diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json index 7bd221a9030e9..fc269296a396a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json @@ -1,13 +1,14 @@ { - "version": "36.0.0", + "version": "48.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "ManagedPolicyIntegDefaultTestDeployAssert27007DC6 Template", "source": { "path": "ManagedPolicyIntegDefaultTestDeployAssert27007DC6.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-d8d86b35": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json index a8d7c77ea7ee9..4f8f99da2b5e4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json @@ -1,15 +1,16 @@ { - "version": "36.0.0", + "version": "48.0.0", "files": { - "26f1836028ead2829dce663ff9f4b0c71fd9db149cb19a6c54ed9128e3e09120": { + "a1ddefb7d4b85bf1ba2b3191e41bac5c948815b53b5a4b80e8c9a099eb5c690d": { + "displayName": "aws-cdk-iam-managed-policy Template", "source": { "path": "aws-cdk-iam-managed-policy.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-951c54a7": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "26f1836028ead2829dce663ff9f4b0c71fd9db149cb19a6c54ed9128e3e09120.json", + "objectKey": "a1ddefb7d4b85bf1ba2b3191e41bac5c948815b53b5a4b80e8c9a099eb5c690d.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.template.json index 9ee516ff18224..eaf6d0af63e7d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.template.json @@ -44,6 +44,32 @@ "Arn" ] } + }, + { + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "Function76856677", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Function76856677", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -118,6 +144,75 @@ "Version": "2012-10-17" } } + }, + "FunctionServiceRole675BB04A": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "Function76856677": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "export const handler = async () => null" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "FunctionServiceRole675BB04A", + "Arn" + ] + }, + "Runtime": "nodejs22.x" + }, + "DependsOn": [ + "FunctionServiceRole675BB04A" + ] + }, + "FunctionLogGroup55B80E27": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Join": [ + "", + [ + "/aws/lambda/", + { + "Ref": "Function76856677" + } + ] + ] + }, + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out index 1f0068d32659a..523a9aac37cbf 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json index 16f5dbc2709ee..f42c03d6c7a53 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "48.0.0", "testCases": { "ManagedPolicyInteg/DefaultTest": { "stacks": [ @@ -8,5 +8,6 @@ "assertionStack": "ManagedPolicyInteg/DefaultTest/DeployAssert", "assertionStackName": "ManagedPolicyIntegDefaultTestDeployAssert27007DC6" } - } + }, + "minimumCliVersion": "2.1027.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json index 6f96e4a674236..208def7a06880 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "48.0.0", "artifacts": { "aws-cdk-iam-managed-policy.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/26f1836028ead2829dce663ff9f4b0c71fd9db149cb19a6c54ed9128e3e09120.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a1ddefb7d4b85bf1ba2b3191e41bac5c948815b53b5a4b80e8c9a099eb5c690d.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -34,49 +34,248 @@ "aws-cdk-iam-managed-policy.assets" ], "metadata": { + "/aws-cdk-iam-managed-policy/MyUser": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addManagedPolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addManagedPolicy": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], "/aws-cdk-iam-managed-policy/MyUser/Resource": [ { "type": "aws:cdk:logicalId", "data": "MyUserDC45028B" } ], + "/aws-cdk-iam-managed-policy/OneManagedPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "managedPolicyName": "*", + "description": "*", + "path": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToUser": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/aws-cdk-iam-managed-policy/OneManagedPolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "OneManagedPolicy77F9185F" } ], + "/aws-cdk-iam-managed-policy/TwoManagedPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/aws-cdk-iam-managed-policy/TwoManagedPolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "TwoManagedPolicy7E701864" } ], + "/aws-cdk-iam-managed-policy/Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "grantAssumeRole": [ + { + "policyFragment": "*", + "principalAccount": "*" + } + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "grant": [ + { + "policyFragment": "*", + "principalAccount": "*" + }, + "*" + ] + } + } + ], + "/aws-cdk-iam-managed-policy/Role/ImportRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-cdk-iam-managed-policy/Role/Resource": [ { "type": "aws:cdk:logicalId", "data": "Role1ABCC5F0" } ], - "/aws-cdk-iam-managed-policy/BootstrapVersion": [ + "/aws-cdk-iam-managed-policy/ImportedRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-iam-managed-policy/Function": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "runtime": "*", + "handler": "*", + "code": "*" + } + } + ], + "/aws-cdk-iam-managed-policy/Function/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/aws-cdk-iam-managed-policy/Function/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-iam-managed-policy/Function/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" + "data": "FunctionServiceRole675BB04A" } ], - "/aws-cdk-iam-managed-policy/CheckBootstrapVersion": [ + "/aws-cdk-iam-managed-policy/Function/Resource": [ { "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" + "data": "Function76856677" + } + ], + "/aws-cdk-iam-managed-policy/Function/LogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "logGroupName": "*" + } } ], - "MyUserDefaultPolicy7B897426": [ + "/aws-cdk-iam-managed-policy/Function/LogGroup/Resource": [ { "type": "aws:cdk:logicalId", - "data": "MyUserDefaultPolicy7B897426", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] + "data": "FunctionLogGroup55B80E27" + } + ], + "/aws-cdk-iam-managed-policy/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-iam-managed-policy/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" } ] }, @@ -135,6 +334,496 @@ "properties": { "file": "tree.json" } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } } - } + }, + "minimumCliVersion": "2.1027.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json index 08230dd699706..e4409cf35640d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json @@ -1,324 +1 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "aws-cdk-iam-managed-policy": { - "id": "aws-cdk-iam-managed-policy", - "path": "aws-cdk-iam-managed-policy", - "children": { - "MyUser": { - "id": "MyUser", - "path": "aws-cdk-iam-managed-policy/MyUser", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-managed-policy/MyUser/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::User", - "aws:cdk:cloudformation:props": { - "managedPolicyArns": [ - { - "Ref": "TwoManagedPolicy7E701864" - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/SecurityAudit" - ] - ] - } - ] - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "OneManagedPolicy": { - "id": "OneManagedPolicy", - "path": "aws-cdk-iam-managed-policy/OneManagedPolicy", - "children": { - "ImportedOneManagedPolicy": { - "id": "ImportedOneManagedPolicy", - "path": "aws-cdk-iam-managed-policy/OneManagedPolicy/ImportedOneManagedPolicy", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-managed-policy/OneManagedPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::ManagedPolicy", - "aws:cdk:cloudformation:props": { - "description": "My Policy", - "managedPolicyName": "Default", - "path": "/some/path/", - "policyDocument": { - "Statement": [ - { - "Action": "sqs:SendMessage", - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "roles": [ - { - "Ref": "Role1ABCC5F0" - } - ], - "users": [ - { - "Ref": "MyUserDC45028B" - } - ] - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "TwoManagedPolicy": { - "id": "TwoManagedPolicy", - "path": "aws-cdk-iam-managed-policy/TwoManagedPolicy", - "children": { - "ImportedTwoManagedPolicy": { - "id": "ImportedTwoManagedPolicy", - "path": "aws-cdk-iam-managed-policy/TwoManagedPolicy/ImportedTwoManagedPolicy", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-managed-policy/TwoManagedPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::ManagedPolicy", - "aws:cdk:cloudformation:props": { - "description": "", - "path": "/", - "policyDocument": { - "Statement": [ - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "iam:*", - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Role": { - "id": "Role", - "path": "aws-cdk-iam-managed-policy/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "aws-cdk-iam-managed-policy/Role/ImportRole", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-managed-policy/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "ImportedRole": { - "id": "ImportedRole", - "path": "aws-cdk-iam-managed-policy/ImportedRole", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-cdk-iam-managed-policy/BootstrapVersion", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-cdk-iam-managed-policy/CheckBootstrapVersion", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "ManagedPolicyInteg": { - "id": "ManagedPolicyInteg", - "path": "ManagedPolicyInteg", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "ManagedPolicyInteg/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "ManagedPolicyInteg/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "ManagedPolicyInteg/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "ManagedPolicyInteg/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "ManagedPolicyInteg/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } -} \ No newline at end of file +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-cdk-iam-managed-policy":{"id":"aws-cdk-iam-managed-policy","path":"aws-cdk-iam-managed-policy","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"MyUser":{"id":"MyUser","path":"aws-cdk-iam-managed-policy/MyUser","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.User","version":"0.0.0","metadata":["*",{"addManagedPolicy":["*"]},{"addManagedPolicy":[{"managedPolicyArn":"*"}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-iam-managed-policy/MyUser/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnUser","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::User","aws:cdk:cloudformation:props":{"managedPolicyArns":[{"Ref":"TwoManagedPolicy7E701864"},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/SecurityAudit"]]}]}}}}},"OneManagedPolicy":{"id":"OneManagedPolicy","path":"aws-cdk-iam-managed-policy/OneManagedPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.ManagedPolicy","version":"0.0.0","metadata":[{"managedPolicyName":"*","description":"*","path":"*"},{"addStatements":[{}]},{"attachToUser":["*"]},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]},"children":{"ImportedOneManagedPolicy":{"id":"ImportedOneManagedPolicy","path":"aws-cdk-iam-managed-policy/OneManagedPolicy/ImportedOneManagedPolicy","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"Resource":{"id":"Resource","path":"aws-cdk-iam-managed-policy/OneManagedPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnManagedPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::ManagedPolicy","aws:cdk:cloudformation:props":{"description":"My Policy","managedPolicyName":"Default","path":"/some/path/","policyDocument":{"Statement":[{"Action":"sqs:SendMessage","Effect":"Allow","Resource":"*"},{"Action":"sts:AssumeRole","Effect":"Allow","Resource":{"Fn::GetAtt":["Role1ABCC5F0","Arn"]}},{"Action":"lambda:InvokeFunction","Effect":"Allow","Resource":[{"Fn::GetAtt":["Function76856677","Arn"]},{"Fn::Join":["",[{"Fn::GetAtt":["Function76856677","Arn"]},":*"]]}]}],"Version":"2012-10-17"},"roles":[{"Ref":"Role1ABCC5F0"}],"users":[{"Ref":"MyUserDC45028B"}]}}}}},"TwoManagedPolicy":{"id":"TwoManagedPolicy","path":"aws-cdk-iam-managed-policy/TwoManagedPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.ManagedPolicy","version":"0.0.0","metadata":["*",{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"ImportedTwoManagedPolicy":{"id":"ImportedTwoManagedPolicy","path":"aws-cdk-iam-managed-policy/TwoManagedPolicy/ImportedTwoManagedPolicy","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"Resource":{"id":"Resource","path":"aws-cdk-iam-managed-policy/TwoManagedPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnManagedPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::ManagedPolicy","aws:cdk:cloudformation:props":{"description":"","path":"/","policyDocument":{"Statement":[{"Action":"lambda:InvokeFunction","Effect":"Allow","Resource":"*"},{"Action":"iam:*","Effect":"Allow","Resource":{"Fn::GetAtt":["Role1ABCC5F0","Arn"]}}],"Version":"2012-10-17"}}}}}},"Role":{"id":"Role","path":"aws-cdk-iam-managed-policy/Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"grantAssumeRole":[{"policyFragment":"*","principalAccount":"*"}]},{"grant":[{"policyFragment":"*","principalAccount":"*"},"*"]}]},"children":{"ImportRole":{"id":"ImportRole","path":"aws-cdk-iam-managed-policy/Role/ImportRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-iam-managed-policy/Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"AWS":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::",{"Ref":"AWS::AccountId"},":root"]]}}}],"Version":"2012-10-17"}}}}}},"ImportedRole":{"id":"ImportedRole","path":"aws-cdk-iam-managed-policy/ImportedRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Function":{"id":"Function","path":"aws-cdk-iam-managed-policy/Function","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.Function","version":"0.0.0","metadata":[{"runtime":"*","handler":"*","code":"*"}]},"children":{"ServiceRole":{"id":"ServiceRole","path":"aws-cdk-iam-managed-policy/Function/ServiceRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"},"managedPolicies":[{"managedPolicyArn":"*"}]}]},"children":{"ImportServiceRole":{"id":"ImportServiceRole","path":"aws-cdk-iam-managed-policy/Function/ServiceRole/ImportServiceRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-iam-managed-policy/Function/ServiceRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]}]}}}}},"Resource":{"id":"Resource","path":"aws-cdk-iam-managed-policy/Function/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnFunction","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Function","aws:cdk:cloudformation:props":{"code":{"zipFile":"export const handler = async () => null"},"handler":"index.handler","role":{"Fn::GetAtt":["FunctionServiceRole675BB04A","Arn"]},"runtime":"nodejs22.x"}}},"LogGroup":{"id":"LogGroup","path":"aws-cdk-iam-managed-policy/Function/LogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":[{"logGroupName":"*"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-iam-managed-policy/Function/LogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"logGroupName":{"Fn::Join":["",["/aws/lambda/",{"Ref":"Function76856677"}]]},"retentionInDays":731}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-iam-managed-policy/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-iam-managed-policy/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"ManagedPolicyInteg":{"id":"ManagedPolicyInteg","path":"ManagedPolicyInteg","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"ManagedPolicyInteg/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"ManagedPolicyInteg/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"ManagedPolicyInteg/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"ManagedPolicyInteg/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"ManagedPolicyInteg/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts index 4633262a34cb7..afbb553b6650d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts @@ -1,6 +1,7 @@ import { App, Stack } from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; import { AccountRootPrincipal, Grant, ManagedPolicy, PolicyStatement, Role, User } from 'aws-cdk-lib/aws-iam'; +import * as lambda from 'aws-cdk-lib/aws-lambda'; const app = new App(); @@ -34,6 +35,14 @@ policy.attachToRole(role); const importedRole = Role.fromRoleArn(stack, 'ImportedRole', role.roleArn); policy.attachToRole(importedRole); +// Can be passed to grantInvoke, see https://github.com/aws/aws-cdk/issues/32980 +const func = new lambda.Function(stack, 'Function', { + runtime: lambda.Runtime.NODEJS_LATEST, + handler: 'index.handler', + code: lambda.Code.fromInline('export const handler = async () => null'), +}); +func.grantInvoke(policy); + new IntegTest(app, 'ManagedPolicyInteg', { testCases: [stack], }); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json index 3466d1580639c..35cdfabe2b36d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json @@ -1,13 +1,14 @@ { - "version": "36.0.0", + "version": "48.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "PolicyIntegDefaultTestDeployAssert274BB918 Template", "source": { "path": "PolicyIntegDefaultTestDeployAssert274BB918.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-d8d86b35": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json index 1eb3b6a6cab5f..e49f84fb71e3b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json @@ -1,15 +1,16 @@ { - "version": "36.0.0", + "version": "48.0.0", "files": { - "372105a2bc65630c0068c39309addd787e89ace7da989e014b511bd9d462be0a": { + "f610dd853ec9155bff8652c80624b267774134ad7563037ff22c6ceb964a5d76": { + "displayName": "aws-cdk-iam-policy Template", "source": { "path": "aws-cdk-iam-policy.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-082398ef": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "372105a2bc65630c0068c39309addd787e89ace7da989e014b511bd9d462be0a.json", + "objectKey": "f610dd853ec9155bff8652c80624b267774134ad7563037ff22c6ceb964a5d76.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json index 1621257587ce3..d395618d0e8bf 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json @@ -38,6 +38,32 @@ "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": "*" + }, + { + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "Function76856677", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Function76856677", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -112,6 +138,75 @@ "Version": "2012-10-17" } } + }, + "FunctionServiceRole675BB04A": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "Function76856677": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "export const handler = async () => null" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "FunctionServiceRole675BB04A", + "Arn" + ] + }, + "Runtime": "nodejs22.x" + }, + "DependsOn": [ + "FunctionServiceRole675BB04A" + ] + }, + "FunctionLogGroup55B80E27": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Join": [ + "", + [ + "/aws/lambda/", + { + "Ref": "Function76856677" + } + ] + ] + }, + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out index 1f0068d32659a..523a9aac37cbf 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json index 3c0a370f43539..0ac5eafb67c67 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "48.0.0", "testCases": { "PolicyInteg/DefaultTest": { "stacks": [ @@ -8,5 +8,6 @@ "assertionStack": "PolicyInteg/DefaultTest/DeployAssert", "assertionStackName": "PolicyIntegDefaultTestDeployAssert274BB918" } - } + }, + "minimumCliVersion": "2.1027.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json index c3dd1773186d1..0d3f47eddb369 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "48.0.0", "artifacts": { "aws-cdk-iam-policy.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/372105a2bc65630c0068c39309addd787e89ace7da989e014b511bd9d462be0a.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f610dd853ec9155bff8652c80624b267774134ad7563037ff22c6ceb964a5d76.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -34,36 +34,274 @@ "aws-cdk-iam-policy.assets" ], "metadata": { + "/aws-cdk-iam-policy/MyUser": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], "/aws-cdk-iam-policy/MyUser/Resource": [ { "type": "aws:cdk:logicalId", "data": "MyUserDC45028B" } ], + "/aws-cdk-iam-policy/MyUser/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToUser": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToUser": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/aws-cdk-iam-policy/MyUser/DefaultPolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "MyUserDefaultPolicy7B897426" } ], + "/aws-cdk-iam-policy/HelloPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "policyName": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToUser": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToUser": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/aws-cdk-iam-policy/HelloPolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "HelloPolicyD59007DF" } ], + "/aws-cdk-iam-policy/GoodbyePolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToUser": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToUser": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/aws-cdk-iam-policy/GoodbyePolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "GoodbyePolicy739B8974" } ], + "/aws-cdk-iam-policy/Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "grantAssumeRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "grant": [ + "*", + "*" + ] + } + } + ], + "/aws-cdk-iam-policy/Role/ImportRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-cdk-iam-policy/Role/Resource": [ { "type": "aws:cdk:logicalId", "data": "Role1ABCC5F0" } ], + "/aws-cdk-iam-policy/Function": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "runtime": "*", + "handler": "*", + "code": "*" + } + } + ], + "/aws-cdk-iam-policy/Function/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/aws-cdk-iam-policy/Function/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-iam-policy/Function/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "FunctionServiceRole675BB04A" + } + ], + "/aws-cdk-iam-policy/Function/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Function76856677" + } + ], + "/aws-cdk-iam-policy/Function/LogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "logGroupName": "*" + } + } + ], + "/aws-cdk-iam-policy/Function/LogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "FunctionLogGroup55B80E27" + } + ], "/aws-cdk-iam-policy/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -132,6 +370,496 @@ "properties": { "file": "tree.json" } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } } - } + }, + "minimumCliVersion": "2.1027.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/tree.json index 0fbd0593a5d5d..11dd0e567b502 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/tree.json @@ -1,313 +1 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "aws-cdk-iam-policy": { - "id": "aws-cdk-iam-policy", - "path": "aws-cdk-iam-policy", - "children": { - "MyUser": { - "id": "MyUser", - "path": "aws-cdk-iam-policy/MyUser", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-policy/MyUser/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::User", - "aws:cdk:cloudformation:props": {} - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnUser", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "aws-cdk-iam-policy/MyUser/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-policy/MyUser/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "MyUserDefaultPolicy7B897426", - "users": [ - { - "Ref": "MyUserDC45028B" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.User", - "version": "0.0.0" - } - }, - "HelloPolicy": { - "id": "HelloPolicy", - "path": "aws-cdk-iam-policy/HelloPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-policy/HelloPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": "sqs:SendMessage", - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "policyName": "Default", - "users": [ - { - "Ref": "MyUserDC45028B" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - }, - "GoodbyePolicy": { - "id": "GoodbyePolicy", - "path": "aws-cdk-iam-policy/GoodbyePolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-policy/GoodbyePolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "iam:*", - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "GoodbyePolicy739B8974", - "users": [ - { - "Ref": "MyUserDC45028B" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "aws-cdk-iam-policy/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "aws-cdk-iam-policy/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-cdk-iam-policy/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-cdk-iam-policy/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-cdk-iam-policy/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "PolicyInteg": { - "id": "PolicyInteg", - "path": "PolicyInteg", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "PolicyInteg/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "PolicyInteg/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "PolicyInteg/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PolicyInteg/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PolicyInteg/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-cdk-iam-policy":{"id":"aws-cdk-iam-policy","path":"aws-cdk-iam-policy","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"MyUser":{"id":"MyUser","path":"aws-cdk-iam-policy/MyUser","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.User","version":"0.0.0","metadata":["*",{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-iam-policy/MyUser/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnUser","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::User","aws:cdk:cloudformation:props":{}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-cdk-iam-policy/MyUser/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToUser":["*"]},{"attachToUser":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-iam-policy/MyUser/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Resource":{"Fn::GetAtt":["Role1ABCC5F0","Arn"]}}],"Version":"2012-10-17"},"policyName":"MyUserDefaultPolicy7B897426","users":[{"Ref":"MyUserDC45028B"}]}}}}}}},"HelloPolicy":{"id":"HelloPolicy","path":"aws-cdk-iam-policy/HelloPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"policyName":"*"},{"addStatements":[{}]},{"attachToUser":["*"]},{"attachToUser":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-iam-policy/HelloPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"sqs:SendMessage","Effect":"Allow","Resource":"*"},{"Action":"lambda:InvokeFunction","Effect":"Allow","Resource":[{"Fn::GetAtt":["Function76856677","Arn"]},{"Fn::Join":["",[{"Fn::GetAtt":["Function76856677","Arn"]},":*"]]}]}],"Version":"2012-10-17"},"policyName":"Default","users":[{"Ref":"MyUserDC45028B"}]}}}}},"GoodbyePolicy":{"id":"GoodbyePolicy","path":"aws-cdk-iam-policy/GoodbyePolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"addStatements":[{}]},{"attachToUser":["*"]},{"attachToUser":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-iam-policy/GoodbyePolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"lambda:InvokeFunction","Effect":"Allow","Resource":"*"},{"Action":"iam:*","Effect":"Allow","Resource":{"Fn::GetAtt":["Role1ABCC5F0","Arn"]}}],"Version":"2012-10-17"},"policyName":"GoodbyePolicy739B8974","users":[{"Ref":"MyUserDC45028B"}]}}}}},"Role":{"id":"Role","path":"aws-cdk-iam-policy/Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"grantAssumeRole":["*"]},{"grant":["*","*"]}]},"children":{"ImportRole":{"id":"ImportRole","path":"aws-cdk-iam-policy/Role/ImportRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-iam-policy/Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"AWS":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::",{"Ref":"AWS::AccountId"},":root"]]}}}],"Version":"2012-10-17"}}}}}},"Function":{"id":"Function","path":"aws-cdk-iam-policy/Function","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.Function","version":"0.0.0","metadata":[{"runtime":"*","handler":"*","code":"*"}]},"children":{"ServiceRole":{"id":"ServiceRole","path":"aws-cdk-iam-policy/Function/ServiceRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"},"managedPolicies":[{"managedPolicyArn":"*"}]}]},"children":{"ImportServiceRole":{"id":"ImportServiceRole","path":"aws-cdk-iam-policy/Function/ServiceRole/ImportServiceRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-iam-policy/Function/ServiceRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]}]}}}}},"Resource":{"id":"Resource","path":"aws-cdk-iam-policy/Function/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnFunction","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Function","aws:cdk:cloudformation:props":{"code":{"zipFile":"export const handler = async () => null"},"handler":"index.handler","role":{"Fn::GetAtt":["FunctionServiceRole675BB04A","Arn"]},"runtime":"nodejs22.x"}}},"LogGroup":{"id":"LogGroup","path":"aws-cdk-iam-policy/Function/LogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":[{"logGroupName":"*"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-iam-policy/Function/LogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"logGroupName":{"Fn::Join":["",["/aws/lambda/",{"Ref":"Function76856677"}]]},"retentionInDays":731}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-iam-policy/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-iam-policy/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"PolicyInteg":{"id":"PolicyInteg","path":"PolicyInteg","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"PolicyInteg/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"PolicyInteg/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"PolicyInteg/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"PolicyInteg/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"PolicyInteg/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.ts index 68974890aded5..93a6ec819788e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.ts @@ -1,6 +1,7 @@ import { App, Stack } from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; import { AccountRootPrincipal, Grant, Policy, PolicyStatement, Role, User } from 'aws-cdk-lib/aws-iam'; +import * as lambda from 'aws-cdk-lib/aws-lambda'; const app = new App(); @@ -21,6 +22,14 @@ role.grantAssumeRole(user); Grant.addToPrincipal({ actions: ['iam:*'], resourceArns: [role.roleArn], grantee: policy2 }); +// Can be passed to grantInvoke, see https://github.com/aws/aws-cdk/issues/32980 +const func = new lambda.Function(stack, 'Function', { + runtime: lambda.Runtime.NODEJS_LATEST, + handler: 'index.handler', + code: lambda.Code.fromInline('export const handler = async () => null'), +}); +func.grantInvoke(policy); + new IntegTest(app, 'PolicyInteg', { testCases: [stack], }); diff --git a/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts b/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts index 2bae724f8222a..d868b5877d44b 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts @@ -9,11 +9,11 @@ import { } from './iam.generated'; import { PolicyDocument } from './policy-document'; import { PolicyStatement } from './policy-statement'; -import { AddToPrincipalPolicyResult, IGrantable, IPrincipal, PrincipalPolicyFragment } from './principals'; +import { AddToPrincipalPolicyResult, ArnPrincipal, IGrantable, IPrincipal, PrincipalPolicyFragment } from './principals'; import { undefinedIfEmpty } from './private/util'; import { IRole } from './role'; import { IUser } from './user'; -import { Arn, ArnFormat, Aws, Resource, ResourceEnvironment, Stack, UnscopedValidationError } from '../../core'; +import { Arn, ArnFormat, Aws, Resource, ResourceEnvironment, Stack, UnscopedValidationError, ValidationError, Lazy } from '../../core'; import { getCustomizeRolesConfig, PolicySynthesizer } from '../../core/lib/helpers-internal'; import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; @@ -368,20 +368,29 @@ export class ManagedPolicy extends Resource implements IManagedPolicy, IGrantabl } class ManagedPolicyGrantPrincipal implements IPrincipal { - public readonly assumeRoleAction = 'sts:AssumeRole'; - public readonly grantPrincipal: IPrincipal; + public readonly policyFragment: PrincipalPolicyFragment; public readonly principalAccount?: string; + public readonly grantPrincipal: IPrincipal = this; constructor(private _managedPolicy: ManagedPolicy) { - this.grantPrincipal = this; + // lambda.Function.grantInvoke() wants policyFragment to be readable to use as a dedupe hash. + // The ARN is referenced to add policy statements as a resource-based policy. + // We should fail to synth because a managed policy cannot be used as a principal of a policy document. + // cf. https://github.com/aws/aws-cdk/issues/32980 + const arn = Lazy.string({ + produce: () => { + throw new ValidationError('This grant operation needs to add a resource policy so needs access to a principal. Grant permissions to a Role or User, instead of a ManagedPolicy.', _managedPolicy); + }, + }); + this.policyFragment = new ArnPrincipal(arn).policyFragment; this.principalAccount = _managedPolicy.env.account; } - public get policyFragment(): PrincipalPolicyFragment { - // This property is referenced to add policy statements as a resource-based policy. + public get assumeRoleAction(): string { + // This property is referenced to add policy statements as a trust policy. // We should fail because a managed policy cannot be used as a principal of a policy document. // cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying - throw new UnscopedValidationError(`Cannot use a ManagedPolicy '${this._managedPolicy.node.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`); + throw new ValidationError('This grant operation needs to add a resource policy so needs access to a principal. Grant permissions to a Role or User, instead of a ManagedPolicy.', this._managedPolicy); } public addToPolicy(statement: PolicyStatement): boolean { @@ -392,4 +401,8 @@ class ManagedPolicyGrantPrincipal implements IPrincipal { this._managedPolicy.addStatements(statement); return { statementAdded: true, policyDependable: this._managedPolicy }; } + + public toString(): string { + return `ManagedPolicy(${this._managedPolicy.node.path})`; + } } diff --git a/packages/aws-cdk-lib/aws-iam/lib/policy.ts b/packages/aws-cdk-lib/aws-iam/lib/policy.ts index 8dff699522d64..58a9e82e06c4d 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/policy.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/policy.ts @@ -3,11 +3,11 @@ import { IGroup } from './group'; import { CfnPolicy, IPolicyRef, PolicyReference } from './iam.generated'; import { PolicyDocument } from './policy-document'; import { PolicyStatement } from './policy-statement'; -import { AddToPrincipalPolicyResult, IGrantable, IPrincipal, PrincipalPolicyFragment } from './principals'; +import { AddToPrincipalPolicyResult, ArnPrincipal, IGrantable, IPrincipal, PrincipalPolicyFragment } from './principals'; import { generatePolicyName, undefinedIfEmpty } from './private/util'; import { IRole } from './role'; import { IUser } from './user'; -import { IResource, Lazy, Resource, UnscopedValidationError, ValidationError } from '../../core'; +import { IResource, Lazy, Resource, ValidationError } from '../../core'; import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; @@ -290,20 +290,29 @@ export class Policy extends Resource implements IPolicy, IGrantable { } class PolicyGrantPrincipal implements IPrincipal { - public readonly assumeRoleAction = 'sts:AssumeRole'; - public readonly grantPrincipal: IPrincipal; + public readonly policyFragment: PrincipalPolicyFragment; public readonly principalAccount?: string; + public readonly grantPrincipal: IPrincipal = this; constructor(private _policy: Policy) { - this.grantPrincipal = this; + // lambda.Function.grantInvoke() wants policyFragment to be readable to use as a dedupe hash. + // The ARN is referenced to add policy statements as a resource-based policy. + // We should fail to synth because a managed policy cannot be used as a principal of a policy document. + // cf. https://github.com/aws/aws-cdk/issues/32980 + const arn = Lazy.string({ + produce: () => { + throw new ValidationError('This grant operation needs to add a resource policy so needs access to a principal. Grant permissions to a Role or User, instead of a Policy.', _policy); + }, + }); + this.policyFragment = new ArnPrincipal(arn).policyFragment; this.principalAccount = _policy.env.account; } - public get policyFragment(): PrincipalPolicyFragment { - // This property is referenced to add policy statements as a resource-based policy. + public get assumeRoleAction(): string { + // This property is referenced to add policy statements as a trust policy. // We should fail because a policy cannot be used as a principal of a policy document. // cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying - throw new UnscopedValidationError(`Cannot use a Policy '${this._policy.node.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`); + throw new ValidationError('This grant operation needs to add a resource policy so needs access to a principal. Grant permissions to a Role or User, instead of a Policy.', this._policy); } public addToPolicy(statement: PolicyStatement): boolean { @@ -314,4 +323,8 @@ class PolicyGrantPrincipal implements IPrincipal { this._policy.addStatements(statement); return { statementAdded: true, policyDependable: this._policy }; } + + public toString(): string { + return `Policy(${this._policy.node.path})`; + } } diff --git a/packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts b/packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts index 9a8159984ebb6..3113d3756afa4 100644 --- a/packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts +++ b/packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts @@ -1,4 +1,6 @@ import { Template } from '../../assertions'; +import * as lambda from '../../aws-lambda'; +import * as s3 from '../../aws-s3'; import * as cdk from '../../core'; import { AddToPrincipalPolicyResult, Grant, Group, IResourceWithPolicy, ManagedPolicy, PolicyDocument, PolicyStatement, Role, ServicePrincipal, User, Effect } from '../lib'; @@ -670,7 +672,7 @@ describe('managed policy', () => { }); }); - test('Policies can be granted principal permissions', () => { + test('ManagedPolicy can be granted principal permissions', () => { const mp = new ManagedPolicy(stack, 'Policy', { managedPolicyName: 'MyManagedPolicyName', }); @@ -689,7 +691,32 @@ describe('managed policy', () => { }); }); - test('addPrincipalOrResource() correctly grants Policies permissions', () => { + test('ManagedPolicy can be granted via lambda.Function.grantInvoke()', () => { + const func = new lambda.Function(stack, 'Function', { code: lambda.Code.fromInline('export const handler = () => {}'), runtime: lambda.Runtime.NODEJS_LATEST, handler: 'index.handler' }); + const mp = new ManagedPolicy(stack, 'Policy', { + managedPolicyName: 'MyManagedPolicyName', + }); + func.grantInvoke(mp); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::ManagedPolicy', { + ManagedPolicyName: 'MyManagedPolicyName', + PolicyDocument: { + Statement: [ + { + Effect: 'Allow', + Action: 'lambda:InvokeFunction', + Resource: [ + { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':*']] }, + ], + }, + ], + Version: '2012-10-17', + }, + }); + }); + + test('addPrincipalOrResource() correctly grants ManagedPolicy permissions', () => { const mp = new ManagedPolicy(stack, 'Policy', { managedPolicyName: 'MyManagedPolicyName', }); @@ -715,38 +742,30 @@ describe('managed policy', () => { }); }); - test('Policies cannot be granted principal permissions across accounts', () => { + test('ManagedPolicy cannot be granted principal permissions across accounts', () => { const mp = new ManagedPolicy(stack, 'Policy', { managedPolicyName: 'MyManagedPolicyName', }); + const crossAccountStack = new cdk.Stack(app, 'CrossAccountStack', { env: { account: '5678' } }); + const bucket = new s3.Bucket(crossAccountStack, 'CrossAccountBucket', { + bucketName: 'cross-account-bucket', + }); + bucket.grantRead(mp); - class DummyResource extends cdk.Resource implements IResourceWithPolicy { - addToResourcePolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult { - throw new Error('should not be called.'); - } - } - const resource = new DummyResource(stack, 'Dummy', { account: '5678' }); - - expect(() => { - Grant.addToPrincipalOrResource({ actions: ['dummy:Action'], grantee: mp, resourceArns: ['*'], resource }); - }).toThrow(/Cannot use a ManagedPolicy 'MyStack\/Policy'/); + expect(() => app.synth()).toThrow('This grant operation needs to add a resource policy so needs access to a principal.'); }); - test('Policies cannot be granted resource permissions', () => { + test('ManagedPolicy cannot be granted resource permissions', () => { const mp = new ManagedPolicy(stack, 'Policy', { managedPolicyName: 'MyManagedPolicyName', }); + const crossAccountStack = new cdk.Stack(app, 'CrossAccountStack', { env: { account: '5678' } }); + const bucket = new s3.Bucket(crossAccountStack, 'CrossAccountBucket', { + bucketName: 'cross-account-bucket', + }); + Grant.addToPrincipalAndResource({ actions: ['dummy:Action'], grantee: mp, resourceArns: ['*'], resource: bucket }); - class DummyResource extends cdk.Resource implements IResourceWithPolicy { - addToResourcePolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult { - throw new Error('should not be called.'); - } - } - const resource = new DummyResource(stack, 'Dummy'); - - expect(() => { - Grant.addToPrincipalAndResource({ actions: ['dummy:Action'], grantee: mp, resourceArns: ['*'], resource }); - }).toThrow(/Cannot use a ManagedPolicy 'MyStack\/Policy'/); + expect(() => app.synth()).toThrow('This grant operation needs to add a resource policy so needs access to a principal.'); }); test('prevent creation when customizeRoles is configured', () => { diff --git a/packages/aws-cdk-lib/aws-iam/test/policy.test.ts b/packages/aws-cdk-lib/aws-iam/test/policy.test.ts index f703cb5d0ca66..9246e8d58bb06 100644 --- a/packages/aws-cdk-lib/aws-iam/test/policy.test.ts +++ b/packages/aws-cdk-lib/aws-iam/test/policy.test.ts @@ -1,4 +1,6 @@ import { Template } from '../../assertions'; +import * as lambda from '../../aws-lambda'; +import * as s3 from '../../aws-s3'; import { App, CfnResource, Resource, Stack } from '../../core'; import { AddToPrincipalPolicyResult, AnyPrincipal, CfnPolicy, Grant, Group, IResourceWithPolicy, Policy, PolicyDocument, PolicyStatement, Role, ServicePrincipal, User } from '../lib'; @@ -564,7 +566,7 @@ describe('IAM policy', () => { expect(() => app.synth()).toThrow(/A PolicyStatement used in an identity-based policy cannot specify any IAM principals/); }); - test('Policies can be granted principal permissions', () => { + test('Policy can be granted principal permissions', () => { const pol = new Policy(stack, 'Policy', { policyName: 'MyPolicyName', }); @@ -582,7 +584,33 @@ describe('IAM policy', () => { }); }); - test('addPrincipalOrResource() correctly grants Policies permissions', () => { + test('Policy can be granted via lambda.Function.grantInvoke()', () => { + const func = new lambda.Function(stack, 'Function', { code: lambda.Code.fromInline('export const handler = () => {}'), runtime: lambda.Runtime.NODEJS_LATEST, handler: 'index.handler' }); + const pol = new Policy(stack, 'Policy', { + policyName: 'MyPolicyName', + }); + func.grantInvoke(pol); + pol.attachToUser(new User(stack, 'User')); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyName: 'MyPolicyName', + PolicyDocument: { + Statement: [ + { + Effect: 'Allow', + Action: 'lambda:InvokeFunction', + Resource: [ + { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':*']] }, + ], + }, + ], + Version: '2012-10-17', + }, + }); + }); + + test('addPrincipalOrResource() correctly grants Policy permissions', () => { const pol = new Policy(stack, 'Policy', { policyName: 'MyPolicyName', }); @@ -607,38 +635,30 @@ describe('IAM policy', () => { }); }); - test('Policies cannot be granted principal permissions across accounts', () => { + test('Policy cannot be granted principal permissions across accounts', () => { const pol = new Policy(stack, 'Policy', { policyName: 'MyPolicyName', }); + const crossAccountStack = new Stack(app, 'CrossAccountStack', { env: { account: '5678' } }); + const bucket = new s3.Bucket(crossAccountStack, 'CrossAccountBucket', { + bucketName: 'cross-account-bucket', + }); + bucket.grantRead(pol); - class DummyResource extends Resource implements IResourceWithPolicy { - addToResourcePolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult { - throw new Error('should not be called.'); - } - } - const resource = new DummyResource(stack, 'Dummy', { account: '5678' }); - - expect(() => { - Grant.addToPrincipalOrResource({ actions: ['dummy:Action'], grantee: pol, resourceArns: ['*'], resource }); - }).toThrow(/Cannot use a Policy 'MyStack\/Policy'/); + expect(() => app.synth()).toThrow('This grant operation needs to add a resource policy so needs access to a principal.'); }); test('Policies cannot be granted resource permissions', () => { const pol = new Policy(stack, 'Policy', { policyName: 'MyPolicyName', }); + const crossAccountStack = new Stack(app, 'CrossAccountStack', { env: { account: '5678' } }); + const bucket = new s3.Bucket(crossAccountStack, 'CrossAccountBucket', { + bucketName: 'cross-account-bucket', + }); + Grant.addToPrincipalAndResource({ actions: ['dummy:Action'], grantee: pol, resourceArns: ['*'], resource: bucket }); - class DummyResource extends Resource implements IResourceWithPolicy { - addToResourcePolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult { - throw new Error('should not be called.'); - } - } - const resource = new DummyResource(stack, 'Dummy'); - - expect(() => { - Grant.addToPrincipalAndResource({ actions: ['dummy:Action'], grantee: pol, resourceArns: ['*'], resource }); - }).toThrow(/Cannot use a Policy 'MyStack\/Policy'/); + expect(() => app.synth()).toThrow('This grant operation needs to add a resource policy so needs access to a principal.'); }); });