From f1c427209785fd1f4b322abb84a432928643cbf6 Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Fri, 5 Jul 2019 17:32:45 +0200 Subject: [PATCH] fix(iam): fix managed policies for User Fix adding managed policies to a User upon creation. Fixes #2557. BREAKING CHANGE: `aws-iam.User`: `managedPolicyArns` => `managedPolicies`. --- packages/@aws-cdk/aws-iam/lib/group.ts | 8 ++++--- packages/@aws-cdk/aws-iam/lib/role.ts | 3 ++- packages/@aws-cdk/aws-iam/lib/user.ts | 9 +++++--- packages/@aws-cdk/aws-iam/test/test.group.ts | 23 +++++++++++++++++-- packages/@aws-cdk/aws-iam/test/test.role.ts | 3 ++- packages/@aws-cdk/aws-iam/test/test.user.ts | 24 ++++++++++++++++++-- 6 files changed, 58 insertions(+), 12 deletions(-) diff --git a/packages/@aws-cdk/aws-iam/lib/group.ts b/packages/@aws-cdk/aws-iam/lib/group.ts index 965f453fd6ea4..066905701ee94 100644 --- a/packages/@aws-cdk/aws-iam/lib/group.ts +++ b/packages/@aws-cdk/aws-iam/lib/group.ts @@ -40,11 +40,13 @@ export interface GroupProps { readonly groupName?: string; /** - * A list of ARNs for managed policies associated with group. + * A list managed policies associated with this role. + * + * You can add managed policies later using `attachManagedPolicy(policy)`. * * @default - No managed policies. */ - readonly managedPolicyArns?: any[]; + readonly managedPolicies?: IManagedPolicy[]; /** * The path to the group. For more information about paths, see [IAM @@ -130,7 +132,7 @@ export class Group extends GroupBase { physicalName: props.groupName, }); - this.managedPolicies.push(...props.managedPolicyArns || []); + this.managedPolicies.push(...props.managedPolicies || []); const group = new CfnGroup(this, 'Resource', { groupName: this.physicalName, diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts index 25153769293fc..923d8dc41ba33 100644 --- a/packages/@aws-cdk/aws-iam/lib/role.ts +++ b/packages/@aws-cdk/aws-iam/lib/role.ts @@ -30,7 +30,8 @@ export interface RoleProps { readonly externalId?: string; /** - * A list of ARNs for managed policies associated with this role. + * A list of managed policies associated with this role. + * * You can add managed policies later using `attachManagedPolicy(arn)`. * * @default - No managed policies. diff --git a/packages/@aws-cdk/aws-iam/lib/user.ts b/packages/@aws-cdk/aws-iam/lib/user.ts index 465a46b32d241..dc3b9e8185bfe 100644 --- a/packages/@aws-cdk/aws-iam/lib/user.ts +++ b/packages/@aws-cdk/aws-iam/lib/user.ts @@ -24,12 +24,13 @@ export interface UserProps { readonly groups?: IGroup[]; /** - * A list of ARNs for managed policies attacherd to this user. - * You can use `addManagedPolicy(arn)` to attach a managed policy to this user. + * A list managed policies associated with this role. + * + * You can add managed policies later using `attachManagedPolicy(policy)`. * * @default - No managed policies. */ - readonly managedPolicyArns?: any[]; + readonly managedPolicies?: IManagedPolicy[]; /** * The path for the user name. For more information about paths, see IAM @@ -108,6 +109,8 @@ export class User extends Resource implements IIdentity { physicalName: props.userName, }); + this.managedPolicies.push(...props.managedPolicies || []); + const user = new CfnUser(this, 'Resource', { userName: this.physicalName, groups: undefinedIfEmpty(() => this.groups), diff --git a/packages/@aws-cdk/aws-iam/test/test.group.ts b/packages/@aws-cdk/aws-iam/test/test.group.ts index 274b705a66b29..3937a457c2434 100644 --- a/packages/@aws-cdk/aws-iam/test/test.group.ts +++ b/packages/@aws-cdk/aws-iam/test/test.group.ts @@ -1,7 +1,7 @@ -import { expect } from '@aws-cdk/assert'; +import { expect, haveResource } from '@aws-cdk/assert'; import { App, Stack } from '@aws-cdk/core'; import { Test } from 'nodeunit'; -import { Group, User } from '../lib'; +import { Group, User, ManagedPolicy } from '../lib'; export = { 'default group'(test: Test) { @@ -35,4 +35,23 @@ export = { Properties: { Groups: [ { Ref: 'MyGroupCBA54B1B' } ] } } } }); test.done(); }, + + 'create with managed policy'(test: Test) { + // GIVEN + const stack = new Stack(); + + // WHEN + new Group(stack, 'MyGroup', { + managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')] + }); + + // THEN + expect(stack).to(haveResource('AWS::IAM::Group', { + ManagedPolicyArns: [ + { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] } + ] + })); + + test.done(); + } }; diff --git a/packages/@aws-cdk/aws-iam/test/test.role.ts b/packages/@aws-cdk/aws-iam/test/test.role.ts index a4375d292d666..9684c76f5d114 100644 --- a/packages/@aws-cdk/aws-iam/test/test.role.ts +++ b/packages/@aws-cdk/aws-iam/test/test.role.ts @@ -288,5 +288,6 @@ export = { Roles: [ "MyRole" ] })); test.done(); - } + }, + }; \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iam/test/test.user.ts b/packages/@aws-cdk/aws-iam/test/test.user.ts index 62a708605f861..3746977022e98 100644 --- a/packages/@aws-cdk/aws-iam/test/test.user.ts +++ b/packages/@aws-cdk/aws-iam/test/test.user.ts @@ -1,7 +1,7 @@ -import { expect } from '@aws-cdk/assert'; +import { expect, haveResource } from '@aws-cdk/assert'; import { App, SecretValue, Stack } from '@aws-cdk/core'; import { Test } from 'nodeunit'; -import { User } from '../lib'; +import { User, ManagedPolicy } from '../lib'; export = { 'default user'(test: Test) { @@ -32,6 +32,26 @@ export = { const app = new App(); const stack = new Stack(app, 'MyStack'); test.throws(() => new User(stack, 'MyUser', { passwordResetRequired: true })); + test.done(); + }, + + 'create with managed policy'(test: Test) { + // GIVEN + const app = new App(); + const stack = new Stack(app, 'MyStack'); + + // WHEN + new User(stack, 'MyUser', { + managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')] + }); + + // THEN + expect(stack).to(haveResource('AWS::IAM::User', { + ManagedPolicyArns: [ + { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] } + ] + })); + test.done(); } };