
fix(iam): fix managed policies for User (#3221)
Fix adding managed policies to a User upon creation. Rename the
property for `Group`s.

Fixes #2557.

BREAKING CHANGE: `aws-iam.User` and `Group`: `managedPolicyArns` =>
`managedPolicies`.
rix0rrr authored and Elad Ben-Israel committed Jul 6, 2019
1 parent d60d673 commit ec1c5b7
Showing 7 changed files with 60 additions and 12 deletions.
2 changes: 2 additions & 0 deletions allowed-breaking-changes.txt
Expand Up @@ -8,3 +8,5 @@ removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationLoadBalancer.metricIPv6Pr
removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationLoadBalancer.metricIPv6RequestCount
removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationTargetGroup.metricIPv6RequestCount
removed:@aws-cdk/core.Fn.getAZs
removed:@aws-cdk/aws-iam.UserProps.managedPolicyArns
removed:@aws-cdk/aws-iam.GroupProps.managedPolicyArns
8 changes: 5 additions & 3 deletions packages/@aws-cdk/aws-iam/lib/group.ts
Expand Up @@ -40,11 +40,13 @@ export interface GroupProps {
readonly groupName?: string;

/**
* A list of ARNs for managed policies associated with group.
* A list managed policies associated with this role.
*
* You can add managed policies later using `attachManagedPolicy(policy)`.
*
* @default - No managed policies.
*/
readonly managedPolicyArns?: any[];
readonly managedPolicies?: IManagedPolicy[];

/**
* The path to the group. For more information about paths, see [IAM
Expand Down Expand Up @@ -130,7 +132,7 @@ export class Group extends GroupBase {
physicalName: props.groupName,
});

this.managedPolicies.push(...props.managedPolicyArns || []);
this.managedPolicies.push(...props.managedPolicies || []);

const group = new CfnGroup(this, 'Resource', {
groupName: this.physicalName,
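Review bot: The new doc comment on `managedPolicies` in `GroupProps` names the wrong entity and drops a word: `A list managed policies associated with this role.` should read `A list of managed policies associated with this group.`, and the same pasted sentence in `UserProps` in user.ts should say `this user`. Both comments also direct readers to `attachManagedPolicy(policy)`, whereas the doc line this commit removes from user.ts referred to `addManagedPolicy(arn)`; the class bodies are outside these hunks, so confirm which method the identity classes actually expose and name that one in group.ts, user.ts and role.ts consistently. In the `Group` constructor the spread `this.managedPolicies.push(...props.managedPolicies || []);` reads more clearly with the operand parenthesized, `this.managedPolicies.push(...(props.managedPolicies || []));`, or with `?? []` if the project's TypeScript version supports it; user.ts adds the identical line. The constructor continues outside the hunk.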
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-iam/lib/role.ts
Expand Up @@ -30,7 +30,8 @@ export interface RoleProps {
readonly externalId?: string;

/**
* A list of ARNs for managed policies associated with this role.
* A list of managed policies associated with this role.
*
* You can add managed policies later using `attachManagedPolicy(arn)`.
*
* @default - No managed policies.
9 changes: 6 additions & 3 deletions packages/@aws-cdk/aws-iam/lib/user.ts
Expand Up @@ -24,12 +24,13 @@ export interface UserProps {
readonly groups?: IGroup[];

/**
* A list of ARNs for managed policies attacherd to this user.
* You can use `addManagedPolicy(arn)` to attach a managed policy to this user.
* A list managed policies associated with this role.
*
* You can add managed policies later using `attachManagedPolicy(policy)`.
*
* @default - No managed policies.
*/
readonly managedPolicyArns?: any[];
readonly managedPolicies?: IManagedPolicy[];

/**
* The path for the user name. For more information about paths, see IAM
Expand Down Expand Up @@ -108,6 +109,8 @@ export class User extends Resource implements IIdentity {
physicalName: props.userName,
});

this.managedPolicies.push(...props.managedPolicies || []);

const user = new CfnUser(this, 'Resource', {
userName: this.physicalName,
groups: undefinedIfEmpty(() => this.groups),
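Review bot: The push added to the `User` constructor, `this.managedPolicies.push(...props.managedPolicies || []);`, assumes `this.managedPolicies` is already an initialized array when the constructor body runs; that field is declared outside the hunk, so confirm it is a field initializer rather than something assigned later in the constructor. The element type also changes from `any[]` to `IManagedPolicy[]` in `UserProps`, so callers that passed raw ARN strings under the old name will now fail type-checking as well as needing the rename; the BREAKING CHANGE line only mentions the rename, and a short sentence on the type change would help upgraders. The constructor continues outside the hunk.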
23 changes: 21 additions & 2 deletions packages/@aws-cdk/aws-iam/test/test.group.ts
@@ -1,7 +1,7 @@
import { expect } from '@aws-cdk/assert';
import { expect, haveResource } from '@aws-cdk/assert';
import { App, Stack } from '@aws-cdk/core';
import { Test } from 'nodeunit';
import { Group, User } from '../lib';
import { Group, ManagedPolicy, User } from '../lib';

export = {
'default group'(test: Test) {
Expand Down Expand Up @@ -35,4 +35,23 @@ export = {
Properties: { Groups: [ { Ref: 'MyGroupCBA54B1B' } ] } } } });
test.done();
},

'create with managed policy'(test: Test) {
// GIVEN
const stack = new Stack();

// WHEN
new Group(stack, 'MyGroup', {
managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')]
});

// THEN
expect(stack).to(haveResource('AWS::IAM::Group', {
ManagedPolicyArns: [
{ "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
]
}));

test.done();
}
};
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-iam/test/test.role.ts
Expand Up @@ -288,5 +288,6 @@ export = {
Roles: [ "MyRole" ]
}));
test.done();
}
},

};
24 changes: 22 additions & 2 deletions packages/@aws-cdk/aws-iam/test/test.user.ts
@@ -1,7 +1,7 @@
import { expect } from '@aws-cdk/assert';
import { expect, haveResource } from '@aws-cdk/assert';
import { App, SecretValue, Stack } from '@aws-cdk/core';
import { Test } from 'nodeunit';
import { User } from '../lib';
import { ManagedPolicy, User } from '../lib';

export = {
'default user'(test: Test) {
Expand Down Expand Up @@ -32,6 +32,26 @@ export = {
const app = new App();
const stack = new Stack(app, 'MyStack');
test.throws(() => new User(stack, 'MyUser', { passwordResetRequired: true }));
test.done();
},

'create with managed policy'(test: Test) {
// GIVEN
const app = new App();
const stack = new Stack(app, 'MyStack');

// WHEN
new User(stack, 'MyUser', {
managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')]
});

// THEN
expect(stack).to(haveResource('AWS::IAM::User', {
ManagedPolicyArns: [
{ "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
]
}));

test.done();
}
};
