diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out index ae4b03c54e770..188478b55560e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"30.0.0"} \ No newline at end of file +{"version":"41.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json index 8fcd0e362a9dd..f060967b94dca 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json @@ -1,7 +1,8 @@ { - "version": "30.0.0", + "version": "41.0.0", "files": { - "514f5ee3a1aa7cfaa68a26e8992753c2a8dfaa4e62da39ff85fba52545f07a2a": { + "c2c6194246bf85091584a53bc8375b8bbf23344aa5024c626b51ca6e3ce4fec2": { + "displayName": "integ-iam-role-1 Template", "source": { "path": "integ-iam-role-1.template.json", "packaging": "file" @@ -9,7 +10,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "514f5ee3a1aa7cfaa68a26e8992753c2a8dfaa4e62da39ff85fba52545f07a2a.json", + "objectKey": "c2c6194246bf85091584a53bc8375b8bbf23344aa5024c626b51ca6e3ce4fec2.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json index 2a6784d4f7504..8cbd61fab40c2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json @@ -105,7 +105,7 @@ "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "aws:PrincipalOrgID": "o-1234" + "aws:PrincipalOrgID": "o-12345abcde" } }, "Effect": "Allow", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json index fb19d898ca1a4..1f917cc7d105b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "41.0.0", "testCases": { "integ-iam-role/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json index bbcbe43c78388..0499fd40e17f3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json 
@@ -1,7 +1,8 @@ { - "version": "30.0.0", + "version": "41.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "integiamroleDefaultTestDeployAssert48737E31 Template", "source": { "path": "integiamroleDefaultTestDeployAssert48737E31.template.json", "packaging": "file" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json index 1064dbf931db6..f3a5260b4a1fe 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "42.0.0", "artifacts": { "integ-iam-role-1.assets": { "type": "cdk:asset-manifest", @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "integ-iam-role-1.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/514f5ee3a1aa7cfaa68a26e8992753c2a8dfaa4e62da39ff85fba52545f07a2a.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c2c6194246bf85091584a53bc8375b8bbf23344aa5024c626b51ca6e3ce4fec2.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -33,30 +34,198 @@ "integ-iam-role-1.assets" ], "metadata": { + "/integ-iam-role-1/TestRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], + "/integ-iam-role-1/TestRole/ImportTestRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-iam-role-1/TestRole/Resource": [ { "type": "aws:cdk:logicalId", "data": "TestRole6C9272DF" } ], + "/integ-iam-role-1/TestRole/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/integ-iam-role-1/TestRole/DefaultPolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "TestRoleDefaultPolicyD1C92014" } ], + "/integ-iam-role-1/HelloPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "policyName": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + } + ], 
"/integ-iam-role-1/HelloPolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "HelloPolicyD59007DF" } ], + "/integ-iam-role-1/TestImportedRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/integ-iam-role-1/TestRole2": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "externalIds": "*" + } + } + ], + "/integ-iam-role-1/TestRole2/ImportTestRole2": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-iam-role-1/TestRole2/Resource": [ { "type": "aws:cdk:logicalId", "data": "TestRole25D98AB21" } ], + "/integ-iam-role-1/TestRole3": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + } + ], + "/integ-iam-role-1/TestRole3/ImportTestRole3": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-iam-role-1/TestRole3/Resource": [ { "type": "aws:cdk:logicalId", @@ -91,6 +260,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "integiamroleDefaultTestDeployAssert48737E31.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", @@ -131,5 +301,6 @@ "file": "tree.json" } } - } + }, + "minimumCliVersion": "2.1006.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/tree.json index 507038fa79bba..399fc5023a6d9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/tree.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/tree.json @@ -16,8 +16,9 @@ "id": "ImportTestRole", "path": "integ-iam-role-1/TestRole/ImportTestRole", "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": ["*"] } }, "Resource": { @@ -31,9 +32,7 @@ { "Action": "sts:AssumeRole", "Effect": "Allow", - "Principal": { - "Service": "sqs.amazonaws.com" - } + "Principal": { "Service": "sqs.amazonaws.com" } } ], "Version": "2012-10-17" @@ -41,7 +40,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } }, @@ -66,28 +65,43 @@ "Version": "2012-10-17" }, "policyName": "TestRoleDefaultPolicyD1C92014", - "roles": [ - { - "Ref": "TestRole6C9272DF" - } - ] + "roles": [{ "Ref": "TestRole6C9272DF" }] } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0", + "metadata": [ + "*", + { "attachToRole": ["*"] }, + { "attachToRole": ["*"] }, + { "addStatements": [{}] } + ] } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + }, + { "addToPolicy": [{}] }, + { "addToPrincipalPolicy": [{}] }, + { "attachInlinePolicy": ["*"] }, + { "attachInlinePolicy": ["*"] }, + { "attachInlinePolicy": ["*"] } + ] } }, "HelloPolicy": { 
@@ -111,22 +125,34 @@ "Version": "2012-10-17" }, "policyName": "Default", - "roles": [ - { - "Ref": "TestRole6C9272DF" - } - ] + "roles": [{ "Ref": "TestRole6C9272DF" }] } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0", + "metadata": [ + { "policyName": "*" }, + { "addStatements": [{}] }, + { "attachToRole": ["*"] }, + { "attachToRole": ["*"] }, + { "attachToRole": ["*"] } + ] + } + }, + "TestImportedRole": { + "id": "TestImportedRole", + "path": "integ-iam-role-1/TestImportedRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": ["*"] } }, "TestRole2": { @@ -137,8 +163,9 @@ "id": "ImportTestRole2", "path": "integ-iam-role-1/TestRole2/ImportTestRole2", "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": ["*"] } }, "Resource": { @@ -152,9 +179,7 @@ { "Action": "sts:AssumeRole", "Condition": { - "StringEquals": { - "sts:ExternalId": "supply-me" - } + "StringEquals": { "sts:ExternalId": "supply-me" } }, "Effect": "Allow", "Principal": { @@ -163,13 +188,9 @@ "", [ "arn:", - { - "Ref": "AWS::Partition" - }, + { "Ref": "AWS::Partition" }, ":iam::", - { - "Ref": "AWS::AccountId" - }, + { "Ref": "AWS::AccountId" }, ":root" ] ] @@ -182,14 +203,23 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "externalIds": "*" + } + ] } }, "TestRole3": { 
@@ -200,8 +230,9 @@ "id": "ImportTestRole3", "path": "integ-iam-role-1/TestRole3/ImportTestRole3", "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": ["*"] } }, "Resource": { @@ -216,13 +247,11 @@ "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "aws:PrincipalOrgID": "o-1234" + "aws:PrincipalOrgID": "o-12345abcde" } }, "Effect": "Allow", - "Principal": { - "AWS": "*" - } + "Principal": { "AWS": "*" } } ], "Version": "2012-10-17" @@ -230,21 +259,29 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + ] } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "integ-iam-role-1/BootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", + "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" } }, @@ -252,15 +289,12 @@ "id": "CheckBootstrapVersion", "path": "integ-iam-role-1/CheckBootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, - "constructInfo": { - "fqn": "@aws-cdk/core.Stack", - "version": "0.0.0" - } + "constructInfo": { "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } }, "integ-iam-role": { "id": "integ-iam-role", @@ -275,7 +309,7 @@ "path": "integ-iam-role/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.249" + "version": "10.4.2" } }, "DeployAssert": { @@ -286,7 +320,7 @@ "id": "BootstrapVersion", "path": "integ-iam-role/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", + "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" } }, 
@@ -294,40 +328,34 @@ "id": "CheckBootstrapVersion", "path": "integ-iam-role/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTestCase", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTest", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", "version": "0.0.0" } }, "Tree": { "id": "Tree", "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.249" - } + "constructInfo": { "fqn": "constructs.Construct", "version": "10.4.2" } } }, - "constructInfo": { - "fqn": "@aws-cdk/core.App", - "version": "0.0.0" - } + "constructInfo": { "fqn": "aws-cdk-lib.App", "version": "0.0.0" } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.ts index ca3a161594ac5..28b54ac51d47b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.ts @@ -28,7 +28,7 @@ new Role(stack, 'TestRole2', { // Role with an org new Role(stack, 'TestRole3', { - assumedBy: new OrganizationPrincipal('o-1234'), + assumedBy: new OrganizationPrincipal('o-12345abcde'), }); new IntegTest(app, 'integ-iam-role', { diff --git a/packages/aws-cdk-lib/aws-iam/lib/principals.ts b/packages/aws-cdk-lib/aws-iam/lib/principals.ts index f84848fb7c251..8057d2ad0e5dc 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/principals.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/principals.ts 
@@ -32,7 +32,7 @@ export interface IGrantable {
  * Notifications Service).
  *
  * A single logical Principal may also map to a set of physical principals.
- * For example, `new OrganizationPrincipal('o-1234')` represents all
+ * For example, `new OrganizationPrincipal('o-12345abcde')` represents all
  * identities that are part of the given AWS Organization.
  */
 export interface IPrincipal extends IGrantable {
@@ -608,9 +608,18 @@ export class OrganizationPrincipal extends PrincipalBase {
 /**
  *
  * @param organizationId The unique identifier (ID) of an organization (i.e. o-12345abcde)
+ It must match regex pattern ^o-[a-z0-9]{10,32}$
+ @see https://docs.aws.amazon.com/organizations/latest/APIReference/API_Organization.html
  */
 constructor(public readonly organizationId: string) {
 super();
+
+ // We can only validate if it's a literal string (not a token)
+ if (!cdk.Token.isUnresolved(organizationId)) {
+ if (!organizationId.match(/^o-[a-z0-9]{10,32}$/)) {
+ throw new Error(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`);
+ }
+ }
 }

 public get policyFragment(): PrincipalPolicyFragment {
diff --git a/packages/aws-cdk-lib/aws-iam/test/organization-principal.test.ts b/packages/aws-cdk-lib/aws-iam/test/organization-principal.test.ts
new file mode 100644
index 0000000000000..7d0b39a76ae98
--- /dev/null
+++ b/packages/aws-cdk-lib/aws-iam/test/organization-principal.test.ts
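Review bot: The new constructor check in `OrganizationPrincipal` is deliberately skipped when `organizationId` is an unresolved token, so a malformed ID supplied via a parameter or lookup still lands in the template, where the `aws:PrincipalOrgID` condition should then match no caller (fail-closed, but silently); that limitation belongs in the doc comment, e.g. `* Token values (e.g. CfnParameter values) are not validated at synth time; a malformed ID deployed through a token makes the condition match nothing.` The pattern itself matches the Organizations API definition, but `match` returns an array where a boolean is wanted and the message is hard to read; `if (!/^o-[a-z0-9]{10,32}$/.test(organizationId))` with a message like `Organization ID must match the pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}` is tighter, and if this file already throws the library's `ValidationError`/`UnscopedValidationError` type elsewhere, a bare `Error` here breaks that convention. As rendered here, the two added JSDoc lines (`It must match…`, `@see …`) lack the leading `*` used by the rest of the comment, which doc tooling may render inconsistently — worth confirming against the actual file. The class body continues outside this hunk.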
@@ -0,0 +1,60 @@
+import { Annotations, Stack } from '../../core';
+import * as cdk from '../../core';
+import * as iam from '../lib';
+
+describe('OrganizationPrincipal', () => {
+ test('accepts valid organization ID', () => {
+ // GIVEN
+ const stack = new Stack();
+
+ // WHEN / THEN
+ expect(() => {
+ new iam.OrganizationPrincipal('o-1234567890');
+ }).not.toThrow();
+ });
+
+ test.each([
+ ['empty string', ''],
+ ['invalid prefix', 'invalid-org-id'],
+ ['too short', 'o-short'],
+ ['too long', 'o-thisnameistoooooooooooooooooolong'],
+ ])('throws error for non-compliant organization ID format: %s', (_, invalidId) => {
+ // GIVEN
+ const stack = new Stack();
+
+ // WHEN / THEN
+ expect(() => {
+ new iam.OrganizationPrincipal(invalidId);
+ }).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${invalidId}`);
+ });
+
+ test('allows token as organization ID without validation', () => {
+ // GIVEN
+ const stack = new Stack();
+ const orgIdToken = cdk.Token.asString({ Ref: 'OrgId' });
+
+ // WHEN / THEN
+ expect(() => {
+ new iam.OrganizationPrincipal(orgIdToken);
+ }).not.toThrow();
+ });
+
+ test('creates correct policy fragment', () => {
+ // GIVEN
+ const stack = new Stack();
+
+ // WHEN
+ const principal = new iam.OrganizationPrincipal('o-1234567890');
+
+ // THEN
+ expect(stack.resolve(principal.policyFragment.principalJson)).toEqual({
+ AWS: ['*'],
+ });
+
+ expect(stack.resolve(principal.policyFragment.conditions)).toEqual({
+ StringEquals: {
+ 'aws:PrincipalOrgID': 'o-1234567890',
+ },
+ });
+ });
+});
diff --git a/packages/aws-cdk-lib/aws-kms/test/via-service-principal.test.ts b/packages/aws-cdk-lib/aws-kms/test/via-service-principal.test.ts
index 4c86986e8b4a6..86367e249eff3 100644
--- a/packages/aws-cdk-lib/aws-kms/test/via-service-principal.test.ts
+++ b/packages/aws-cdk-lib/aws-kms/test/via-service-principal.test.ts
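Review bot: Three of the four tests in the new file declare `const stack = new Stack();` without using it, and `Annotations` is imported but never referenced, so the file will very likely fail the repo's unused-variable lint rule; remove the unused `stack` declarations and drop `Annotations` from the first import. The rejection table never covers case, even though the constructor's regex is lowercase-only, so adding `['uppercase', 'o-ABCDEFGHIJ'],` to the `test.each` cases would pin that uppercase IDs are refused rather than leaving it to chance. The token test only checks that nothing throws; resolving the conditions through the stack and asserting the `Ref` is preserved, e.g. `expect(stack.resolve(principal.policyFragment.conditions)).toEqual({ StringEquals: { 'aws:PrincipalOrgID': { Ref: 'OrgId' } } });`, would also show the token passes through unmodified (the exact resolved form should be confirmed against how `Token.asString` resolves here).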
@@ -23,7 +23,7 @@ test('Via service, principal with conditions', () => { // WHEN const statement = new iam.PolicyStatement({ actions: ['abc:call'], - principals: [new kms.ViaServicePrincipal('bla.amazonaws.com', new iam.OrganizationPrincipal('o-1234'))], + principals: [new kms.ViaServicePrincipal('bla.amazonaws.com', new iam.OrganizationPrincipal('o-12345abcde'))], resources: ['*'], }); @@ -33,7 +33,7 @@ test('Via service, principal with conditions', () => { Condition: { StringEquals: { 'kms:ViaService': 'bla.amazonaws.com', - 'aws:PrincipalOrgID': 'o-1234', + 'aws:PrincipalOrgID': 'o-12345abcde', }, }, Effect: 'Allow', diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts index e1d9bda088f97..c5491ec06f177 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts @@ -223,7 +223,7 @@ describe('function', () => { fn.addPermission('S1', { principal: new iam.ServicePrincipal('my-service') }); fn.addPermission('S2', { principal: new iam.AccountPrincipal('account') }); fn.addPermission('S3', { principal: new iam.ArnPrincipal('my:arn') }); - fn.addPermission('S4', { principal: new iam.OrganizationPrincipal('my:org') }); + fn.addPermission('S4', { principal: new iam.OrganizationPrincipal('o-12345abcde') }); }); test('does not show warning if skipPermissions is set', () => { @@ -1730,7 +1730,7 @@ describe('function', () => { handler: 'index.handler', runtime: lambda.Runtime.NODEJS_LATEST, }); - const org = new iam.OrganizationPrincipal('my-org-id'); + const org = new iam.OrganizationPrincipal('o-12345abcde'); // WHEN fn.grantInvoke(org); @@ -1745,7 +1745,7 @@ describe('function', () => { ], }, Principal: '*', - PrincipalOrgID: 'my-org-id', + PrincipalOrgID: 'o-12345abcde', }); }); 
@@ -1959,7 +1959,7 @@ describe('function', () => { new iam.AccountPrincipal('1234'), new iam.ServicePrincipal('apigateway.amazonaws.com'), new iam.ArnPrincipal('arn:aws:iam::123456789012:role/someRole'), - new iam.OrganizationPrincipal('my-org-id'), + new iam.OrganizationPrincipal('o-12345abcde'), ); const fn = new lambda.Function(stack, 'Function', { @@ -2011,7 +2011,7 @@ describe('function', () => { ], }, Principal: '*', - PrincipalOrgID: 'my-org-id', + PrincipalOrgID: 'o-12345abcde', }); }); }); diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts index 352ba91750042..f7e7bfc893e5e 100644 --- a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts +++ b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts @@ -1776,7 +1776,7 @@ describe('bucket', () => { const bucket = new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.KMS }); // WHEN - bucket.grantRead(new iam.OrganizationPrincipal('o-1234')); + bucket.grantRead(new iam.OrganizationPrincipal('o-12345abcde')); // THEN Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', { @@ -1785,7 +1785,7 @@ describe('bucket', () => { 'Statement': [ { Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - 'Condition': { 'StringEquals': { 'aws:PrincipalOrgID': 'o-1234' } }, + 'Condition': { 'StringEquals': { 'aws:PrincipalOrgID': 'o-12345abcde' } }, 'Effect': 'Allow', 'Principal': { AWS: '*' }, 'Resource': [ @@ -1806,7 +1806,7 @@ describe('bucket', () => { 'Effect': 'Allow', 'Resource': '*', 'Principal': { AWS: '*' }, - 'Condition': { 'StringEquals': { 'aws:PrincipalOrgID': 'o-1234' } }, + 'Condition': { 'StringEquals': { 'aws:PrincipalOrgID': 'o-12345abcde' } }, }, ]), 'Version': '2012-10-17',