feat(core): IEnvironmentAware interface to retrieve a construct's environment

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.ts

@@ -5,7 +5,7 @@ import * as iam from 'aws-cdk-lib/aws-iam';
 import { IManagedPolicy, ManagedPolicyReference } from 'aws-cdk-lib/aws-iam';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as deploy from 'aws-cdk-lib/aws-s3-deployment';
-import { App, Fn, RemovalPolicy, Stack, UnscopedValidationError } from 'aws-cdk-lib';
+import { App, Fn, RemovalPolicy, ResourceEnvironment, Stack, UnscopedValidationError } from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 import * as cpactions from 'aws-cdk-lib/aws-codepipeline-actions';
 import { Node } from 'constructs';
@@ -56,6 +56,9 @@ function makePolicy(arn: string): IManagedPolicy {
     get node(): Node {
       throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
     },
+    get env(): ResourceEnvironment {
+      throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
+    },
   };
 }
 

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/databrew/integ.start-job-run.ts

@@ -25,6 +25,9 @@ function makePolicy(arn: string): IManagedPolicy {
     get node(): Node {
       throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
     },
+    get env(): cdk.ResourceEnvironment {
+      throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
+    },
   };
 }
 

packages/@aws-cdk/aws-bedrock-alpha/bedrock/agents/agent-alias.ts

@@ -77,7 +77,6 @@ export abstract class AgentAliasBase extends Resource implements IAgentAlias {
       grantee,
       actions,
       resourceArns: [this.aliasArn],
-      scope: this,
     });
   }
 

packages/@aws-cdk/aws-bedrock-alpha/bedrock/guardrails/guardrails.ts

@@ -199,7 +199,6 @@ export abstract class GuardrailBase extends Resource implements IGuardrail {
       grantee,
       actions,
       resourceArns: [this.guardrailArn],
-      scope: this,
     });
   }
 

packages/@aws-cdk/aws-bedrock-alpha/bedrock/inference-profiles/application-inference-profile.ts

@@ -123,7 +123,6 @@ export class ApplicationInferenceProfile extends InferenceProfileBase implements
           grantee: grantee,
           actions: ['bedrock:GetInferenceProfile', 'bedrock:InvokeModel'],
           resourceArns: [this.inferenceProfileArn],
-          scope: this,
         });
       }
     }
@@ -157,7 +156,6 @@ export class ApplicationInferenceProfile extends InferenceProfileBase implements
           grantee: grantee,
           actions: ['bedrock:GetInferenceProfile', 'bedrock:InvokeModel'],
           resourceArns: [this.inferenceProfileArn],
-          scope: this,
         });
       }
     })(cfnApplicationInferenceProfile, id);
@@ -357,7 +355,6 @@ export class ApplicationInferenceProfile extends InferenceProfileBase implements
       grantee: grantee,
       actions: ['bedrock:GetInferenceProfile', 'bedrock:InvokeModel'],
       resourceArns: [this.inferenceProfileArn],
-      scope: this,
     });
   }
 }

packages/@aws-cdk/aws-bedrock-alpha/bedrock/prompts/prompt.ts

@@ -78,7 +78,6 @@ export abstract class PromptBase extends Resource implements IPrompt {
       grantee,
       resourceArns: [this.promptArn],
       actions: ['bedrock:GetPrompt'],
-      scope: this,
     });
   }
 }

packages/aws-cdk-lib/aws-appsync/lib/data-source-common.ts

@@ -470,7 +470,6 @@ export class AppSyncRdsDataSource extends AppSyncBackedDataSource {
         'rds-data:UpdateItems',
       ],
       resourceArns: [clusterArn, `${clusterArn}:*`],
-      scope: this,
     });
   }
 }

packages/aws-cdk-lib/aws-appsync/lib/data-source.ts

@@ -455,7 +455,6 @@ export class RdsDataSource extends BackedDataSource {
         'rds-data:UpdateItems',
       ],
       resourceArns: [clusterArn, `${clusterArn}:*`],
-      scope: this,
     });
   }
 }

packages/aws-cdk-lib/aws-appsync/lib/eventapi.ts

@@ -402,7 +402,6 @@ export abstract class EventApiBase extends ApiBase implements IEventApi {
       grantee,
       actions,
       resourceArns: resources.resourceArns(this),
-      scope: this,
     });
   }
 

packages/aws-cdk-lib/aws-appsync/lib/graphqlapi-base.ts

@@ -560,7 +560,6 @@ export abstract class GraphqlApiBase extends Resource implements IGraphqlApi {
       grantee,
       actions,
       resourceArns: resources.resourceArns(this),
-      scope: this,
     });
   }
 

packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts

@@ -4,6 +4,7 @@ import {
   Duration,
   Names,
   Resource,
+  ResourceEnvironment,
   Stack,
   Token,
   UnscopedValidationError,
@@ -152,6 +153,10 @@ export class CachePolicy extends Resource implements ICachePolicy {
         throw new UnscopedValidationError('The result of fromManagedCachePolicy can not be used in this API');
       }
 
+      public get env(): ResourceEnvironment {
+        throw new UnscopedValidationError('The result of fromManagedCachePolicy can not be used in this API');
+      }
+
       public readonly cachePolicyId = managedCachePolicyId;
       public readonly cachePolicyRef = {
         cachePolicyId: managedCachePolicyId,

packages/aws-cdk-lib/aws-cloudfront/lib/origin-request-policy.ts

@@ -1,6 +1,6 @@
 import { Construct, Node } from 'constructs';
 import { CfnOriginRequestPolicy, IOriginRequestPolicyRef, OriginRequestPolicyReference } from './cloudfront.generated';
-import { Names, Resource, Token, UnscopedValidationError, ValidationError } from '../../core';
+import { Names, Resource, ResourceEnvironment, Token, UnscopedValidationError, ValidationError } from '../../core';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 
@@ -92,6 +92,10 @@ export class OriginRequestPolicy extends Resource implements IOriginRequestPolic
         throw new UnscopedValidationError('The result of fromManagedOriginRequestPolicy can not be used in this API');
       }
 
+      public get env(): ResourceEnvironment {
+        throw new UnscopedValidationError('The result of fromManagedOriginRequestPolicy can not be used in this API');
+      }
+
       public readonly originRequestPolicyId = managedOriginRequestPolicyId;
       public readonly originRequestPolicyRef = {
         originRequestPolicyId: managedOriginRequestPolicyId,

packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts

@@ -4,7 +4,7 @@ import {
   IResponseHeadersPolicyRef,
   ResponseHeadersPolicyReference,
 } from './cloudfront.generated';
-import { Duration, Names, Resource, Token, UnscopedValidationError, ValidationError, withResolved } from '../../core';
+import { Duration, Names, Resource, ResourceEnvironment, Token, UnscopedValidationError, ValidationError, withResolved } from '../../core';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 
@@ -114,6 +114,10 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
         throw new UnscopedValidationError('The result of fromManagedResponseHeadersPolicy can not be used in this API');
       }
 
+      public get env(): ResourceEnvironment {
+        throw new UnscopedValidationError('The result of fromManagedResponseHeadersPolicy can not be used in this API');
+      }
+
       public readonly responseHeadersPolicyId = managedResponseHeadersPolicyId;
       public readonly responseHeadersPolicyRef = {
         responseHeadersPolicyId: managedResponseHeadersPolicyId,

packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts

@@ -1,6 +1,6 @@
 import { Construct, Node } from 'constructs';
 import * as codepipeline from '../../../aws-codepipeline';
-import { Aws, UnscopedValidationError } from '../../../core';
+import { Aws, ResourceEnvironment, UnscopedValidationError } from '../../../core';
 import { Action } from '../action';
 import { deployArtifactBounds } from '../common';
 
@@ -57,6 +57,9 @@ export class ElasticBeanstalkDeployAction extends Action {
       get node(): Node {
         throw new UnscopedValidationError('This object can not be used in this API');
       },
+      get env(): ResourceEnvironment {
+        throw new UnscopedValidationError('This object can not be used in this API');
+      },
       managedPolicyArn: policyArn,
       managedPolicyRef: { policyArn },
     });

packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts

@@ -1049,7 +1049,6 @@ abstract class UserPoolBase extends Resource implements IUserPool {
       grantee,
       actions,
       resourceArns: [this.userPoolArn],
-      scope: this,
     });
   }
 }

packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts

@@ -448,7 +448,6 @@ export abstract class TableBaseV2 extends Resource implements ITableV2, IResourc
         grantee,
         actions: options.streamActions,
         resourceArns: [this.tableStreamArn],
-        scope: this,
       });
     }
 

packages/aws-cdk-lib/aws-dynamodb/lib/table.ts

@@ -696,7 +696,6 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
       grantee,
       actions,
       resourceArns: [this.tableStreamArn],
-      scope: this,
     });
   }
 

packages/aws-cdk-lib/aws-ecr/lib/repository.ts

@@ -382,7 +382,6 @@ export abstract class RepositoryBase extends Resource implements IRepository {
         grantee,
         actions,
         resourceArns: [this.repositoryArn],
-        scope: this,
       });
     } else {
       return iam.Grant.addToPrincipalOrResource({
@@ -415,7 +414,6 @@ export abstract class RepositoryBase extends Resource implements IRepository {
       grantee,
       actions: ['ecr:GetAuthorizationToken'],
       resourceArns: ['*'],
-      scope: this,
     });
 
     return ret;
@@ -430,7 +428,6 @@ export abstract class RepositoryBase extends Resource implements IRepository {
       grantee,
       actions: ['ecr:GetAuthorizationToken'],
       resourceArns: ['*'],
-      scope: this,
     });
 
     return ret;
@@ -448,7 +445,6 @@ export abstract class RepositoryBase extends Resource implements IRepository {
       grantee,
       actions: ['ecr:GetAuthorizationToken'],
       resourceArns: ['*'],
-      scope: this,
     });
 
     return ret;

packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts

@@ -4,7 +4,7 @@ import { CfnFileSystem, CfnMountTarget } from './efs.generated';
 import * as ec2 from '../../aws-ec2';
 import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
-import { ArnFormat, FeatureFlags, Lazy, Names, RemovalPolicy, Resource, Size, Stack, Tags, Token, ValidationError } from '../../core';
+import { ArnFormat, FeatureFlags, IResource, Lazy, Names, RemovalPolicy, Resource, Size, Stack, Tags, Token, ValidationError } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 import * as cxapi from '../../cx-api';
@@ -141,7 +141,7 @@ export enum ReplicationOverwriteProtection {
 /**
  * Represents an Amazon EFS file system
  */
-export interface IFileSystem extends ec2.IConnectable, iam.IResourceWithPolicy {
+export interface IFileSystem extends ec2.IConnectable, IResource, iam.IResourceWithPolicy {
   /**
    * The ID of the file system, assigned by Amazon EFS.
    *

packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts

@@ -1320,7 +1320,6 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
       grantee,
       actions: domainActions,
       resourceArns,
-      scope: this,
     });
 
     return grant;

packages/aws-cdk-lib/aws-iam/lib/grant.ts

@@ -44,7 +44,7 @@ export interface GrantWithResourceOptions extends CommonGrantOptions {
    * The statement will be added to the resource policy if it couldn't be
    * added to the principal policy.
    */
-  readonly resource: IResourceWithPolicy;
+  readonly resource: IResourceWithPolicyV2;
 
   /**
    * When referring to the resource in a resource policy, use this as ARN.
@@ -68,7 +68,7 @@ export interface GrantPolicyWithResourceOptions extends GrantWithResourceOptions
    * The policy statement to add to the resource's policy
    *
    * This statement will be passed to the resource's addToResourcePolicy method.
-   * The actual handling of the statement depends on the specific IResourceWithPolicy
+   * The actual handling of the statement depends on the specific IResourceWithPolicyV2
    * implementation.
    */
   readonly statement: PolicyStatement;
@@ -83,6 +83,7 @@ export interface GrantOnPrincipalOptions extends CommonGrantOptions {
    * Construct to report warnings on in case grant could not be registered
    *
    * @default - the construct in which this construct is defined
+   * @deprecated The scope argument is currently unused.
    */
   readonly scope?: IConstruct;
 }
@@ -97,7 +98,7 @@ export interface GrantOnPrincipalAndResourceOptions extends CommonGrantOptions {
    *
    * The statement will always be added to the resource policy.
    */
-  readonly resource: IResourceWithPolicy;
+  readonly resource: IResourceWithPolicyV2;
 
   /**
    * When referring to the resource in a resource policy, use this as ARN.
@@ -138,10 +139,7 @@ export class Grant implements IDependable {
    *   resource construct.
    */
   public static addToPrincipalOrResource(options: GrantWithResourceOptions): Grant {
-    const result = Grant.addToPrincipal({
-      ...options,
-      scope: options.resource,
-    });
+    const result = Grant.addToPrincipal(options);
 
     const resourceAndPrincipalAccountComparison = options.grantee.grantPrincipal.principalAccount
       ? cdk.Token.compareStrings(options.resource.env.account, options.grantee.grantPrincipal.principalAccount)
@@ -267,10 +265,7 @@ export class Grant implements IDependable {
    * Statement will be the resource statement.
    */
   public static addToPrincipalAndResource(options: GrantOnPrincipalAndResourceOptions): Grant {
-    const result = Grant.addToPrincipal({
-      ...options,
-      scope: options.resource,
-    });
+    const result = Grant.addToPrincipal(options);
 
     const statement = new PolicyStatement({
       actions: options.actions,
@@ -426,13 +421,24 @@ interface GrantProps {
 /**
  * A resource with a resource policy that can be added to
  */
-export interface IResourceWithPolicy extends cdk.IResource {
+export interface IResourceWithPolicyV2 extends cdk.IEnvironmentAware {
   /**
    * Add a statement to the resource's resource policy
    */
   addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
 }
 
+/**
+ * A resource with a resource policy that can be added to
+ *
+ * This interface is maintained for backwards compatibility, but should
+ * not be used in new code. Prefer `IResourceWithPolicyV2` instead.
+ *
+ * @deprecated Implement `IResourceWithPolicyV2` instead.
+ */
+export interface IResourceWithPolicy extends IResourceWithPolicyV2, cdk.IResource {
+}
+
 /**
  * Result of calling addToResourcePolicy
  */

packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts

@@ -13,7 +13,7 @@ import { AddToPrincipalPolicyResult, IGrantable, IPrincipal, PrincipalPolicyFrag
 import { undefinedIfEmpty } from './private/util';
 import { IRole } from './role';
 import { IUser } from './user';
-import { Arn, ArnFormat, Aws, Resource, Stack, UnscopedValidationError } from '../../core';
+import { Arn, ArnFormat, Aws, Resource, ResourceEnvironment, Stack, UnscopedValidationError } from '../../core';
 import { getCustomizeRolesConfig, PolicySynthesizer } from '../../core/lib/helpers-internal';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
@@ -196,6 +196,9 @@ export class ManagedPolicy extends Resource implements IManagedPolicy, IGrantabl
       public get node(): Node {
         throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
       }
+      public get env(): ResourceEnvironment {
+        throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
+      }
     }
     return new AwsManagedPolicy();
   }

packages/aws-cdk-lib/aws-iam/lib/private/imported-role.ts

@@ -132,7 +132,6 @@ export class ImportedRole extends Resource implements IRole, IComparablePrincipa
       grantee,
       actions,
       resourceArns: [this.roleArn],
-      scope: this,
     });
   }
 

packages/aws-cdk-lib/aws-iam/lib/role.ts

@@ -679,7 +679,6 @@ export class Role extends Resource implements IRole {
       grantee,
       actions,
       resourceArns: [this.roleArn],
-      scope: this,
     });
   }
 

packages/aws-cdk-lib/aws-kinesis/lib/stream.ts

@@ -493,10 +493,7 @@ abstract class StreamBase extends Resource implements IStream {
           }
           return { statementAdded: false };
         },
-        node: this.node,
-        stack: this.stack,
         env: this.env,
-        applyRemovalPolicy: x => this.applyRemovalPolicy(x),
       },
     });
   }