8 changes: 7 additions & 1 deletion packages/aws-cdk-lib/aws-iam/lib/principals.ts
Expand Up @@ -32,7 +32,7 @@ export interface IGrantable {
* Notifications Service).
*
* A single logical Principal may also map to a set of physical principals.
* For example, `new OrganizationPrincipal('o-1234')` represents all
* For example, `new OrganizationPrincipal('o-12345abcde')` represents all
* identities that are part of the given AWS Organization.
*/
export interface IPrincipal extends IGrantable {
Expand Down Expand Up @@ -603,6 +603,9 @@ export class ServicePrincipal extends PrincipalBase {

/**
* A principal that represents an AWS Organization
*
* Property organizationId must match regex pattern ^o-[a-z0-9]{10,32}$
* @see https://docs.aws.amazon.com/organizations/latest/APIReference/API_Organization.html
*/
export class OrganizationPrincipal extends PrincipalBase {
/**
Expand All @@ -611,6 +614,9 @@ export class OrganizationPrincipal extends PrincipalBase {
*/
constructor(public readonly organizationId: string) {
super();
if (!organizationId.match(/^o-[a-z0-9]{10,32}$/)) {
throw new Error(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`);
}
}

public get policyFragment(): PrincipalPolicyFragment {
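Review bot: The new guard at `if (!organizationId.match(/^o-[a-z0-9]{10,32}$/))` will also throw for an unresolved token (an organization ID coming from a CfnParameter, a context/SSM lookup or a cross-stack reference), because a token's string form can never match the pattern; the usual CDK approach is to validate only concrete values, e.g. `if (!cdk.Token.isUnresolved(organizationId) && !/^o-[a-z0-9]{10,32}$/.test(organizationId)) {` — this assumes the file already imports the core module as `cdk`, which lies outside the hunk. Using `RegExp.test()` is also the idiomatic form for a boolean check, rather than negating the array returned by `String.match()`. The class doc comment added above (`Property organizationId must match regex pattern ...`) would benefit from one sentence saying the check runs at construction time, so callers know a malformed literal fails at synthesis rather than at deploy; the remainder of OrganizationPrincipal continues outside the hunk.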
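--- a/packages/aws-cdk-lib/aws-iam/test/principals.test.ts
+++ b/packages/aws-cdk-lib/aws-iam/test/principals.test.ts
@@ -518,3 +518,15 @@ test('ServicePrinciple construct by default reset the principle name to the defa
 },
 });
 });
+
+test('throw error when Organization ID does not match regex pattern', () => {
+// GIVEN
+const shortOrgId = 'o-shortname';
+const noOOrgName = 'no-o-name';
+const longOrgName = 'o-thisnameistoooooooooooooooooolong';
+
+// THEN
+expect(() => new iam.OrganizationPrincipal(shortOrgId)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${shortOrgId}`);
+expect(() => new iam.OrganizationPrincipal(noOOrgName)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${noOOrgName}`);
+expect(() => new iam.OrganizationPrincipal(longOrgName)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${longOrgName}`);
+});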
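Review bot: The new test only asserts rejected IDs; nothing checks that a well-formed value is accepted, so a regression that rejects every input would still pass. Add a positive case under THEN, e.g. `expect(() => new iam.OrganizationPrincipal('o-12345abcde')).not.toThrow();`, reusing the sample ID from the doc comment in principals.ts. The expected message is spelled out three times; a small local helper such as `const expectedMsg = (id: string) => \`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${id}\`;` would keep the three assertions in step with the error text in principals.ts. If token-valued IDs are meant to pass validation, a case built from an unresolved token (for instance a `CfnParameter` value, assuming the core module is imported in this test file) would pin that behaviour as well.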