Updating all the call sites

packages/@aws-cdk/app-delivery/test/test.pipeline-deploy-stack-action.ts

@@ -222,17 +222,18 @@ export = nodeunit.testCase({
  adminPermissions: false,
  });
  // we might need to add permissions
- deployAction.addToDeploymentRolePolicy( new iam.PolicyStatement().
- addActions(
+ deployAction.addToDeploymentRolePolicy(new iam.PolicyStatement({
+ actions: [
  'ec2:AuthorizeSecurityGroupEgress',
  'ec2:AuthorizeSecurityGroupIngress',
  'ec2:DeleteSecurityGroup',
  'ec2:DescribeSecurityGroups',
  'ec2:CreateSecurityGroup',
  'ec2:RevokeSecurityGroupEgress',
  'ec2:RevokeSecurityGroupIngress'
- ).
- addAllResources());
+ ],
+ resources: ['*']
+ }));
 
  // THEN //
  // there should be 3 policies 1. CodePipeline, 2. Codebuild, 3.

packages/@aws-cdk/assets-docker/lib/adopted-repository.ts

@@ -41,15 +41,16 @@ export class AdoptedRepository extends ecr.RepositoryBase {
  timeout: 300
  });
 
- fn.addToRolePolicy(new iam.PolicyStatement()
- .addResource(ecr.Repository.arnForLocalRepository(props.repositoryName, this))
- .addActions(
+ fn.addToRolePolicy(new iam.PolicyStatement({
+ resources: [ecr.Repository.arnForLocalRepository(props.repositoryName, this)],
+ actions: [
  'ecr:GetRepositoryPolicy',
  'ecr:SetRepositoryPolicy',
  'ecr:DeleteRepository',
  'ecr:ListImages',
  'ecr:BatchDeleteImage'
- ));
+ ],
+ }));
 
  const adopter = new cfn.CustomResource(this, 'Resource', {
  resourceType: 'Custom::ECRAdoptedRepository',

packages/@aws-cdk/assets-docker/test/test.image-asset.ts

@@ -112,9 +112,10 @@ export = {
  });
 
  // WHEN
- asset.repository.addToResourcePolicy(new iam.PolicyStatement()
- .addAction('BOOM')
- .addPrincipal(new iam.ServicePrincipal('test.service')));
+ asset.repository.addToResourcePolicy(new iam.PolicyStatement({
+ actions: ['BOOM'],
+ principals: [new iam.ServicePrincipal('test.service')]
+ }));
 
  // THEN
  expect(stack).to(haveResource('Custom::ECRAdoptedRepository', {

packages/@aws-cdk/aws-apigateway/lib/restapi.ts

@@ -343,14 +343,7 @@ export class RestApi extends Resource implements IRestApi {
  private configureCloudWatchRole(apiResource: CfnRestApi) {
  const role = new iam.Role(this, 'CloudWatchRole', {
  assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com'),
- managedPolicyArns: [ Stack.of(this).formatArn({
- service: 'iam',
- region: '',
- account: 'aws',
- resource: 'policy',
- sep: '/',
- resourceName: 'service-role/AmazonAPIGatewayPushToCloudWatchLogs'
- }) ]
+ managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonAPIGatewayPushToCloudWatchLogs')],
  });
 
  const resource = new CfnAccount(this, 'Account', {

packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts

@@ -231,9 +231,10 @@ export = {
  vpc
  });
 
- fleet.addToRolePolicy(new iam.PolicyStatement()
- .addAction('test:SpecialName')
- .addAllResources());
+ fleet.addToRolePolicy(new iam.PolicyStatement({
+ actions: ['test:SpecialName'],
+ resources: ['*']
+ }));
 
  expect(stack).to(haveResource('AWS::IAM::Policy', {
  PolicyDocument: {

packages/@aws-cdk/aws-autoscaling/test/test.lifecyclehooks.ts

@@ -71,9 +71,10 @@ export = {
 
 class FakeNotificationTarget implements autoscaling.ILifecycleHookTarget {
  public bind(_scope: Construct, lifecycleHook: autoscaling.ILifecycleHook): autoscaling.LifecycleHookTargetConfig {
- lifecycleHook.role.addToPolicy(new iam.PolicyStatement()
- .addAction('action:Work')
- .addAllResources());
+ lifecycleHook.role.addToPolicy(new iam.PolicyStatement({
+ actions: ['action:Work'],
+ resources: ['*']
+ }));
  return { notificationTargetArn: 'target:arn', };
  }
 }

packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts

@@ -53,21 +53,18 @@ export class DnsValidatedCertificate extends cdk.Resource implements ICertificat
  runtime: lambda.Runtime.NodeJS810,
  timeout: 15 * 60 // 15 minutes
  });
- requestorFunction.addToRolePolicy(
- new iam.PolicyStatement()
- .addActions('acm:RequestCertificate', 'acm:DescribeCertificate', 'acm:DeleteCertificate')
- .addResource('*')
- );
- requestorFunction.addToRolePolicy(
- new iam.PolicyStatement()
- .addActions('route53:GetChange')
- .addResource('*')
- );
- requestorFunction.addToRolePolicy(
- new iam.PolicyStatement()
- .addActions('route53:changeResourceRecordSets')
- .addResource(`arn:aws:route53:::hostedzone/${this.hostedZoneId}`)
- );
+ requestorFunction.addToRolePolicy(new iam.PolicyStatement({
+ actions: ['acm:RequestCertificate', 'acm:DescribeCertificate', 'acm:DeleteCertificate'],
+ resources: ['*'],
+ }));
+ requestorFunction.addToRolePolicy(new iam.PolicyStatement({
+ actions: ['route53:GetChange'],
+ resources: ['*'],
+ }));
+ requestorFunction.addToRolePolicy(new iam.PolicyStatement({
+ actions: ['route53:changeResourceRecordSets'],
+ resources: [`arn:aws:route53:::hostedzone/${this.hostedZoneId}`],
+ }));
 
  const certificate = new cfn.CustomResource(this, 'CertificateRequestorResource', {
  provider: cfn.CustomResourceProvider.lambda(requestorFunction),

packages/@aws-cdk/aws-cloudformation/lib/aws-custom-resource.ts

@@ -136,11 +136,10 @@ export class AwsCustomResource extends cdk.Construct {
  } else { // Derive statements from AWS SDK calls
  for (const call of [props.onCreate, props.onUpdate, props.onDelete]) {
  if (call) {
- provider.addToRolePolicy(
- new iam.PolicyStatement()
- .addAction(awsSdkToIamAction(call.service, call.action))
- .addAllResources()
- );
+ provider.addToRolePolicy(new iam.PolicyStatement({
+ actions: [awsSdkToIamAction(call.service, call.action)],
+ resources: ['*']
+ }));
  }
  }
  }

packages/@aws-cdk/aws-cloudformation/test/test.aws-custom-resource.ts

@@ -134,9 +134,10 @@ export = {
  physicalResourceIdPath: 'ETag'
  },
  policyStatements: [
- new iam.PolicyStatement()
- .addAction('s3:PutObject')
- .addResource('arn:aws:s3:::my-bucket/my-key')
+ new iam.PolicyStatement({
+ actions: ['s3:PutObject'],
+ resources: ['arn:aws:s3:::my-bucket/my-key']
+ })
  ]
  });
 

packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.ts

@@ -21,10 +21,10 @@ const dist = new cloudfront.CloudFrontWebDistribution(stack, 'Distribution', {
  },
  }]
 });
-bucket.addToResourcePolicy(new iam.PolicyStatement()
- .allow()
- .addActions('s3:Get*', 's3:List*')
- .addResources(bucket.bucketArn, bucket.arnForObjects('*'))
- .addCanonicalUserPrincipal(oai.cloudFrontOriginAccessIdentityS3CanonicalUserId));
+bucket.addToResourcePolicy(new iam.PolicyStatement({
+ actions: ['s3:Get*', 's3:List*'],
+ resources: [bucket.bucketArn, bucket.arnForObjects('*')],
+ principals: [new iam.CanonicalUserPrincipal(oai.cloudFrontOriginAccessIdentityS3CanonicalUserId)]
+}));
 
 new cdk.CfnOutput(stack, 'DistributionDomainName', { value: dist.domainName });

packages/@aws-cdk/aws-cloudtrail/lib/index.ts

@@ -130,16 +130,20 @@ export class Trail extends Resource {
  const s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.Unencrypted});
  const cloudTrailPrincipal = "cloudtrail.amazonaws.com";
 
- s3bucket.addToResourcePolicy(new iam.PolicyStatement()
- .addResource(s3bucket.bucketArn)
- .addActions('s3:GetBucketAcl')
- .addServicePrincipal(cloudTrailPrincipal));
-
- s3bucket.addToResourcePolicy(new iam.PolicyStatement()
- .addResource(s3bucket.arnForObjects(`AWSLogs/${Stack.of(this).accountId}/*`))
- .addActions("s3:PutObject")
- .addServicePrincipal(cloudTrailPrincipal)
- .setCondition("StringEquals", {'s3:x-amz-acl': "bucket-owner-full-control"}));
+ s3bucket.addToResourcePolicy(new iam.PolicyStatement({
+ resources: [s3bucket.bucketArn],
+ actions: ['s3:GetBucketAcl'],
+ principals: [new iam.ServicePrincipal(cloudTrailPrincipal)]
+ }));
+
+ s3bucket.addToResourcePolicy(new iam.PolicyStatement({
+ resources: [s3bucket.arnForObjects(`AWSLogs/${Stack.of(this).accountId}/*`)],
+ actions: ["s3:PutObject"],
+ principals: [new iam.ServicePrincipal(cloudTrailPrincipal)],
+ conditions: {
+ StringEquals: {'s3:x-amz-acl': "bucket-owner-full-control"}
+ }
+ }));
 
  let logGroup: logs.CfnLogGroup | undefined;
  let logsRole: iam.IRole | undefined;
@@ -150,9 +154,10 @@ export class Trail extends Resource {
 
  logsRole = new iam.Role(this, 'LogsRole', { assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
 
- logsRole.addToPolicy(new iam.PolicyStatement()
- .addActions("logs:PutLogEvents", "logs:CreateLogStream")
- .addResource(logGroup.logGroupArn));
+ logsRole.addToPolicy(new iam.PolicyStatement({
+ actions: ["logs:PutLogEvents", "logs:CreateLogStream"],
+ resources: [logGroup.logGroupArn],
+ }));
  }
  if (props.managementEvents) {
  const managementEvent = {

packages/@aws-cdk/aws-codebuild/lib/project.ts

@@ -814,15 +814,10 @@ export class Project extends ProjectBase {
 
  const logGroupStarArn = `${logGroupArn}:*`;
 
- const p = new iam.PolicyStatement();
- p.allow();
- p.addResource(logGroupArn);
- p.addResource(logGroupStarArn);
- p.addAction('logs:CreateLogGroup');
- p.addAction('logs:CreateLogStream');
- p.addAction('logs:PutLogEvents');
-
- return p;
+ return new iam.PolicyStatement({
+ resources: [logGroupArn, logGroupStarArn],
+ actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
+ });
  }
 
  private renderEnvironment(env: BuildEnvironment = {},
@@ -899,26 +894,26 @@ export class Project extends ProjectBase {
  });
  this._securityGroups = [securityGroup];
  }
- this.addToRoleInlinePolicy(new iam.PolicyStatement()
- .addAllResources()
- .addActions(
- 'ec2:CreateNetworkInterface',
- 'ec2:DescribeNetworkInterfaces',
- 'ec2:DeleteNetworkInterface',
- 'ec2:DescribeSubnets',
-  'ec2:DescribeSecurityGroups',
-  'ec2:DescribeDhcpOptions',
-  'ec2:DescribeVpcs'
- ));
- this.addToRolePolicy(new iam.PolicyStatement()
- .addResource(`arn:aws:ec2:${Aws.region}:${Aws.accountId}:network-interface/*`)
- .addCondition('StringEquals', {
- "ec2:Subnet": props.vpc
- .selectSubnets(props.subnetSelection).subnetIds
- .map(si => `arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/${si}`),
- "ec2:AuthorizedService": "codebuild.amazonaws.com"
- })
-  .addAction('ec2:CreateNetworkInterfacePermission'));
+ this.addToRoleInlinePolicy(new iam.PolicyStatement({
+ resources: ['*'],
+ actions: [
+ 'ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces',
+ 'ec2:DeleteNetworkInterface', 'ec2:DescribeSubnets',
+ 'ec2:DescribeSecurityGroups', 'ec2:DescribeDhcpOptions',
+ 'ec2:DescribeVpcs']
+ }));
+ this.addToRolePolicy(new iam.PolicyStatement({
+ resources: [`arn:aws:ec2:${Aws.region}:${Aws.accountId}:network-interface/*`],
+ actions: ['ec2:CreateNetworkInterfacePermission'],
+  conditions: {
+  StringEquals: {
+  "ec2:Subnet": props.vpc
+  .selectSubnets(props.subnetSelection).subnetIds
+  .map(si => `arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/${si}`),
+ "ec2:AuthorizedService": "codebuild.amazonaws.com"
+ }
+ }
+ }));
  return {
  vpcId: props.vpc.vpcId,
  subnets: props.vpc.selectSubnets(props.subnetSelection).subnetIds,
@@ -1300,12 +1295,10 @@ function extendBuildSpec(buildSpec: any, extend: any) {
 }
 
 function ecrAccessForCodeBuildService(): iam.PolicyStatement {
- return new iam.PolicyStatement()
- .describe('CodeBuild')
- .addServicePrincipal('codebuild.amazonaws.com')
- .addActions(
- 'ecr:GetDownloadUrlForLayer',
- 'ecr:BatchGetImage',
- 'ecr:BatchCheckLayerAvailability'
- );
+ const s = new iam.PolicyStatement({
+ principals: [new iam.ServicePrincipal('codebuild.amazonaws.com')],
+ actions: ['ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage', 'ecr:BatchCheckLayerAvailability'],
+ });
+ s.sid = 'CodeBuild';
+ return s;
 }

packages/@aws-cdk/aws-codebuild/lib/source.ts

@@ -466,9 +466,10 @@ export class CodeCommitSource extends GitBuildSource {
  */
  public _bind(project: Project) {
  // https://docs.aws.amazon.com/codebuild/latest/userguide/setting-up.html
- project.addToRolePolicy(new iam.PolicyStatement()
- .addAction('codecommit:GitPull')
- .addResource(this.repo.repositoryArn));
+ project.addToRolePolicy(new iam.PolicyStatement({
+ actions: ['codecommit:GitPull'],
+ resources: [this.repo.repositoryArn]
+ }));
  }
 
  protected toSourceProperty(): any {

packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts

@@ -151,7 +151,7 @@ export class LambdaDeploymentGroup extends cdk.Resource implements ILambdaDeploy
  assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com')
  });
 
- this.role.attachManagedPolicy('arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda');
+ this.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSCodeDeployRoleForLambda'));
 
  const resource = new CfnDeploymentGroup(this, 'Resource', {
  applicationName: this.application.applicationName,

packages/@aws-cdk/aws-codedeploy/lib/server/deployment-group.ts

@@ -272,7 +272,7 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupBase {
 
  this.role = props.role || new iam.Role(this, 'Role', {
  assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),
- managedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole'],
+ managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSCodeDeployRole')],
  });
 
  this._autoScalingGroups = props.autoScalingGroups || [];