aws-cdk-lib 2.165.0__py3-none-any.whl → 2.167.0__py3-none-any.whl

aws_cdk/aws_kinesis/__init__.py

@@ -17,6 +17,7 @@ intake and aggregation.
     * [Write Permissions](#write-permissions)
     * [Custom Permissions](#custom-permissions)
   * [Metrics](#metrics)
+  * [Resource Policy](#resource-policy)
 
 ## Streams
 
@@ -184,6 +185,52 @@ stream.metric_get_records_success()
 # using pre-defined and overriding the statistic
 stream.metric_get_records_success(statistic="Maximum")
 ```
+
+### Resource Policy
+
+You can create a resource policy for a data stream.
+For more information, see [Controlling access to Amazon Kinesis Data Streams resources using IAM](https://docs.aws.amazon.com/streams/latest/dev/controlling-access.html).
+
+A resource policy is automatically created when `addToResourcePolicy` is called, if one doesn't already exist.
+
+Using `addToResourcePolicy` is the simplest way to add a resource policy:
+
+```python
+stream = kinesis.Stream(self, "MyStream")
+
+# create a resource policy via addToResourcePolicy method
+stream.add_to_resource_policy(iam.PolicyStatement(
+    resources=[stream.stream_arn],
+    actions=["kinesis:GetRecords"],
+    principals=[iam.AnyPrincipal()]
+))
+```
+
+You can create a resource manually by using `ResourcePolicy`.
+Also, you can set a custom policy document to `ResourcePolicy`.
+If not, a blank policy document will be set.
+
+```python
+stream = kinesis.Stream(self, "MyStream")
+
+# create a custom policy document
+policy_document = iam.PolicyDocument(
+    assign_sids=True,
+    statements=[
+        iam.PolicyStatement(
+            actions=["kinesis:GetRecords"],
+            resources=[stream.stream_arn],
+            principals=[iam.AnyPrincipal()]
+        )
+    ]
+)
+
+# create a resource policy manually
+kinesis.ResourcePolicy(self, "ResourcePolicy",
+    stream=stream,
+    policy_document=policy_document
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -236,7 +283,13 @@ from ..aws_cloudwatch import (
     MetricOptions as _MetricOptions_1788b62f,
     Unit as _Unit_61bc6f70,
 )
-from ..aws_iam import Grant as _Grant_a7ae64f8, IGrantable as _IGrantable_71c4f5de
+from ..aws_iam import (
+    AddToResourcePolicyResult as _AddToResourcePolicyResult_1d0a53ad,
+    Grant as _Grant_a7ae64f8,
+    IGrantable as _IGrantable_71c4f5de,
+    PolicyDocument as _PolicyDocument_3ac34393,
+    PolicyStatement as _PolicyStatement_0fe33853,
+)
 from ..aws_kms import IKey as _IKey_5f11635f
 
 
@@ -1233,6 +1286,21 @@ class IStream(_IResource_c80c4260, typing_extensions.Protocol):
         '''Optional KMS encryption key associated with this stream.'''
         ...
 
+    @jsii.member(jsii_name="addToResourcePolicy")
+    def add_to_resource_policy(
+        self,
+        statement: _PolicyStatement_0fe33853,
+    ) -> _AddToResourcePolicyResult_1d0a53ad:
+        '''Adds a statement to the IAM resource policy associated with this stream.
+
+        If this stream was created in this stack (``new Stream``), a resource policy
+        will be automatically created upon the first call to ``addToResourcePolicy``. If
+        the stream is imported (``Stream.import``), then this is a no-op.
+
+        :param statement: -
+        '''
+        ...
+
     @jsii.member(jsii_name="grant")
     def grant(
         self,
@@ -1914,6 +1982,24 @@ class _IStreamProxy(
         '''Optional KMS encryption key associated with this stream.'''
         return typing.cast(typing.Optional[_IKey_5f11635f], jsii.get(self, "encryptionKey"))
 
+    @jsii.member(jsii_name="addToResourcePolicy")
+    def add_to_resource_policy(
+        self,
+        statement: _PolicyStatement_0fe33853,
+    ) -> _AddToResourcePolicyResult_1d0a53ad:
+        '''Adds a statement to the IAM resource policy associated with this stream.
+
+        If this stream was created in this stack (``new Stream``), a resource policy
+        will be automatically created upon the first call to ``addToResourcePolicy``. If
+        the stream is imported (``Stream.import``), then this is a no-op.
+
+        :param statement: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8f2bc2272d75f698f14f87a303fdf13c87275a121d59d5fa5df4a16bb120598b)
+            check_type(argname="argument statement", value=statement, expected_type=type_hints["statement"])
+        return typing.cast(_AddToResourcePolicyResult_1d0a53ad, jsii.invoke(self, "addToResourcePolicy", [statement]))
+
     @jsii.member(jsii_name="grant")
     def grant(
         self,
@@ -2803,6 +2889,157 @@ class _IStreamProxy(
 typing.cast(typing.Any, IStream).__jsii_proxy_class__ = lambda : _IStreamProxy
 
 
+class ResourcePolicy(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_kinesis.ResourcePolicy",
+):
+    '''The policy for a data stream or registered consumer.
+
+    Policies define the operations that are allowed on this resource.
+
+    You almost never need to define this construct directly.
+
+    All AWS resources that support resource policies have a method called
+    ``addToResourcePolicy()``, which will automatically create a new resource
+    policy if one doesn't exist yet, otherwise it will add to the existing
+    policy.
+
+    Prefer to use ``addToResourcePolicy()`` instead.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        stream = kinesis.Stream(self, "MyStream")
+        
+        # create a custom policy document
+        policy_document = iam.PolicyDocument(
+            assign_sids=True,
+            statements=[
+                iam.PolicyStatement(
+                    actions=["kinesis:GetRecords"],
+                    resources=[stream.stream_arn],
+                    principals=[iam.AnyPrincipal()]
+                )
+            ]
+        )
+        
+        # create a resource policy manually
+        kinesis.ResourcePolicy(self, "ResourcePolicy",
+            stream=stream,
+            policy_document=policy_document
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        stream: IStream,
+        policy_document: typing.Optional[_PolicyDocument_3ac34393] = None,
+    ) -> None:
+        '''
+        :param scope: -
+        :param id: -
+        :param stream: The stream this policy applies to.
+        :param policy_document: IAM policy document to apply to a data stream. Default: - empty policy document
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__4488fc34b1387c696011cd138108f10e13139cd2d56365a8ba9602ad6ba244f0)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = ResourcePolicyProps(stream=stream, policy_document=policy_document)
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @builtins.property
+    @jsii.member(jsii_name="document")
+    def document(self) -> _PolicyDocument_3ac34393:
+        '''The IAM policy document for this policy.'''
+        return typing.cast(_PolicyDocument_3ac34393, jsii.get(self, "document"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_kinesis.ResourcePolicyProps",
+    jsii_struct_bases=[],
+    name_mapping={"stream": "stream", "policy_document": "policyDocument"},
+)
+class ResourcePolicyProps:
+    def __init__(
+        self,
+        *,
+        stream: IStream,
+        policy_document: typing.Optional[_PolicyDocument_3ac34393] = None,
+    ) -> None:
+        '''Properties to associate a data stream with a policy.
+
+        :param stream: The stream this policy applies to.
+        :param policy_document: IAM policy document to apply to a data stream. Default: - empty policy document
+
+        :exampleMetadata: infused
+
+        Example::
+
+            stream = kinesis.Stream(self, "MyStream")
+            
+            # create a custom policy document
+            policy_document = iam.PolicyDocument(
+                assign_sids=True,
+                statements=[
+                    iam.PolicyStatement(
+                        actions=["kinesis:GetRecords"],
+                        resources=[stream.stream_arn],
+                        principals=[iam.AnyPrincipal()]
+                    )
+                ]
+            )
+            
+            # create a resource policy manually
+            kinesis.ResourcePolicy(self, "ResourcePolicy",
+                stream=stream,
+                policy_document=policy_document
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b4f61add9bc5e3d367f841a39ff9a752c7eed270f05849d0b5f9dc5e5ad3382a)
+            check_type(argname="argument stream", value=stream, expected_type=type_hints["stream"])
+            check_type(argname="argument policy_document", value=policy_document, expected_type=type_hints["policy_document"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "stream": stream,
+        }
+        if policy_document is not None:
+            self._values["policy_document"] = policy_document
+
+    @builtins.property
+    def stream(self) -> IStream:
+        '''The stream this policy applies to.'''
+        result = self._values.get("stream")
+        assert result is not None, "Required property 'stream' is missing"
+        return typing.cast(IStream, result)
+
+    @builtins.property
+    def policy_document(self) -> typing.Optional[_PolicyDocument_3ac34393]:
+        '''IAM policy document to apply to a data stream.
+
+        :default: - empty policy document
+        '''
+        result = self._values.get("policy_document")
+        return typing.cast(typing.Optional[_PolicyDocument_3ac34393], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "ResourcePolicyProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.implements(IStream)
 class Stream(
     _Resource_45bc6135,
@@ -2911,6 +3148,24 @@ class Stream(
 
         return typing.cast(IStream, jsii.sinvoke(cls, "fromStreamAttributes", [scope, id, attrs]))
 
+    @jsii.member(jsii_name="addToResourcePolicy")
+    def add_to_resource_policy(
+        self,
+        statement: _PolicyStatement_0fe33853,
+    ) -> _AddToResourcePolicyResult_1d0a53ad:
+        '''Adds a statement to the IAM resource policy associated with this stream.
+
+        If this stream was created in this stack (``new Strem``), a resource policy
+        will be automatically created upon the first call to ``addToResourcePolicy``. If
+        the stream is imported (``Stream.import``), then this is a no-op.
+
+        :param statement: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a7e5618d0b21ec8f8ee6f75c9ce4726b0e2f49cca4d61efdf76bb36d81eedef9)
+            check_type(argname="argument statement", value=statement, expected_type=type_hints["statement"])
+        return typing.cast(_AddToResourcePolicyResult_1d0a53ad, jsii.invoke(self, "addToResourcePolicy", [statement]))
+
     @jsii.member(jsii_name="grant")
     def grant(
         self,
@@ -3797,6 +4052,15 @@ class Stream(
 
         return typing.cast(_Metric_e396a4dc, jsii.invoke(self, "metricWriteProvisionedThroughputExceeded", [props]))
 
+    @builtins.property
+    @jsii.member(jsii_name="autoCreatePolicy")
+    def _auto_create_policy(self) -> builtins.bool:
+        '''Indicates if a stream resource policy should automatically be created upon the first call to ``addToResourcePolicy``.
+
+        Set by subclasses.
+        '''
+        return typing.cast(builtins.bool, jsii.get(self, "autoCreatePolicy"))
+
     @builtins.property
     @jsii.member(jsii_name="streamArn")
     def stream_arn(self) -> builtins.str:
@@ -4098,6 +4362,8 @@ __all__ = [
     "CfnStreamConsumerProps",
     "CfnStreamProps",
     "IStream",
+    "ResourcePolicy",
+    "ResourcePolicyProps",
     "Stream",
     "StreamAttributes",
     "StreamEncryption",
@@ -4280,6 +4546,12 @@ def _typecheckingstub__d3bac625363d3769acb567c00e5b48d63afe09fd6d0305829f157ffcc
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__8f2bc2272d75f698f14f87a303fdf13c87275a121d59d5fa5df4a16bb120598b(
+    statement: _PolicyStatement_0fe33853,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__144c672e53e3086b23a7fab80cf6f8440b56b13da782550703291ecf8e7ee03c(
     grantee: _IGrantable_71c4f5de,
     *actions: builtins.str,
@@ -4320,6 +4592,24 @@ def _typecheckingstub__bd578f4ca8facd0463f7e56d3d2cea7e56ba9ad274338af8f84fa661d
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__4488fc34b1387c696011cd138108f10e13139cd2d56365a8ba9602ad6ba244f0(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    stream: IStream,
+    policy_document: typing.Optional[_PolicyDocument_3ac34393] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__b4f61add9bc5e3d367f841a39ff9a752c7eed270f05849d0b5f9dc5e5ad3382a(
+    *,
+    stream: IStream,
+    policy_document: typing.Optional[_PolicyDocument_3ac34393] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__d9e4f581406090d861e3fe8214f939eedc5d1ccaffe122a7542878ec423959f9(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -4353,6 +4643,12 @@ def _typecheckingstub__b96a6f7eaad7642c3b76701b21a0f3785de9e62fe0775dc42bcd732de
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__a7e5618d0b21ec8f8ee6f75c9ce4726b0e2f49cca4d61efdf76bb36d81eedef9(
+    statement: _PolicyStatement_0fe33853,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__697192e2b3dde0e9d7ea188584de9b7bc6b68afbd4b7ab621caa32eaeecfb0fe(
     grantee: _IGrantable_71c4f5de,
     *actions: builtins.str,

aws_cdk/aws_kms/__init__.py

@@ -2957,6 +2957,8 @@ class KeyUsage(enum.Enum):
     '''Signing and verification.'''
     GENERATE_VERIFY_MAC = "GENERATE_VERIFY_MAC"
     '''Generating and verifying MACs.'''
+    KEY_AGREEMENT = "KEY_AGREEMENT"
+    '''Deriving shared secrets.'''
 
 
 class ViaServicePrincipal(