feat(aws-iam): grants support non-identity principals

[rix0rrr]

feat(aws-iam): grants support non-identity principals …
Add support for non-identity Principals in grants (for example,
principals that represent accounts or organization IDs). For resources
that support them, the required IAM statements will be added to the
resource policy. For resources that don't support them (because they
don't have resource policies) an error will be thrown.

Add a new OrganizationPrincipal principal which represents all
identities in the given AWS Organization.

Fixes #236.

---

Pull Request Checklist

• Testing
  • Unit test added
  • CLI change?: manually run integration tests and paste output as a PR comment
  • cdk-init template change?: coordinated update of integration tests with team
• Docs
  • jsdocs: All public APIs documented
  • README: README and/or documentation topic updated
• Title and Description
  • Change type: title prefixed with fix, feat will appear in changelog
  • Title: use lower-case and doesn't end with a period
  • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
  • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
• Sensitive Modules (requires 2 PR approvers)
  • IAM Policy Document (in @aws-cdk/aws-iam)
  • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (only if not based on official documentation with a reference)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

[rix0rrr]

Pre-emptive implementation FAQ

Why does IIdentity extends IPrincipal?

So that we can do:

// What we can do today
bucket.grantRead(role);

// As well as (can't do this today)
bucket.grantRead(new AccountPrincipal('12345678'));
bucket.grantRead(new OrganizationPrincipal('o-asdf'));

But now we have to implement assumeRoleAction and policyFragment in all Identity objects!

Because of this inheritance we now have to do:

class Role implements IPrincipal {
    public readonly assumeRoleAction = 'sts:AssumeRole';
    public readonly policyFragment: PolicyFragment;

    constructor(...) {
        // ...
        this.policyFragment = new ArnPrincipal(this.roleArn).policyFragment;
    }
}

Can't we use inheritance? Not really, the ARN comes from a different source
every time. The only thing we could share is the assumeRoleAction, and
declaring 4 abstact methods. Doesn't seem worth it. Repeating the implementation is simpler.

The alternative is the "Curiously Recurring Interface Accessor" pattern, but it's
slightly more complex. I think I actually prefer it, but we keep it simple
unless there is consensus that people don't like simple:

// And also we'd need to find a good name for this.
interface IPrincipalable {
    principal: IPrincipal;
}

interface IPrincipal implements IPrincipalable {
    principal: IPrincipal;
    assumeRoleAction: string;
    policyPrincipal: PolicyPrincipal;
    addToPolicy(...);
}

interface IIdentity extends IPrincipalable {
    principal: IPrincipal;
    addManagedPolicy(...);
}

So that we can do:

class ArnPrincipal implements IPrincipal {
    public readonly principal: IPrincipal = this;
}

class Role implements IPrincipalable {
    public readonly principal: IPrincipal;

    constructor(...) {
        // Slightly better because we get to reuse the whole implementation
        // of ArnPrincipal here.
        this.principal = new ArnPrincipal(this.roleArn);
    }
}

The advantage of doing this is to that we can also do:

class Function implements IPrincipalable {
    public readonly principal: IPrincipal;

    constructor(...) {
        this.principal = this.role;
    }
}

// Instead of
bucket.grantRead(lambda.role);

// We can now do
bucket.grantRead(lambda);

[RomainMuller]

If there are not props.actions, then the statement can (should? must?) be skipped. Same goes for resourceArns

[rix0rrr]

The alternative is that that's an error. I see what you're saying, but feels like the chance for this to be a mistake is bigger than for it to be an expected use case?

[eladb]

@rix0rrr let us know when you want a re-review

[rix0rrr]

I need to get around to it again. But nothing majorly blocking in the reviews so far it seems.

[rix0rrr]

Ready for that re-review @eladb @RomainMuller

[RomainMuller]

What's wrong with using an inner function then? 🤷🏻‍♂️ You can return from that whenever you please.

[eladb]

Rebase

[eladb]

"is an IAM resource representing"

[eladb]

Rephrase, it's not an "adder" anymore

[eladb]

"supplied given"

[eladb]

Kinda feels like it should be possible to supply only resource without resourceArns somehow. Maybe IResourceWithPolicy can have a property resourceArn which will be the canonic resource ARN to be used?

[eladb]

Wouldn't this make more sense as an enum or boolean?

[eladb]

hell yeah!

[eladb]

Not sure this should be a warning, but okay to start

[eladb]

Although this is creative and nice, I rather we keep all our IAM code very simple and straightforward, so it will be dead easy to maintain and reason about.

[eladb]

Something feels wrong with this and I am not sure why. Can we talk? 📲

[rix0rrr]

We agreed during a chat to make grant methods output an opaque type which will be produced by our grant method.

Also split out grant method into 2 flavours for the different code paths.

[eladb]

Shouldn't this return a Grant?

[eladb]

should the awslint rule also be applied to static methods?

[rix0rrr]

Probably. One problem with the statics is that we won't have a scope to attach a warning to.

[eladb]

Probably not the end of the world

[eladb]

I was under the impression that we wanted a specific API for resources with resource policies, no?

[eladb]

Does it make sense that we lost these permissions?

[rix0rrr]

Yes, the user pulling from ECR doesn't need to create logs (they should have never have been part of that grant in the first place).

[rix0rrr]

NuGet build error again. Seems to be getting worse?