElEZXBlbmRhYmxlIHByaXZhdGVseVxuICAgIERlcGVuZGFibGUuaW1wbGVtZW50KHRoaXMsIHtcbiAgICAgIGRlcGVuZGVuY3lSb290czogW3JvbGVdLFxuICAgIH0pO1xuICAgIHRoaXMubm9kZS5kZWZhdWx0Q2hpbGQgPSByb2xlLm5vZGUuZGVmYXVsdENoaWxkO1xuICAgIHRoaXMuX3JvbGVPdXRwdXRzID0gdGhpcy5yb2xlLnJvbGVPdXRwdXRzO1xuICB9XG5cbiAgcHVibGljIGF0dGFjaElubGluZVBvbGljeShfcG9saWN5OiBQb2xpY3kpOiB2b2lkIHtcbiAgICAvLyBkbyBub3RoaW5nXG4gIH1cblxuICBwdWJsaWMgYWRkTWFuYWdlZFBvbGljeShfcG9saWN5OiBJTWFuYWdlZFBvbGljeSk6IHZvaWQge1xuICAgIC8vIGRvIG5vdGhpbmdcbiAgfVxuXG4gIHB1YmxpYyBhZGRUb1BvbGljeShzdGF0ZW1lbnQ6IFBvbGljeVN0YXRlbWVudCk6IGJvb2xlYW4ge1xuICAgIHJldHVybiB0aGlzLmFkZFRvUHJpbmNpcGFsUG9saWN5KHN0YXRlbWVudCkuc3RhdGVtZW50QWRkZWQ7XG4gIH1cblxuICBwdWJsaWMgYWRkVG9QcmluY2lwYWxQb2xpY3koXG4gICAgX3N0YXRlbWVudDogUG9saWN5U3RhdGVtZW50LFxuICApOiBBZGRUb1ByaW5jaXBhbFBvbGljeVJlc3VsdCB7XG4gICAgLy8gSWYgd2UgcmV0dXJuIGBmYWxzZWAsIHRoZSBncmFudHMgd2lsbCB0cnkgdG8gYWRkIHRoZSBzdGF0ZW1lbnQgdG8gdGhlIHJlc291cmNlXG4gICAgLy8gKGlmIHBvc3NpYmxlKS5cbiAgICBjb25zdCBwcmV0ZW5kU3VjY2VzcyA9ICF0aGlzLmFkZEdyYW50c1RvUmVzb3VyY2VzO1xuICAgIHJldHVybiB7XG4gICAgICBzdGF0ZW1lbnRBZGRlZDogcHJldGVuZFN1Y2Nlc3MsXG4gICAgICBwb2xpY3lEZXBlbmRhYmxlOiB0aGlzLnJvbGUsXG4gICAgfTtcbiAgfVxuXG4gIHB1YmxpYyBncmFudChncmFudGVlOiBJUHJpbmNpcGFsLCAuLi5hY3Rpb25zOiBzdHJpbmdbXSk6IEdyYW50IHtcbiAgICByZXR1cm4gdGhpcy5yb2xlLmdyYW50KGdyYW50ZWUsIC4uLmFjdGlvbnMpO1xuICB9XG5cbiAgcHVibGljIGdyYW50UGFzc1JvbGUoZ3JhbnRlZTogSVByaW5jaXBhbCk6IEdyYW50IHtcbiAgICByZXR1cm4gdGhpcy5yb2xlLmdyYW50UGFzc1JvbGUoZ3JhbnRlZSk7XG4gIH1cblxuICBwdWJsaWMgZ3JhbnRBc3N1bWVSb2xlKGlkZW50aXR5OiBJUHJpbmNpcGFsKTogR3JhbnQge1xuICAgIHJldHVybiB0aGlzLnJvbGUuZ3JhbnRBc3N1bWVSb2xlKGlkZW50aXR5KTtcbiAgfVxufVxuIl19

package/lib/aws/iam/private/imported-role.d.ts

@@ -0,0 +1,49 @@
+import { Construct } from "constructs";
+import { AwsConstructBase } from "../..";
+import { Grant } from "../grant";
+import { IManagedPolicy } from "../managed-policy";
+import { Policy, IPolicy } from "../policy";
+import { PolicyStatement } from "../policy-statement";
+import { IComparablePrincipal, IPrincipal, AddToPrincipalPolicyResult, PrincipalPolicyFragment } from "../principals";
+import { IRole, FromRoleArnOptions, RoleOutputs } from "../role";
+export interface ImportedRoleProps extends FromRoleArnOptions {
+    readonly roleArn: string;
+    readonly roleName: string;
+    readonly account?: string;
+}
+export declare class ImportedRole extends AwsConstructBase implements IRole, IComparablePrincipal {
+    readonly grantPrincipal: IPrincipal;
+    readonly principalAccount?: string;
+    readonly assumeRoleAction: string;
+    readonly policyFragment: PrincipalPolicyFragment;
+    readonly roleArn: string;
+    readonly roleName: string;
+    private readonly attachedPolicies;
+    private readonly defaultPolicyName?;
+    private defaultPolicy?;
+    private _roleOutputs;
+    get roleOutputs(): RoleOutputs;
+    get outputs(): RoleOutputs;
+    constructor(scope: Construct, id: string, props: ImportedRoleProps);
+    addToPolicy(statement: PolicyStatement): boolean;
+    addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult;
+    attachInlinePolicy(policy: Policy): void;
+    addManagedPolicy(policy: IManagedPolicy): void;
+    grantPassRole(identity: IPrincipal): Grant;
+    grantAssumeRole(identity: IPrincipal): Grant;
+    grant(grantee: IPrincipal, ...actions: string[]): Grant;
+    dedupeString(): string | undefined;
+}
+/**
+ * Helper class that maintains the set of attached policies for a principal.
+ */
+export declare class AttachedPolicies {
+    private policies;
+    /**
+     * Adds a policy to the list of attached policies.
+     *
+     * If this policy is already, attached, returns false.
+     * If there is another policy attached with the same name, throws an exception.
+     */
+    attach(policy: IPolicy): void;
+}

package/lib/aws/iam/private/imported-role.js

@@ -0,0 +1,103 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AttachedPolicies = exports.ImportedRole = void 0;
+const cdktf_1 = require("cdktf");
+const __1 = require("../..");
+const token_1 = require("../../../token");
+const grant_1 = require("../grant");
+const policy_1 = require("../policy");
+const principals_1 = require("../principals");
+class ImportedRole extends __1.AwsConstructBase {
+    get roleOutputs() {
+        return this._roleOutputs;
+    }
+    get outputs() {
+        return this.roleOutputs;
+    }
+    constructor(scope, id, props) {
+        super(scope, id, {
+            account: props.account,
+        });
+        this.grantPrincipal = this;
+        this.assumeRoleAction = "sts:AssumeRole";
+        this.attachedPolicies = new AttachedPolicies();
+        this.roleArn = props.roleArn;
+        this.roleName = props.roleName;
+        this.policyFragment = new principals_1.ArnPrincipal(this.roleArn).policyFragment;
+        this.defaultPolicyName = props.defaultPolicyName;
+        this.principalAccount = props.account;
+        this._roleOutputs = {
+            name: this.roleName,
+            arn: this.roleArn,
+        };
+    }
+    addToPolicy(statement) {
+        return this.addToPrincipalPolicy(statement).statementAdded;
+    }
+    addToPrincipalPolicy(statement) {
+        if (!this.defaultPolicy) {
+            this.defaultPolicy = new policy_1.Policy(this, this.defaultPolicyName ?? "Policy", {
+                policyName: undefined, // let the policy name be auto-generated
+            });
+            this.attachInlinePolicy(this.defaultPolicy);
+        }
+        this.defaultPolicy.addStatements(statement);
+        return { statementAdded: true, policyDependable: this.defaultPolicy };
+    }
+    attachInlinePolicy(policy) {
+        const thisAndPolicyAccountComparison = (0, token_1.tokenCompareStrings)(this.env.account, policy.env.account);
+        const equalOrAnyUnresolved = thisAndPolicyAccountComparison === token_1.TokenComparison.SAME ||
+            thisAndPolicyAccountComparison === token_1.TokenComparison.BOTH_UNRESOLVED ||
+            thisAndPolicyAccountComparison === token_1.TokenComparison.ONE_UNRESOLVED;
+        if (equalOrAnyUnresolved) {
+            this.attachedPolicies.attach(policy);
+            policy.attachToRole(this);
+        }
+    }
+    addManagedPolicy(policy) {
+        cdktf_1.Annotations.of(this).addWarning(`Not adding managed policy: ${policy.managedPolicyArn} to imported role: ${this.roleName}`);
+    }
+    grantPassRole(identity) {
+        return this.grant(identity, "iam:PassRole");
+    }
+    grantAssumeRole(identity) {
+        return this.grant(identity, "sts:AssumeRole");
+    }
+    grant(grantee, ...actions) {
+        return grant_1.Grant.addToPrincipal({
+            grantee,
+            actions,
+            resourceArns: [this.roleArn],
+            scope: this,
+        });
+    }
+    dedupeString() {
+        return `ImportedRole:${this.roleArn}`;
+    }
+}
+exports.ImportedRole = ImportedRole;
+/**
+ * Helper class that maintains the set of attached policies for a principal.
+ */
+class AttachedPolicies {
+    constructor() {
+        this.policies = new Array();
+    }
+    /**
+     * Adds a policy to the list of attached policies.
+     *
+     * If this policy is already, attached, returns false.
+     * If there is another policy attached with the same name, throws an exception.
+     */
+    attach(policy) {
+        if (this.policies.find((p) => p === policy)) {
+            return; // already attached
+        }
+        if (this.policies.find((p) => p.policyName === policy.policyName)) {
+            throw new Error(`A policy named "${policy.policyName}" is already attached`);
+        }
+        this.policies.push(policy);
+    }
+}
+exports.AttachedPolicies = AttachedPolicies;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW1wb3J0ZWQtcm9sZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hd3MvaWFtL3ByaXZhdGUvaW1wb3J0ZWQtcm9sZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSxpQ0FBb0M7QUFFcEMsNkJBQXlDO0FBQ3pDLDBDQUFzRTtBQUN0RSxvQ0FBaUM7QUFFakMsc0NBQTRDO0FBRTVDLDhDQU11QjtBQVN2QixNQUFhLFlBQ1gsU0FBUSxvQkFBZ0I7SUFjeEIsSUFBVyxXQUFXO1FBQ3BCLE9BQU8sSUFBSSxDQUFDLFlBQVksQ0FBQztJQUMzQixDQUFDO0lBQ0QsSUFBVyxPQUFPO1FBQ2hCLE9BQU8sSUFBSSxDQUFDLFdBQVcsQ0FBQztJQUMxQixDQUFDO0lBRUQsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUF3QjtRQUNoRSxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsRUFBRTtZQUNmLE9BQU8sRUFBRSxLQUFLLENBQUMsT0FBTztTQUN2QixDQUFDLENBQUM7UUFyQlcsbUJBQWMsR0FBZSxJQUFJLENBQUM7UUFFbEMscUJBQWdCLEdBQVcsZ0JBQWdCLENBQUM7UUFJM0MscUJBQWdCLEdBQUcsSUFBSSxnQkFBZ0IsRUFBRSxDQUFDO1FBZ0J6RCxJQUFJLENBQUMsT0FBTyxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUM7UUFDN0IsSUFBSSxDQUFDLFFBQVEsR0FBRyxLQUFLLENBQUMsUUFBUSxDQUFDO1FBQy9CLElBQUksQ0FBQyxjQUFjLEdBQUcsSUFBSSx5QkFBWSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsQ0FBQyxjQUFjLENBQUM7UUFDcEUsSUFBSSxDQUFDLGlCQUFpQixHQUFHLEtBQUssQ0FBQyxpQkFBaUIsQ0FBQztRQUNqRCxJQUFJLENBQUMsZ0JBQWdCLEdBQUcsS0FBSyxDQUFDLE9BQU8sQ0FBQztRQUN0QyxJQUFJLENBQUMsWUFBWSxHQUFHO1lBQ2xCLElBQUksRUFBRSxJQUFJLENBQUMsUUFBUTtZQUNuQixHQUFHLEVBQUUsSUFBSSxDQUFDLE9BQU87U0FDbEIsQ0FBQztJQUNKLENBQUM7SUFFTSxXQUFXLENBQUMsU0FBMEI7UUFDM0MsT0FBTyxJQUFJLENBQUMsb0JBQW9CLENBQUMsU0FBUyxDQUFDLENBQUMsY0FBYyxDQUFDO0lBQzdELENBQUM7SUFFTSxvQkFBb0IsQ0FDekIsU0FBMEI7UUFFMUIsSUFBSSxDQUFDLElBQUksQ0FBQyxhQUFhLEVBQUUsQ0FBQztZQUN4QixJQUFJLENBQUMsYUFBYSxHQUFHLElBQUksZUFBTSxDQUM3QixJQUFJLEVBQ0osSUFBSSxDQUFDLGlCQUFpQixJQUFJLFFBQVEsRUFDbEM7Z0JBQ0UsVUFBVSxFQUFFLFNBQVMsRUFBRSx3Q0FBd0M7YUFDaEUsQ0FDRixDQUFDO1lBQ0YsSUFBSSxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsQ0FBQztRQUM5QyxDQUFDO1FBQ0QsSUFBSSxDQUFDLGFBQWEsQ0FBQyxhQUFhLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDNUMsT0FBTyxFQUFFLGNBQWMsRUFBRSxJQUFJLEVBQUUsZ0JBQWdCLEVBQUUsSUFBSSxDQUFDLGFBQWEsRUFBRSxDQUFDO0lBQ3hFLENBQUM7SUFFTSxrQkFBa0IsQ0FBQyxNQUFjO1FBQ3RDLE1BQU0sOEJBQThCLEdBQUcsSUFBQSwyQkFBbUIsRUFDeEQsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQ2hCLE1BQU0sQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUNuQixDQUFDO1FBQ0YsTUFBTSxvQkFBb0IsR0FDeEIsOEJBQThCLEtBQUssdUJBQWUsQ0FBQyxJQUFJO1lBQ3ZELDhCQUE4QixLQUFLLHVCQUFlLENBQUMsZUFBZTtZQUNsRSw4QkFBOEIsS0FBSyx1QkFBZSxDQUFDLGNBQWMsQ0FBQztRQUNwRSxJQUFJLG9CQUFvQixFQUFFLENBQUM7WUFDekIsSUFBSSxDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUNyQyxNQUFNLENBQUMsWUFBWSxDQUFDLElBQUksQ0FBQyxDQUFDO1FBQzVCLENBQUM7SUFDSCxDQUFDO0lBRU0sZ0JBQWdCLENBQUMsTUFBc0I7UUFDNUMsbUJBQVcsQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsVUFBVSxDQUM3Qiw4QkFBOEIsTUFBTSxDQUFDLGdCQUFnQixzQkFBc0IsSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUMzRixDQUFDO0lBQ0osQ0FBQztJQUVNLGFBQWEsQ0FBQyxRQUFvQjtRQUN2QyxPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsUUFBUSxFQUFFLGNBQWMsQ0FBQyxDQUFDO0lBQzlDLENBQUM7SUFFTSxlQUFlLENBQUMsUUFBb0I7UUFDekMsT0FBTyxJQUFJLENBQUMsS0FBSyxDQUFDLFFBQVEsRUFBRSxnQkFBZ0IsQ0FBQyxDQUFDO0lBQ2hELENBQUM7SUFFTSxLQUFLLENBQUMsT0FBbUIsRUFBRSxHQUFHLE9BQWlCO1FBQ3BELE9BQU8sYUFBSyxDQUFDLGNBQWMsQ0FBQztZQUMxQixPQUFPO1lBQ1AsT0FBTztZQUNQLFlBQVksRUFBRSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUM7WUFDNUIsS0FBSyxFQUFFLElBQUk7U0FDWixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRU0sWUFBWTtRQUNqQixPQUFPLGdCQUFnQixJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7SUFDeEMsQ0FBQztDQUNGO0FBbkdELG9DQW1HQztBQUVEOztHQUVHO0FBQ0gsTUFBYSxnQkFBZ0I7SUFBN0I7UUFDVSxhQUFRLEdBQUcsSUFBSSxLQUFLLEVBQVcsQ0FBQztJQXFCMUMsQ0FBQztJQW5CQzs7Ozs7T0FLRztJQUNJLE1BQU0sQ0FBQyxNQUFlO1FBQzNCLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsS0FBSyxNQUFNLENBQUMsRUFBRSxDQUFDO1lBQzVDLE9BQU8sQ0FBQyxtQkFBbUI7UUFDN0IsQ0FBQztRQUVELElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxVQUFVLEtBQUssTUFBTSxDQUFDLFVBQVUsQ0FBQyxFQUFFLENBQUM7WUFDbEUsTUFBTSxJQUFJLEtBQUssQ0FDYixtQkFBbUIsTUFBTSxDQUFDLFVBQVUsdUJBQXVCLENBQzVELENBQUM7UUFDSixDQUFDO1FBRUQsSUFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDN0IsQ0FBQztDQUNGO0FBdEJELDRDQXNCQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IEFubm90YXRpb25zIH0gZnJvbSBcImNka3RmXCI7XG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tIFwiY29uc3RydWN0c1wiO1xuaW1wb3J0IHsgQXdzQ29uc3RydWN0QmFzZSB9IGZyb20gXCIuLi8uLlwiO1xuaW1wb3J0IHsgVG9rZW5Db21wYXJpc29uLCB0b2tlbkNvbXBhcmVTdHJpbmdzIH0gZnJvbSBcIi4uLy4uLy4uL3Rva2VuXCI7XG5pbXBvcnQgeyBHcmFudCB9IGZyb20gXCIuLi9ncmFudFwiO1xuaW1wb3J0IHsgSU1hbmFnZWRQb2xpY3kgfSBmcm9tIFwiLi4vbWFuYWdlZC1wb2xpY3lcIjtcbmltcG9ydCB7IFBvbGljeSwgSVBvbGljeSB9IGZyb20gXCIuLi9wb2xpY3lcIjtcbmltcG9ydCB7IFBvbGljeVN0YXRlbWVudCB9IGZyb20gXCIuLi9wb2xpY3ktc3RhdGVtZW50XCI7XG5pbXBvcnQge1xuICBJQ29tcGFyYWJsZVByaW5jaXBhbCxcbiAgSVByaW5jaXBhbCxcbiAgQXJuUHJpbmNpcGFsLFxuICBBZGRUb1ByaW5jaXBhbFBvbGljeVJlc3VsdCxcbiAgUHJpbmNpcGFsUG9saWN5RnJhZ21lbnQsXG59IGZyb20gXCIuLi9wcmluY2lwYWxzXCI7XG5pbXBvcnQgeyBJUm9sZSwgRnJvbVJvbGVBcm5PcHRpb25zLCBSb2xlT3V0cHV0cyB9IGZyb20gXCIuLi9yb2xlXCI7XG5cbmV4cG9ydCBpbnRlcmZhY2UgSW1wb3J0ZWRSb2xlUHJvcHMgZXh0ZW5kcyBGcm9tUm9sZUFybk9wdGlvbnMge1xuICByZWFkb25seSByb2xlQXJuOiBzdHJpbmc7XG4gIHJlYWRvbmx5IHJvbGVOYW1lOiBzdHJpbmc7XG4gIHJlYWRvbmx5IGFjY291bnQ/OiBzdHJpbmc7XG59XG5cbmV4cG9ydCBjbGFzcyBJbXBvcnRlZFJvbGVcbiAgZXh0ZW5kcyBBd3NDb25zdHJ1Y3RCYXNlXG4gIGltcGxlbWVudHMgSVJvbGUsIElDb21wYXJhYmxlUHJpbmNpcGFsXG57XG4gIHB1YmxpYyByZWFkb25seSBncmFudFByaW5jaXBhbDogSVByaW5jaXBhbCA9IHRoaXM7XG4gIHB1YmxpYyByZWFkb25seSBwcmluY2lwYWxBY2NvdW50Pzogc3RyaW5nO1xuICBwdWJsaWMgcmVhZG9ubHkgYXNzdW1lUm9sZUFjdGlvbjogc3RyaW5nID0gXCJzdHM6QXNzdW1lUm9sZVwiO1xuICBwdWJsaWMgcmVhZG9ubHkgcG9saWN5RnJhZ21lbnQ6IFByaW5jaXBhbFBvbGljeUZyYWdtZW50O1xuICBwdWJsaWMgcmVhZG9ubHkgcm9sZUFybjogc3RyaW5nO1xuICBwdWJsaWMgcmVhZG9ubHkgcm9sZU5hbWU6IHN0cmluZztcbiAgcHJpdmF0ZSByZWFkb25seSBhdHRhY2hlZFBvbGljaWVzID0gbmV3IEF0dGFjaGVkUG9saWNpZXMoKTtcbiAgcHJpdmF0ZSByZWFkb25seSBkZWZhdWx0UG9saWN5TmFtZT86IHN0cmluZztcbiAgcHJpdmF0ZSBkZWZhdWx0UG9saWN5PzogUG9saWN5O1xuXG4gIHByaXZhdGUgX3JvbGVPdXRwdXRzOiBSb2xlT3V0cHV0cztcbiAgcHVibGljIGdldCByb2xlT3V0cHV0cygpOiBSb2xlT3V0cHV0cyB7XG4gICAgcmV0dXJuIHRoaXMuX3JvbGVPdXRwdXRzO1xuICB9XG4gIHB1YmxpYyBnZXQgb3V0cHV0cygpIHtcbiAgICByZXR1cm4gdGhpcy5yb2xlT3V0cHV0cztcbiAgfVxuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzOiBJbXBvcnRlZFJvbGVQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCwge1xuICAgICAgYWNjb3VudDogcHJvcHMuYWNjb3VudCxcbiAgICB9KTtcbiAgICB0aGlzLnJvbGVBcm4gPSBwcm9wcy5yb2xlQXJuO1xuICAgIHRoaXMucm9sZU5hbWUgPSBwcm9wcy5yb2xlTmFtZTtcbiAgICB0aGlzLnBvbGljeUZyYWdtZW50ID0gbmV3IEFyblByaW5jaXBhbCh0aGlzLnJvbGVBcm4pLnBvbGljeUZyYWdtZW50O1xuICAgIHRoaXMuZGVmYXVsdFBvbGljeU5hbWUgPSBwcm9wcy5kZWZhdWx0UG9saWN5TmFtZTtcbiAgICB0aGlzLnByaW5jaXBhbEFjY291bnQgPSBwcm9wcy5hY2NvdW50O1xuICAgIHRoaXMuX3JvbGVPdXRwdXRzID0ge1xuICAgICAgbmFtZTogdGhpcy5yb2xlTmFtZSxcbiAgICAgIGFybjogdGhpcy5yb2xlQXJuLFxuICAgIH07XG4gIH1cblxuICBwdWJsaWMgYWRkVG9Qb2xpY3koc3RhdGVtZW50OiBQb2xpY3lTdGF0ZW1lbnQpOiBib29sZWFuIHtcbiAgICByZXR1cm4gdGhpcy5hZGRUb1ByaW5jaXBhbFBvbGljeShzdGF0ZW1lbnQpLnN0YXRlbWVudEFkZGVkO1xuICB9XG5cbiAgcHVibGljIGFkZFRvUHJpbmNpcGFsUG9saWN5KFxuICAgIHN0YXRlbWVudDogUG9saWN5U3RhdGVtZW50LFxuICApOiBBZGRUb1ByaW5jaXBhbFBvbGljeVJlc3VsdCB7XG4gICAgaWYgKCF0aGlzLmRlZmF1bHRQb2xpY3kpIHtcbiAgICAgIHRoaXMuZGVmYXVsdFBvbGljeSA9IG5ldyBQb2xpY3koXG4gICAgICAgIHRoaXMsXG4gICAgICAgIHRoaXMuZGVmYXVsdFBvbGljeU5hbWUgPz8gXCJQb2xpY3lcIixcbiAgICAgICAge1xuICAgICAgICAgIHBvbGljeU5hbWU6IHVuZGVmaW5lZCwgLy8gbGV0IHRoZSBwb2xpY3kgbmFtZSBiZSBhdXRvLWdlbmVyYXRlZFxuICAgICAgICB9LFxuICAgICAgKTtcbiAgICAgIHRoaXMuYXR0YWNoSW5saW5lUG9saWN5KHRoaXMuZGVmYXVsdFBvbGljeSk7XG4gICAgfVxuICAgIHRoaXMuZGVmYXVsdFBvbGljeS5hZGRTdGF0ZW1lbnRzKHN0YXRlbWVudCk7XG4gICAgcmV0dXJuIHsgc3RhdGVtZW50QWRkZWQ6IHRydWUsIHBvbGljeURlcGVuZGFibGU6IHRoaXMuZGVmYXVsdFBvbGljeSB9O1xuICB9XG5cbiAgcHVibGljIGF0dGFjaElubGluZVBvbGljeShwb2xpY3k6IFBvbGljeSk6IHZvaWQge1xuICAgIGNvbnN0IHRoaXNBbmRQb2xpY3lBY2NvdW50Q29tcGFyaXNvbiA9IHRva2VuQ29tcGFyZVN0cmluZ3MoXG4gICAgICB0aGlzLmVudi5hY2NvdW50LFxuICAgICAgcG9saWN5LmVudi5hY2NvdW50LFxuICAgICk7XG4gICAgY29uc3QgZXF1YWxPckFueVVucmVzb2x2ZWQgPVxuICAgICAgdGhpc0FuZFBvbGljeUFjY291bnRDb21wYXJpc29uID09PSBUb2tlbkNvbXBhcmlzb24uU0FNRSB8fFxuICAgICAgdGhpc0FuZFBvbGljeUFjY291bnRDb21wYXJpc29uID09PSBUb2tlbkNvbXBhcmlzb24uQk9USF9VTlJFU09MVkVEIHx8XG4gICAgICB0aGlzQW5kUG9saWN5QWNjb3VudENvbXBhcmlzb24gPT09IFRva2VuQ29tcGFyaXNvbi5PTkVfVU5SRVNPTFZFRDtcbiAgICBpZiAoZXF1YWxPckFueVVucmVzb2x2ZWQpIHtcbiAgICAgIHRoaXMuYXR0YWNoZWRQb2xpY2llcy5hdHRhY2gocG9saWN5KTtcbiAgICAgIHBvbGljeS5hdHRhY2hUb1JvbGUodGhpcyk7XG4gICAgfVxuICB9XG5cbiAgcHVibGljIGFkZE1hbmFnZWRQb2xpY3kocG9saWN5OiBJTWFuYWdlZFBvbGljeSk6IHZvaWQge1xuICAgIEFubm90YXRpb25zLm9mKHRoaXMpLmFkZFdhcm5pbmcoXG4gICAgICBgTm90IGFkZGluZyBtYW5hZ2VkIHBvbGljeTogJHtwb2xpY3kubWFuYWdlZFBvbGljeUFybn0gdG8gaW1wb3J0ZWQgcm9sZTogJHt0aGlzLnJvbGVOYW1lfWAsXG4gICAgKTtcbiAgfVxuXG4gIHB1YmxpYyBncmFudFBhc3NSb2xlKGlkZW50aXR5OiBJUHJpbmNpcGFsKTogR3JhbnQge1xuICAgIHJldHVybiB0aGlzLmdyYW50KGlkZW50aXR5LCBcImlhbTpQYXNzUm9sZVwiKTtcbiAgfVxuXG4gIHB1YmxpYyBncmFudEFzc3VtZVJvbGUoaWRlbnRpdHk6IElQcmluY2lwYWwpOiBHcmFudCB7XG4gICAgcmV0dXJuIHRoaXMuZ3JhbnQoaWRlbnRpdHksIFwic3RzOkFzc3VtZVJvbGVcIik7XG4gIH1cblxuICBwdWJsaWMgZ3JhbnQoZ3JhbnRlZTogSVByaW5jaXBhbCwgLi4uYWN0aW9uczogc3RyaW5nW10pOiBHcmFudCB7XG4gICAgcmV0dXJuIEdyYW50LmFkZFRvUHJpbmNpcGFsKHtcbiAgICAgIGdyYW50ZWUsXG4gICAgICBhY3Rpb25zLFxuICAgICAgcmVzb3VyY2VBcm5zOiBbdGhpcy5yb2xlQXJuXSxcbiAgICAgIHNjb3BlOiB0aGlzLFxuICAgIH0pO1xuICB9XG5cbiAgcHVibGljIGRlZHVwZVN0cmluZygpOiBzdHJpbmcgfCB1bmRlZmluZWQge1xuICAgIHJldHVybiBgSW1wb3J0ZWRSb2xlOiR7dGhpcy5yb2xlQXJufWA7XG4gIH1cbn1cblxuLyoqXG4gKiBIZWxwZXIgY2xhc3MgdGhhdCBtYWludGFpbnMgdGhlIHNldCBvZiBhdHRhY2hlZCBwb2xpY2llcyBmb3IgYSBwcmluY2lwYWwuXG4gKi9cbmV4cG9ydCBjbGFzcyBBdHRhY2hlZFBvbGljaWVzIHtcbiAgcHJpdmF0ZSBwb2xpY2llcyA9IG5ldyBBcnJheTxJUG9saWN5PigpO1xuXG4gIC8qKlxuICAgKiBBZGRzIGEgcG9saWN5IHRvIHRoZSBsaXN0IG9mIGF0dGFjaGVkIHBvbGljaWVzLlxuICAgKlxuICAgKiBJZiB0aGlzIHBvbGljeSBpcyBhbHJlYWR5LCBhdHRhY2hlZCwgcmV0dXJucyBmYWxzZS5cbiAgICogSWYgdGhlcmUgaXMgYW5vdGhlciBwb2xpY3kgYXR0YWNoZWQgd2l0aCB0aGUgc2FtZSBuYW1lLCB0aHJvd3MgYW4gZXhjZXB0aW9uLlxuICAgKi9cbiAgcHVibGljIGF0dGFjaChwb2xpY3k6IElQb2xpY3kpIHtcbiAgICBpZiAodGhpcy5wb2xpY2llcy5maW5kKChwKSA9PiBwID09PSBwb2xpY3kpKSB7XG4gICAgICByZXR1cm47IC8vIGFscmVhZHkgYXR0YWNoZWRcbiAgICB9XG5cbiAgICBpZiAodGhpcy5wb2xpY2llcy5maW5kKChwKSA9PiBwLnBvbGljeU5hbWUgPT09IHBvbGljeS5wb2xpY3lOYW1lKSkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKFxuICAgICAgICBgQSBwb2xpY3kgbmFtZWQgXCIke3BvbGljeS5wb2xpY3lOYW1lfVwiIGlzIGFscmVhZHkgYXR0YWNoZWRgLFxuICAgICAgKTtcbiAgICB9XG5cbiAgICB0aGlzLnBvbGljaWVzLnB1c2gocG9saWN5KTtcbiAgfVxufVxuIl19

package/lib/aws/iam/private/merge-statements.d.ts

@@ -0,0 +1,44 @@
+import { IConstruct } from "constructs";
+import { PolicyStatement } from "../policy-statement";
+/**
+ * Options for the mergeStatement command
+ */
+export interface MergeStatementOptions {
+    /**
+     * Scope to derive configuration flags from
+     */
+    readonly scope: IConstruct;
+    /**
+     * Do not merge statements if the result would be bigger than MAX_MERGE_SIZE
+     *
+     * @default false
+     */
+    readonly limitSize?: boolean;
+    /**
+     * Merge statements if they can be combined to produce the same effects.
+     *
+     * If false, statements are only merged if they are exactly equal.
+     *
+     * @default true
+     */
+    readonly mergeIfCombinable?: boolean;
+}
+/**
+ * Merge as many statements as possible to shrink the total policy doc, modifying the input array in place
+ *
+ * We compare and merge all pairs of statements (O(N^2) complexity), opportunistically
+ * merging them. This is not guaranteed to produce the optimal output, but it's probably
+ * Good Enough(tm). If it merges anything, it's at least going to produce a smaller output
+ * than the input.
+ */
+export declare function mergeStatements(statements: PolicyStatement[], options: MergeStatementOptions): MergeStatementResult;
+export interface MergeStatementResult {
+    /**
+     * The list of maximally merged statements
+     */
+    readonly mergedStatements: PolicyStatement[];
+    /**
+     * Mapping of old to new statements
+     */
+    readonly originsMap: Map<PolicyStatement, PolicyStatement[]>;
+}