refactor(aws-iam): move IAM classes cdk to aws-iam (#866)
Fixes #196

BREAKING CHANGE

This change moves the `PolicyDocument`, `PolicyStatement` and
all `PolicyPrincipal` classes from the @aws-cdk/cdk module
into the @aws-cdk/aws-iam module.
Elad Ben-Israel authored Oct 8, 2018
1 parent d17911e commit 2d63a35
Showing 72 changed files with 194 additions and 171 deletions.
4 changes: 2 additions & 2 deletions examples/cdk-examples-typescript/advanced-usage/index.ts
@@ -16,15 +16,15 @@ class PolicyExample extends cdk.Stack {
// here's how to create an IAM Role with an assume policy for the Lambda
// service principal.
const role = new iam.Role(this, 'Role', {
assumedBy: new cdk.ServicePrincipal('lambda.amazon.aws.com')
assumedBy: new iam.ServicePrincipal('lambda.amazon.aws.com')
});

// when you call `addToPolicy`, a default policy is defined and attached
// to the bucket.
const bucket = new s3.Bucket(this, 'MyBucket');

// the role also has a policy attached to it.
role.addToPolicy(new cdk.PolicyStatement()
role.addToPolicy(new iam.PolicyStatement()
.addResource(bucket.arnForObjects('*'))
.addResource(bucket.bucketArn)
.addActions('s3:*'));
@@ -25,7 +25,7 @@ class ConsumerConstruct extends cdk.Construct {
constructor(parent: cdk.Construct, name: string, props: ConsumerConstructProps) {
super(parent, name);

props.bucket.addToResourcePolicy(new cdk.PolicyStatement().addAction('*'));
props.bucket.addToResourcePolicy(new iam.PolicyStatement().addAction('*'));
}
}

5 changes: 3 additions & 2 deletions examples/cdk-examples-typescript/sns-sqs/index.ts
@@ -1,3 +1,4 @@
import iam = require('@aws-cdk/aws-iam');
import sns = require('@aws-cdk/aws-sns');
import sqs = require('@aws-cdk/aws-sqs');
import cdk = require('@aws-cdk/cdk');
@@ -28,8 +29,8 @@ class CFN extends cdk.Stack {
protocol: 'sqs'
});

const policyDocument = new cdk.PolicyDocument();
policyDocument.addStatement(new cdk.PolicyStatement()
const policyDocument = new iam.PolicyDocument();
policyDocument.addStatement(new iam.PolicyStatement()
.addResource(queue.queueArn)
.addAction('sqs:SendMessage')
.addServicePrincipal('sns.amazonaws.com')
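Review bot: The statement built from `new iam.PolicyDocument()` grants `sqs:SendMessage` on `queue.queueArn` to the entire `sns.amazonaws.com` service principal, and the chain continues past the hunk, so it is not visible whether a source condition is applied. Without one, for example `.addCondition('ArnEquals', { 'aws:SourceArn': <topic ARN placeholder> })`, any SNS topic, including topics in other accounts, could deliver to the queue. Worth confirming the rest of the chain or adding the condition, even in an example. The CFN constructor starts and ends outside the hunk.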
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-apigateway/lib/integrations/lambda.ts
@@ -1,5 +1,5 @@
import iam = require('@aws-cdk/aws-iam');
import lambda = require('@aws-cdk/aws-lambda');
import cdk = require('@aws-cdk/cdk');
import { IntegrationOptions } from '../integration';
import { Method } from '../method';
import { AwsIntegration } from './aws';
@@ -52,7 +52,7 @@ export class LambdaIntegration extends AwsIntegration {
}

public bind(method: Method) {
const principal = new cdk.ServicePrincipal('apigateway.amazonaws.com');
const principal = new iam.ServicePrincipal('apigateway.amazonaws.com');

const desc = `${method.httpMethod}.${method.resource.resourcePath.replace(/\//g, '.')}`;

4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-apigateway/lib/restapi.ts
@@ -66,7 +66,7 @@ export interface RestApiProps extends ResourceOptions {
/**
* A policy document that contains the permissions for this RestApi
*/
policy?: cdk.PolicyDocument;
policy?: iam.PolicyDocument;

/**
* A description of the purpose of this API Gateway RestApi resource.
@@ -314,7 +314,7 @@ export class RestApi extends RestApiRef implements cdk.IDependable {

private configureCloudWatchRole(apiResource: cloudformation.RestApiResource) {
const role = new iam.Role(this, 'CloudWatchRole', {
assumedBy: new cdk.ServicePrincipal('apigateway.amazonaws.com'),
assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com'),
managedPolicyArns: [ cdk.ArnUtils.fromComponents({
service: 'iam',
region: '',
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-apigateway/test/test.method.ts
@@ -206,7 +206,7 @@ export = {
// GIVEN
const stack = new cdk.Stack();
const api = new apigateway.RestApi(stack, 'test-api', { deploy: false });
const role = new iam.Role(stack, 'MyRole', { assumedBy: new cdk.ServicePrincipal('foo') });
const role = new iam.Role(stack, 'MyRole', { assumedBy: new iam.ServicePrincipal('foo') });

// WHEN
api.root.addMethod('GET', new apigateway.Integration({
@@ -251,7 +251,7 @@ export = {
// GIVEN
const stack = new cdk.Stack();
const api = new apigateway.RestApi(stack, 'test-api', { deploy: false });
const role = new iam.Role(stack, 'MyRole', { assumedBy: new cdk.ServicePrincipal('foo') });
const role = new iam.Role(stack, 'MyRole', { assumedBy: new iam.ServicePrincipal('foo') });

// WHEN
const integration = new apigateway.Integration({
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
@@ -190,7 +190,7 @@ export class AutoScalingGroup extends cdk.Construct implements cdk.ITaggable, el
}

this.role = new iam.Role(this, 'InstanceRole', {
assumedBy: new cdk.ServicePrincipal('ec2.amazonaws.com')
assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
});

const iamProfile = new iam.cloudformation.InstanceProfileResource(this, 'InstanceProfile', {
@@ -302,7 +302,7 @@ export class AutoScalingGroup extends cdk.Construct implements cdk.ITaggable, el
/**
* Adds a statement to the IAM role assumed by instances of this fleet.
*/
public addToRolePolicy(statement: cdk.PolicyStatement) {
public addToRolePolicy(statement: iam.PolicyStatement) {
this.role.addToPolicy(statement);
}

@@ -1,5 +1,6 @@
import { expect, haveResource, ResourcePart } from '@aws-cdk/assert';
import ec2 = require('@aws-cdk/aws-ec2');
import iam = require('@aws-cdk/aws-iam');
import cdk = require('@aws-cdk/cdk');
import { Test } from 'nodeunit';
import autoscaling = require('../lib');
@@ -137,7 +138,7 @@ export = {
vpc
});

fleet.addToRolePolicy(new cdk.PolicyStatement()
fleet.addToRolePolicy(new iam.PolicyStatement()
.addAction('test:SpecialName')
.addAllResources());

14 changes: 7 additions & 7 deletions packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts
@@ -89,7 +89,7 @@ export class PipelineExecuteChangeSetAction extends PipelineCloudFormationAction
ChangeSetName: props.changeSetName,
});

props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addAction('cloudformation:ExecuteChangeSet')
.addResource(stackArnFromName(props.stackName))
.addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName }));
@@ -201,19 +201,19 @@ export abstract class PipelineCloudFormationDeployAction extends PipelineCloudFo
this.role = props.role;
} else {
this.role = new iam.Role(this, 'Role', {
assumedBy: new cdk.ServicePrincipal('cloudformation.amazonaws.com')
assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com')
});

if (props.fullPermissions) {
this.role.addToPolicy(new cdk.PolicyStatement().addAction('*').addAllResources());
this.role.addToPolicy(new iam.PolicyStatement().addAction('*').addAllResources());
}
}
}

/**
* Add statement to the service role assumed by CloudFormation while executing this action.
*/
public addToRolePolicy(statement: cdk.PolicyStatement) {
public addToRolePolicy(statement: iam.PolicyStatement) {
return this.role.addToPolicy(statement);
}
}
@@ -254,16 +254,16 @@ export class PipelineCreateReplaceChangeSetAction extends PipelineCloudFormation

const stackArn = stackArnFromName(props.stackName);
// Allow the pipeline to check for Stack & ChangeSet existence
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addAction('cloudformation:DescribeStacks')
.addResource(stackArn));
// Allow the pipeline to create & delete the specified ChangeSet
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addActions('cloudformation:CreateChangeSet', 'cloudformation:DeleteChangeSet', 'cloudformation:DescribeChangeSet')
.addResource(stackArn)
.addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName }));
// Allow the pipeline to pass this actions' role to CloudFormation
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addAction('iam:PassRole')
.addResource(this.role.roleArn));
}
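Review bot: The `fullPermissions` branch in the PipelineCloudFormationDeployAction constructor attaches `new iam.PolicyStatement().addAction('*').addAllResources()` to a role assumable by cloudformation.amazonaws.com, which is administrator-equivalent access, and nothing in the hunk records that on the code. A why-comment above that line would help reviewers of callers, e.g. `// fullPermissions: CloudFormation's service role gets Action '*' on Resource '*' (admin-equivalent); prefer addToRolePolicy with statements scoped to the stack's resources`. The `addToRolePolicy` doc comment below it could likewise say that it is the scoped alternative to `fullPermissions`. The class body starts and ends outside the hunk.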
@@ -170,11 +170,11 @@ class StageDouble implements cpapi.IStage {
class RoleDouble extends iam.Role {
public readonly statements = new Array<PolicyStatementJson>();

constructor(parent: cdk.Construct, id: string, props: iam.RoleProps = { assumedBy: new cdk.ServicePrincipal('test') }) {
constructor(parent: cdk.Construct, id: string, props: iam.RoleProps = { assumedBy: new iam.ServicePrincipal('test') }) {
super(parent, id, props);
}

public addToPolicy(statement: cdk.PolicyStatement) {
public addToPolicy(statement: iam.PolicyStatement) {
super.addToPolicy(statement);
this.statements.push(statement.toJson());
}
8 changes: 4 additions & 4 deletions packages/@aws-cdk/aws-cloudtrail/lib/index.ts
@@ -132,12 +132,12 @@ export class CloudTrail extends cdk.Construct {
const s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.Unencrypted});
const cloudTrailPrincipal = "cloudtrail.amazonaws.com";

s3bucket.addToResourcePolicy(new cdk.PolicyStatement()
s3bucket.addToResourcePolicy(new iam.PolicyStatement()
.addResource(s3bucket.bucketArn)
.addActions('s3:GetBucketAcl')
.addServicePrincipal(cloudTrailPrincipal));

s3bucket.addToResourcePolicy(new cdk.PolicyStatement()
s3bucket.addToResourcePolicy(new iam.PolicyStatement()
.addResource(s3bucket.arnForObjects(new cdk.FnConcat('/AWSLogs/', new cdk.AwsAccountId())))
.addActions("s3:PutObject")
.addServicePrincipal(cloudTrailPrincipal)
@@ -149,10 +149,10 @@ export class CloudTrail extends cdk.Construct {
});
this.cloudWatchLogsGroupArn = logGroup.logGroupArn;

const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new cdk.ServicePrincipal(cloudTrailPrincipal) });
const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });

const streamArn = `${this.cloudWatchLogsRoleArn}:log-stream:*`;
logsRole.addToPolicy(new cdk.PolicyStatement()
logsRole.addToPolicy(new iam.PolicyStatement()
.addActions("logs:PutLogEvents", "logs:CreateLogStream")
.addResource(streamArn));
this.cloudWatchLogsRoleArn = logsRole.roleArn;
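Review bot: `streamArn` is built from `${this.cloudWatchLogsRoleArn}:log-stream:*`, but that field is only assigned four lines later (`this.cloudWatchLogsRoleArn = logsRole.roleArn;`), so unless it is set earlier outside the hunk the `logs:PutLogEvents`/`logs:CreateLogStream` statement is scoped to a resource string beginning with `undefined` rather than to the trail's log group; a role ARN would in any case not be a valid prefix for a log-stream resource. The log group ARN stored two lines above the role (`this.cloudWatchLogsGroupArn = logGroup.logGroupArn;`) looks like the intended base: `const streamArn = \`${this.cloudWatchLogsGroupArn}:log-stream:*\`;`. A unit test asserting the Resource of that statement would have caught this. The enclosing constructor starts and ends outside the hunk.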
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-cloudwatch/lib/metric.ts
@@ -90,7 +90,7 @@ export class Metric {
public static grantPutMetricData(identity?: iam.IIdentityResource) {
if (!identity) { return; }

identity.addToPolicy(new cdk.PolicyStatement()
identity.addToPolicy(new iam.PolicyStatement()
.addAllResources()
.addAction("cloudwatch:PutMetricData"));
}
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-cloudwatch/test/test.metrics.ts
@@ -9,7 +9,7 @@ export = {
// GIVEN
const stack = new cdk.Stack();
const role = new iam.Role(stack, 'SomeRole', {
assumedBy: new cdk.Anyone()
assumedBy: new iam.Anyone()
});

// WHEN
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-codebuild/lib/pipeline-actions.ts
@@ -1,4 +1,5 @@
import codepipeline = require('@aws-cdk/aws-codepipeline-api');
import iam = require('@aws-cdk/aws-iam');
import cdk = require('@aws-cdk/cdk');
import { ProjectRef } from './project';

@@ -53,7 +54,7 @@ export class PipelineBuildAction extends codepipeline.BuildAction {
'codebuild:StopBuild',
];

props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addResource(props.project.projectArn)
.addActions(...actions));

10 changes: 5 additions & 5 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -279,10 +279,10 @@ export abstract class ProjectRef extends cdk.Construct implements events.IEventR
public asEventRuleTarget(_ruleArn: string, _ruleId: string): events.EventRuleTargetProps {
if (!this.eventsRole) {
this.eventsRole = new iam.Role(this, 'EventsRole', {
assumedBy: new cdk.ServicePrincipal('events.amazonaws.com')
assumedBy: new iam.ServicePrincipal('events.amazonaws.com')
});

this.eventsRole.addToPolicy(new cdk.PolicyStatement()
this.eventsRole.addToPolicy(new iam.PolicyStatement()
.addAction('codebuild:StartBuild')
.addResource(this.projectArn));
}
@@ -446,7 +446,7 @@ export class Project extends ProjectRef {
}

this.role = props.role || new iam.Role(this, 'Role', {
assumedBy: new cdk.ServicePrincipal('codebuild.amazonaws.com')
assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com')
});

let cache: cloudformation.ProjectResource.ProjectCacheProperty | undefined;
@@ -515,7 +515,7 @@ export class Project extends ProjectRef {
* Add a permission only if there's a policy attached.
* @param statement The permissions statement to add
*/
public addToRolePolicy(statement: cdk.PolicyStatement) {
public addToRolePolicy(statement: iam.PolicyStatement) {
if (this.role) {
this.role.addToPolicy(statement);
}
@@ -531,7 +531,7 @@ export class Project extends ProjectRef {

const logGroupStarArn = `${logGroupArn}:*`;

const p = new cdk.PolicyStatement();
const p = new iam.PolicyStatement();
p.allow();
p.addResource(logGroupArn);
p.addResource(logGroupStarArn);
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-codebuild/lib/source.ts
@@ -1,4 +1,5 @@
import codecommit = require('@aws-cdk/aws-codecommit');
import iam = require('@aws-cdk/aws-iam');
import s3 = require('@aws-cdk/aws-s3');
import cdk = require('@aws-cdk/cdk');
import { cloudformation } from './codebuild.generated';
@@ -43,7 +44,7 @@ export class CodeCommitSource extends BuildSource {

public bind(project: Project) {
// https://docs.aws.amazon.com/codebuild/latest/userguide/setting-up.html
project.addToRolePolicy(new cdk.PolicyStatement()
project.addToRolePolicy(new iam.PolicyStatement()
.addAction('codecommit:GitPull')
.addResource(this.repo.repositoryArn));
}
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-codecommit/lib/pipeline-action.ts
@@ -1,4 +1,5 @@
import codepipeline = require('@aws-cdk/aws-codepipeline-api');
import iam = require('@aws-cdk/aws-iam');
import cdk = require('@aws-cdk/cdk');
import { RepositoryRef } from './repository';

@@ -63,7 +64,7 @@ export class PipelineSourceAction extends codepipeline.SourceAction {
'codecommit:CancelUploadArchive',
];

props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addResource(props.repository.repositoryArn)
.addActions(...actions));
}
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-codedeploy/lib/deployment-group.ts
@@ -1,9 +1,9 @@
import autoscaling = require("@aws-cdk/aws-autoscaling");
import codedeploylb = require("@aws-cdk/aws-codedeploy-api");
import ec2 = require("@aws-cdk/aws-ec2");
import iam = require('@aws-cdk/aws-iam');
import s3 = require("@aws-cdk/aws-s3");
import cdk = require("@aws-cdk/cdk");
import iam = require("../../aws-iam/lib/role");
import { ServerApplication, ServerApplicationRef } from "./application";
import { cloudformation } from './codedeploy.generated';
import { IServerDeploymentConfig, ServerDeploymentConfig } from "./deployment-config";
@@ -174,7 +174,7 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupRef {
this.application = props.application || new ServerApplication(this, 'Application');

this.role = props.role || new iam.Role(this, 'Role', {
assumedBy: new cdk.ServicePrincipal('codedeploy.amazonaws.com'),
assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),
managedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole'],
});

7 changes: 4 additions & 3 deletions packages/@aws-cdk/aws-codedeploy/lib/pipeline-action.ts
@@ -1,4 +1,5 @@
import actions = require('@aws-cdk/aws-codepipeline-api');
import iam = require('@aws-cdk/aws-iam');
import cdk = require('@aws-cdk/cdk');

/**
@@ -49,7 +50,7 @@ export class PipelineDeployAction extends actions.DeployAction {
resourceName: props.applicationName,
sep: ':',
});
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addResource(applicationArn)
.addActions(
'codedeploy:GetApplicationRevision',
@@ -62,7 +63,7 @@ export class PipelineDeployAction extends actions.DeployAction {
resourceName: `${props.applicationName}/${props.deploymentGroupName}`,
sep: ':',
});
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addResource(deploymentGroupArn)
.addActions(
'codedeploy:CreateDeployment',
@@ -75,7 +76,7 @@ export class PipelineDeployAction extends actions.DeployAction {
resourceName: '*',
sep: ':',
});
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
.addResource(deployConfigArn)
.addActions(
'codedeploy:GetDeploymentConfig',
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-codedeploy/package.json
@@ -63,6 +63,7 @@
},
"dependencies": {
"@aws-cdk/aws-autoscaling": "^0.10.0",
"@aws-cdk/aws-iam": "^0.10.0",
"@aws-cdk/aws-codedeploy-api": "^0.10.0",
"@aws-cdk/aws-codepipeline-api": "^0.10.0",
"@aws-cdk/aws-s3": "^0.10.0",
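Review bot: The new `"@aws-cdk/aws-iam": "^0.10.0"` entry is placed between `aws-autoscaling` and `aws-codedeploy-api`, which breaks the alphabetical order the rest of the `dependencies` block follows; moving it to just after `"@aws-cdk/aws-codepipeline-api": "^0.10.0",` keeps the list sorted. Declaring the package here is what allows deployment-group.ts to drop its relative `../../aws-iam/lib/role` import, so the entry itself is correct.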