From 5bb7c93f283274263fb77445f8ffd529c37cd74b Mon Sep 17 00:00:00 2001 
From: Elad Ben-Israel Date: Thu, 18 Oct 2018 09:37:30 +0300 Subject: [PATCH] Revert "feat(IAM): Optimize IAM policy statements for size (#916)" (#958) This reverts commit 59964427939e0a5b5aebef2359bc418a4bd29236. Fixes #957 Reverts #916 --- packages/@aws-cdk/applet-js/package-lock.json | 124 +- packages/@aws-cdk/assert/package-lock.json | 2 +- .../integ.assets.directory.lit.expected.json | 30 +- .../test/integ.assets.file.lit.expected.json | 30 +- ...integ.assets.permissions.lit.expected.json | 30 +- .../test/integ.assets.refs.lit.expected.json | 33 +- packages/@aws-cdk/assets/test/test.asset.ts | 18 +- .../test/integ.restapi.books.expected.json | 234 +++- .../test/integ.restapi.defaults.expected.json | 20 +- .../test/integ.restapi.expected.json | 134 ++- .../aws-apigateway/test/test.lambda-api.ts | 15 +- .../aws-apigateway/test/test.lambda.ts | 41 +- .../aws-apigateway/test/test.method.ts | 23 +- .../aws-apigateway/test/test.restapi.ts | 31 +- .../lib/pipeline-actions.ts | 13 +- .../aws-cloudformation/package-lock.json | 2 +- ...nteg.trivial-lambda-resource.expected.json | 20 +- .../test/test.pipeline-actions.ts | 2 +- .../aws-cloudformation/test/test.resource.ts | 4 +- .../@aws-cdk/aws-cloudfront/package-lock.json | 2 +- .../@aws-cdk/aws-cloudtrail/package-lock.json | 2 +- .../@aws-cdk/aws-codebuild/package-lock.json | 2 +- .../test/integ.caching.expected.json | 57 +- .../test/integ.project-bucket.expected.json | 54 +- .../test/integ.project-events.expected.json | 72 +- .../test/integ.project-shell.expected.json | 70 +- .../aws-codebuild/test/test.codebuild.ts | 836 +++++++------- .../@aws-cdk/aws-codecommit/package-lock.json | 2 +- .../test/integ.deployment-group.expected.json | 45 +- ...g.cfn-template-from-repo.lit.expected.json | 122 +- .../test/integ.lambda-pipeline.expected.json | 82 +- .../test/integ.pipeline-cfn.expected.json | 111 +- ...g.pipeline-code-commit-build.expected.json | 88 +- .../integ.pipeline-code-commit.expected.json | 29 +- 
.../integ.pipeline-code-deploy.expected.json | 100 +- .../test/integ.pipeline-events.expected.json | 123 +- .../aws-codepipeline/test/test.pipeline.ts | 11 +- .../aws-dynamodb/test/test.dynamodb.ts | 36 +- .../test/alb/test.load-balancer.ts | 2 +- .../test/integ.alb.expected.json | 48 +- .../test/integ.nlb.expected.json | 48 +- .../@aws-cdk/aws-events/test/test.rule.ts | 100 +- .../aws-iam/lib/optimize-statements.ts | 284 ----- .../@aws-cdk/aws-iam/lib/policy-document.ts | 48 +- packages/@aws-cdk/aws-iam/lib/role.ts | 26 +- packages/@aws-cdk/aws-iam/package.json | 7 - .../aws-iam/test/test.managed-policy.ts | 14 +- .../aws-iam/test/test.optimize-statements.ts | 162 --- .../test.optimize-statements/pass-through.yml | 10 - .../remove-duplicates.yml | 15 - .../remove-globbed-duplicates.yml | 12 - .../very-large-input.yml | 1007 ----------------- .../aws-iam/test/test.policy-document.ts | 39 +- .../@aws-cdk/aws-kinesis/test/test.stream.ts | 154 +-- .../aws-kms/test/integ.key.expected.json | 26 +- packages/@aws-cdk/aws-kms/test/test.key.ts | 68 +- .../aws-lambda/test/inline.expected.json | 13 +- .../test/integ.assets.file.expected.json | 22 +- .../test/integ.assets.lit.expected.json | 22 +- .../integ.bucket-notifications.expected.json | 72 +- .../test/integ.events.expected.json | 20 +- .../test/integ.lambda.expected.json | 26 +- .../test/integ.vpc-lambda.expected.json | 82 +- .../@aws-cdk/aws-lambda/test/test.lambda.ts | 88 +- .../aws-lambda/test/test.singleton-lambda.ts | 3 +- .../aws-rds/test/integ.cluster.expected.json | 68 +- .../@aws-cdk/aws-route53/package-lock.json | 2 +- .../notifications-resource-handler.ts | 14 +- .../integ.bucket.domain-name.expected.json | 8 +- .../aws-s3/test/integ.bucket.expected.json | 104 +- .../test/integ.bucket.url.lit.expected.json | 9 +- .../test/integ.notifications.expected.json | 112 +- packages/@aws-cdk/aws-s3/test/test.bucket.ts | 113 +- packages/@aws-cdk/aws-s3/test/test.util.ts | 14 +- 
...teg.sns-bucket-notifications.expected.json | 96 +- .../integ.sns-event-rule-target.expected.json | 36 +- .../test/integ.sns-lambda.expected.json | 21 +- .../test/integ.sns-sqs.lit.expected.json | 24 +- packages/@aws-cdk/aws-sns/test/test.sns.ts | 47 +- packages/@aws-cdk/aws-sqs/package-lock.json | 2 +- .../integ.bucket-notifications.expected.json | 146 +-- packages/@aws-cdk/aws-sqs/test/test.sqs.ts | 12 +- .../@aws-cdk/cdk/lib/cloudformation/arn.ts | 2 +- .../@aws-cdk/cdk/lib/cloudformation/fn.ts | 81 +- packages/@aws-cdk/cdk/package-lock.json | 46 +- packages/@aws-cdk/cdk/package.json | 3 - .../cdk/test/cloudformation/test.arn.ts | 57 +- .../cdk/test/cloudformation/test.fn.ts | 85 +- .../@aws-cdk/cdk/test/core/test.tokens.ts | 4 +- packages/@aws-cdk/cfnspec/package-lock.json | 2 +- .../cloudformation-diff/package-lock.json | 2 +- .../test/integ.rtv.lambda.expected.json | 41 +- .../@aws-cdk/runtime-values/test/test.rtv.ts | 7 +- packages/aws-cdk/package-lock.json | 2 +- .../simple-resource-bundler/package-lock.json | 2 +- tools/cdk-build-tools/package-lock.json | 2 +- tools/cdk-integ-tools/package-lock.json | 2 +- tools/cfn2ts/package-lock.json | 2 +- tools/merkle-build/package-lock.json | 2 +- tools/pkglint/package-lock.json | 2 +- tools/pkgtools/package-lock.json | 2 +- tools/y-npm/package-lock.json | 2 +- 102 files changed, 2775 insertions(+), 3469 deletions(-) delete mode 100644 packages/@aws-cdk/aws-iam/lib/optimize-statements.ts delete mode 100644 packages/@aws-cdk/aws-iam/test/test.optimize-statements.ts delete mode 100644 packages/@aws-cdk/aws-iam/test/test.optimize-statements/pass-through.yml delete mode 100644 packages/@aws-cdk/aws-iam/test/test.optimize-statements/remove-duplicates.yml delete mode 100644 packages/@aws-cdk/aws-iam/test/test.optimize-statements/remove-globbed-duplicates.yml delete mode 100644 packages/@aws-cdk/aws-iam/test/test.optimize-statements/very-large-input.yml 
diff --git a/packages/@aws-cdk/applet-js/package-lock.json b/packages/@aws-cdk/applet-js/package-lock.json
index 3a8b2a7aca9ff..5fbbaff225f51 100644
--- a/packages/@aws-cdk/applet-js/package-lock.json
+++ b/packages/@aws-cdk/applet-js/package-lock.json
@@ -1,9 +1,27 @@
 {
 "name": "@aws-cdk/applet-js",
- "version": "0.11.0",
+ "version": "0.12.0",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
+ "@types/fs-extra": {
+ "version": "5.0.4",
+ "resolved": "https://registry.npmjs.org/@types/fs-extra/-/fs-extra-5.0.4.tgz",
+ "integrity": "sha512-DsknoBvD8s+RFfSGjmERJ7ZOP1HI0UZRA3FSI+Zakhrc/Gy26YQsLI+m5V5DHxroHRJqCDLKJp7Hixn8zyaF7g==",
+ "requires": {
+ "@types/node": "*"
+ }
+ },
+ "@types/js-yaml": {
+ "version": "3.11.2",
+ "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.11.2.tgz",
+ "integrity": "sha512-JRDtMPEqXrzfuYAdqbxLot1GvAr/QvicIZAnOAigZaj8xVMhuSJTg/xsv9E1TvyL+wujYhRLx9ZsQ0oFOSmwyA=="
+ },
+ "@types/node": {
+ "version": "10.12.0",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-10.12.0.tgz",
+ "integrity": "sha512-3TUHC3jsBAB7qVRGxT6lWyYo2v96BMmD2PTcl47H25Lu7UXtFH/2qqmKiVrnel6Ne//0TFYf6uvNX+HW2FRkLQ=="
+ },
 "@types/yamljs": {
 "version": "0.2.30",
 "resolved": "https://registry.npmjs.org/@types/yamljs/-/yamljs-0.2.30.tgz",
@@ -18,83 +36,48 @@ "sprintf-js": "~1.0.2" } }, - "balanced-match": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz", - "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=" - }, - "brace-expansion": { - "version": "1.1.11", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", - "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", - "requires": { - "balanced-match": "^1.0.0", - "concat-map": "0.0.1" - } - }, "buffer-from": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==" }, - "concat-map": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", - "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=" - }, - "fs.realpath": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", - "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=" + "esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==" }, - "glob": { - "version": "7.1.3", - "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.3.tgz", - "integrity": "sha512-vcfuiIxogLV4DlGBHIUOwI0IbrJ8HWPc4MU7HzviGeNho/UJDfi6B5p3sHeWIQ0KGIU0Jpxi5ZHxemQfLkkAwQ==", + "fs-extra": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-7.0.0.tgz", + "integrity": "sha512-EglNDLRpmaTWiD/qraZn6HREAEAHJcJOmxNEYwq6xeMKnVMAy3GUcFB+wXt2C6k4CNvB/mP1y/U3dzvKKj5OtQ==", "requires": { - "fs.realpath": "^1.0.0", - "inflight": "^1.0.4", - "inherits": "2", - "minimatch": "^3.0.4", - "once": "^1.3.0", - "path-is-absolute": "^1.0.0" + "graceful-fs": "^4.1.2", + 
"jsonfile": "^4.0.0", + "universalify": "^0.1.0" } }, - "inflight": { - "version": "1.0.6", - "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", - "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=", - "requires": { - "once": "^1.3.0", - "wrappy": "1" - } - }, - "inherits": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz", - "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=" + "graceful-fs": { + "version": "4.1.11", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.1.11.tgz", + "integrity": "sha1-Dovf5NHduIVNZOBOp8AOKgJuVlg=" }, - "minimatch": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz", - "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==", + "js-yaml": { + "version": "3.12.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz", + "integrity": "sha512-PIt2cnwmPfL4hKNwqeiuz4bKfnzHTBv6HyVgjahA6mPLwPDzjDWrplJBMjHUFxku/N3FlmrbyPclad+I+4mJ3A==", "requires": { - "brace-expansion": "^1.1.7" + "argparse": "^1.0.7", + "esprima": "^4.0.0" } }, - "once": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", - "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=", + "jsonfile": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-4.0.0.tgz", + "integrity": "sha1-h3Gq4HmbZAdrdmQPygWPnBDjPss=", "requires": { - "wrappy": "1" + "graceful-fs": "^4.1.6" } }, - "path-is-absolute": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", - "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=" - }, "source-map": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", 
@@ -114,19 +97,10 @@ "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" }, - "wrappy": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", - "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=" - }, - "yamljs": { - "version": "0.2.10", - "resolved": "https://registry.npmjs.org/yamljs/-/yamljs-0.2.10.tgz", - "integrity": "sha1-SBzHwlynOvWfWR8MluPOVsdXpA8=", - "requires": { - "argparse": "^1.0.7", - "glob": "^7.0.5" - } + "universalify": { + "version": "0.1.2", + "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz", + "integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==" } } } diff --git a/packages/@aws-cdk/assert/package-lock.json b/packages/@aws-cdk/assert/package-lock.json index 04eba934a2dfe..9581434817722 100644 --- a/packages/@aws-cdk/assert/package-lock.json +++ b/packages/@aws-cdk/assert/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/assert", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/assets/test/integ.assets.directory.lit.expected.json b/packages/@aws-cdk/assets/test/integ.assets.directory.lit.expected.json index 30a6ebd4db155..0b84b721fffae 100644 --- a/packages/@aws-cdk/assets/test/integ.assets.directory.lit.expected.json +++ b/packages/@aws-cdk/assets/test/integ.assets.directory.lit.expected.json @@ -17,25 +17,31 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "SampleAssetS3BucketE6B2908E" } 
@@ -50,11 +56,18 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "SampleAssetS3BucketE6B2908E" } @@ -88,7 +101,8 @@ } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyUserDefaultPolicy7B897426", "Users": [ diff --git a/packages/@aws-cdk/assets/test/integ.assets.file.lit.expected.json b/packages/@aws-cdk/assets/test/integ.assets.file.lit.expected.json index b53b099cece1c..c62111674435a 100644 --- a/packages/@aws-cdk/assets/test/integ.assets.file.lit.expected.json +++ b/packages/@aws-cdk/assets/test/integ.assets.file.lit.expected.json @@ -17,25 +17,31 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "SampleAssetS3BucketE6B2908E" } @@ -50,11 +56,18 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "SampleAssetS3BucketE6B2908E" } @@ -88,7 +101,8 @@ } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyUserDefaultPolicy7B897426", "Users": [ diff --git a/packages/@aws-cdk/assets/test/integ.assets.permissions.lit.expected.json b/packages/@aws-cdk/assets/test/integ.assets.permissions.lit.expected.json index 4fc59e2763e36..c39bebcc10145 100644 --- a/packages/@aws-cdk/assets/test/integ.assets.permissions.lit.expected.json +++ b/packages/@aws-cdk/assets/test/integ.assets.permissions.lit.expected.json 
@@ -17,25 +17,31 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "MyFileS3BucketACE13C36" } @@ -50,11 +56,18 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "MyFileS3BucketACE13C36" } @@ -88,7 +101,8 @@ } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyUserGroupDefaultPolicy50C5D742", "Groups": [ diff --git a/packages/@aws-cdk/assets/test/integ.assets.refs.lit.expected.json b/packages/@aws-cdk/assets/test/integ.assets.refs.lit.expected.json index c47937609d7b1..9539e0a25879a 100644 --- a/packages/@aws-cdk/assets/test/integ.assets.refs.lit.expected.json +++ b/packages/@aws-cdk/assets/test/integ.assets.refs.lit.expected.json @@ -61,7 +61,8 @@ "Fn::Join": [ "", [ - "https://s3.", + "https://", + "s3.", { "Ref": "AWS::Region" }, @@ -123,25 +124,31 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "SampleAssetS3BucketE6B2908E" } @@ -156,11 +163,18 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "SampleAssetS3BucketE6B2908E" } @@ -194,7 +208,8 @@ } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyUserDefaultPolicy7B897426", "Users": [ 
diff --git a/packages/@aws-cdk/assets/test/test.asset.ts b/packages/@aws-cdk/assets/test/test.asset.ts index 55b6cdb256d5f..b8b34de11f59a 100644 --- a/packages/@aws-cdk/assets/test/test.asset.ts +++ b/packages/@aws-cdk/assets/test/test.asset.ts @@ -71,17 +71,17 @@ export = { PolicyDocument: { Statement: [ { - Action: ["s3:GetBucket*", "s3:GetObject*", "s3:List*"], + Action: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"], Resource: [ - {"Fn::Join": ["", ["arn:", {Ref: "AWS::Partition"}, ":s3:::", {Ref: "MyAssetS3Bucket68C9B344"}]]}, + {"Fn::Join": ["", ["arn", ":", {Ref: "AWS::Partition"}, ":", "s3", ":", "", ":", "", ":", {Ref: "MyAssetS3Bucket68C9B344"}]]}, {"Fn::Join": [ "", [ - {"Fn::Join": ["", [ "arn:", {Ref: "AWS::Partition"}, ":s3:::", {Ref: "MyAssetS3Bucket68C9B344"}]]}, - "/", - {"Fn::Join": ["", [ - {"Fn::Select": [ - 0, - {"Fn::Split": [ "||", { Ref: "MyAssetS3VersionKey68E1A45D"}]} - ]}, + {"Fn::Join": ["", [ "arn", ":", {Ref: "AWS::Partition"}, ":", "s3", ":", "", ":", "", ":", {Ref: "MyAssetS3Bucket68C9B344"}]]}, + "/", + {"Fn::Join": ["", [ + {"Fn::Select": [ + 0, + {"Fn::Split": [ "||", { Ref: "MyAssetS3VersionKey68E1A45D"}]} + ]}, "*" ]]} ]]} diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.restapi.books.expected.json b/packages/@aws-cdk/aws-apigateway/test/integ.restapi.books.expected.json index bcce8cd4c2cca..93459c98efb7d 100644 --- a/packages/@aws-cdk/aws-apigateway/test/integ.restapi.books.expected.json +++ b/packages/@aws-cdk/aws-apigateway/test/integ.restapi.books.expected.json 
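Review bot: The lines `"/",`, `{"Fn::Join": ["", [`, `{"Fn::Select": [`, `0,` and `{"Fn::Split": [ "||", { Ref: "MyAssetS3VersionKey68E1A45D"}]}` inside the second `Resource` entry are removed and re-added with no visible content change, which looks like indentation-only churn from the revert; the collapsed view does not let me confirm it is purely whitespace. Keeping their original indentation would confine this hunk to the two substantive changes, the `Action` order and the per-component ARN `Fn::Join`. The assertion still pins the exact `Fn::Join` token list, and the resolved ARNs (`arn:<partition>:s3:::<bucket>` and `<bucket>/<key>*`) are the same on both sides. The enclosing test case starts and ends outside the hunk.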
@@ -4,27 +4,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -62,11 +72,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -107,11 +120,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -123,7 +139,8 @@ { "Ref": "booksapiE1885304" }, - "/test-invoke-stage/GET/books" + "/", + "test-invoke-stage/GET/books" ] ] } @@ -141,11 +158,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -186,11 +206,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -202,7 +225,8 @@ { "Ref": "booksapiE1885304" }, - "/test-invoke-stage/POST/books" + "/", + "test-invoke-stage/POST/books" ] ] } 
@@ -212,27 +236,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -270,11 +304,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -315,11 +352,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -331,7 +371,8 @@ { "Ref": "booksapiE1885304" }, - "/test-invoke-stage/GET/books/{book_id}" + "/", + "test-invoke-stage/GET/books/{book_id}" ] ] } @@ -349,11 +390,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -394,11 +438,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -410,7 +457,8 @@ { "Ref": "booksapiE1885304" }, - "/test-invoke-stage/DELETE/books/{book_id}" + "/", + "test-invoke-stage/DELETE/books/{book_id}" ] ] } 
@@ -420,27 +468,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -478,11 +536,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -523,11 +584,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -539,7 +603,8 @@ { "Ref": "booksapiE1885304" }, - "/test-invoke-stage/*/" + "/", + "test-invoke-stage/*/" ] ] } @@ -551,7 +616,7 @@ "Name": "books-api" } }, - "booksapiDeployment308B08F1f7b468f166aada3ba8cfaeb29858fe3b": { + "booksapiDeployment308B08F19d5655c7356bb9d23943b328416b2f5e": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { @@ -576,7 +641,7 @@ "Ref": "booksapiE1885304" }, "DeploymentId": { - "Ref": "booksapiDeployment308B08F1f7b468f166aada3ba8cfaeb29858fe3b" + "Ref": "booksapiDeployment308B08F19d5655c7356bb9d23943b328416b2f5e" }, "StageName": "prod" } 
@@ -585,27 +650,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AmazonAPIGatewayPushToCloudWatchLogs" ] ] } @@ -647,15 +722,22 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", @@ -710,15 +792,22 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", @@ -758,15 +847,22 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", @@ -818,15 +914,22 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", @@ -866,15 +969,22 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", 
diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.restapi.defaults.expected.json b/packages/@aws-cdk/aws-apigateway/test/integ.restapi.defaults.expected.json index baf99daf6d18a..4138766758c77 100644 --- a/packages/@aws-cdk/aws-apigateway/test/integ.restapi.defaults.expected.json +++ b/packages/@aws-cdk/aws-apigateway/test/integ.restapi.defaults.expected.json @@ -34,27 +34,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AmazonAPIGatewayPushToCloudWatchLogs" ] ] } diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.restapi.expected.json b/packages/@aws-cdk/aws-apigateway/test/integ.restapi.expected.json index 4ae9e999f79bc..24b0cedfd60d1 100644 --- a/packages/@aws-cdk/aws-apigateway/test/integ.restapi.expected.json +++ b/packages/@aws-cdk/aws-apigateway/test/integ.restapi.expected.json @@ -6,7 +6,7 @@ "Name": "my-api" } }, - "myapiDeployment92F2CB49b0e416d9836c2cb90a9e2244b6360281": { + "myapiDeployment92F2CB49f9d1ede876fcb76aa1d523f34f91d373": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { @@ -37,7 +37,7 @@ "CacheClusterEnabled": true, "CacheClusterSize": "0.5", "DeploymentId": { - "Ref": "myapiDeployment92F2CB49b0e416d9836c2cb90a9e2244b6360281" + "Ref": "myapiDeployment92F2CB49f9d1ede876fcb76aa1d523f34f91d373" }, "Description": "beta stage", "MethodSettings": [ 
@@ -60,27 +60,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AmazonAPIGatewayPushToCloudWatchLogs" ] ] } @@ -146,15 +156,22 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", @@ -266,15 +283,22 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", @@ -314,15 +338,22 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", @@ -348,27 +379,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } 
@@ -406,11 +447,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -451,11 +495,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -467,7 +514,8 @@ { "Ref": "myapi4C7BF186" }, - "/test-invoke-stage/GET/v1/toys" + "/", + "test-invoke-stage/GET/v1/toys" ] ] } @@ -485,11 +533,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -530,11 +581,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -546,7 +600,8 @@ { "Ref": "myapi4C7BF186" }, - "/test-invoke-stage/GET/v1/books" + "/", + "test-invoke-stage/GET/v1/books" ] ] } @@ -564,11 +619,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -609,11 +667,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { "Ref": "AWS::Region" }, @@ -625,7 +686,8 @@ { "Ref": "myapi4C7BF186" }, - "/test-invoke-stage/POST/v1/books" + "/", + "test-invoke-stage/POST/v1/books" ] ] } diff --git a/packages/@aws-cdk/aws-apigateway/test/test.lambda-api.ts b/packages/@aws-cdk/aws-apigateway/test/test.lambda-api.ts index 7a355f063ad2b..2c9ebfb2f21a8 100644 --- a/packages/@aws-cdk/aws-apigateway/test/test.lambda-api.ts +++ b/packages/@aws-cdk/aws-apigateway/test/test.lambda-api.ts @@ -41,15 +41,22 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { "Ref": "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", 
@@ -156,4 +163,4 @@ export = { test.done(); } -}; +}; \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/test.lambda.ts b/packages/@aws-cdk/aws-apigateway/test/test.lambda.ts index 27efe7cbb20eb..8c2c9b8588fc0 100644 --- a/packages/@aws-cdk/aws-apigateway/test/test.lambda.ts +++ b/packages/@aws-cdk/aws-apigateway/test/test.lambda.ts @@ -28,15 +28,22 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { Ref: "AWS::Partition" }, - ":apigateway:", + ":", + "apigateway", + ":", { Ref: "AWS::Region" }, - ":lambda:path/", + ":", + "lambda", + ":", + "path", + "/", { "Fn::Join": [ "", @@ -81,7 +88,7 @@ export = { "Fn::Join": [ "", [ - "arn:", { Ref: "AWS::Partition" }, ":execute-api:", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, ":", + "arn", ":", { Ref: "AWS::Partition" }, ":", "execute-api", ":", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, ":", { Ref: "apiC8550315" }, "/", { "Fn::Join": [ "", [ { Ref: "apiDeploymentStageprod896C8101" }, "/GET/" ] ] } ] ] @@ -93,15 +100,19 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { Ref: "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, ":", { Ref: "apiC8550315" }, - "/test-invoke-stage/GET/" + "/", + "test-invoke-stage/GET/" ] ] } @@ -154,15 +165,18 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", ":", { Ref: "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, ":", { Ref: "testapiD6451F70" }, - "/test-invoke-stage/*/" + "/", + "test-invoke-stage/*/" ] ] } @@ -173,11 +187,14 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { Ref: "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { Ref: "AWS::Region" }, diff --git a/packages/@aws-cdk/aws-apigateway/test/test.method.ts b/packages/@aws-cdk/aws-apigateway/test/test.method.ts index d0613c4fba303..031d4f748741a 100644 
--- a/packages/@aws-cdk/aws-apigateway/test/test.method.ts +++ b/packages/@aws-cdk/aws-apigateway/test/test.method.ts @@ -78,8 +78,8 @@ export = { "Fn::Join": [ "", [ - "arn:", { Ref: "AWS::Partition" }, ":apigateway:", - { Ref: "AWS::Region" }, ":s3:path/bucket/key" + "arn", ":", { Ref: "AWS::Partition" }, ":", "apigateway", ":", + { Ref: "AWS::Region" }, ":", "s3", ":", "path", "/", "bucket/key" ] ] } @@ -133,9 +133,12 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { Ref: "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, @@ -166,15 +169,19 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { Ref: "AWS::Partition" }, - ":execute-api:", + ":", + "execute-api", + ":", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, ":", { Ref: "testapiD6451F70" }, - "/test-invoke-stage/POST/" + "/", + "test-invoke-stage/POST/" ] ] }); @@ -234,7 +241,7 @@ export = { // THEN expect(stack).to(haveResource('AWS::ApiGateway::Method', { Integration: { - Credentials: { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::*:user/*" ] ] } + Credentials: { "Fn::Join": [ "", [ "arn", ":", { Ref: "AWS::Partition" }, ":", "iam", ":", "", ":", "*", ":", "user", "/", "*" ] ] } } })); test.done(); diff --git a/packages/@aws-cdk/aws-apigateway/test/test.restapi.ts b/packages/@aws-cdk/aws-apigateway/test/test.restapi.ts index d835e6ea3381f..c27a4dc00efff 100644 --- a/packages/@aws-cdk/aws-apigateway/test/test.restapi.ts +++ b/packages/@aws-cdk/aws-apigateway/test/test.restapi.ts @@ -85,11 +85,21 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { Ref: "AWS::Partition" }, - ":iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AmazonAPIGatewayPushToCloudWatchLogs" ] ] } 
@@ -459,15 +469,19 @@ export = { // THEN test.deepEqual(cdk.resolve(arn), { 'Fn::Join': [ '', - [ 'arn:', + [ 'arn', + ':', { Ref: 'AWS::Partition' }, - ':execute-api:', + ':', + 'execute-api', + ':', { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, ':', { Ref: 'apiC8550315' }, - '/stage/method/path' ] ] }); + '/', + 'stage/method/path' ] ] }); test.done(); }, @@ -492,9 +506,12 @@ export = { // THEN test.deepEqual(cdk.resolve(method.methodArn), { 'Fn::Join': [ '', - [ 'arn:', + [ 'arn', + ':', { Ref: 'AWS::Partition' }, - ':execute-api:', + ':', + 'execute-api', + ':', { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, diff --git a/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts b/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts index 1c6272bb1eab0..776d3fa694afa 100644 --- a/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts +++ b/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts 
@@ -262,14 +262,15 @@ export class PipelineCreateReplaceChangeSetAction extends PipelineCloudFormation } const stackArn = stackArnFromName(props.stackName); - // Allow the pipeline to check for Stack & ChangeSet existence, and to create & delete the specified ChangeSet + // Allow the pipeline to check for Stack & ChangeSet existence props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement() - .addActions('cloudformation:CreateChangeSet', - 'cloudformation:DeleteChangeSet', - 'cloudformation:DescribeChangeSet', - 'cloudformation:DescribeStacks') + .addAction('cloudformation:DescribeStacks') + .addResource(stackArn)); + // Allow the pipeline to create & delete the specified ChangeSet + props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement() + .addActions('cloudformation:CreateChangeSet', 'cloudformation:DeleteChangeSet', 'cloudformation:DescribeChangeSet') .addResource(stackArn) - .addCondition('StringEqualsIfExists', { 'cloudformation:ChangeSetName': props.changeSetName })); + .addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName })); } } diff --git a/packages/@aws-cdk/aws-cloudformation/package-lock.json b/packages/@aws-cdk/aws-cloudformation/package-lock.json index ae3a3501eeb94..c03ee11b008f0 100644 --- a/packages/@aws-cdk/aws-cloudformation/package-lock.json +++ b/packages/@aws-cdk/aws-cloudformation/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/aws-cloudformation", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/aws-cloudformation/test/integ.trivial-lambda-resource.expected.json b/packages/@aws-cdk/aws-cloudformation/test/integ.trivial-lambda-resource.expected.json index 6c7e7c3cfb885..5b543d5de14b5 100644 --- a/packages/@aws-cdk/aws-cloudformation/test/integ.trivial-lambda-resource.expected.json +++ b/packages/@aws-cdk/aws-cloudformation/test/integ.trivial-lambda-resource.expected.json 
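Review bot: The restored split into two `addToPolicy` statements is what allows the condition to go back to `StringEquals`, but neither comment records that dependency, so a later "cleanup" that merges the statements again would silently deny `cloudformation:DescribeStacks` (a request without the `cloudformation:ChangeSetName` key fails a plain `StringEquals` condition). Suggest extending the first comment to `// Allow the pipeline to check for Stack existence (kept separate: DescribeStacks carries no ChangeSetName key, so it cannot share the StringEquals condition below)` so the shape is documented where it matters. The tightening from `StringEqualsIfExists` to `StringEquals` is also worth a note on the second statement, since it is the least-privilege behaviour the revert restores. The enclosing method starts outside the hunk.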
@@ -16,27 +16,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } diff --git a/packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts b/packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts index dc7efdfe79e8f..2b7efef528937 100644 --- a/packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts +++ b/packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts @@ -22,7 +22,7 @@ export = nodeunit.testCase({ _assertPermissionGranted(test, pipelineRole.statements, 'iam:PassRole', action.role.roleArn); const stackArn = _stackArn('MyStack'); - const changeSetCondition = { StringEqualsIfExists: { 'cloudformation:ChangeSetName': 'MyChangeSet' } }; + const changeSetCondition = { StringEquals: { 'cloudformation:ChangeSetName': 'MyChangeSet' } }; _assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:DescribeStacks', stackArn); _assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:DescribeChangeSet', stackArn, changeSetCondition); _assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:CreateChangeSet', stackArn, changeSetCondition); diff --git a/packages/@aws-cdk/aws-cloudformation/test/test.resource.ts b/packages/@aws-cdk/aws-cloudformation/test/test.resource.ts index af607cfcca50a..e460dce095f8e 100644 --- a/packages/@aws-cdk/aws-cloudformation/test/test.resource.ts +++ b/packages/@aws-cdk/aws-cloudformation/test/test.resource.ts 
@@ -36,8 +36,8 @@ export = { }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ]} + "arn", ":", { "Ref": "AWS::Partition" }, ":", "iam", ":", "", ":", "aws", ":", "policy", "/", + "service-role/AWSLambdaBasicExecutionRole" ] ]} ] } }, diff --git a/packages/@aws-cdk/aws-cloudfront/package-lock.json b/packages/@aws-cdk/aws-cloudfront/package-lock.json index 24a1523f21939..db740ad53299a 100644 --- a/packages/@aws-cdk/aws-cloudfront/package-lock.json +++ b/packages/@aws-cdk/aws-cloudfront/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/aws-cloudfront", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/aws-cloudtrail/package-lock.json b/packages/@aws-cdk/aws-cloudtrail/package-lock.json index 913fc60318de7..0a3e1cb7ad1f6 100644 --- a/packages/@aws-cdk/aws-cloudtrail/package-lock.json +++ b/packages/@aws-cdk/aws-cloudtrail/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/aws-cloudtrail", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/aws-codebuild/package-lock.json b/packages/@aws-cdk/aws-codebuild/package-lock.json index 53970f847b8c8..871a46b18dedd 100644 --- a/packages/@aws-cdk/aws-codebuild/package-lock.json +++ b/packages/@aws-cdk/aws-codebuild/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/aws-codebuild", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.caching.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.caching.expected.json index 745b1472e8b5e..42e04c47317a6 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.caching.expected.json +++ b/packages/@aws-cdk/aws-codebuild/test/integ.caching.expected.json 
@@ -7,16 +7,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -24,18 +24,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -53,29 +52,33 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -83,7 +86,9 @@ { "Ref": "AWS::AccountId" }, - ":log-group:", + ":", + "log-group", + ":", { "Fn::Join": [ "", @@ -102,11 +107,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -114,9 +122,19 @@ { "Ref": "AWS::AccountId" }, - ":log-group:/aws/codebuild/", + ":", + "log-group", + ":", { - "Ref": "MyProject39F7B0AE" + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] + ] }, ":*" ] @@ -124,7 +142,8 @@ } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", "Roles": [ diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.project-bucket.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.project-bucket.expected.json index 633d6f1c279f2..6133bf2f84897 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.project-bucket.expected.json 
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.project-bucket.expected.json @@ -7,16 +7,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -24,15 +24,14 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -50,29 +49,33 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -80,7 +83,9 @@ { "Ref": "AWS::AccountId" }, - ":log-group:", + ":", + "log-group", + ":", { "Fn::Join": [ "", @@ -99,11 +104,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -111,9 +119,19 @@ { "Ref": "AWS::AccountId" }, - ":log-group:/aws/codebuild/", + ":", + "log-group", + ":", { - "Ref": "MyProject39F7B0AE" + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] + ] }, ":*" ] @@ -121,7 +139,8 @@ } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", "Roles": [ @@ -157,7 +176,8 @@ { "Ref": "MyBucketF68F3FF0" }, - "/path/to/my/source.zip" + "/", + "path/to/my/source.zip" ] ] }, diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.project-events.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.project-events.expected.json index 909e427b4887a..efb9d2ba2fe5e 100644 
--- a/packages/@aws-cdk/aws-codebuild/test/integ.project-events.expected.json +++ b/packages/@aws-cdk/aws-codebuild/test/integ.project-events.expected.json @@ -71,16 +71,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -88,11 +88,10 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "codecommit:GitPull", + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyRepoF4F48043", @@ -101,22 +100,25 @@ } }, { - "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -124,7 +126,9 @@ { "Ref": "AWS::AccountId" }, - ":log-group:", + ":", + "log-group", + ":", { "Fn::Join": [ "", @@ -143,11 +147,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -155,9 +162,19 @@ { "Ref": "AWS::AccountId" }, - ":log-group:/aws/codebuild/", + ":", + "log-group", + ":", { - "Ref": "MyProject39F7B0AE" + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] + ] }, ":*" ] @@ -165,7 +182,8 @@ } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", "Roles": [ @@ -272,16 +290,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, 
@@ -289,11 +307,10 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "codebuild:StartBuild", + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyProject39F7B0AE", @@ -301,7 +318,8 @@ ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyProjectEventsRoleDefaultPolicy397DCBF8", "Roles": [ @@ -328,20 +346,20 @@ "Type": "AWS::SNS::TopicPolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", - "Sid": "0", "Action": "sns:Publish", + "Effect": "Allow", + "Principal": { + "Service": "events.amazonaws.com" + }, "Resource": { "Ref": "MyTopic86869434" }, - "Principal": { - "Service": "events.amazonaws.com" - } + "Sid": "0" } - ] + ], + "Version": "2012-10-17" }, "Topics": [ { diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.project-shell.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.project-shell.expected.json index 45b5182e7bb79..dc13039e82083 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.project-shell.expected.json +++ b/packages/@aws-cdk/aws-codebuild/test/integ.project-shell.expected.json @@ -14,16 +14,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -31,25 +31,31 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "BundleS3Bucket0EFC11B0" } 
@@ -64,11 +70,18 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Ref": "BundleS3Bucket0EFC11B0" } @@ -103,22 +116,25 @@ ] }, { - "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -126,7 +142,9 @@ { "Ref": "AWS::AccountId" }, - ":log-group:", + ":", + "log-group", + ":", { "Fn::Join": [ "", @@ -145,11 +163,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -157,9 +178,19 @@ { "Ref": "AWS::AccountId" }, - ":log-group:/aws/codebuild/", + ":", + "log-group", + ":", { - "Ref": "MyProject39F7B0AE" + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] + ] }, ":*" ] @@ -167,7 +198,8 @@ } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", "Roles": [ diff --git a/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts b/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts index 5d40d3119a5df..ceb14b97ac873 100644 --- a/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts +++ b/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts 
@@ -19,128 +19,146 @@ export = { expect(stack).toMatch({ "Resources": { - "MyProjectRole9BBE5233": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ] + "MyProjectRole9BBE5233": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codebuild.amazonaws.com" } } - }, - "MyProjectRoleDefaultPolicyB19B7C29": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + ], + "Version": "2012-10-17" + } + } + }, + "MyProjectRoleDefaultPolicyB19B7C29": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ { - "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:", - { - "Fn::Join": [ - "", - [ - "/aws/codebuild/", - { - "Ref": "MyProject39F7B0AE" - } - ] - ] - } + "Fn::Join": [ + "", + [ + "arn", + ":", + { + "Ref": "AWS::Partition" + }, + ":", + "logs", + ":", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + "log-group", + ":", + { + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "MyProject39F7B0AE" - }, 
- ":*" + } + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn", + ":", + { + "Ref": "AWS::Partition" + }, + ":", + "logs", + ":", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + "log-group", + ":", + { + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] ] - ] - } + }, + ":*" + ] ] } ] - }, - "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", - "Roles": [ - { - "Ref": "MyProjectRole9BBE5233" - } - ] - } - }, - "MyProject39F7B0AE": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/ubuntu-base:14.04", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "MyProjectRole9BBE5233", - "Arn" - ] - }, - "Source": { - "Type": "CODEPIPELINE" } + ], + "Version": "2012-10-17" + }, + "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", + "Roles": [ + { + "Ref": "MyProjectRole9BBE5233" } + ] + } + }, + "MyProject39F7B0AE": { + "Type": "AWS::CodeBuild::Project", + "Properties": { + "Source": { + "Type": "CODEPIPELINE" + }, + "Artifacts": { + "Type": "CODEPIPELINE" + }, + "ServiceRole": { + "Fn::GetAtt": [ + "MyProjectRole9BBE5233", + "Arn" + ] + }, + "Environment": { + "Type": "LINUX_CONTAINER", + "PrivilegedMode": false, + "Image": "aws/codebuild/ubuntu-base:14.04", + "ComputeType": "BUILD_GENERAL1_SMALL" + } } } + } }); test.done(); 
@@ -158,151 +176,169 @@ export = { expect(stack).toMatch({ "Resources": { - "MyRepoF4F48043": { - "Type": "AWS::CodeCommit::Repository", - "Properties": { - "RepositoryName": "hello-cdk", - "Triggers": [] + "MyRepoF4F48043": { + "Type": "AWS::CodeCommit::Repository", + "Properties": { + "RepositoryName": "hello-cdk", + "Triggers": [] + } + }, + "MyProjectRole9BBE5233": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codebuild.amazonaws.com" + } } - }, - "MyProjectRole9BBE5233": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + ], + "Version": "2012-10-17" + } + } + }, + "MyProjectRoleDefaultPolicyB19B7C29": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "codecommit:GitPull", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyRepoF4F48043", + "Arn" + ] + } + }, + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn", + ":", + { + "Ref": "AWS::Partition" + }, + ":", + "logs", + ":", + { + "Ref": "AWS::Region" + }, + ":", { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "codebuild.amazonaws.com" + "Ref": "AWS::AccountId" + }, + ":", + "log-group", + ":", + { + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" } + ] + ] } ] - } - } - }, - "MyProjectRoleDefaultPolicyB19B7C29": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + ] + }, + { + "Fn::Join": [ + "", + [ + "arn", + ":", { - "Effect": "Allow", - "Action": "codecommit:GitPull", - "Resource": { - "Fn::GetAtt": [ - "MyRepoF4F48043", - "Arn" - ] - } + "Ref": "AWS::Partition" }, + ":", + "logs", + ":", { 
- "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:", - { - "Fn::Join": [ - "", - [ - "/aws/codebuild/", - { - "Ref": "MyProject39F7B0AE" - } - ] - ] - } - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "MyProject39F7B0AE" - }, - ":*" - ] - ] - } + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + "log-group", + ":", + { + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } ] - } + ] + }, + ":*" ] - }, - "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", - "Roles": [ - { - "Ref": "MyProjectRole9BBE5233" - } + ] + } ] } + ], + "Version": "2012-10-17" }, - "MyProject39F7B0AE": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "NO_ARTIFACTS" - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/ubuntu-base:14.04", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "MyProjectRole9BBE5233", - "Arn" - ] - }, - "Source": { - "Location": { - "Fn::GetAtt": [ - "MyRepoF4F48043", - "CloneUrlHttp" - ] - }, - "Type": "CODECOMMIT" - } + "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", + "Roles": [ + { + "Ref": "MyProjectRole9BBE5233" } + ] + } + }, + "MyProject39F7B0AE": { + "Type": "AWS::CodeBuild::Project", + "Properties": { + "Artifacts": { + "Type": "NO_ARTIFACTS" + }, + "Environment": { + "ComputeType": "BUILD_GENERAL1_SMALL", + "Image": "aws/codebuild/ubuntu-base:14.04", + "PrivilegedMode": false, + "Type": "LINUX_CONTAINER" + }, + "ServiceRole": { + "Fn::GetAtt": [ + 
"MyProjectRole9BBE5233", + "Arn" + ] + }, + "Source": { + "Location": { + "Fn::GetAtt": [ + "MyRepoF4F48043", + "CloneUrlHttp" + ] + }, + "Type": "CODECOMMIT" + } } } + } }); test.done(); }, 
@@ -319,171 +355,191 @@ export = { expect(stack).toMatch({ "Resources": { - "MyBucketF68F3FF0": { - "Type": "AWS::S3::Bucket" - }, - "MyProjectRole9BBE5233": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + "MyBucketF68F3FF0": { + "Type": "AWS::S3::Bucket" + }, + "MyProjectRole9BBE5233": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codebuild.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "MyProjectRoleDefaultPolicyB19B7C29": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "MyBucketF68F3FF0", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } + "Fn::GetAtt": [ + "MyBucketF68F3FF0", + "Arn" + ] + }, + "/", + "*" + ] ] } - } - }, - "MyProjectRoleDefaultPolicyB19B7C29": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + ] + }, + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn", + ":", { - "Effect": "Allow", - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Resource": [ - { - "Fn::GetAtt": [ - "MyBucketF68F3FF0", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "MyBucketF68F3FF0", - "Arn" - ] - }, - "/*" - ] - ] - } - ] + "Ref": "AWS::Partition" }, + ":", + "logs", + ":", { - "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - { - "Fn::Join": [ - "", 
- [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:", - { - "Fn::Join": [ - "", - [ - "/aws/codebuild/", - { - "Ref": "MyProject39F7B0AE" - } - ] - ] - } - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "MyProject39F7B0AE" - }, - ":*" - ] - ] - } + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + "log-group", + ":", + { + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } ] + ] } ] - }, - "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", - "Roles": [ - { - "Ref": "MyProjectRole9BBE5233" - } - ] - } - }, - "MyProject39F7B0AE": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "NO_ARTIFACTS" - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_MEDIUM", - "Image": "aws/codebuild/windows-base:1.0", - "PrivilegedMode": false, - "Type": "WINDOWS_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "MyProjectRole9BBE5233", - "Arn" ] }, - "Source": { - "Location": { + { + "Fn::Join": [ + "", + [ + "arn", + ":", + { + "Ref": "AWS::Partition" + }, + ":", + "logs", + ":", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + "log-group", + ":", + { "Fn::Join": [ "", [ - { - "Ref": "MyBucketF68F3FF0" - }, - "/path/to/source.zip" + "/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } ] ] - }, - "Type": "S3" + }, + ":*" + ] + ] } + ] } + ], + "Version": "2012-10-17" + }, + "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", + "Roles": [ + { + "Ref": "MyProjectRole9BBE5233" + } + ] } + }, + "MyProject39F7B0AE": { + "Type": "AWS::CodeBuild::Project", + "Properties": { + "Artifacts": { + "Type": "NO_ARTIFACTS" + }, + "Environment": { + "ComputeType": "BUILD_GENERAL1_MEDIUM", + "Image": 
"aws/codebuild/windows-base:1.0", + "PrivilegedMode": false, + "Type": "WINDOWS_CONTAINER" + }, + "ServiceRole": { + "Fn::GetAtt": [ + "MyProjectRole9BBE5233", + "Arn" + ] + }, + "Source": { + "Location": { + "Fn::Join": [ + "", + [ + { + "Ref": "MyBucketF68F3FF0" + }, + "/", + "path/to/source.zip" + ] + ] + }, + "Type": "S3" + } + } + } } }); test.done(); @@ -732,7 +788,15 @@ export = { }, { "Type": "PARAMETER_STORE", - "Value": "111222", + "Value": { + "Fn::Join": [ + "", + [ + "111", + "222" + ] + ] + }, "Name": "BAR" }, { diff --git a/packages/@aws-cdk/aws-codecommit/package-lock.json b/packages/@aws-cdk/aws-codecommit/package-lock.json index d0b7f414abfd1..6e021f7e804e3 100644 --- a/packages/@aws-cdk/aws-codecommit/package-lock.json +++ b/packages/@aws-cdk/aws-codecommit/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/aws-codecommit", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/aws-codedeploy/test/integ.deployment-group.expected.json b/packages/@aws-cdk/aws-codedeploy/test/integ.deployment-group.expected.json index c318b9b63782e..78d6d61b60339 100644 --- a/packages/@aws-cdk/aws-codedeploy/test/integ.deployment-group.expected.json +++ b/packages/@aws-cdk/aws-codedeploy/test/integ.deployment-group.expected.json @@ -468,16 +468,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, 
@@ -485,25 +485,31 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Fn::Join": [ "", @@ -526,11 +532,18 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":s3:::", + ":", + "s3", + ":", + "", + ":", + "", + ":", { "Fn::Join": [ "", @@ -545,13 +558,15 @@ ] ] }, - "/latest/*" + "/", + "latest/*" ] ] } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "ASGInstanceRoleDefaultPolicy7636D8BF", "Roles": [ @@ -719,16 +734,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codedeploy.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole" diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.cfn-template-from-repo.lit.expected.json b/packages/@aws-cdk/aws-codepipeline/test/integ.cfn-template-from-repo.lit.expected.json index 768f7a798ca0a..44c5ab51b6830 100644 --- a/packages/@aws-cdk/aws-codepipeline/test/integ.cfn-template-from-repo.lit.expected.json +++ b/packages/@aws-cdk/aws-codepipeline/test/integ.cfn-template-from-repo.lit.expected.json @@ -8,16 +8,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, 
@@ -25,18 +25,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -54,21 +53,22 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": [ - "codecommit:CancelUploadArchive", "codecommit:GetBranch", "codecommit:GetCommit", + "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", - "codecommit:UploadArchive" + "codecommit:CancelUploadArchive" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "TemplateRepo2326F199", @@ -77,8 +77,8 @@ } }, { - "Effect": "Allow", "Action": "iam:PassRole", + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "PipelineDeployPrepareChangesRoleD28C853C", @@ -87,22 +87,20 @@ } }, { + "Action": "cloudformation:DescribeStacks", "Effect": "Allow", - "Action": [ - "cloudformation:CreateChangeSet", - "cloudformation:DeleteChangeSet", - "cloudformation:DescribeChangeSet", - "cloudformation:DescribeStacks" - ], "Resource": { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":cloudformation:", + ":", + "cloudformation", + ":", { "Ref": "AWS::Region" }, 
@@ -110,28 +108,38 @@ { "Ref": "AWS::AccountId" }, - ":stack/OurStack/*" + ":", + "stack", + "/", + "OurStack/*" ] ] - }, - "Condition": { - "StringEqualsIfExists": { - "cloudformation:ChangeSetName": "StagedChangeSet" - } } }, { + "Action": [ + "cloudformation:CreateChangeSet", + "cloudformation:DeleteChangeSet", + "cloudformation:DescribeChangeSet" + ], + "Condition": { + "StringEquals": { + "cloudformation:ChangeSetName": "StagedChangeSet" + } + }, "Effect": "Allow", - "Action": "cloudformation:ExecuteChangeSet", "Resource": { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":cloudformation:", + ":", + "cloudformation", + ":", { "Ref": "AWS::Region" }, @@ -139,17 +147,51 @@ { "Ref": "AWS::AccountId" }, - ":stack/OurStack/*" + ":", + "stack", + "/", + "OurStack/*" ] ] - }, + } + }, + { + "Action": "cloudformation:ExecuteChangeSet", "Condition": { "StringEquals": { "cloudformation:ChangeSetName": "StagedChangeSet" } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn", + ":", + { + "Ref": "AWS::Partition" + }, + ":", + "cloudformation", + ":", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + "stack", + "/", + "OurStack/*" + ] + ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "PipelineRoleDefaultPolicyC7A05455", "Roles": [ @@ -280,16 +322,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "cloudformation.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -297,14 +339,14 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "*", + "Effect": "Allow", "Resource": "*" } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "PipelineDeployPrepareChangesRoleDefaultPolicy8CDCCD73", "Roles": [ 
diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.lambda-pipeline.expected.json b/packages/@aws-cdk/aws-codepipeline/test/integ.lambda-pipeline.expected.json index 3f55ac2a23f86..47a30bf5f1139 100644 --- a/packages/@aws-cdk/aws-codepipeline/test/integ.lambda-pipeline.expected.json +++ b/packages/@aws-cdk/aws-codepipeline/test/integ.lambda-pipeline.expected.json @@ -8,16 +8,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -25,18 +25,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -44,12 +43,6 @@ "Arn" ] }, - { - "Fn::GetAtt": [ - "PipelineBucketB967BD35", - "Arn" - ] - }, { "Fn::Join": [ "", @@ -60,9 +53,26 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] + } + ] + }, + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineBucketB967BD35", + "Arn" + ] }, { "Fn::Join": [ @@ -74,20 +84,21 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": "lambda:ListFunctions", + "Effect": "Allow", "Resource": "*" }, { - "Effect": "Allow", "Action": "lambda:InvokeFunction", + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "LambdaFun98622869", @@ -95,7 +106,8 @@ ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "PipelineRoleDefaultPolicyC7A05455", "Roles": [ 
@@ -190,27 +202,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -221,17 +243,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "codepipeline:PutJobFailureResult", - "codepipeline:PutJobSuccessResult" + "codepipeline:PutJobSuccessResult", + "codepipeline:PutJobFailureResult" ], + "Effect": "Allow", "Resource": "*" } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "LambdaFunServiceRoleDefaultPolicy217FED83", "Roles": [ diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-cfn.expected.json b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-cfn.expected.json index 3a268e390f54a..7c61e17478119 100644 --- a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-cfn.expected.json +++ b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-cfn.expected.json @@ -8,16 +8,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, 
@@ -25,18 +25,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -44,12 +43,6 @@ "Arn" ] }, - { - "Fn::GetAtt": [ - "PipelineBucketB967BD35", - "Arn" - ] - }, { "Fn::Join": [ "", @@ -60,9 +53,26 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] + } + ] + }, + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineBucketB967BD35", + "Arn" + ] }, { "Fn::Join": [ @@ -74,15 +84,16 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": "iam:PassRole", + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CfnChangeSetRole6F05F6FC", @@ -91,22 +102,59 @@ } }, { + "Action": "cloudformation:DescribeStacks", "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn", + ":", + { + "Ref": "AWS::Partition" + }, + ":", + "cloudformation", + ":", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + "stack", + "/", + "IntegTest-TestActionStack/*" + ] + ] + } + }, + { "Action": [ "cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet", - "cloudformation:DescribeChangeSet", - "cloudformation:DescribeStacks" + "cloudformation:DescribeChangeSet" ], + "Condition": { + "StringEquals": { + "cloudformation:ChangeSetName": "ChangeSetIntegTest" + } + }, + "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":cloudformation:", + ":", + "cloudformation", + ":", { "Ref": "AWS::Region" }, 
@@ -114,17 +162,16 @@ { "Ref": "AWS::AccountId" }, - ":stack/IntegTest-TestActionStack/*" + ":", + "stack", + "/", + "IntegTest-TestActionStack/*" ] ] - }, - "Condition": { - "StringEqualsIfExists": { - "cloudformation:ChangeSetName": "ChangeSetIntegTest" - } } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "PipelineRoleDefaultPolicyC7A05455", "Roles": [ @@ -230,16 +277,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "cloudformation.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } } diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-commit-build.expected.json b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-commit-build.expected.json index f7dee296300d3..f8b7694208759 100644 --- a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-commit-build.expected.json +++ b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-commit-build.expected.json @@ -15,16 +15,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -32,18 +32,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ 
@@ -61,21 +60,22 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": [ - "codecommit:CancelUploadArchive", "codecommit:GetBranch", "codecommit:GetCommit", + "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", - "codecommit:UploadArchive" + "codecommit:CancelUploadArchive" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyRepoF4F48043", @@ -84,12 +84,12 @@ } }, { - "Effect": "Allow", "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyBuildProject30DB9D6E", @@ -97,7 +97,8 @@ ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "PipelineRoleDefaultPolicyC7A05455", "Roles": [ @@ -195,16 +196,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -212,25 +213,27 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -238,7 +241,9 @@ { "Ref": "AWS::AccountId" }, - ":log-group:", + ":", + "log-group", + ":", { "Fn::Join": [ "", @@ -257,11 +262,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -269,9 +277,19 @@ { "Ref": "AWS::AccountId" }, - ":log-group:/aws/codebuild/", + ":", + "log-group", + ":", { - "Ref": "MyBuildProject30DB9D6E" + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "MyBuildProject30DB9D6E" + } + ] + ] }, ":*" ] 
@@ -280,15 +298,15 @@ ] }, { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -306,13 +324,15 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyBuildProjectRoleDefaultPolicy5604AA87", "Roles": [ diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-commit.expected.json b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-commit.expected.json index 01654fea99ec8..36b68b9f5b721 100644 --- a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-commit.expected.json +++ b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-commit.expected.json @@ -15,16 +15,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -32,18 +32,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -61,21 +60,22 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": [ - "codecommit:CancelUploadArchive", "codecommit:GetBranch", "codecommit:GetCommit", + "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", - "codecommit:UploadArchive" + "codecommit:CancelUploadArchive" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyRepoF4F48043", 
@@ -83,7 +83,8 @@ ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "PipelineRoleDefaultPolicyC7A05455", "Roles": [ diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-deploy.expected.json b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-deploy.expected.json index 2c7caa6bf0d79..6d331d9f379e3 100644 --- a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-deploy.expected.json +++ b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-code-deploy.expected.json @@ -20,16 +20,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codedeploy.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole" @@ -72,16 +72,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -89,18 +89,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ 
@@ -118,27 +117,62 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "CodeDeployPipelineIntegTest9F618D61", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CodeDeployPipelineIntegTest9F618D61", + "Arn" + ] + }, + "/", + "*" + ] + ] + } + ] + }, + { "Action": [ "codedeploy:GetApplicationRevision", "codedeploy:RegisterApplicationRevision" ], + "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":codedeploy:", + ":", + "codedeploy", + ":", { "Ref": "AWS::Region" }, @@ -146,26 +180,32 @@ { "Ref": "AWS::AccountId" }, - ":application:IntegTestDeployApp" + ":", + "application", + ":", + "IntegTestDeployApp" ] ] } }, { - "Effect": "Allow", "Action": [ "codedeploy:CreateDeployment", "codedeploy:GetDeployment" ], + "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":codedeploy:", + ":", + "codedeploy", + ":", { "Ref": "AWS::Region" }, @@ -173,23 +213,29 @@ { "Ref": "AWS::AccountId" }, - ":deploymentgroup:IntegTestDeployApp/IntegTestDeploymentGroup" + ":", + "deploymentgroup", + ":", + "IntegTestDeployApp/IntegTestDeploymentGroup" ] ] } }, { - "Effect": "Allow", "Action": "codedeploy:GetDeploymentConfig", + "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":codedeploy:", + ":", + "codedeploy", + ":", { "Ref": "AWS::Region" }, @@ -197,12 +243,16 @@ { "Ref": "AWS::AccountId" }, - ":deploymentconfig:*" + ":", + "deploymentconfig", + ":", + "*" ] ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "PipelineRoleDefaultPolicyC7A05455", "Roles": [ diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-events.expected.json b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-events.expected.json index c56c60bed6d17..71f870df83040 100644 
--- a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-events.expected.json +++ b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-events.expected.json @@ -8,16 +8,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -25,18 +25,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -54,21 +53,22 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": [ - "codecommit:CancelUploadArchive", "codecommit:GetBranch", "codecommit:GetCommit", + "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", - "codecommit:UploadArchive" + "codecommit:CancelUploadArchive" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CodeCommitRepoDC6A41F9", @@ -77,12 +77,12 @@ } }, { - "Effect": "Allow", "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "BuildProject097C5DB7", @@ -90,7 +90,8 @@ ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyPipelineRoleDefaultPolicy34F09EFA", "Roles": [ @@ -199,11 +200,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":codepipeline:", + ":", + "codepipeline", + ":", { "Ref": "AWS::Region" }, @@ -253,11 +257,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":codepipeline:", + ":", + "codepipeline", + ":", { "Ref": "AWS::Region" }, 
@@ -305,11 +312,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":codepipeline:", + ":", + "codepipeline", + ":", { "Ref": "AWS::Region" }, @@ -359,16 +369,16 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" } } }, @@ -376,25 +386,27 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], + "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -402,7 +414,9 @@ { "Ref": "AWS::AccountId" }, - ":log-group:", + ":", + "log-group", + ":", { "Fn::Join": [ "", @@ -421,11 +435,14 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":logs:", + ":", + "logs", + ":", { "Ref": "AWS::Region" }, @@ -433,9 +450,19 @@ { "Ref": "AWS::AccountId" }, - ":log-group:/aws/codebuild/", + ":", + "log-group", + ":", { - "Ref": "BuildProject097C5DB7" + "Fn::Join": [ + "", + [ + "/aws/codebuild/", + { + "Ref": "BuildProject097C5DB7" + } + ] + ] }, ":*" ] @@ -444,15 +471,15 @@ ] }, { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -470,13 +497,15 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "BuildProjectRoleDefaultPolicy3E9F248C", "Roles": [ 
@@ -516,20 +545,20 @@ "Type": "AWS::SNS::TopicPolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", - "Sid": "0", "Action": "sns:Publish", + "Effect": "Allow", + "Principal": { + "Service": "events.amazonaws.com" + }, "Resource": { "Ref": "MyTopic86869434" }, - "Principal": { - "Service": "events.amazonaws.com" - } + "Sid": "0" } - ] + ], + "Version": "2012-10-17" }, "Topics": [ {
diff --git a/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts b/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts
index ffc38e2aaa09b..8b6c20f74f5cd 100644
--- a/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts
+++ b/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts
@@ -177,11 +177,14 @@ export = {
 "Fn::Join": [ "", [
- "arn:",
+ "arn",
+ ":",
 { "Ref": "AWS::Partition" },
- ":codepipeline:",
+ ":",
+ "codepipeline",
+ ":",
 { "Ref": "AWS::Region" },
@@ -314,8 +317,8 @@ export = {
 "Statement": [ { "Action": [
- "codepipeline:PutJobFailureResult",
- "codepipeline:PutJobSuccessResult",
+ "codepipeline:PutJobSuccessResult",
+ "codepipeline:PutJobFailureResult"
 ], "Effect": "Allow", "Resource": "*"
diff --git a/packages/@aws-cdk/aws-dynamodb/test/test.dynamodb.ts b/packages/@aws-cdk/aws-dynamodb/test/test.dynamodb.ts
index 6c27d92daf6d0..20cb222e33032 100644
--- a/packages/@aws-cdk/aws-dynamodb/test/test.dynamodb.ts
+++ b/packages/@aws-cdk/aws-dynamodb/test/test.dynamodb.ts
@@ -1069,8 +1069,8 @@ export = {
 [ { Action: [ 'dynamodb:DescribeTable', 'dynamodb:UpdateTable' ], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ 'MyTable794EDED1', 'Arn' ] } },
- { Action: [ 'cloudwatch:DeleteAlarms', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
- 'cloudwatch:PutMetricAlarm', 'cloudwatch:SetAlarmState' ],
+ { Action: [ 'cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
+ 'cloudwatch:SetAlarmState', 'cloudwatch:DeleteAlarms' ],
 Effect: 'Allow', Resource: '*' } ], Version: '2012-10-17' }, PolicyName: 'MyTableReadAutoScalingRoleDefaultPolicyF6A1975F',
@@ -1149,8 +1149,8 @@ export = {
 [ { Action: [ 'dynamodb:DescribeTable', 'dynamodb:UpdateTable' ], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ 'MyTable794EDED1', 'Arn' ] } },
- { Action: [ 'cloudwatch:DeleteAlarms', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
- 'cloudwatch:PutMetricAlarm', 'cloudwatch:SetAlarmState' ],
+ { Action: [ 'cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
+ 'cloudwatch:SetAlarmState', 'cloudwatch:DeleteAlarms' ],
 Effect: 'Allow', Resource: '*' } ], Version: '2012-10-17' }, PolicyName: 'MyTableReadAutoScalingRoleDefaultPolicyF6A1975F',
@@ -1257,8 +1257,8 @@ export = {
 [ { Action: [ 'dynamodb:DescribeTable', 'dynamodb:UpdateTable' ], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ 'MyTable794EDED1', 'Arn' ] } },
- { Action: [ 'cloudwatch:DeleteAlarms', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
- 'cloudwatch:PutMetricAlarm', 'cloudwatch:SetAlarmState' ],
+ { Action: [ 'cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
+ 'cloudwatch:SetAlarmState', 'cloudwatch:DeleteAlarms' ],
 Effect: 'Allow', Resource: '*' } ], Version: '2012-10-17' }, PolicyName: 'MyTableReadAutoScalingRoleDefaultPolicyF6A1975F',
@@ -1335,8 +1335,8 @@ export = {
 [ { Action: [ 'dynamodb:DescribeTable', 'dynamodb:UpdateTable' ], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ 'MyTable794EDED1', 'Arn' ] } },
- { Action: [ 'cloudwatch:DeleteAlarms', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
- 'cloudwatch:PutMetricAlarm', 'cloudwatch:SetAlarmState' ],
+ { Action: [ 'cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
+ 'cloudwatch:SetAlarmState', 'cloudwatch:DeleteAlarms' ],
 Effect: 'Allow', Resource: '*' } ], Version: '2012-10-17' }, PolicyName: 'MyTableReadAutoScalingRoleDefaultPolicyF6A1975F',
@@ -1538,8 +1538,8 @@ export = {
 [ { Action: [ 'dynamodb:DescribeTable', 'dynamodb:UpdateTable' ], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ 'MyTable794EDED1', 'Arn' ] } },
- { Action: [ 'cloudwatch:DeleteAlarms', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
- 'cloudwatch:PutMetricAlarm', 'cloudwatch:SetAlarmState' ],
+ { Action: [ 'cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
+ 'cloudwatch:SetAlarmState', 'cloudwatch:DeleteAlarms' ],
 Effect: 'Allow', Resource: '*' } ], Version: '2012-10-17' }, PolicyName: 'MyTableWriteAutoScalingRoleDefaultPolicyBF1A7EBB',
@@ -1618,8 +1618,8 @@ export = {
 [ { Action: [ 'dynamodb:DescribeTable', 'dynamodb:UpdateTable' ], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ 'MyTable794EDED1', 'Arn' ] } },
- { Action: [ 'cloudwatch:DeleteAlarms', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
- 'cloudwatch:PutMetricAlarm', 'cloudwatch:SetAlarmState' ],
+ { Action: [ 'cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
+ 'cloudwatch:SetAlarmState', 'cloudwatch:DeleteAlarms' ],
 Effect: 'Allow', Resource: '*' } ], Version: '2012-10-17' }, PolicyName: 'MyTableWriteAutoScalingRoleDefaultPolicyBF1A7EBB',
@@ -1726,8 +1726,8 @@ export = {
 [ { Action: [ 'dynamodb:DescribeTable', 'dynamodb:UpdateTable' ], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ 'MyTable794EDED1', 'Arn' ] } },
- { Action: [ 'cloudwatch:DeleteAlarms', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
- 'cloudwatch:PutMetricAlarm', 'cloudwatch:SetAlarmState' ],
+ { Action: [ 'cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
+ 'cloudwatch:SetAlarmState', 'cloudwatch:DeleteAlarms' ],
 Effect: 'Allow', Resource: '*' } ], Version: '2012-10-17' }, PolicyName: 'MyTableWriteAutoScalingRoleDefaultPolicyBF1A7EBB',
@@ -1804,8 +1804,8 @@ export = {
 [ { Action: [ 'dynamodb:DescribeTable', 'dynamodb:UpdateTable' ], Effect: 'Allow', Resource: { 'Fn::GetAtt': [ 'MyTable794EDED1', 'Arn' ] } },
- { Action: [ 'cloudwatch:DeleteAlarms', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
- 'cloudwatch:PutMetricAlarm', 'cloudwatch:SetAlarmState' ],
+ { Action: [ 'cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms', 'cloudwatch:GetMetricStatistics',
+ 'cloudwatch:SetAlarmState', 'cloudwatch:DeleteAlarms' ],
 Effect: 'Allow', Resource: '*' } ], Version: '2012-10-17' }, PolicyName: 'MyTableWriteAutoScalingRoleDefaultPolicyBF1A7EBB',
@@ -2011,7 +2011,7 @@ function testGrant(test: Test, expectedActions: string[], invocation: (user: iam
 invocation(user, table);
 // THEN
- const action = expectedActions.length > 1 ? expectedActions.map(a => `dynamodb:${a}`).sort() : `dynamodb:${expectedActions[0]}`;
+ const action = expectedActions.length > 1 ? expectedActions.map(a => `dynamodb:${a}`) : `dynamodb:${expectedActions[0]}`;
 expect(stack).to(haveResource('AWS::IAM::Policy', { "PolicyDocument": { "Statement": [
@@ -2031,4 +2031,4 @@ function testGrant(test: Test, expectedActions: string[], invocation: (user: iam
 "Users": [ { "Ref": "user2C2B57AE" } ] })); test.done();
-}
+}
\ No newline at end of file
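Review bot: Dropping `.sort()` in the `@@ -2011` hunk makes `action` order-sensitive: `haveResource` compares the `Action` array positionally, so `testGrant` now passes only when `expectedActions` is listed in the order the grant emits the `dynamodb:` actions, even though IAM treats `Action` as an unordered set. Nothing in the signature tells a caller this, so a comment on the parameter would prevent a confusing mismatch, e.g. `// expectedActions must be in the order the grant adds them — the policy assertion below is positional`. The reordered `cloudwatch:` expectations in the `@@ -1069` through `@@ -1804` hunks appear to be the same positional coupling showing up in the snapshot-style assertions. Only the start of testGrant's signature is visible in the hunk header; the rest of its body lies outside the hunk.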
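Review bot: The new side ends without a trailing newline (`\ No newline at end of file` follows the added `+}`), which the old side had; restoring it keeps the file consistent with the rest of the package and avoids a spurious whitespace-only change on the next edit. The replacement is just the final `}` followed by a newline.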
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.load-balancer.ts
index d1a4de47b3f4d..d7d91f43c4adb 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.load-balancer.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.load-balancer.ts
@@ -116,7 +116,7 @@ export = {
 { Action: "s3:PutObject", Principal: { AWS: { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::127311923021:root" ] ] } },
- Resource: { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "AccessLoggingBucketA6D88F29", "Arn" ] }, "/*" ] ] }
+ Resource: { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "AccessLoggingBucketA6D88F29", "Arn" ] }, "/", "", "*" ] ] }
 } ] }
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/integ.alb.expected.json b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/integ.alb.expected.json
index 63ad10fb58380..47090c4d5e411 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/integ.alb.expected.json
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/integ.alb.expected.json
@@ -57,18 +57,6 @@ } } }, - "VPCPublicSubnet1DefaultRoute91CEF279": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VPCPublicSubnet1RouteTableFEE4B781" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VPCIGWB7E252D3" - } - } - }, "VPCPublicSubnet1EIP6AD938E8": { "Type": "AWS::EC2::EIP", "Properties": {
@@ -95,6 +83,18 @@ ] } }, + "VPCPublicSubnet1DefaultRoute91CEF279": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + } + } + }, "VPCPublicSubnet2Subnet74179F39": { "Type": "AWS::EC2::Subnet", "Properties": {
@@ -137,18 +137,6 @@ } } }, - "VPCPublicSubnet2DefaultRouteB7481BBA": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VPCIGWB7E252D3" - } - } - }, "VPCPublicSubnet2EIP4947BC00": { "Type": "AWS::EC2::EIP", "Properties": { @@ -175,6 +163,18 @@ ] } }, + "VPCPublicSubnet2DefaultRouteB7481BBA": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + } + } + }, "VPCPrivateSubnet1Subnet8BCA10E0": { "Type": "AWS::EC2::Subnet", "Properties": { diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/integ.nlb.expected.json b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/integ.nlb.expected.json index 72fedd601edc2..a27c8b8c2db10 100644 --- a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/integ.nlb.expected.json +++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/integ.nlb.expected.json @@ -57,18 +57,6 @@ } } }, - "VPCPublicSubnet1DefaultRoute91CEF279": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VPCPublicSubnet1RouteTableFEE4B781" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VPCIGWB7E252D3" - } - } - }, "VPCPublicSubnet1EIP6AD938E8": { "Type": "AWS::EC2::EIP", "Properties": { @@ -95,6 +83,18 @@ ] } }, + "VPCPublicSubnet1DefaultRoute91CEF279": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + } + } + }, "VPCPublicSubnet2Subnet74179F39": { "Type": "AWS::EC2::Subnet", "Properties": { 
@@ -137,18 +137,6 @@ } } }, - "VPCPublicSubnet2DefaultRouteB7481BBA": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VPCIGWB7E252D3" - } - } - }, "VPCPublicSubnet2EIP4947BC00": { "Type": "AWS::EC2::EIP", "Properties": { @@ -175,6 +163,18 @@ ] } }, + "VPCPublicSubnet2DefaultRouteB7481BBA": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + } + } + }, "VPCPrivateSubnet1Subnet8BCA10E0": { "Type": "AWS::EC2::Subnet", "Properties": { diff --git a/packages/@aws-cdk/aws-events/test/test.rule.ts b/packages/@aws-cdk/aws-events/test/test.rule.ts index f2d05ab315576..161bbac169b30 100644 --- a/packages/@aws-cdk/aws-events/test/test.rule.ts +++ b/packages/@aws-cdk/aws-events/test/test.rule.ts 
@@ -258,48 +258,68 @@ export = { expect(stack).toMatch({ "Resources": { "EventRule5A491D2C": { - "Type": "AWS::Events::Rule", - "Properties": { - "ScheduleExpression": "rate(1 minute)", - "State": "ENABLED", - "Targets": [ - { - "Arn": "ARN2", - "Id": "T2", - "InputTransformer": { - "InputTemplate": "\"Hello, \\\"world\\\"\"" - }, - "RoleArn": "IAM-ROLE-ARN" - }, - { - "Arn": "ARN1", - "Id": "T1", - "InputTransformer": { - "InputTemplate": "\"ab\"" - }, - "KinesisParameters": { - "PartitionKeyPath": "partitionKeyPath" - } - }, - { - "Arn": "ARN3", - "Id": "T3", - "InputTransformer": { - "InputPathsMap": { - "bar": "$.detail.bar" - }, - "InputTemplate": "{ \"foo\": }" - } + "Type": "AWS::Events::Rule", + "Properties": { + "State": "ENABLED", + "ScheduleExpression": "rate(1 minute)", + "Targets": [ + { + "Arn": "ARN2", + "Id": "T2", + "InputTransformer": { + "InputTemplate": "\"Hello, \\\"world\\\"\"" + }, + "RoleArn": "IAM-ROLE-ARN" + }, + { + "Arn": "ARN1", + "Id": "T1", + "InputTransformer": { + "InputTemplate": { + "Fn::Join": [ + "", + [ + "\"", + "a", + "b", + "\"" + ] + ] + } + }, + "KinesisParameters": { + "PartitionKeyPath": "partitionKeyPath" + } + }, + { + "Arn": "ARN3", + "Id": "T3", + "InputTransformer": { + "InputPathsMap": { + "bar": "$.detail.bar" }, - { - "Arn": "ARN4", - "Id": "T4", - "InputTransformer": { - "InputTemplate": "\" hello \"world\" \"" - } + "InputTemplate": "{ \"foo\": }" + } + }, + { + "Arn": "ARN4", + "Id": "T4", + "InputTransformer": { + "InputTemplate": { + "Fn::Join": [ + " ", + [ + "\"", + "hello", + "\"world\"", + "\"" + ] + ] } - ] - } + } + } + ] + } } } }); diff --git a/packages/@aws-cdk/aws-iam/lib/optimize-statements.ts b/packages/@aws-cdk/aws-iam/lib/optimize-statements.ts deleted file mode 100644 index 871a32b0ea497..0000000000000 --- a/packages/@aws-cdk/aws-iam/lib/optimize-statements.ts +++ /dev/null 
@@ -1,284 +0,0 @@ -/** - * Optimizes a list of objects containing IAM policy statements in order to reduce the total size of the rendered JSON - * object. The following optimizations are performed: - * - Canonicalization of globs in (Not)Resource & (Not)Action: removal entries that are matched by another entry's glob - * - De-duplication: removal of statements that have no SID, and are subsets of another statement - * - Merging: merging of statements that have no SID, and differ only in either ``Resource`` - * - * Additionally, normalization is performed: - * - (Not)Resource & (Not)Action are sorted in alphanumerical order (of the JSON object, if the values are not String) - * - * @param statements the list of rendered statements to optimize. Those may contain CloudFormation intrinsics. - * - * @returns a list of equivalents (and hopefylly smaller) statements. - */ -export function optimizeStatements(statements: any[]): any[] { - const parsed = statements.map(statement => new Statement(statement)); - return _deduplicate(parsed).map(statement => statement.toJson()); -} - -/** - * A Policy statement, with convenience functions make it easier to de-duplicate, normalize, ... 
- */ -class Statement implements Deduplicable { - private readonly sid?: string; - - private readonly effect: 'Allow' | 'Deny'; - - private readonly actions: Glob[]; - private readonly resources: Glob[]; - - private readonly principal: unknown; - - private readonly condition: { [operator: string]: unknown }; - - constructor(statement: any) { - this.sid = statement.Sid; - - if (statement.Effect !== 'Allow' && statement.Effect !== 'Deny') { - throw new Error(`Illegal policy statement effect: ${JSON.stringify(statement.Effect)}`); - } - this.effect = statement.Effect; - - this.actions = _makeGlobs(statement.Action, false); - this.resources = _makeGlobs(statement.Resource, true); - - this.principal = statement.Principal || {}; - - this.condition = statement.Condition || {}; - - function _makeGlobs(expressions: unknown, arnGlob: boolean): Glob[] { - if (!expressions) { return []; } - if (!Array.isArray(expressions)) { return _makeGlobs([expressions], arnGlob); } - return expressions.map(expression => new Glob(expression, arnGlob)); - } - } - - public subsumes(other: Statement): boolean { - return this.sid == null - && this.sid === other.sid - && this.effect === other.effect - && _allSuperceded(other.actions, this.actions) - && _deepEqual(this.condition, other.condition) - && _deepEqual(this.principal, other.principal); - } - - public merge(other: Statement): this { - this.actions.push(...other.actions); - this.resources.push(...other.resources); - return this; - } - - /** - * @returns the "optimized" object to be inlined in the IAM policy document. 
- */ - public toJson(): any { - const result: any = { Effect: this.effect }; - if (this.sid) { result.Sid = this.sid; } - if (!_blank(this.actions)) { result.Action = _flatten(this.actions); } - if (!_blank(this.resources.length)) { result.Resource = _flatten(this.resources); } - if (!_blank(this.principal)) { result.Principal = _flattenPrincipal(this.principal); } - if (!_blank(this.condition)) { result.Condition = this.condition; } - return result; - - /** - * Determines whether a value is "blank" for the context of a policy entry. - * @param value the value to be checked. - * @returns ``true`` if the ``value`` is ``null``, ``undefined``, an empty array or an empty object. - */ - function _blank(value: unknown): boolean { - if (value == null) { return true; } - if (Array.isArray(value)) { return value.length === 0; } - return typeof value === 'object' && Object.keys(value as object).length === 0; - } - - /** - * Removes duplicates from a glob list, and returns the shortest IAM expression for the value. - * @param globs the list of globs to be flattened. - * @returns the smallest entity to represent all the globs. - */ - function _flatten(globs: Glob[]): any { - const expressions = _deduplicate(globs).map(glob => glob.expression); - if (expressions.length === 0) { return undefined; } - if (expressions.length === 1) { return expressions[0]; } - return expressions.sort(_compare); - - /** - * Function to sort items alphanumerically, that works also when items are not strings. - * @param a the left value to compare - * @param b the right value to compare - * @returns the result of the comparison - */ - function _compare(a: unknown, b: unknown): number { - return _asString(a).localeCompare(_asString(b)); - - function _asString(value: unknown): string { - if (typeof value === 'string') { return value; } - return JSON.stringify(value); - } - } - } - - /** - * Reduces a principal to it's most compact expression. - * @param principal the principal to be compacted. 
- * @returns the most compact expression of the principal. - */ - function _flattenPrincipal(principal: any): any { - if (typeof principal !== 'object') { return principal; } - const compact: any = {}; - for (const key of Object.keys(principal)) { - const value = principal[key]; - if (Array.isArray(value)) { - if (value.length === 0) { continue; } - if (value.length === 1) { compact[key] = value[0]; } - } else { - compact[key] = value; - } - } - if (_deepEqual(compact, { AWS: '*' })) { return '*'; } - return compact; - } - } -} - -/** - * A glob expression, which can be either a string with ``*`` wildcards or a CloudFormation intrinsic. - */ -class Glob implements Deduplicable { - private regexp?: RegExp; - - /** - * @param expression the expression from the policy statement. - * @param arnGlob defines whether globs matches ARNs or not. - */ - constructor(public expression: unknown, arnGlob: boolean) { - this.regexp = _toRegExp(this.expression, arnGlob); - } - - public subsumes(other: Glob): boolean { - if (!this.regexp || typeof other.expression !== 'string') { - return _deepEqual(this.expression, other.expression); - } - return this.regexp.test(other.expression) - // Use the shortest expression (** matches what * does, and * is better) - && (this.expression as string).length <= other.expression.length; - } - - public merge(_other: Glob): this { - // Nothing to do - subsumance here means this is a more compact expression of other - return this; - } -} - -/** - * Entities that can be de-duplicated - */ -interface Deduplicable { - /** - * Checks whether an entity can safely replace another (ie: it is a superset). - * @param other the other entity to check. - * @returns ``true`` if this entry supercedes (can safely replace) ``other``. - */ - subsumes(other: this): boolean; - - /** - * Merges ``other`` in this entity. It is the caller's responsibility to have - * verified the safety of doing so by having called ``mergeable`` before. 
- * @param other the entity to merge in. - */ - merge(other: this): this; -} - -/** - * Verifies if a list of entities is entirely covered by another. - * @param left a list of de-duplicable entities - * @param right a list of de-duplicable entities. - * @returns ``true`` if all entries from ``left`` are superceded by at least one entry from ``right``. - */ -function _allSuperceded(left: T[], right: T[]): boolean { - if (left.length === 0) { return right.length === 0; } - return left.find(item => right.find(e => e.subsumes(item)) == null) == null; -} - -/** - * Removes duplicate entities from a list. - * @param array the list to be de-duplciated. - * @returns a new list containing the minimum set of entities. - */ -function _deduplicate(array: T[]): T[] { - if (array.length <= 1) { return array; } - const result = [...array]; - for (let i = 0 ; i < result.length ; ) { - const current = result[i]; - for (let j = i + 1 ; j < result.length ; ) { - if (result[i].subsumes(result[j])) { - result[i] = result[i].merge(result.splice(j, 1)[0]); - } else if (result[j].subsumes(result[i])) { - result[i] = result.splice(j, 1)[0].merge(result[i]); - } else { - j++; - } - } - // If we haven't replaced the current element, we can move on to the next, - // otherwise we need to re-assess the current element. - if (current === result[i]) { - i++; - } - } - return result; -} - -/** - * Checks if two entities are equal. - * @param e1 one of the entities. - * @param e2 the other entity. - * @returns true if both entities are identical. 
- */ -function _deepEqual(e1: unknown, e2: unknown): boolean { - if (typeof e1 !== typeof e2) { return false; } - if (Array.isArray(e1)) { - if (!Array.isArray(e2)) { return false; } - if (e1.length !== e2.length) { return false; } - return e1.find(e => e2.find(c => _deepEqual(e, c)) == null) == null; - } - if (typeof e1 === 'object' && typeof e2 === 'object') { - if (e1 == null || e2 == null) { return e1 === e2; } - const e1k = Object.keys(e1 as any); - const e2k = new Set(Object.keys(e2 as any)); - if (e1k.length !== e2k.size) { return false; } - for (const key of e1k) { - if (!e2k.has(key)) { return false; } - if (!_deepEqual((e1 as any)[key], (e2 as any)[key])) { return false; } - } - return true; - } - return e1 === e2; -} - -/** - * Makes a regular expression from a glob pattern. - * - * @param glob a glob pattern that uses '*' to denote wild cards. - * @param arnGlob defines whether the glob is for ARNs (wild-cards cannot span across segments) or not. - * - * @returns ``undefined`` if ``glob`` is not a string, otherwise a ``RegExp`` corresponding to the glob pattern. - */ -function _toRegExp(glob: unknown, arnGlob: boolean): RegExp | undefined { - if (typeof glob !== 'string') { return undefined; } - // Special-case for the '*' glob, as it always matches everything. - if (glob === '*') { return /^.*$/; } - const parts = glob.split('*'); - return new RegExp('^' + parts.map(_globQuestionMark).join(arnGlob ? '[^:]*' : '.*') + '$'); - - function _globQuestionMark(text: string): string { - if (!arnGlob) { return text; } - const segments = text.split('?'); - return segments.map(_quote).join('[^:]'); - } - - function _quote(text: string): string { - // RegExp special characters: \ ^$ . | ? * + ( ) [ ] { } - return text.replace(/[\\^$.|?*+()[\]{}]/g, '\\$1'); - } -} diff --git a/packages/@aws-cdk/aws-iam/lib/policy-document.ts b/packages/@aws-cdk/aws-iam/lib/policy-document.ts index b2268a7edb83f..dba222ab5817b 100644 
--- a/packages/@aws-cdk/aws-iam/lib/policy-document.ts
+++ b/packages/@aws-cdk/aws-iam/lib/policy-document.ts
@@ -1,15 +1,14 @@
-import cdk = require('@aws-cdk/cdk');
-import { optimizeStatements } from './optimize-statements';
+import { AwsAccountId, AwsPartition, Token } from '@aws-cdk/cdk';
 
-export class PolicyDocument extends cdk.Token {
-  private readonly statements = new Array();
+export class PolicyDocument extends Token {
+  private statements = new Array();
 
   /**
    * Creates a new IAM policy document.
    * @param defaultDocument An IAM policy document to use as an initial
    * policy. All statements of this document will be copied in.
    */
-  constructor(private readonly baseDocument: any = {}) {
+  constructor(private readonly baseDocument?: any) {
     super();
   }
 
@@ -18,9 +17,10 @@ export class PolicyDocument extends cdk.Token {
       return undefined;
     }
 
-    const doc = { ...this.baseDocument };
+    const doc = this.baseDocument || { };
+    doc.Statement = doc.Statement || [ ];
     doc.Version = doc.Version || '2012-10-17';
-    doc.Statement = optimizeStatements(cdk.resolve([...(doc.Statement || []), ...this.statements.map(s => s.resolve())]));
+    doc.Statement = doc.Statement.concat(this.statements);
     return doc;
   }
 
@@ -65,7 +65,7 @@ export abstract class PolicyPrincipal {
  */
 export class PrincipalPolicyFragment {
   constructor(
-    public readonly principalJson: { [key: string]: any },
+    public readonly principalJson: any,
     public readonly conditions: {[key: string]: any} = {}) {
   }
 }
@@ -82,7 +82,7 @@ export class ArnPrincipal extends PolicyPrincipal {
 
 export class AccountPrincipal extends ArnPrincipal {
   constructor(public readonly accountId: any) {
-    super(`arn:${new cdk.AwsPartition()}:iam::${accountId}:root`);
+    super(`arn:${new AwsPartition()}:iam::${accountId}:root`);
   }
 }
 
@@ -137,7 +137,7 @@ export class FederatedPrincipal extends PolicyPrincipal {
 
 export class AccountRootPrincipal extends AccountPrincipal {
   constructor() {
-    super(new cdk.AwsAccountId());
+    super(new AwsAccountId());
   }
 }
 
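Review bot: In the `@@ -18` hunk, `const doc = this.baseDocument || { }` aliases the object handed to the constructor, so `doc.Statement = doc.Statement || [ ]`, the `doc.Version` default and `doc.Statement = doc.Statement.concat(this.statements)` all write into the caller's document; if `resolve()` is evaluated more than once, each pass appends `this.statements` again and the rendered policy carries duplicated statements. Work on a copy instead: `const doc = { ...this.baseDocument };` followed by `doc.Statement = [...(doc.Statement || []), ...this.statements];`, keeping the rest as is. The enclosing method starts above the hunk.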
@@ -155,19 +155,19 @@ export class Anyone extends PolicyPrincipal {
   public readonly accountId = '*';
 
   public policyFragment(): PrincipalPolicyFragment {
-    return new PrincipalPolicyFragment({ AWS: '*' });
+    return new PrincipalPolicyFragment('*');
   }
 }
 
 /**
  * Represents a statement in an IAM policy document.
  */
-export class PolicyStatement extends cdk.Token {
-  private readonly action = new Array();
-  private readonly resource = new Array();
-  private readonly principal: { [key: string]: any[] } = {};
-  private readonly condition: { [key: string]: any } = {};
-  private effect: PolicyStatementEffect;
+export class PolicyStatement extends Token {
+  private action = new Array();
+  private principal = new Array();
+  private resource = new Array();
+  private condition: { [key: string]: any } = { };
+  private effect?: PolicyStatementEffect;
   private sid?: any;
 
   constructor(effect: PolicyStatementEffect = PolicyStatementEffect.Allow) {
@@ -197,20 +197,12 @@ export class PolicyStatement extends cdk.Token {
    * Indicates if this permission has a "Principal" section.
    */
   public get hasPrincipal() {
-    return this.principal != null && Object.keys(this.principal).length > 0;
+    return this.principal && this.principal.length > 0;
   }
 
   public addPrincipal(principal: PolicyPrincipal): PolicyStatement {
     const fragment = principal.policyFragment();
-    for (const key of Object.keys(fragment.principalJson)) {
-      this.principal[key] = this.principal[key] || [];
-      const value = fragment.principalJson[key];
-      if (Array.isArray(value)) {
-        this.principal[key].push(...value);
-      } else {
-        this.principal[key].push(value);
-      }
-    }
+    this.principal.push(fragment.principalJson);
     this.addConditions(fragment.conditions);
     return this;
   }
@@ -320,7 +312,7 @@ export class PolicyStatement extends cdk.Token {
   }
 
   public limitToAccount(accountId: string): PolicyStatement {
-    return this.addCondition('StringEquals', new cdk.Token(() => {
+    return this.addCondition('StringEquals', new Token(() => {
       return { 'sts:ExternalId': accountId };
     }));
   }
diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
index 44c6d4f29a78d..1853f28952f7d 100644
--- a/packages/@aws-cdk/aws-iam/lib/role.ts
+++ b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -16,20 +16,11 @@ export interface RoleProps {
 
   /**
    * A list of ARNs for managed policies associated with this role.
-   * You can add managed policies later using ``attachManagedPolicy(arn)``.
+   * You can add managed policies later using `attachManagedPolicy(arn)`.
    * @default No managed policies.
    */
   managedPolicyArns?: string[];
 
-  /**
-   * A list of named policies to inline into this role. These policies will
-   * be created with the role, whereas those added by ``addToPolicy`` are
-   * added using a separate CloudFormation resource (allowing a way around
-   * cicrular dependencies that could otherwise be introduced).
-   * @default No inline policies.
-   */
-  inlinePolicies?: { [name: string]: PolicyDocument };
-
   /**
    * The path associated with this role. For information about IAM paths, see
    * Friendly Names and Paths in IAM User Guide.
@@ -121,28 +112,15 @@ export class Role extends Construct implements IIdentityResource, IPrincipal, ID
     const role = new cloudformation.RoleResource(this, 'Resource', {
       assumeRolePolicyDocument: this.assumeRolePolicy as any,
       managedPolicyArns: undefinedIfEmpty(() => this.managedPolicyArns),
-      policies: _flatten(props.inlinePolicies),
       path: props.path,
       roleName: props.roleName,
-      maxSessionDuration: props.maxSessionDurationSec,
+      maxSessionDuration: props.maxSessionDurationSec
     });
 
     this.roleArn = role.roleArn;
     this.principal = new ArnPrincipal(this.roleArn);
     this.roleName = role.roleName;
     this.dependencyElements = [ role ];
-
-    function _flatten(policies?: { [name: string]: PolicyDocument }) {
-      if (policies == null || Object.keys(policies).length === 0) {
-        return undefined;
-      }
-      const result = new Array();
-      for (const policyName of Object.keys(policies)) {
-        const policyDocument = policies[policyName];
-        result.push({ policyName, policyDocument });
-      }
-      return result;
-    }
   }
 
   /**
diff --git a/packages/@aws-cdk/aws-iam/package.json b/packages/@aws-cdk/aws-iam/package.json
index 41a1bd66ca4aa..cf2af4fa2e291 100644
--- a/packages/@aws-cdk/aws-iam/package.json
+++ b/packages/@aws-cdk/aws-iam/package.json
@@ -55,16 +55,9 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert": "^0.12.0",
-    "@types/fs-extra": "^5.0.4",
-    "@types/js-yaml": "^3.11.2",
-    "@types/lodash": "^4.14.117",
     "cdk-build-tools": "^0.12.0",
     "cdk-integ-tools": "^0.12.0",
     "cfn2ts": "^0.12.0",
-    "fast-check": "^1.7.0",
-    "fs-extra": "^7.0.0",
-    "js-yaml": "^3.12.0",
-    "lodash": "^4.17.11",
     "pkglint": "^0.12.0"
   },
   "dependencies": {
diff --git a/packages/@aws-cdk/aws-iam/test/test.managed-policy.ts b/packages/@aws-cdk/aws-iam/test/test.managed-policy.ts
index 49989eecc870a..4f5de46bf9664 100644
--- a/packages/@aws-cdk/aws-iam/test/test.managed-policy.ts
+++ b/packages/@aws-cdk/aws-iam/test/test.managed-policy.ts
@@ -8,9 +8,19 @@ export = {
 
     test.deepEqual(cdk.resolve(mp.policyArn), {
       "Fn::Join": ['', [
-        'arn:',
+        'arn',
+        ':',
         { Ref: 'AWS::Partition' },
-        ':iam::aws:policy/service-role/SomePolicy'
+        ':',
+        'iam',
+        ':',
+        '',
+        ':',
+        'aws',
+        ':',
+        'policy',
+        '/',
+        'service-role/SomePolicy'
       ]]
     });
 
diff --git a/packages/@aws-cdk/aws-iam/test/test.optimize-statements.ts b/packages/@aws-cdk/aws-iam/test/test.optimize-statements.ts
deleted file mode 100644
index 6fb36a477013f..0000000000000
--- a/packages/@aws-cdk/aws-iam/test/test.optimize-statements.ts
+++ /dev/null
@@ -1,162 +0,0 @@ -import fc = require('fast-check'); -import fs = require('fs-extra'); -import YAML = require('js-yaml'); -import _ = require('lodash'); -import nodeunit = require('nodeunit'); -import path = require('path'); - -import { optimizeStatements } from '../lib/optimize-statements'; -import { PolicyStatement } from '../lib/policy-document'; - -function asyncTest(cb: (test: nodeunit.Test) => void | Promise): (test: nodeunit.Test) => Promise { - return async (test: nodeunit.Test) => { - let error: Error; - try { - return await cb(test); - } catch (e) { - error = e; - } finally { - test.doesNotThrow(() => { if (error) { throw error; } }); - test.done(); - } - }; -} - -// Stuff that should be valid in a policy document, excluding * and : -const safeCharacters = fc.ascii().filter(c => /^[a-z0-9/-]$/i.test(c)); -const safeString = fc.stringOf(safeCharacters, 1, 16); - -const tests: { [name: string]: { [name: string]: (test: nodeunit.Test) => void } } = { - optimizeStatements: { - 'replaces a list of resources including a wild-card with just the wild-card': asyncTest(async () => { - await fc.assert( - fc.property( - fc.array(safeString, 1, 3), - (resources) => { - const statement = new PolicyStatement().addResources(...resources, '*'); - const optimized = optimizeStatements([statement.resolve()])[0]; - return optimized && optimized.Resource === '*'; - } - ), - { verbose: true } - ); - }), - 'removes resources that are globbed by a wild-card': asyncTest(async () => { - await fc.assert( - fc.property( - safeString, fc.array(safeString, 1, 3), - (prefix, resources) => { - const statement = new PolicyStatement().addResources(...resources.map(r => `${prefix}:${r}`), `${prefix}:*`); - const optimized = optimizeStatements([statement.resolve()])[0]; - return optimized && optimized.Resource === `${prefix}:*`; - } - ), - { verbose: true } - ); - }), - 'sorts resources': asyncTest(async () => { - await fc.assert( - fc.property( - fc.array(safeString, 2, 3), - (resources) 
=> { - const statement = new PolicyStatement().addResources(...resources); - const optimized = optimizeStatements([statement.resolve()])[0]; - return optimized && _.isEqual(optimized.Resource, [...new Set(resources)].sort(_localeCompare)); - } - ), - { verbose: true } - ); - }), - - 'replaces a list of actions including a wild-card with just the wild-card': asyncTest(async () => { - await fc.assert( - fc.property( - fc.array(safeString, 1, 3), - (actions) => { - const statement = new PolicyStatement().addActions(...actions, '*'); - const optimized = optimizeStatements([statement.resolve()])[0]; - return optimized && optimized.Action === '*'; - } - ), - { verbose: true } - ); - }), - 'removes actions that are globbed by a wild-card': asyncTest(async () => { - await fc.assert( - fc.property( - safeString, fc.array(safeString, 1, 3), - (prefix, actions) => { - const statement = new PolicyStatement().addActions(...actions.map(a => `${prefix}:${a}`), `${prefix}:*`); - const optimized = optimizeStatements([statement.resolve()])[0]; - return optimized && optimized.Action === `${prefix}:*`; - } - ), - { verbose: true } - ); - }), - 'sorts actions': asyncTest(async () => { - await fc.assert( - fc.property( - fc.array(safeString, 2, 3), - (actions) => { - const statement = new PolicyStatement().addActions(...actions); - const optimized = optimizeStatements([statement.resolve()])[0]; - return optimized && _.isEqual(optimized.Action, [... 
new Set(actions)].sort(_localeCompare)); - } - ), - { verbose: true } - ); - }), - - 'merges statements that differ only in resources': asyncTest(async () => { - await fc.assert( - fc.property( - fc.array(safeString, 1, 3), fc.array(safeString, 1, 3), - fc.array(safeString, 2, 3), safeString, fc.string(), fc.string(), fc.string(), - (resourcesA, resourcesB, actions, account, condOp, condKey, condVal) => { - const statementA = new PolicyStatement().addActions(...actions) - .addResources(...resourcesA) - .addAwsPrincipal(account) - .addCondition(condOp, { [condKey]: condVal }); - const statementB = new PolicyStatement().addActions(...actions) - .addResources(...resourcesB) - .addAwsPrincipal(account) - .addCondition(condOp, { [condKey]: condVal }); - const optimized = optimizeStatements([statementA.resolve(), statementB.resolve()]); - return optimized.length === 1 - && _.isEqual(optimized[0].Action, actions.sort(_localeCompare)) - && _.isEqual(optimized[0].Principal, { AWS: account }) - && _.isEqual(optimized[0].Condition, { [condOp]: { [condKey]: condVal } }) - && _.isEqual(optimized[0].Resource, [...new Set([...resourcesA, ...resourcesB])].sort(_localeCompare)); - } - ), - { verbose: true } - ); - }), - } -}; - -const EXAMPLES_DIR = path.resolve(__dirname, 'test.optimize-statements'); -for (const file of fs.readdirSync(EXAMPLES_DIR)) { - const example = YAML.safeLoad(fs.readFileSync(path.join(EXAMPLES_DIR, file), { encoding: 'utf-8' })); - if (example.name in tests.optimizeStatements) { - throw new Error(`Attempted to overwrite test function ${example.name} with example ${file}!`); - } - tests.optimizeStatements[`${example.name} (${file})`] = async (test: nodeunit.Test) => { - try { - const sizeBefore = JSON.stringify(example.input).length; - const optimized = optimizeStatements(example.input); - const sizeAfter = JSON.stringify(optimized).length; - test.deepEqual(optimized, example.expectedOutput); - test.ok(sizeAfter <= sizeBefore, `Statements size should reduce, 
but it went from ${sizeBefore} to ${sizeAfter}`); - } catch (e) { - test.doesNotThrow(() => { throw e; }); - } finally { - test.done(); - } - }; -} - -export = nodeunit.testCase(tests); - -function _localeCompare(l: string, r: string): number { return l.localeCompare(r); } diff --git a/packages/@aws-cdk/aws-iam/test/test.optimize-statements/pass-through.yml b/packages/@aws-cdk/aws-iam/test/test.optimize-statements/pass-through.yml deleted file mode 100644 index fe9053f175ae8..0000000000000 --- a/packages/@aws-cdk/aws-iam/test/test.optimize-statements/pass-through.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -name: passes statements through when no optimization is possible -input: &input - - Sid: FooStatement - Effect: Allow - Action: '*' - Resource: '*' - Principal: '*' -expectedOutput: - - <<: *input diff --git a/packages/@aws-cdk/aws-iam/test/test.optimize-statements/remove-duplicates.yml b/packages/@aws-cdk/aws-iam/test/test.optimize-statements/remove-duplicates.yml deleted file mode 100644 index 9a577b6297e51..0000000000000 --- a/packages/@aws-cdk/aws-iam/test/test.optimize-statements/remove-duplicates.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -name: removes duplicated statements -input: - - Effect: Allow - # Intentionally non-canonical: - Action: ['iam:PassRole'] - Resource: ['some::role::arn'] - Principal: { AWS: '123456789012' } - - &normal - Effect: Allow - Action: 'iam:PassRole' - Resource: 'some::role::arn' - Principal: { AWS: '123456789012' } -expectedOutput: - - <<: *normal diff --git a/packages/@aws-cdk/aws-iam/test/test.optimize-statements/remove-globbed-duplicates.yml b/packages/@aws-cdk/aws-iam/test/test.optimize-statements/remove-globbed-duplicates.yml deleted file mode 100644 index 5f708a0e9a0b6..0000000000000 --- a/packages/@aws-cdk/aws-iam/test/test.optimize-statements/remove-globbed-duplicates.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -name: removes entries that are redundant due to globbing stars -input: - - Effect: Allow - Action: ['s3:GetObject', 's3:Get*'] - Resource: ['aws:s3:bucket:arn', '*'] - Principal: '*' -expectedOutput: - - Effect: Allow - Action: s3:Get* - Resource: '*' - Principal: '*' diff --git a/packages/@aws-cdk/aws-iam/test/test.optimize-statements/very-large-input.yml b/packages/@aws-cdk/aws-iam/test/test.optimize-statements/very-large-input.yml deleted file mode 100644 index bf0c7278b957d..0000000000000 --- a/packages/@aws-cdk/aws-iam/test/test.optimize-statements/very-large-input.yml +++ /dev/null 
@@ -1,1007 +0,0 @@ ---- -name: significantly reduces extremely repetitive statements -input: - - Action: - - s3:GetObject* - - s3:GetBucket* - - s3:List* - - s3:DeleteObject* - - s3:PutObject* - - s3:Abort* - Effect: Allow - Resource: - - Fn::GetAtt: - - ArtifactBucket7410C9EF - - Arn - - Fn::Join: - - '' - - - Fn::GetAtt: - - ArtifactBucket7410C9EF - - Arn - - / - - '*' - - Action: - - codebuild:BatchGetBuilds - - codebuild:StartBuild - - codebuild:StopBuild - Effect: Allow - Resource: - Fn::GetAtt: - - ProjectC78D97AD - - Arn - - Action: - - codebuild:BatchGetBuilds - - codebuild:StartBuild - - codebuild:StopBuild - Effect: Allow - Resource: - Fn::GetAtt: - - CDKSynthSynthesizerE2B03922 - - Arn - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/MetaPipeline/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - SelfUpdatePrepareSelfUpdateRole27F83A32 - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/MetaPipeline/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - 
:stack/jsii-master/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeployjsiimasterPrepareDeployjsiimasterRole06A5505C - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-master/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-master/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeploycdkmasterPrepareDeploycdkmasterRole4BB0C3BA - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-master/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-rmuller/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeployjsiidevrmullerPrepareDeployjsiidevrmullerRole5E35A68F - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - 
cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-rmuller/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-rmuller/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeploycdkdevrmullerPrepareDeploycdkdevrmullerRoleCCE27FE2 - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-rmuller/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-benisrae/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeployjsiidevbenisraePrepareDeployjsiidevbenisraeRole14DB0442 - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: 
AWS::AccountId - - :stack/jsii-dev-benisrae/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-benisrae/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeploycdkdevbenisraePrepareDeploycdkdevbenisraeRole197244B9 - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-benisrae/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-huijbers/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeployjsiidevhuijbersPrepareDeployjsiidevhuijbersRoleC932EF87 - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-huijbers/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - 
Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-huijbers/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeploycdkdevhuijbersPrepareDeploycdkdevhuijbersRole7C55591C - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-huijbers/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-brelandm/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeployjsiidevbrelandmPrepareDeployjsiidevbrelandmRole2CF6DCA9 - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-brelandm/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: 
AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-brelandm/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeploycdkdevbrelandmPrepareDeploycdkdevbrelandmRoleD3672586 - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-brelandm/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-pirocchi/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeployjsiidevpirocchiPrepareDeployjsiidevpirocchiRoleF7963214 - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-pirocchi/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-pirocchi/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeploycdkdevpirocchiPrepareDeploycdkdevpirocchiRoleA498977A - 
- Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-pirocchi/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-costleya/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeployjsiidevcostleyaPrepareDeployjsiidevcostleyaRole58E786FE - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/jsii-dev-costleya/* - - Action: - - cloudformation:CreateChangeSet - - cloudformation:DeleteChangeSet - - cloudformation:DescribeChangeSet - - cloudformation:DescribeStacks - Condition: - StringEqualsIfExists: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-costleya/* - - Action: iam:PassRole - Effect: Allow - Resource: - Fn::GetAtt: - - DeploycdkdevcostleyaPrepareDeploycdkdevcostleyaRoleD602396C - - Arn - - Action: cloudformation:ExecuteChangeSet - Condition: - StringEquals: - cloudformation:ChangeSetName: Provided-ChangeSet-Name - Effect: Allow - Resource: - Fn::Join: - - '' - - - 'arn:' - - Ref: 
AWS::Partition - - ':cloudformation:' - - Ref: AWS::Region - - ':' - - Ref: AWS::AccountId - - :stack/cdk-dev-costleya/* - -expectedOutput: - - Effect: Allow - Action: - - 's3:Abort*' - - 's3:DeleteObject*' - - 's3:GetBucket*' - - 's3:GetObject*' - - 's3:List*' - - 's3:PutObject*' - Resource: - - 'Fn::GetAtt': - - ArtifactBucket7410C9EF - - Arn - - 'Fn::Join': - - '' - - - 'Fn::GetAtt': - - ArtifactBucket7410C9EF - - Arn - - / - - '*' - - Effect: Allow - Action: - - 'codebuild:BatchGetBuilds' - - 'codebuild:StartBuild' - - 'codebuild:StopBuild' - Resource: - - 'Fn::GetAtt': - - CDKSynthSynthesizerE2B03922 - - Arn - - 'Fn::GetAtt': - - ProjectC78D97AD - - Arn - - Effect: Allow - Action: - - 'cloudformation:CreateChangeSet' - - 'cloudformation:DeleteChangeSet' - - 'cloudformation:DescribeChangeSet' - - 'cloudformation:DescribeStacks' - Resource: - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-benisrae/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-brelandm/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-costleya/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-huijbers/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-pirocchi/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-rmuller/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 
'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-master/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-benisrae/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-brelandm/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-costleya/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-huijbers/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-pirocchi/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-rmuller/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-master/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/MetaPipeline/*' - Condition: - StringEqualsIfExists: - 'cloudformation:ChangeSetName': Provided-ChangeSet-Name - - Effect: Allow - Action: 'iam:PassRole' - Resource: - - 'Fn::GetAtt': - - DeploycdkdevbenisraePrepareDeploycdkdevbenisraeRole197244B9 - - Arn - - 'Fn::GetAtt': - - DeploycdkdevbrelandmPrepareDeploycdkdevbrelandmRoleD3672586 - - Arn - - 'Fn::GetAtt': - - DeploycdkdevcostleyaPrepareDeploycdkdevcostleyaRoleD602396C - - Arn - - 'Fn::GetAtt': - - DeploycdkdevhuijbersPrepareDeploycdkdevhuijbersRole7C55591C - - Arn - - 'Fn::GetAtt': - - 
DeploycdkdevpirocchiPrepareDeploycdkdevpirocchiRoleA498977A - - Arn - - 'Fn::GetAtt': - - DeploycdkdevrmullerPrepareDeploycdkdevrmullerRoleCCE27FE2 - - Arn - - 'Fn::GetAtt': - - DeploycdkmasterPrepareDeploycdkmasterRole4BB0C3BA - - Arn - - 'Fn::GetAtt': - - DeployjsiidevbenisraePrepareDeployjsiidevbenisraeRole14DB0442 - - Arn - - 'Fn::GetAtt': - - DeployjsiidevbrelandmPrepareDeployjsiidevbrelandmRole2CF6DCA9 - - Arn - - 'Fn::GetAtt': - - DeployjsiidevcostleyaPrepareDeployjsiidevcostleyaRole58E786FE - - Arn - - 'Fn::GetAtt': - - DeployjsiidevhuijbersPrepareDeployjsiidevhuijbersRoleC932EF87 - - Arn - - 'Fn::GetAtt': - - DeployjsiidevpirocchiPrepareDeployjsiidevpirocchiRoleF7963214 - - Arn - - 'Fn::GetAtt': - - DeployjsiidevrmullerPrepareDeployjsiidevrmullerRole5E35A68F - - Arn - - 'Fn::GetAtt': - - DeployjsiimasterPrepareDeployjsiimasterRole06A5505C - - Arn - - 'Fn::GetAtt': - - SelfUpdatePrepareSelfUpdateRole27F83A32 - - Arn - - Effect: Allow - Action: 'cloudformation:ExecuteChangeSet' - Resource: - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-benisrae/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-brelandm/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-costleya/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-huijbers/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-dev-pirocchi/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - 
- Ref: 'AWS::AccountId' - - ':stack/cdk-dev-rmuller/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/cdk-master/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-benisrae/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-brelandm/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-costleya/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-huijbers/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-pirocchi/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-dev-rmuller/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/jsii-master/*' - - 'Fn::Join': - - '' - - - 'arn:' - - Ref: 'AWS::Partition' - - ':cloudformation:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':stack/MetaPipeline/*' - Condition: - StringEquals: - 'cloudformation:ChangeSetName': Provided-ChangeSet-Name diff --git a/packages/@aws-cdk/aws-iam/test/test.policy-document.ts b/packages/@aws-cdk/aws-iam/test/test.policy-document.ts index 1fe7deec297bb..f43bb5e41c6a0 100644 --- a/packages/@aws-cdk/aws-iam/test/test.policy-document.ts +++ b/packages/@aws-cdk/aws-iam/test/test.policy-document.ts 
@@ -18,15 +18,17 @@ export = { [ 'sqs:SendMessage', 'dynamodb:CreateTable', 'dynamodb:DeleteTable' ], - Resource: ['myQueue', 'yourQueue', '*'], + Resource: [ 'myQueue', 'yourQueue', '*' ], Effect: 'Allow', Principal: - { AWS: [ + { AWS: { 'Fn::Join': [ '', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::myaccountname:root' ] ] } ] }, + ':iam::', + { 'Fn::Join': [ '', [ 'my', 'account', 'name' ] ] }, + ':root' ] ] } }, Condition: { StringEquals: { 'sts:ExternalId': '12221121221' } } }); test.done(); @@ -59,8 +61,8 @@ export = { Version: 'Foo', Something: 123, Statement: [ - { Effect: 'Allow' }, - { Effect: 'Deny' }, + { Statement1: 1 }, + { Statement2: 2 } ] }; const doc = new PolicyDocument(base); @@ -69,7 +71,8 @@ export = { test.deepEqual(resolve(doc), { Version: 'Foo', Something: 123, Statement: - [ ...base.Statement, + [ { Statement1: 1 }, + { Statement2: 2 }, { Effect: 'Allow', Action: 'action', Resource: 'resource' } ] }); test.done(); }, @@ -96,7 +99,7 @@ export = { test.deepEqual(resolve(p), { Effect: "Allow", Principal: { - CanonicalUser: [canoncialUser] + CanonicalUser: canoncialUser } }); test.done(); @@ -108,7 +111,7 @@ export = { test.deepEqual(resolve(p), { Effect: "Allow", Principal: { - AWS: [{ + AWS: { "Fn::Join": [ "", [ @@ -119,7 +122,7 @@ export = { ":root" ] ] - }] + } } }); test.done(); @@ -131,7 +134,7 @@ export = { test.deepEqual(resolve(p), { Effect: "Allow", Principal: { - Federated: ["com.amazon.cognito"] + Federated: "com.amazon.cognito" }, Condition: { StringEquals: { key: 'value' } 
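Review bot: The fixture restored in the `@@ -59` hunk feeds `Statement: [ { Statement1: 1 }, { Statement2: 2 } ]` into `new PolicyDocument(base)`, and the `@@ -69` assertion expects those two objects back verbatim next to the real `{ Effect: 'Allow', Action: 'action', Resource: 'resource' }` statement, so what this test actually pins is that base statements receive no shape validation at all. That should be stated, otherwise the next reader will take `Statement1: 1` for a typo and "fix" it; a comment above the `base` literal such as `// Base statements are not validated: arbitrary objects are emitted verbatim, so a malformed entry only fails at deploy time.` would do. The `base` literal opens before the `@@ -59` hunk, and the same test function continues into `@@ -69`, which ends after `test.done()`.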
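Review bot: Nothing on the new side covers adding a principal more than once: the `@@ -108` and `@@ -119` hunks restore `Principal: { AWS: { 'Fn::Join': … } }` as a single object (the same shape change applies to `CanonicalUser` in `@@ -96` and `Federated` in `@@ -131`), while the only test exercising two `addAwsAccountPrincipal` calls is deleted further down in this file's `@@ -140` hunk. If a second call replaces rather than appends, the generated policy would silently grant access to only the last principal, which is exactly the kind of grant mismatch a regression test should pin. A short test with two calls asserting the current single-object shape would keep that behaviour visible when #916 is reintroduced. The `test.deepEqual` in `@@ -108` belongs to a test function that starts before the hunk and runs past `@@ -119`.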
@@ -140,22 +143,6 @@ export = { test.done(); }, - 'addAccountPrincipal can be used multiple times'(test: Test) { - const p = new PolicyStatement(); - p.addAwsAccountPrincipal('1234'); - p.addAwsAccountPrincipal('5678'), - test.deepEqual(resolve(p), { - Effect: 'Allow', - Principal: { - AWS: [ - { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::1234:root']] }, - { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::5678:root']] } - ] - } - }); - test.done(); - }, - 'hasResource': { 'false if there are no resources'(test: Test) { test.equal(new PolicyStatement().hasResource, false, 'hasResource should be false for an empty permission'); diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts index 461321b34e4cb..99c0fd22888d1 100644 --- a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts +++ b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts @@ -107,18 +107,18 @@ export = { "Statement": [ { "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:CancelKeyDeletion" ], "Effect": "Allow", "Principal": { @@ -190,18 +190,18 @@ export = { "Statement": [ { "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:CancelKeyDeletion" ], "Effect": "Allow", "Principal": { 
@@ -272,18 +272,18 @@ export = { "Statement": [ { "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:CancelKeyDeletion" ], "Effect": "Allow", "Principal": { @@ -390,26 +390,25 @@ export = { "MyStreamKey76F3300E": { "Type": "AWS::KMS::Key", "Properties": { + "Description": "Created by MyStream", "KeyPolicy": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*" + "kms:CancelKeyDeletion" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ @@ -427,19 +426,20 @@ export = { ] ] } - } + }, + "Resource": "*" } - ] - }, - "Description": "Created by MyStream" + ], + "Version": "2012-10-17" + } }, "DeletionPolicy": "Retain" }, "MyStream5C050E93": { "Type": "AWS::Kinesis::Stream", "Properties": { - "ShardCount": 1, "RetentionPeriodHours": 24, + "ShardCount": 1, "StreamEncryption": { "EncryptionType": "KMS", "KeyId": { @@ -458,15 +458,14 @@ export = { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:PutRecord", "kinesis:PutRecords" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyStream5C050E93", @@ -475,11 +474,11 @@ export = { } }, { - "Effect": "Allow", "Action": [ - "kms:Encrypt", - "kms:GenerateDataKey" + "kms:GenerateDataKey", + "kms:Encrypt" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyStreamKey76F3300E", 
@@ -487,7 +486,8 @@ export = { ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyUserDefaultPolicy7B897426", "Users": [ @@ -516,26 +516,25 @@ export = { "MyStreamKey76F3300E": { "Type": "AWS::KMS::Key", "Properties": { + "Description": "Created by MyStream", "KeyPolicy": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*" + "kms:CancelKeyDeletion" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ @@ -553,19 +552,20 @@ export = { ] ] } - } + }, + "Resource": "*" } - ] - }, - "Description": "Created by MyStream" + ], + "Version": "2012-10-17" + } }, "DeletionPolicy": "Retain" }, "MyStream5C050E93": { "Type": "AWS::Kinesis::Stream", "Properties": { - "ShardCount": 1, "RetentionPeriodHours": 24, + "ShardCount": 1, "StreamEncryption": { "EncryptionType": "KMS", "KeyId": { @@ -584,10 +584,8 @@ export = { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", @@ -595,6 +593,7 @@ export = { "kinesis:PutRecord", "kinesis:PutRecords" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyStream5C050E93", @@ -603,12 +602,12 @@ export = { } }, { - "Effect": "Allow", "Action": [ "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey" + "kms:GenerateDataKey", + "kms:Encrypt" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyStreamKey76F3300E", @@ -616,7 +615,8 @@ export = { ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyUserDefaultPolicy7B897426", "Users": [ 
@@ -889,26 +889,25 @@ export = { "MyStreamKey76F3300E": { "Type": "AWS::KMS::Key", "Properties": { + "Description": "Created by MyStream", "KeyPolicy": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*" + "kms:CancelKeyDeletion" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ @@ -926,30 +925,31 @@ export = { ] ] } - } + }, + "Resource": "*" } - ] - }, - "Description": "Created by MyStream" + ], + "Version": "2012-10-17" + } }, "DeletionPolicy": "Retain" }, "MyStream5C050E93": { - "Type": "AWS::Kinesis::Stream", - "Properties": { - "ShardCount": 1, - "RetentionPeriodHours": 24, - "StreamEncryption": { - "EncryptionType": "KMS", - "KeyId": { - "Fn::GetAtt": [ - "MyStreamKey76F3300E", - "Arn" - ] - } + "Type": "AWS::Kinesis::Stream", + "Properties": { + "RetentionPeriodHours": 24, + "ShardCount": 1, + "StreamEncryption": { + "EncryptionType": "KMS", + "KeyId": { + "Fn::GetAtt": [ + "MyStreamKey76F3300E", + "Arn" + ] } } } + } }, "Outputs": { "MyStreamKeyKeyArn967BCB03": { diff --git a/packages/@aws-cdk/aws-kms/test/integ.key.expected.json b/packages/@aws-cdk/aws-kms/test/integ.key.expected.json index dc304c9a37f2f..5394998c556aa 100644 --- a/packages/@aws-cdk/aws-kms/test/integ.key.expected.json +++ b/packages/@aws-cdk/aws-kms/test/integ.key.expected.json 
@@ -4,25 +4,23 @@ "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*" + "kms:CancelKeyDeletion" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ @@ -40,19 +38,21 @@ ] ] } - } + }, + "Resource": "*" }, { - "Effect": "Allow", "Action": "kms:encrypt", - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Ref": "AWS::AccountId" } - } + }, + "Resource": "*" } - ] + ], + "Version": "2012-10-17" } }, "DeletionPolicy": "Retain" diff --git a/packages/@aws-cdk/aws-kms/test/test.key.ts b/packages/@aws-cdk/aws-kms/test/test.key.ts index 92917cd43b65d..5805b1fa315d9 100644 --- a/packages/@aws-cdk/aws-kms/test/test.key.ts +++ b/packages/@aws-cdk/aws-kms/test/test.key.ts @@ -20,18 +20,18 @@ export = { Statement: [ { Action: [ - "kms:CancelKeyDeletion", - "kms:Create*", - "kms:Delete*", - "kms:Describe*", - "kms:Disable*", - "kms:Enable*", - "kms:Get*", - "kms:List*", - "kms:Put*", - "kms:Revoke*", - "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" ], Effect: "Allow", Principal: { @@ -83,18 +83,18 @@ export = { Statement: [ { Action: [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:CancelKeyDeletion" ], Effect: "Allow", Principal: { 
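Review bot: The same twelve-entry key-administrator action list (`kms:Create*` through `kms:CancelKeyDeletion`) is spelled out inline in the `@@ -20` hunk and repeated in this file's `@@ -83`, `@@ -160` and `@@ -237` hunks, and again in the `test.stream.ts` hunks `@@ -107`, `@@ -190` and `@@ -272`, each copy asserting exact element order. A single module-level constant per test file, e.g. `const KEY_ADMIN_ACTIONS = [ 'kms:Create*', 'kms:Describe*', /* … */ 'kms:CancelKeyDeletion' ];`, referenced from every expectation would turn a future change to the default key policy into a one-line edit and make it obvious that all of these tests check the same grant. The `test.deepEqual` call and its enclosing test function start before the `@@ -20` hunk and continue after it.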
@@ -160,18 +160,18 @@ export = { Statement: [ { Action: [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:CancelKeyDeletion" ], Effect: "Allow", Principal: { @@ -237,18 +237,18 @@ export = { Statement: [ { Action: [ - "kms:CancelKeyDeletion", - "kms:Create*", - "kms:Delete*", - "kms:Describe*", - "kms:Disable*", - "kms:Enable*", - "kms:Get*", - "kms:List*", - "kms:Put*", - "kms:Revoke*", - "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" ], Effect: "Allow", Principal: { diff --git a/packages/@aws-cdk/aws-lambda/test/inline.expected.json b/packages/@aws-cdk/aws-lambda/test/inline.expected.json index de8e58be53d32..fd1c0abac77c2 100644 --- a/packages/@aws-cdk/aws-lambda/test/inline.expected.json +++ b/packages/@aws-cdk/aws-lambda/test/inline.expected.json @@ -19,7 +19,7 @@ "Version": "2012-10-17" }, "ManagedPolicyArns": [ - {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]} + {"Fn::Join": ["", ["arn", ":", {"Ref": "AWS::Partition"}, ":", "iam", ":", "", ":", "aws", ":", "policy", "/", "service-role/AWSLambdaBasicExecutionRole"]]} ] } @@ -31,12 +31,12 @@ "Statement": [ { "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], "Effect": "Allow", "Resource": [ @@ -56,7 +56,8 @@ "Arn" ] }, - "/*" + "/", + "*" ] ] } 
diff --git a/packages/@aws-cdk/aws-lambda/test/integ.assets.file.expected.json b/packages/@aws-cdk/aws-lambda/test/integ.assets.file.expected.json index fecdce9a68e42..866f127940b61 100644 --- a/packages/@aws-cdk/aws-lambda/test/integ.assets.file.expected.json +++ b/packages/@aws-cdk/aws-lambda/test/integ.assets.file.expected.json @@ -4,27 +4,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -96,4 +106,4 @@ "Description": "S3 key for asset version \"lambda-test-assets-file/MyLambda/Code\"" } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-lambda/test/integ.assets.lit.expected.json b/packages/@aws-cdk/aws-lambda/test/integ.assets.lit.expected.json index 78036f8ce9951..e983ee0f5922f 100644 --- a/packages/@aws-cdk/aws-lambda/test/integ.assets.lit.expected.json +++ b/packages/@aws-cdk/aws-lambda/test/integ.assets.lit.expected.json @@ -4,27 +4,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } 
@@ -96,4 +106,4 @@ "Description": "S3 key for asset version \"lambda-test-assets/MyLambda/Code\"" } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-lambda/test/integ.bucket-notifications.expected.json b/packages/@aws-cdk/aws-lambda/test/integ.bucket-notifications.expected.json index a3f17805ead53..67b30b027eb0f 100644 --- a/packages/@aws-cdk/aws-lambda/test/integ.bucket-notifications.expected.json +++ b/packages/@aws-cdk/aws-lambda/test/integ.bucket-notifications.expected.json @@ -49,27 +49,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } 
@@ -172,44 +182,60 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } - ], - "Policies": [ + ] + } + }, + "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:PutBucketNotification", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", + "Roles": [ { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "s3:PutBucketNotification", - "Resource": "*" - } - ] - }, - "PolicyName": "allowPutBucketNotification" + "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" } ] } diff --git a/packages/@aws-cdk/aws-lambda/test/integ.events.expected.json b/packages/@aws-cdk/aws-lambda/test/integ.events.expected.json index 5cbc2f8add41a..82097f0e2e730 100644 --- a/packages/@aws-cdk/aws-lambda/test/integ.events.expected.json +++ b/packages/@aws-cdk/aws-lambda/test/integ.events.expected.json 
@@ -4,27 +4,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } diff --git a/packages/@aws-cdk/aws-lambda/test/integ.lambda.expected.json b/packages/@aws-cdk/aws-lambda/test/integ.lambda.expected.json index 638edbd1e9fd2..1fa4ce735d35b 100644 --- a/packages/@aws-cdk/aws-lambda/test/integ.lambda.expected.json +++ b/packages/@aws-cdk/aws-lambda/test/integ.lambda.expected.json @@ -4,27 +4,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -35,14 +45,14 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "*", + "Effect": "Allow", "Resource": "*" } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyLambdaServiceRoleDefaultPolicy5BBC6F68", "Roles": [ diff --git a/packages/@aws-cdk/aws-lambda/test/integ.vpc-lambda.expected.json b/packages/@aws-cdk/aws-lambda/test/integ.vpc-lambda.expected.json index c0f395d3f6eee..84f1345239c11 100644 
--- a/packages/@aws-cdk/aws-lambda/test/integ.vpc-lambda.expected.json +++ b/packages/@aws-cdk/aws-lambda/test/integ.vpc-lambda.expected.json @@ -57,18 +57,6 @@ } } }, - "VPCPublicSubnet1DefaultRoute91CEF279": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VPCPublicSubnet1RouteTableFEE4B781" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VPCIGWB7E252D3" - } - } - }, "VPCPublicSubnet1EIP6AD938E8": { "Type": "AWS::EC2::EIP", "Properties": { @@ -95,6 +83,18 @@ ] } }, + "VPCPublicSubnet1DefaultRoute91CEF279": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + } + } + }, "VPCPublicSubnet2Subnet74179F39": { "Type": "AWS::EC2::Subnet", "Properties": { @@ -137,18 +137,6 @@ } } }, - "VPCPublicSubnet2DefaultRouteB7481BBA": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VPCIGWB7E252D3" - } - } - }, "VPCPublicSubnet2EIP4947BC00": { "Type": "AWS::EC2::EIP", "Properties": { @@ -175,6 +163,18 @@ ] } }, + "VPCPublicSubnet2DefaultRouteB7481BBA": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + } + } + }, "VPCPrivateSubnet1Subnet8BCA10E0": { "Type": "AWS::EC2::Subnet", "Properties": { 
@@ -309,27 +309,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] }, @@ -337,11 +347,21 @@ "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaVPCAccessExecutionRole" ] ] } diff --git a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts index 1887191a8c794..4c2b2d42ee716 100644 --- a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts +++ b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts @@ -32,7 +32,7 @@ export = { ManagedPolicyArns: // arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole // tslint:disable-next-line:max-line-length - [{'Fn::Join': ['', ['arn:', {Ref: 'AWS::Partition'}, ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']]}], + [{'Fn::Join': ['', ['arn', ':', {Ref: 'AWS::Partition'}, ':', 'iam', ':', '', ':', 'aws', ':', 'policy', '/', 'service-role/AWSLambdaBasicExecutionRole']]}], }}, MyLambdaCCE802FB: { Type: 'AWS::Lambda::Function', 
@@ -65,7 +65,7 @@ export = { Version: '2012-10-17' }, ManagedPolicyArns: // tslint:disable-next-line:max-line-length - [{'Fn::Join': ['', ['arn:', {Ref: 'AWS::Partition'}, ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']]}], + [{'Fn::Join': ['', ['arn', ':', {Ref: 'AWS::Partition'}, ':', 'iam', ':', '', ':', 'aws', ':', 'policy', '/', 'service-role/AWSLambdaBasicExecutionRole']]}], }}, MyLambdaServiceRoleDefaultPolicy5BBC6F68: { Type: "AWS::IAM::Policy", @@ -141,7 +141,7 @@ export = { }, "ManagedPolicyArns": // tslint:disable-next-line:max-line-length - [{'Fn::Join': ['', ['arn:', {Ref: 'AWS::Partition'}, ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']]}], + [{'Fn::Join': ['', ['arn', ':', {Ref: 'AWS::Partition'}, ':', 'iam', ':', '', ':', 'aws', ':', 'policy', '/', 'service-role/AWSLambdaBasicExecutionRole']]}], } }, "MyLambdaCCE802FB": { @@ -360,11 +360,21 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -471,11 +481,21 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -581,11 +601,21 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } 
@@ -657,11 +687,21 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -769,11 +809,21 @@ export = { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -876,8 +926,8 @@ export = { "Statement": [ { "Action": [ - "xray:PutTelemetryRecords", - "xray:PutTraceSegments", + "xray:PutTraceSegments", + "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" @@ -934,8 +984,8 @@ export = { "Statement": [ { "Action": [ - "xray:PutTelemetryRecords", - "xray:PutTraceSegments", + "xray:PutTraceSegments", + "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" @@ -992,8 +1042,8 @@ export = { "Statement": [ { "Action": [ - "xray:PutTelemetryRecords", - "xray:PutTraceSegments", + "xray:PutTraceSegments", + "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" diff --git a/packages/@aws-cdk/aws-lambda/test/test.singleton-lambda.ts b/packages/@aws-cdk/aws-lambda/test/test.singleton-lambda.ts index 30aff6e53b7f9..054ee63a44ace 100644 --- a/packages/@aws-cdk/aws-lambda/test/test.singleton-lambda.ts +++ b/packages/@aws-cdk/aws-lambda/test/test.singleton-lambda.ts @@ -37,7 +37,8 @@ export = { }, ManagedPolicyArns: [ { - "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] + "Fn::Join": [ "", [ "arn", ":", { Ref: "AWS::Partition" }, ":", "iam", ":", "", + ":", "aws", ":", "policy", "/", "service-role/AWSLambdaBasicExecutionRole" ] ] } ] } 
diff --git a/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json b/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json index 67b856f39828e..c95a923aec045 100644 --- a/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json +++ b/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json @@ -57,18 +57,6 @@ } } }, - "VPCPublicSubnet1DefaultRoute91CEF279": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VPCPublicSubnet1RouteTableFEE4B781" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VPCIGWB7E252D3" - } - } - }, "VPCPublicSubnet1EIP6AD938E8": { "Type": "AWS::EC2::EIP", "Properties": { @@ -95,6 +83,18 @@ ] } }, + "VPCPublicSubnet1DefaultRoute91CEF279": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + } + } + }, "VPCPublicSubnet2Subnet74179F39": { "Type": "AWS::EC2::Subnet", "Properties": { @@ -137,18 +137,6 @@ } } }, - "VPCPublicSubnet2DefaultRouteB7481BBA": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VPCIGWB7E252D3" - } - } - }, "VPCPublicSubnet2EIP4947BC00": { "Type": "AWS::EC2::EIP", "Properties": { @@ -175,6 +163,18 @@ ] } }, + "VPCPublicSubnet2DefaultRouteB7481BBA": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + } + } + }, "VPCPrivateSubnet1Subnet8BCA10E0": { "Type": "AWS::EC2::Subnet", "Properties": { 
@@ -319,25 +319,23 @@ "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*" + "kms:CancelKeyDeletion" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ @@ -355,9 +353,11 @@ ] ] } - } + }, + "Resource": "*" } - ] + ], + "Version": "2012-10-17" } }, "DeletionPolicy": "Retain" diff --git a/packages/@aws-cdk/aws-route53/package-lock.json b/packages/@aws-cdk/aws-route53/package-lock.json index 363b11e8ec30d..64c6162fb30a5 100644 --- a/packages/@aws-cdk/aws-route53/package-lock.json +++ b/packages/@aws-cdk/aws-route53/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/aws-route53", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts b/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts index 32014251c6db8..dd0f1a91d8101 100644 --- a/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts +++ b/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts 
@@ -57,16 +57,14 @@ export class NotificationsResourceHandler extends cdk.Construct { resource: 'policy', resourceName: 'service-role/AWSLambdaBasicExecutionRole', }) - ], - inlinePolicies: { - // handler allows to put bucket notification on s3 buckets. - allowPutBucketNotification: new iam.PolicyDocument() - .addStatement(new iam.PolicyStatement() - .addAction('s3:PutBucketNotification') - .addAllResources()) - } + ] }); + // handler allows to put bucket notification on s3 buckets. + role.addToPolicy(new iam.PolicyStatement() + .addAction('s3:PutBucketNotification') + .addAllResources()); + const resource = new cdk.Resource(this, 'Resource', { type: 'AWS::Lambda::Function', properties: { diff --git a/packages/@aws-cdk/aws-s3/test/integ.bucket.domain-name.expected.json b/packages/@aws-cdk/aws-s3/test/integ.bucket.domain-name.expected.json index 96449b326fafa..01c6536296847 100644 --- a/packages/@aws-cdk/aws-s3/test/integ.bucket.domain-name.expected.json +++ b/packages/@aws-cdk/aws-s3/test/integ.bucket.domain-name.expected.json @@ -7,10 +7,7 @@ "Outputs": { "RealBucketDomain": { "Value": { - "Fn::GetAtt": [ - "MyBucketF68F3FF0", - "DomainName" - ] + "Fn::GetAtt":["MyBucketF68F3FF0","DomainName"] }, "Export": { "Name": "aws-cdk-s3-urls:RealBucketDomain" @@ -23,4 +20,5 @@ } } } -} \ No newline at end of file +} + diff --git a/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json b/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json index 82abcbe1431ba..5f0af8b0f8c9c 100644 --- a/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json +++ b/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json 
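Review bot: The restored grant is `s3:PutBucketNotification` on `addAllResources()`, and the comment above it does not say why a wildcard resource is needed; `// a single shared handler configures notifications for every bucket in the stack, so the grant cannot be scoped to one bucket ARN` would record the intent for the next reader. Moving the statement from `inlinePolicies` to `role.addToPolicy(...)` also changes what is synthesized: the expected JSON in the bucket-notification hunks of this commit shows the permission now lands in a separate `AWS::IAM::Policy` resource attached to the role instead of inline on the role, so the `AWS::Lambda::Function` created below depends only on the role and, unless the function resource declares a dependency on that default policy, could be invoked before the grant is attached — worth confirming against the ordering CloudFormation produces. The enclosing constructor continues outside the hunk.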
@@ -4,25 +4,23 @@ "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*" + "kms:CancelKeyDeletion" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ @@ -40,18 +38,18 @@ ] ] } - } + }, + "Resource": "*" }, { - "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" + "kms:ReEncrypt*", + "kms:GenerateDataKey*" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ @@ -59,9 +57,11 @@ "Arn" ] } - } + }, + "Resource": "*" } - ] + ], + "Version": "2012-10-17" }, "Description": "Created by aws-cdk-s3/MyBucket" }, @@ -108,18 +108,17 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], + "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ @@ -127,12 +126,6 @@ "Arn" ] }, - { - "Fn::GetAtt": [ - "MyOtherBucket543F3540", - "Arn" - ] - }, { "Fn::Join": [ "", 
@@ -143,43 +136,62 @@ "Arn" ] }, - "/*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "MyOtherBucket543F3540", - "Arn" - ] - }, - "/*" + "/", + "*" ] ] } ] }, { - "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" + "kms:ReEncrypt*", + "kms:GenerateDataKey*" ], + "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MyBucketKeyC17130CF", "Arn" ] } + }, + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "MyOtherBucket543F3540", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyOtherBucket543F3540", + "Arn" + ] + }, + "/", + "*" + ] + ] + } + ] } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyUserDefaultPolicy7B897426", "Users": [ diff --git a/packages/@aws-cdk/aws-s3/test/integ.bucket.url.lit.expected.json b/packages/@aws-cdk/aws-s3/test/integ.bucket.url.lit.expected.json index 75f9b0523546d..5e673cd26b405 100644 --- a/packages/@aws-cdk/aws-s3/test/integ.bucket.url.lit.expected.json +++ b/packages/@aws-cdk/aws-s3/test/integ.bucket.url.lit.expected.json @@ -10,7 +10,8 @@ "Fn::Join": [ "", [ - "https://s3.", + "https://", + "s3.", { "Ref": "AWS::Region" }, @@ -34,7 +35,8 @@ "Fn::Join": [ "", [ - "https://s3.", + "https://", + "s3.", { "Ref": "AWS::Region" }, @@ -46,7 +48,8 @@ { "Ref": "MyBucketF68F3FF0" }, - "/myfolder/myfile.txt" + "/", + "myfolder/myfile.txt" ] ] }, diff --git a/packages/@aws-cdk/aws-s3/test/integ.notifications.expected.json b/packages/@aws-cdk/aws-s3/test/integ.notifications.expected.json index d7bb4618ede72..5a06b33722f90 100644 --- a/packages/@aws-cdk/aws-s3/test/integ.notifications.expected.json +++ b/packages/@aws-cdk/aws-s3/test/integ.notifications.expected.json 
@@ -59,18 +59,9 @@ } ], "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", - "Sid": "sid0", "Action": "sns:Publish", - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Principal": { - "Service": "s3.amazonaws.com" - }, "Condition": { "ArnLike": { "aws:SourceArn": { @@ -80,9 +71,18 @@ ] } } - } + }, + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Ref": "TopicBFC7AF6E" + }, + "Sid": "sid0" } - ] + ], + "Version": "2012-10-17" } } }, @@ -98,18 +98,9 @@ } ], "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", - "Sid": "sid0", "Action": "sns:Publish", - "Resource": { - "Ref": "Topic3DEAE47A7" - }, - "Principal": { - "Service": "s3.amazonaws.com" - }, "Condition": { "ArnLike": { "aws:SourceArn": { @@ -119,18 +110,18 @@ ] } } - } - }, - { - "Effect": "Allow", - "Sid": "sid1", - "Action": "sns:Publish", - "Resource": { - "Ref": "Topic3DEAE47A7" }, + "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, + "Resource": { + "Ref": "Topic3DEAE47A7" + }, + "Sid": "sid0" + }, + { + "Action": "sns:Publish", "Condition": { "ArnLike": { "aws:SourceArn": { @@ -140,9 +131,18 @@ ] } } - } + }, + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Ref": "Topic3DEAE47A7" + }, + "Sid": "sid1" } - ] + ], + "Version": "2012-10-17" } } }, 
@@ -150,44 +150,60 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } - ], - "Policies": [ + ] + } + }, + "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:PutBucketNotification", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", + "Roles": [ { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "s3:PutBucketNotification", - "Resource": "*" - } - ] - }, - "PolicyName": "allowPutBucketNotification" + "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" } ] } diff --git a/packages/@aws-cdk/aws-s3/test/test.bucket.ts b/packages/@aws-cdk/aws-s3/test/test.bucket.ts index 42a2c0dc85696..104adae3e287e 100644 --- a/packages/@aws-cdk/aws-s3/test/test.bucket.ts +++ b/packages/@aws-cdk/aws-s3/test/test.bucket.ts @@ -110,18 +110,18 @@ export = { "Statement": [ { "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:CancelKeyDeletion" ], "Effect": "Allow", "Principal": { 
@@ -262,7 +262,7 @@ export = { Resource: { 'Fn::Join': [ '', - [ { 'Fn::GetAtt': [ 'MyBucketF68F3FF0', 'Arn' ] }, '/hello/world' ] + [ { 'Fn::GetAtt': [ 'MyBucketF68F3FF0', 'Arn' ] }, '/', 'hello/world' ] ] } }); @@ -290,7 +290,8 @@ export = { '', [ { 'Fn::GetAtt': [ 'MyBucketF68F3FF0', 'Arn' ] }, - '/home/', + '/', + 'home/', { Ref: 'MyTeam01DD6685' }, '/', { Ref: 'MyUserDC45028B' }, @@ -398,7 +399,17 @@ export = { { "Action": "s3:*", "Effect": "Allow", - "Resource": "arn:aws:s3:::my-bucket/my/folder/my-bucket" + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::my-bucket", + "/", + "my/folder/", + "my-bucket" + ] + ] + } } ], "Version": "2012-10-17" @@ -479,9 +490,9 @@ export = { "Statement": [ { "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" ], "Effect": "Allow", "Resource": [ @@ -495,7 +506,8 @@ export = { { "Fn::ImportValue": "S1:MyBucketBucketArnE260558C" }, - "/*" + "/", + "*" ] ] } @@ -536,9 +548,9 @@ export = { "Statement": [ { "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" ], "Effect": "Allow", "Resource": [ @@ -558,7 +570,8 @@ export = { "Arn" ] }, - "/*" + "/", + "*" ] ] } @@ -605,12 +618,12 @@ export = { "Statement": [ { "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", + "s3:DeleteObject*", "s3:PutObject*", + "s3:Abort*" ], "Effect": "Allow", "Resource": [ @@ -630,7 +643,8 @@ export = { "Arn" ] }, - "/*" + "/", + "*" ] ] } @@ -669,18 +683,18 @@ export = { "Statement": [ { "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:CancelKeyDeletion" ], "Effect": "Allow", "Principal": { 
@@ -708,8 +722,8 @@ export = { "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", - "kms:GenerateDataKey*", "kms:ReEncrypt*", + "kms:GenerateDataKey*", ], "Effect": "Allow", "Principal": { @@ -758,12 +772,12 @@ export = { "Statement": [ { "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", + "s3:DeleteObject*", "s3:PutObject*", + "s3:Abort*" ], "Effect": "Allow", "Resource": [ @@ -783,7 +797,8 @@ export = { "Arn" ] }, - "/*" + "/", + "*" ] ] } @@ -794,8 +809,8 @@ export = { "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", - "kms:GenerateDataKey*", "kms:ReEncrypt*", + "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { @@ -837,8 +852,8 @@ export = { const resources = stack.toCloudFormation().Resources; const actions = (id: string) => resources[id].Properties.PolicyDocument.Statement[0].Action; - test.deepEqual(actions('WriterDefaultPolicyDC585BCE'), [ 's3:Abort*', 's3:DeleteObject*', 's3:PutObject*' ]); - test.deepEqual(actions('PutterDefaultPolicyAB138DD3'), [ 's3:Abort*', 's3:PutObject*' ]); + test.deepEqual(actions('WriterDefaultPolicyDC585BCE'), [ 's3:DeleteObject*', 's3:PutObject*', 's3:Abort*' ]); + test.deepEqual(actions('PutterDefaultPolicyAB138DD3'), [ 's3:PutObject*', 's3:Abort*' ]); test.deepEqual(actions('DeleterDefaultPolicyCD33B8A0'), 's3:DeleteObject*'); test.done(); }, @@ -905,9 +920,9 @@ export = { "Statement": [ { "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" ], "Effect": "Allow", "Resource": [ @@ -921,7 +936,8 @@ export = { { "Fn::ImportValue": "MyBucketBucketArnE260558C" }, - "/*" + "/", + "*" ] ] } @@ -964,7 +980,8 @@ export = { "Fn::Join": [ "", [ - "https://s3.", + "https://", + "s3.", { "Ref": "AWS::Region" }, @@ -988,7 +1005,8 @@ export = { "Fn::Join": [ "", [ - "https://s3.", + "https://", + "s3.", { "Ref": "AWS::Region" }, 
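Review bot: The assertions at `test.deepEqual(actions('WriterDefaultPolicyDC585BCE'), [ 's3:DeleteObject*', 's3:PutObject*', 's3:Abort*' ]);` pin the insertion order of the Action list, which is the only thing #916 changed in these fixtures and what forced this revert to touch so many of them; IAM evaluates Action as a set, so the order carries no meaning. Comparing order-insensitively for the array-valued cases, e.g. `test.deepEqual([...actions('WriterDefaultPolicyDC585BCE')].sort(), [ 's3:Abort*', 's3:DeleteObject*', 's3:PutObject*' ]);`, would let the test pass under either ordering (the Deleter case returns a single string and must stay as it is). The same ordering-only churn appears in the other Action-list hunks of this file and in test.key.ts.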
@@ -1000,7 +1018,8 @@ export = { { "Ref": "MyBucketF68F3FF0" }, - "/my/file.txt" + "/", + "my/file.txt" ] ] }, @@ -1013,7 +1032,8 @@ export = { "Fn::Join": [ "", [ - "https://s3.", + "https://", + "s3.", { "Ref": "AWS::Region" }, @@ -1025,7 +1045,8 @@ export = { { "Ref": "MyBucketF68F3FF0" }, - "/your/file.txt" + "/", + "your/file.txt" ] ] }, @@ -1056,7 +1077,7 @@ export = { "Action": "s3:GetObject", "Effect": "Allow", "Principal": "*", - "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "bC3BBCC65", "Arn" ] }, "/*" ] ] } + "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "bC3BBCC65", "Arn" ] }, "/", "*" ] ] } } ], "Version": "2012-10-17" @@ -1081,7 +1102,7 @@ export = { "Action": "s3:GetObject", "Effect": "Allow", "Principal": "*", - "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "bC3BBCC65", "Arn" ] }, "/only/access/these/*" ] ] } + "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "bC3BBCC65", "Arn" ] }, "/", "only/access/these/*" ] ] } } ], "Version": "2012-10-17" @@ -1106,7 +1127,7 @@ export = { "Action": [ "s3:GetObject", "s3:PutObject" ], "Effect": "Allow", "Principal": "*", - "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "bC3BBCC65", "Arn" ] }, "/*" ] ] } + "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "bC3BBCC65", "Arn" ] }, "/", "*" ] ] } } ], "Version": "2012-10-17" @@ -1132,7 +1153,7 @@ export = { "Action": "s3:GetObject", "Effect": "Allow", "Principal": "*", - "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "bC3BBCC65", "Arn" ] }, "/*" ] ] }, + "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "bC3BBCC65", "Arn" ] }, "/", "*" ] ] }, "Condition": { "IpAddress": { "aws:SourceIp": "54.240.143.0/24" } } diff --git a/packages/@aws-cdk/aws-s3/test/test.util.ts b/packages/@aws-cdk/aws-s3/test/test.util.ts index e6550bb1217a2..fe647c2275c80 100644 --- a/packages/@aws-cdk/aws-s3/test/test.util.ts +++ b/packages/@aws-cdk/aws-s3/test/test.util.ts 
@@ -14,9 +14,17 @@ export = { const bucketName = 'hello'; test.deepEqual(cdk.resolve(parseBucketArn({ bucketName })), { 'Fn::Join': [ '', - [ 'arn:', + [ 'arn', + ':', { Ref: 'AWS::Partition' }, - ':s3:::hello' ] ] }); + ':', + 's3', + ':', + '', + ':', + '', + ':', + 'hello' ] ] }); test.done(); }, @@ -41,7 +49,7 @@ export = { }, 'undefined if cannot extract name from a non-string arn'(test: Test) { - const bucketArn = new cdk.FnConcat('arn:aws:s3:::', { Ref: 'BucketName' }).toString(); + const bucketArn = new cdk.FnConcat('arn:aws:s3:::', 'my-bucket').toString(); test.deepEqual(cdk.resolve(parseBucketName({ bucketArn })), undefined); test.done(); }, diff --git a/packages/@aws-cdk/aws-sns/test/integ.sns-bucket-notifications.expected.json b/packages/@aws-cdk/aws-sns/test/integ.sns-bucket-notifications.expected.json index ad5f92189fdd4..f282f4ce68fad 100644 --- a/packages/@aws-cdk/aws-sns/test/integ.sns-bucket-notifications.expected.json +++ b/packages/@aws-cdk/aws-sns/test/integ.sns-bucket-notifications.expected.json @@ -7,18 +7,9 @@ "Type": "AWS::SNS::TopicPolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", - "Sid": "0", "Action": "sns:Publish", - "Resource": { - "Ref": "ObjectCreatedTopic92F47E19" - }, - "Principal": { - "Service": "s3.amazonaws.com" - }, "Condition": { "ArnLike": { "aws:SourceArn": { @@ -28,9 +19,18 @@ ] } } - } + }, + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Ref": "ObjectCreatedTopic92F47E19" + }, + "Sid": "0" } - ] + ], + "Version": "2012-10-17" }, "Topics": [ { @@ -46,18 +46,9 @@ "Type": "AWS::SNS::TopicPolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", - "Sid": "0", "Action": "sns:Publish", - "Resource": { - "Ref": "ObjectDeletedTopic2A914EC0" - }, - "Principal": { - "Service": "s3.amazonaws.com" - }, "Condition": { "ArnLike": { "aws:SourceArn": { 
@@ -67,9 +58,18 @@ ] } } - } + }, + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Ref": "ObjectDeletedTopic2A914EC0" + }, + "Sid": "0" } - ] + ], + "Version": "2012-10-17" }, "Topics": [ { @@ -137,44 +137,60 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } - ], - "Policies": [ + ] + } + }, + "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:PutBucketNotification", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", + "Roles": [ { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "s3:PutBucketNotification", - "Resource": "*" - } - ] - }, - "PolicyName": "allowPutBucketNotification" + "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" } ] } diff --git a/packages/@aws-cdk/aws-sns/test/integ.sns-event-rule-target.expected.json b/packages/@aws-cdk/aws-sns/test/integ.sns-event-rule-target.expected.json index f5e941cf768d7..afa32e0b0348a 100644 --- a/packages/@aws-cdk/aws-sns/test/integ.sns-event-rule-target.expected.json +++ b/packages/@aws-cdk/aws-sns/test/integ.sns-event-rule-target.expected.json 
@@ -22,20 +22,20 @@ "Type": "AWS::SNS::TopicPolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Sid": "0", "Action": "sns:Publish", - "Resource": { - "Ref": "MyTopic86869434" - }, + "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" + }, + "Resource": { + "Ref": "MyTopic86869434" } } - ] + ], + "Version": "2012-10-17" }, "Topics": [ { @@ -66,29 +66,29 @@ "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sqs:SendMessage", - "Resource": { - "Fn::GetAtt": [ - "MyQueueE6CA6235", - "Arn" - ] - }, - "Principal": { - "Service": "sns.amazonaws.com" - }, "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "MyTopic86869434" } } + }, + "Effect": "Allow", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "MyQueueE6CA6235", + "Arn" + ] } } - ] + ], + "Version": "2012-10-17" }, "Queues": [ { diff --git a/packages/@aws-cdk/aws-sns/test/integ.sns-lambda.expected.json b/packages/@aws-cdk/aws-sns/test/integ.sns-lambda.expected.json index a3847b565a4cf..4164cc8b24d84 100644 --- a/packages/@aws-cdk/aws-sns/test/integ.sns-lambda.expected.json +++ b/packages/@aws-cdk/aws-sns/test/integ.sns-lambda.expected.json @@ -22,30 +22,19 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } + {"Fn::Join":["",["arn",":",{"Ref":"AWS::Partition"},":","iam",":","",":","aws",":","policy","/","service-role/AWSLambdaBasicExecutionRole"]]} ] } }, @@ -82,4 +71,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/packages/@aws-cdk/aws-sns/test/integ.sns-sqs.lit.expected.json b/packages/@aws-cdk/aws-sns/test/integ.sns-sqs.lit.expected.json index 0ecd4a612d85f..40b6fbae330d0 100644 --- a/packages/@aws-cdk/aws-sns/test/integ.sns-sqs.lit.expected.json +++ b/packages/@aws-cdk/aws-sns/test/integ.sns-sqs.lit.expected.json @@ -25,29 +25,29 @@ "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sqs:SendMessage", - "Resource": { - "Fn::GetAtt": [ - "MyQueueE6CA6235", - "Arn" - ] - }, - "Principal": { - "Service": "sns.amazonaws.com" - }, "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "MyTopic86869434" } } + }, + "Effect": "Allow", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "MyQueueE6CA6235", + "Arn" + ] } } - ] + ], + "Version": "2012-10-17" }, "Queues": [ { diff --git a/packages/@aws-cdk/aws-sns/test/test.sns.ts b/packages/@aws-cdk/aws-sns/test/test.sns.ts index 4821284793e31..9a45223a3c56e 100644 --- a/packages/@aws-cdk/aws-sns/test/test.sns.ts +++ b/packages/@aws-cdk/aws-sns/test/test.sns.ts @@ -265,7 +265,8 @@ export = { "Version": "2012-10-17" }, "ManagedPolicyArns": [ - { "Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]} + { "Fn::Join": ["", ["arn", ":", {"Ref": "AWS::Partition"}, ":", "iam", ":", "", ":", "aws", ":", "policy", "/", + "service-role/AWSLambdaBasicExecutionRole"]]} ] } }, 
@@ -406,29 +407,29 @@ export = { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sqs:SendMessage", - "Resource": { - "Fn::GetAtt": [ - "MyQueueE6CA6235", - "Arn" - ] - }, - "Principal": { - "Service": "sns.amazonaws.com" - }, "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "MyTopic86869434" } } + }, + "Effect": "Allow", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "MyQueueE6CA6235", + "Arn" + ] } } - ] + ], + "Version": "2012-10-17" }, "Queues": [ { @@ -441,27 +442,37 @@ export = { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } diff --git a/packages/@aws-cdk/aws-sqs/package-lock.json b/packages/@aws-cdk/aws-sqs/package-lock.json index bdeec986f6773..b41fc983f66c1 100644 --- a/packages/@aws-cdk/aws-sqs/package-lock.json +++ b/packages/@aws-cdk/aws-sqs/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/aws-sqs", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/aws-sqs/test/integ.bucket-notifications.expected.json b/packages/@aws-cdk/aws-sqs/test/integ.bucket-notifications.expected.json index e058db97fab2c..9bca049124ab9 100644 --- a/packages/@aws-cdk/aws-sqs/test/integ.bucket-notifications.expected.json +++ b/packages/@aws-cdk/aws-sqs/test/integ.bucket-notifications.expected.json 
@@ -54,20 +54,9 @@ "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sqs:SendMessage", - "Resource": { - "Fn::GetAtt": [ - "MyQueueE6CA6235", - "Arn" - ] - }, - "Principal": { - "Service": "s3.amazonaws.com" - }, "Condition": { "ArnLike": { "aws:SourceArn": { @@ -77,20 +66,20 @@ ] } } - } - }, - { + }, "Effect": "Allow", - "Action": "sqs:SendMessage", + "Principal": { + "Service": "s3.amazonaws.com" + }, "Resource": { "Fn::GetAtt": [ "MyQueueE6CA6235", "Arn" ] - }, - "Principal": { - "Service": "s3.amazonaws.com" - }, + } + }, + { + "Action": "sqs:SendMessage", "Condition": { "ArnLike": { "aws:SourceArn": { @@ -100,9 +89,20 @@ ] } } + }, + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "MyQueueE6CA6235", + "Arn" + ] } } - ] + ], + "Version": "2012-10-17" }, "Queues": [ { 
@@ -115,44 +115,60 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } - ], - "Policies": [ + ] + } + }, + "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:PutBucketNotification", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", + "Roles": [ { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "s3:PutBucketNotification", - "Resource": "*" - } - ] - }, - "PolicyName": "allowPutBucketNotification" + "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC" } ] } @@ -224,25 +240,23 @@ "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*" + "kms:CancelKeyDeletion" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ 
@@ -260,20 +274,22 @@ ] ] } - } + }, + "Resource": "*" }, { - "Effect": "Allow", "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" + "kms:GenerateDataKey", + "kms:Decrypt" ], - "Resource": "*", + "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" - } + }, + "Resource": "*" } - ] + ], + "Version": "2012-10-17" }, "Description": "Created by sqs-bucket-notifications/EncryptedQueue" }, @@ -294,20 +310,9 @@ "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sqs:SendMessage", - "Resource": { - "Fn::GetAtt": [ - "EncryptedQueue0428C61A", - "Arn" - ] - }, - "Principal": { - "Service": "s3.amazonaws.com" - }, "Condition": { "ArnLike": { "aws:SourceArn": { @@ -317,9 +322,20 @@ ] } } + }, + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "EncryptedQueue0428C61A", + "Arn" + ] } } - ] + ], + "Version": "2012-10-17" }, "Queues": [ { diff --git a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts index c132e98122b49..d6a0b3cdca289 100644 --- a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts +++ b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts @@ -348,18 +348,18 @@ export = { "Statement": [ { "Action": [ - "kms:CancelKeyDeletion", "kms:Create*", - "kms:Delete*", "kms:Describe*", - "kms:Disable*", "kms:Enable*", - "kms:Get*", "kms:List*", "kms:Put*", + "kms:Update*", "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", "kms:ScheduleKeyDeletion", - "kms:Update*", + "kms:CancelKeyDeletion" ], "Effect": "Allow", "Principal": { @@ -384,8 +384,8 @@ export = { }, { "Action": [ - "kms:Decrypt", "kms:GenerateDataKey", + "kms:Decrypt" ], "Effect": "Allow", "Principal": { diff --git a/packages/@aws-cdk/cdk/lib/cloudformation/arn.ts b/packages/@aws-cdk/cdk/lib/cloudformation/arn.ts index 8aec7d684143d..01ce8c7a7b53a 100644 --- a/packages/@aws-cdk/cdk/lib/cloudformation/arn.ts 
+++ b/packages/@aws-cdk/cdk/lib/cloudformation/arn.ts @@ -33,7 +33,7 @@ export class ArnUtils { ? new AwsAccountId() : components.account; - const values = ['arn:', partition, ':', components.service, ':', region, ':', account, ':', components.resource]; + const values = [ 'arn', ':', partition, ':', components.service, ':', region, ':', account, ':', components.resource ]; const sep = components.sep || '/'; if (sep !== '/' && sep !== ':') { diff --git a/packages/@aws-cdk/cdk/lib/cloudformation/fn.ts b/packages/@aws-cdk/cdk/lib/cloudformation/fn.ts index 791950ee8b57f..2b64f876f9fad 100644 --- a/packages/@aws-cdk/cdk/lib/cloudformation/fn.ts +++ b/packages/@aws-cdk/cdk/lib/cloudformation/fn.ts @@ -1,4 +1,3 @@ -import { unresolved } from '../core/tokens'; import { CloudFormationToken, isIntrinsic } from './cloudformation-token'; // tslint:disable:max-line-length @@ -83,9 +82,6 @@ export class FnImportValue extends Fn { * with no delimiter. */ export class FnJoin extends Fn { - private readonly delimiter: string; - private readonly listOfValues: any[]; - /** * Creates an ``Fn::Join`` function. * @param delimiter The value you want to occur between fragments. The delimiter will occur between fragments only. 
@@ -96,45 +92,7 @@ export class FnJoin extends Fn { if (listOfValues.length === 0) { throw new Error(`FnJoin requires at least one value to be provided`); } - /* - * Optimization: if an Fn::Join is nested in another one (either as an instance of the FnJoin class, or as a JSON - * token), and they share the same delimiter, then flatten it up. Also, if two concatenated elements are literal - * strings (not tokens), then pre-concatenate them with the delimiter, to generate shorter output. - */ - let i = 0; - while (i < listOfValues.length) { - const el = listOfValues[i]; - if (el instanceof FnJoin && el.delimiter === delimiter) { - listOfValues.splice(i, 1, ...el.listOfValues); - } else if (isFnJoinIntrinsicWithSameDelimiter(el)) { - listOfValues.splice(i, 1, ...el['Fn::Join'][1]); - } else if (i > 0 && isPlainString(listOfValues[i - 1]) && isPlainString(listOfValues[i])) { - listOfValues[i - 1] += delimiter + listOfValues[i]; - listOfValues.splice(i, 1); - } else { - i += 1; - } - } super('Fn::Join', [ delimiter, listOfValues ]); - this.delimiter = delimiter; - this.listOfValues = listOfValues; - - function isFnJoinIntrinsicWithSameDelimiter(obj: any) { - return isIntrinsic(obj) - && Object.keys(obj)[0] === 'Fn::Join' - && obj['Fn::Join'][0] === delimiter; - } - - function isPlainString(obj: any) { - return typeof obj === 'string' && !unresolved(obj); - } - } - - public resolve(): any { - if (this.listOfValues.length === 1) { - return this.listOfValues[0]; - } - return super.resolve(); } } 
@@ -142,15 +100,54 @@ export class FnJoin extends Fn { * Alias for ``FnJoin('', listOfValues)``. */ export class FnConcat extends FnJoin { + private readonly listOfValues: any[]; + /** * Creates an ``Fn::Join`` function with an empty delimiter. * @param listOfValues The list of values to concatenate. */ constructor(...listOfValues: any[]) { + // Optimization: if any of the input arguments is also a FnConcat, + // splice their list of values into the current FnConcat. 'instanceof' + // can fail, but we do not depend depend on this for correctness. + // + // Do the same for resolved intrinsics, so we can detect this + // happening both at Token as well as at CloudFormation level. + + let i = 0; + while (i < listOfValues.length) { + const el = listOfValues[i]; + if (el instanceof FnConcat) { + listOfValues.splice(i, 1, ...el.listOfValues); + i += el.listOfValues.length; + } else if (isConcatIntrinsic(el)) { + const values = concatIntrinsicValues(el); + listOfValues.splice(i, 1, ...values); + i += values; + } else { + i++; + } + } + super('', listOfValues); + this.listOfValues = listOfValues; } } +/** + * Return whether the given object represents a CloudFormation intrinsic that is the result of a FnConcat resolution + */ +function isConcatIntrinsic(x: any) { + return isIntrinsic(x) && Object.keys(x)[0] === 'Fn::Join' && x['Fn::Join'][0] === ''; +} + +/** + * Return the concatted values of the concat intrinsic + */ +function concatIntrinsicValues(x: any) { + return x['Fn::Join'][1]; +} + /** * The intrinsic function ``Fn::Select`` returns a single object from a list of objects by index. */ diff --git a/packages/@aws-cdk/cdk/package-lock.json b/packages/@aws-cdk/cdk/package-lock.json index 9026349c1c045..143432e7f8fa8 100644 --- a/packages/@aws-cdk/cdk/package-lock.json +++ b/packages/@aws-cdk/cdk/package-lock.json 
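Review bot: `i += values;` in the intrinsic branch of the FnConcat constructor adds an array to a number, so `i` becomes a string (`0 + ['a', ':']` is `'0a,:'`), the `i < listOfValues.length` check then evaluates to false and the loop stops flattening right after the first spliced `Fn::Join` intrinsic. It compiles only because `concatIntrinsicValues` returns `any`; the intended line is `i += values.length;`. The flattening is an optimization, so output stays valid, but every later nested FnConcat in the same argument list is left unflattened. The comment above the loop also has a typo, `we do not depend depend on this` → `we do not depend on this`.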
@@ -1,16 +1,14 @@ { - "requires": true, + "name": "@aws-cdk/cdk", + "version": "0.12.0", "lockfileVersion": 1, + "requires": true, "dependencies": { "@types/js-base64": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/@types/js-base64/-/js-base64-2.3.1.tgz", - "integrity": "sha512-4RKbhIDGC87s4EBy2Cp2/5S2O6kmCRcZnD5KRCq1q9z2GhBte1+BdsfVKCpG8yKpDGNyEE2G6IqFIh6W2YwWPA==" - }, - "@types/lodash": { - "version": "4.14.117", - "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.117.tgz", - "integrity": "sha512-xyf2m6tRbz8qQKcxYZa7PA4SllYcay+eh25DN3jmNYY6gSTL7Htc/bttVdkqj2wfJGbeWlQiX8pIyJpKU+tubw==" + "integrity": "sha512-4RKbhIDGC87s4EBy2Cp2/5S2O6kmCRcZnD5KRCq1q9z2GhBte1+BdsfVKCpG8yKpDGNyEE2G6IqFIh6W2YwWPA==", + "dev": true }, "cli-color": { "version": "0.1.7", @@ -41,15 +39,6 @@ "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.8.2.tgz", "integrity": "sha1-q6jZ4ZQ6iVrJaDemKjmz9V7NlKs=" }, - "fast-check": { - "version": "1.6.2", - "resolved": "https://registry.npmjs.org/fast-check/-/fast-check-1.6.2.tgz", - "integrity": "sha512-RmCPZYkDfRGxPg/CEjuCA3bcb53aVOz495Cw+1IIuOr5S3sznLRTGIQF2U/AaanMbNg7UacZIGCWwiqp54ifAw==", - "requires": { - "lorem-ipsum": "~1.0.6", - "pure-rand": "^1.4.2" - } - }, "heap": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/heap/-/heap-0.2.6.tgz", @@ -62,7 +51,7 @@ }, "json-diff": { "version": "0.3.1", - "resolved": "http://registry.npmjs.org/json-diff/-/json-diff-0.3.1.tgz", + "resolved": "https://registry.npmjs.org/json-diff/-/json-diff-0.3.1.tgz", "integrity": "sha1-bbw64tJeB1p/1xvNmHRFhmb7aBs=", "requires": { "cli-color": "~0.1.6", 
@@ -70,29 +59,6 @@ "dreamopt": "~0.6.0" } }, - "lodash": { - "version": "4.17.11", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz", - "integrity": "sha512-cQKh8igo5QUhZ7lg38DYWAxMvjSAKG0A8wGSVimP07SIUEK2UO+arSRKbRZWtelMtN5V0Hkwh5ryOto/SshYIg==" - }, - "lorem-ipsum": { - "version": "1.0.6", - "resolved": "https://registry.npmjs.org/lorem-ipsum/-/lorem-ipsum-1.0.6.tgz", - "integrity": "sha512-Rx4XH8X4KSDCKAVvWGYlhAfNqdUP5ZdT4rRyf0jjrvWgtViZimDIlopWNfn/y3lGM5K4uuiAoY28TaD+7YKFrQ==", - "requires": { - "minimist": "~1.2.0" - } - }, - "minimist": { - "version": "1.2.0", - "resolved": "http://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz", - "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=" - }, - "pure-rand": { - "version": "1.4.2", - "resolved": "https://registry.npmjs.org/pure-rand/-/pure-rand-1.4.2.tgz", - "integrity": "sha512-5WrOH3ZPZgwW5CRyeNxmZ8BcQnL6s0YWGOZL6SROLfhIw9Uc1SseEyeNw9q5tc3Y5E783yzvNlsE9KJY8IuxcA==" - }, "wordwrap": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-1.0.0.tgz", diff --git a/packages/@aws-cdk/cdk/package.json b/packages/@aws-cdk/cdk/package.json index c5ed1414a5bb4..e3edfcb79a1a3 100644 --- a/packages/@aws-cdk/cdk/package.json +++ b/packages/@aws-cdk/cdk/package.json @@ -53,11 +53,8 @@ "license": "Apache-2.0", "devDependencies": { "@types/js-base64": "^2.3.1", - "@types/lodash": "^4.14.117", "cdk-build-tools": "^0.12.0", "cfn2ts": "^0.12.0", - "fast-check": "^1.6.2", - "lodash": "^4.17.11", "pkglint": "^0.12.0" }, "dependencies": { diff --git a/packages/@aws-cdk/cdk/test/cloudformation/test.arn.ts b/packages/@aws-cdk/cdk/test/cloudformation/test.arn.ts index fce33f308177f..c8879d5a119c9 100644 --- a/packages/@aws-cdk/cdk/test/cloudformation/test.arn.ts +++ b/packages/@aws-cdk/cdk/test/cloudformation/test.arn.ts 
@@ -10,13 +10,17 @@ export = { test.deepEqual(resolve(arn), { 'Fn::Join': [ '', - [ 'arn:', + [ 'arn', + ':', { Ref: 'AWS::Partition' }, - ':sqs:', + ':', + 'sqs', + ':', { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, - ':myqueuename' ] ] }); + ':', + 'myqueuename' ] ] }); test.done(); }, @@ -30,7 +34,21 @@ export = { resourceName: 'mytable/stream/label' }); - test.deepEqual(resolve(arn), 'arn:aws-cn:dynamodb:us-east-1:123456789012:table/mytable/stream/label'); + test.deepEqual(resolve(arn), { 'Fn::Join': + [ '', + [ 'arn', + ':', + 'aws-cn', + ':', + 'dynamodb', + ':', + 'us-east-1', + ':', + '123456789012', + ':', + 'table', + '/', + 'mytable/stream/label' ] ] }); test.done(); }, @@ -43,7 +61,24 @@ export = { partition: 'aws-cn', }); - test.deepEqual(resolve(arn), 'arn:aws-cn:s3:::my-bucket'); + test.deepEqual(resolve(arn), { + 'Fn::Join': [ + '', + [ + 'arn', + ':', + 'aws-cn', + ':', + 's3', + ':', + '', + ':', + '', + ':', + 'my-bucket', + ] + ] + }); test.done(); }, @@ -58,13 +93,19 @@ export = { test.deepEqual(resolve(arn), { 'Fn::Join': [ '', - [ 'arn:', + [ 'arn', + ':', { Ref: 'AWS::Partition' }, - ':codedeploy:', + ':', + 'codedeploy', + ':', { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, - ':application:WordPress_App' ] ] }); + ':', + 'application', + ':', + 'WordPress_App' ] ] }); test.done(); }, diff --git a/packages/@aws-cdk/cdk/test/cloudformation/test.fn.ts b/packages/@aws-cdk/cdk/test/cloudformation/test.fn.ts index ad59fd10a13f0..87a0548d62a40 100644 --- a/packages/@aws-cdk/cdk/test/cloudformation/test.fn.ts +++ b/packages/@aws-cdk/cdk/test/cloudformation/test.fn.ts 
@@ -1,90 +1,11 @@ -import fc = require('fast-check'); -import _ = require('lodash'); import nodeunit = require('nodeunit'); import fn = require('../../lib/cloudformation/fn'); -function asyncTest(cb: (test: nodeunit.Test) => Promise): (test: nodeunit.Test) => void { - return async (test: nodeunit.Test) => { - let error: Error; - try { - await cb(test); - } catch (e) { - error = e; - } finally { - test.doesNotThrow(() => { - if (error) { throw error; } - }); - test.done(); - } - }; -} - export = nodeunit.testCase({ - FnJoin: { + 'Fn::Join': { 'rejects empty list of arguments to join'(test: nodeunit.Test) { test.throws(() => new fn.FnJoin('.', [])); test.done(); - }, - 'resolves to the value if only one value is joined': asyncTest(async () => { - await fc.assert( - fc.property( - fc.string(), fc.oneof(fc.string(), fc.object()), - (delimiter, value) => new fn.FnJoin(delimiter, [value]).resolve() === value - ), - { verbose: true } - ); - }), - 'pre-concatenates string literals': asyncTest(async () => { - await fc.assert( - fc.property( - fc.string(), fc.array(fc.string(), 1, 15), - (delimiter, values) => new fn.FnJoin(delimiter, values).resolve() === values.join(delimiter) - ), - { verbose: true } - ); - }), - 'pre-concatenates around tokens': asyncTest(async () => { - await fc.assert( - fc.property( - fc.string(), fc.array(fc.string(), 1, 3), fc.object(), fc.array(fc.string(), 1, 3), - (delimiter, prefix, obj, suffix) => - _.isEqual(new fn.FnJoin(delimiter, [...prefix, obj, ...suffix]).resolve(), - { 'Fn::Join': [delimiter, [prefix.join(delimiter), obj, suffix.join(delimiter)]] }) - ), - { verbose: true } - ); - }), - 'flattens joins nested under joins with same delimiter': asyncTest(async () => { - await fc.assert( - fc.property( - fc.string(), fc.array(fc.oneof(fc.string(), fc.object())), - fc.array(fc.oneof(fc.string(), fc.object()), 1, 3), - fc.array(fc.oneof(fc.string(), fc.object())), - (delimiter, prefix, nested, suffix) => - _.isEqual(new fn.FnJoin(delimiter, 
[...prefix, new fn.FnJoin(delimiter, nested), ...suffix]).resolve(), - new fn.FnJoin(delimiter, [...prefix, ...nested, ...suffix]).resolve()) - ), - { verbose: true } - ); - }), - 'does not flatten joins nested under joins with different delimiter': asyncTest(async () => { - await fc.assert( - fc.property( - fc.string(), fc.string(), - fc.array(fc.oneof(fc.string(), fc.object()), 1, 3), - fc.array(fc.object(), 2, 3), - fc.array(fc.oneof(fc.string(), fc.object()), 3), - (delimiter1, delimiter2, prefix, nested, suffix) => { - fc.pre(delimiter1 !== delimiter2); - const join = new fn.FnJoin(delimiter1, [...prefix, new fn.FnJoin(delimiter2, nested), ...suffix]); - const resolved = join.resolve(); - return resolved['Fn::Join'][1].find((e: any) => typeof e === 'object' - && (e instanceof fn.FnJoin) - && e.resolve()['Fn::Join'][0] === delimiter2) != null; - } - ), - { verbose: true } - ); - }), - }, + } + } }); diff --git a/packages/@aws-cdk/cdk/test/core/test.tokens.ts b/packages/@aws-cdk/cdk/test/core/test.tokens.ts index 21ec4d60d314f..4aece581c20f3 100644 --- a/packages/@aws-cdk/cdk/test/core/test.tokens.ts +++ b/packages/@aws-cdk/cdk/test/core/test.tokens.ts @@ -159,7 +159,7 @@ export = { 'Tokens stringification and reversing of CloudFormation Tokens is implemented using Fn::Join'(test: Test) { // GIVEN - const token = new CloudFormationToken(() => ({ Woof: 'woof' })); + const token = new CloudFormationToken(() => 'woof woof'); // WHEN const stringified = `The dog says: ${token}`; @@ -167,7 +167,7 @@ export = { // THEN test.deepEqual(resolved, { - 'Fn::Join': ['', ['The dog says: ', { Woof: 'woof' }]] + 'Fn::Join': ['', ['The dog says: ', 'woof woof']] }); test.done(); }, diff --git a/packages/@aws-cdk/cfnspec/package-lock.json b/packages/@aws-cdk/cfnspec/package-lock.json index 2342f7001d6cf..8e065de23c99f 100644 --- a/packages/@aws-cdk/cfnspec/package-lock.json +++ b/packages/@aws-cdk/cfnspec/package-lock.json 
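Review bot: After this hunk the only remaining case in test.fn.ts is the empty-list rejection, so the splicing that `FnConcat` performs on nested `FnConcat` instances and on `Fn::Join` intrinsics with an empty delimiter (restored in lib/cloudformation/fn.ts in this same commit) has no test left anywhere in the file. A plain nodeunit case would cover it without fast-check: `'flattens nested FnConcat'(test: nodeunit.Test) { test.deepEqual(new fn.FnConcat('a', new fn.FnConcat('b', 'c')).resolve(), { 'Fn::Join': ['', ['a', 'b', 'c']] }); test.done(); }`, assuming `resolve()` yields the intrinsic object as the removed FnJoin properties expected. The renamed group `'Fn::Join'` now holds FnConcat-relevant behaviour too, so a second group keyed `'Fn::Concat'` would keep the file's grouping consistent.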
@@ -1,6 +1,6 @@ { "name": "@aws-cdk/cfnspec", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/cloudformation-diff/package-lock.json b/packages/@aws-cdk/cloudformation-diff/package-lock.json index 926acccaeec40..445bc02dcc872 100644 --- a/packages/@aws-cdk/cloudformation-diff/package-lock.json +++ b/packages/@aws-cdk/cloudformation-diff/package-lock.json @@ -1,6 +1,6 @@ { "name": "@aws-cdk/cloudformation-diff", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/@aws-cdk/runtime-values/test/integ.rtv.lambda.expected.json b/packages/@aws-cdk/runtime-values/test/integ.rtv.lambda.expected.json index e4b82cebcf85c..8d13b76a7ad9e 100644 --- a/packages/@aws-cdk/runtime-values/test/integ.rtv.lambda.expected.json +++ b/packages/@aws-cdk/runtime-values/test/integ.rtv.lambda.expected.json @@ -7,27 +7,37 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": "sts:AssumeRole", + "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } - ] + ], + "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ":", + "iam", + ":", + "", + ":", + "aws", + ":", + "policy", + "/", + "service-role/AWSLambdaBasicExecutionRole" ] ] } @@ -38,24 +48,26 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", "Action": [ "ssm:DescribeParameters", - "ssm:GetParameter", - "ssm:GetParameters" + "ssm:GetParameters", + "ssm:GetParameter" ], + "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ - "arn:", + "arn", + ":", { "Ref": "AWS::Partition" }, - ":ssm:", + ":", + "ssm", + ":", { "Ref": "AWS::Region" }, 
@@ -63,7 +75,9 @@ { "Ref": "AWS::AccountId" }, - ":parameter/", + ":", + "parameter", + "/", { "Fn::Join": [ "", @@ -80,7 +94,8 @@ ] } } - ] + ], + "Version": "2012-10-17" }, "PolicyName": "MyFunctionServiceRoleDefaultPolicyB705ABD4", "Roles": [ diff --git a/packages/@aws-cdk/runtime-values/test/test.rtv.ts b/packages/@aws-cdk/runtime-values/test/test.rtv.ts index c2f0e49c362ea..669a5bdef7bb4 100644 --- a/packages/@aws-cdk/runtime-values/test/test.rtv.ts +++ b/packages/@aws-cdk/runtime-values/test/test.rtv.ts @@ -11,10 +11,9 @@ export = { 'RuntimeValue is awesome'(test: Test) { const stack = new cdk.Stack(); - test.doesNotThrow(() => { - new RuntimeValueTest(stack, 'RuntimeValue'); - console.log(JSON.stringify(stack.toCloudFormation(), undefined, 2)); - }); + new RuntimeValueTest(stack, 'RuntimeValue'); + + console.log(JSON.stringify(stack.toCloudFormation(), undefined, 2)); test.done(); } }; diff --git a/packages/aws-cdk/package-lock.json b/packages/aws-cdk/package-lock.json index 8ce044dd06105..baf25d15e995a 100644 --- a/packages/aws-cdk/package-lock.json +++ b/packages/aws-cdk/package-lock.json @@ -1,6 +1,6 @@ { "name": "aws-cdk", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/packages/simple-resource-bundler/package-lock.json b/packages/simple-resource-bundler/package-lock.json index f4aab92a58885..f6a4ea9fd244f 100644 --- a/packages/simple-resource-bundler/package-lock.json +++ b/packages/simple-resource-bundler/package-lock.json @@ -1,6 +1,6 @@ { "name": "simple-resource-bundler", - "version": "0.11.0", + "version": "0.12.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/tools/cdk-build-tools/package-lock.json b/tools/cdk-build-tools/package-lock.json index fa6fd98022f9a..80fa99f974738 100644 --- a/tools/cdk-build-tools/package-lock.json +++ b/tools/cdk-build-tools/package-lock.json 
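Review bot: The test body in test.rtv.ts now performs no assertion at all: it instantiates `RuntimeValueTest`, prints the whole synthesized template with `console.log`, and calls `test.done()`, so it passes as long as construction does not throw and adds noise to every test run. Replacing the log with a check on the synthesized output would give the test a purpose, for example `test.ok(Object.keys(stack.toCloudFormation().Resources).length > 0);` in place of the `console.log` line. The test name `'RuntimeValue is awesome'` could likewise state what is being verified.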
@@ -1,6 +1,6 @@
{
"name": "cdk-build-tools",
- "version": "0.11.0",
+ "version": "0.12.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
diff --git a/tools/cdk-integ-tools/package-lock.json b/tools/cdk-integ-tools/package-lock.json
index ff5943331db32..c543cc0792be2 100644
--- a/tools/cdk-integ-tools/package-lock.json
+++ b/tools/cdk-integ-tools/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "cdk-integ-tools",
- "version": "0.11.0",
+ "version": "0.12.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
diff --git a/tools/cfn2ts/package-lock.json b/tools/cfn2ts/package-lock.json
index 50e16695e22d7..5695de2011d5a 100644
--- a/tools/cfn2ts/package-lock.json
+++ b/tools/cfn2ts/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "cfn2ts",
- "version": "0.11.0",
+ "version": "0.12.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
diff --git a/tools/merkle-build/package-lock.json b/tools/merkle-build/package-lock.json
index 5c5f77f8f2072..8006ccc8f830d 100644
--- a/tools/merkle-build/package-lock.json
+++ b/tools/merkle-build/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "merkle-build",
- "version": "0.11.0",
+ "version": "0.12.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
diff --git a/tools/pkglint/package-lock.json b/tools/pkglint/package-lock.json
index c4f5e6f2778f4..15df5566cae93 100644
--- a/tools/pkglint/package-lock.json
+++ b/tools/pkglint/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "pkglint",
- "version": "0.11.0",
+ "version": "0.12.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
diff --git a/tools/pkgtools/package-lock.json b/tools/pkgtools/package-lock.json
index 6780154c1d6a8..f9be7cbae54b0 100644
--- a/tools/pkgtools/package-lock.json
+++ b/tools/pkgtools/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "pkgtools",
- "version": "0.11.0",
+ "version": "0.12.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
diff --git a/tools/y-npm/package-lock.json b/tools/y-npm/package-lock.json
index 723edd217f9b8..37dfd8d93e53b 100644
--- a/tools/y-npm/package-lock.json
+++ b/tools/y-npm/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "y-npm",
- "version": "0.11.0",
+ "version": "0.12.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
