From 888e5a06ca67b6e7438bfcc5923eeb46f55203f1 Mon Sep 17 00:00:00 2001 From: kaizen3031593 <36202692+kaizen3031593@users.noreply.github.com> Date: Fri, 29 Oct 2021 05:28:31 -0400 Subject: [PATCH] chore(iam): make examples compile (#17195) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-iam/README.md | 58 ++++++++++--------- .../aws-iam/lib/permissions-boundary.ts | 8 +-- .../aws-iam/rosetta/default.ts-fixture | 13 ++--- 3 files changed, 40 insertions(+), 39 deletions(-) diff --git a/packages/@aws-cdk/aws-iam/README.md b/packages/@aws-cdk/aws-iam/README.md index b54a0bff34fc4..a81b25d53e6ba 100644 --- a/packages/@aws-cdk/aws-iam/README.md +++ b/packages/@aws-cdk/aws-iam/README.md @@ -30,8 +30,8 @@ Managed policies can be attached using `xxx.addManagedPolicy(ManagedPolicy.fromA Many of the AWS CDK resources have `grant*` methods that allow you to grant other resources access to that resource. As an example, the following code gives a Lambda function write permissions (Put, Update, Delete) to a DynamoDB table. ```ts -const fn = new lambda.Function(this, 'Function', functionProps); -const table = new dynamodb.Table(this, 'Table', tableProps); +declare const fn: lambda.Function; +declare const table: dynamodb.Table; table.grantWriteData(fn); ``` @@ -39,8 +39,8 @@ table.grantWriteData(fn); The more generic `grant` method allows you to give specific permissions to a resource: ```ts -const fn = new lambda.Function(this, 'Function', functionProps); -const table = new dynamodb.Table(this, 'Table', tableProps); +declare const fn: lambda.Function; +declare const table: dynamodb.Table; table.grant(fn, 'dynamodb:PutItem'); ``` @@ -186,7 +186,7 @@ const role = new iam.Role(this, 'MyRole', { assumedBy: new iam.CompositePrincipal( new iam.ServicePrincipal('ec2.amazonaws.com'), new iam.AccountPrincipal('1818188181818187272') - ) + ), }); ``` 
@@ -212,7 +212,7 @@ Cognito, Amazon, Google or Facebook, for example: const principal = new iam.WebIdentityPrincipal('cognito-identity.amazonaws.com') .withConditions({ "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-2:12345678-abcd-abcd-abcd-123456" }, - "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"} + "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated" }, }); ``` @@ -256,11 +256,11 @@ const customPolicyDocument = iam.PolicyDocument.fromJson(policyDocument); // You can pass this document as an initial document to a ManagedPolicy // or inline Policy. -const newManagedPolicy = new ManagedPolicy(stack, 'MyNewManagedPolicy', { - document: customPolicyDocument +const newManagedPolicy = new iam.ManagedPolicy(this, 'MyNewManagedPolicy', { + document: customPolicyDocument, }); -const newPolicy = new Policy(stack, 'MyNewPolicy', { - document: customPolicyDocument +const newPolicy = new iam.Policy(this, 'MyNewPolicy', { + document: customPolicyDocument, }); ``` @@ -296,15 +296,18 @@ const boundary2 = new iam.ManagedPolicy(this, 'Boundary2', { }); // Directly apply the boundary to a Role you create +declare const role: iam.Role; iam.PermissionsBoundary.of(role).apply(boundary); // Apply the boundary to an Role that was implicitly created for you -iam.PermissionsBoundary.of(lambdaFunction).apply(boundary); +declare const fn: lambda.Function; +iam.PermissionsBoundary.of(fn).apply(boundary); // Apply the boundary to all Roles in a stack -iam.PermissionsBoundary.of(stack).apply(boundary); +iam.PermissionsBoundary.of(this).apply(boundary); // Remove a Permissions Boundary that is inherited, for example from the Stack level +declare const customResource: CustomResource; iam.PermissionsBoundary.of(customResource).clear(); ``` 
@@ -347,10 +350,13 @@ pool](https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html) you can reference the provider's ARN as follows: ```ts +import * as cognito from '@aws-cdk/aws-cognito'; + +declare const myProvider: iam.OpenIdConnectProvider; new cognito.CfnIdentityPool(this, 'IdentityPool', { openIdConnectProviderArns: [myProvider.openIdConnectProviderArn], // And the other properties for your identity pool - allowUnauthenticatedIdentities, + allowUnauthenticatedIdentities: false, }); ``` @@ -359,7 +365,7 @@ The `OpenIdConnectPrincipal` class can be used as a principal used with a `OpenI ```ts const provider = new iam.OpenIdConnectProvider(this, 'MyProvider', { url: 'https://openid/connect', - clientIds: [ 'myclient1', 'myclient2' ] + clientIds: [ 'myclient1', 'myclient2' ], }); const principal = new iam.OpenIdConnectPrincipal(provider); ``` @@ -410,25 +416,25 @@ new iam.Role(this, 'Role', { IAM manages users for your AWS account. To create a new user: ```ts -const user = new User(this, 'MyUser'); +const user = new iam.User(this, 'MyUser'); ``` To import an existing user by name [with path](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names): ```ts -const user = User.fromUserName(stack, 'MyImportedUserByName', 'johnsmith'); +const user = iam.User.fromUserName(this, 'MyImportedUserByName', 'johnsmith'); ``` To import an existing user by ARN: ```ts -const user = User.fromUserArn(this, 'MyImportedUserByArn', 'arn:aws:iam::123456789012:user/johnsmith'); +const user = iam.User.fromUserArn(this, 'MyImportedUserByArn', 'arn:aws:iam::123456789012:user/johnsmith'); ``` To import an existing user by attributes: ```ts -const user = User.fromUserAttributes(stack, 'MyImportedUserByAttributes', { +const user = iam.User.fromUserAttributes(this, 'MyImportedUserByAttributes', { userArn: 'arn:aws:iam::123456789012:user/johnsmith', }); ``` 
@@ -436,8 +442,8 @@ const user = User.fromUserAttributes(stack, 'MyImportedUserByAttributes', { To add a user to a group (both for a new and imported user/group): ```ts -const user = new User(this, 'MyUser'); // or User.fromUserName(stack, 'User', 'johnsmith'); -const group = new Group(this, 'MyGroup'); // or Group.fromGroupArn(stack, 'Group', 'arn:aws:iam::account-id:group/group-name'); +const user = new iam.User(this, 'MyUser'); // or User.fromUserName(stack, 'User', 'johnsmith'); +const group = new iam.Group(this, 'MyGroup'); // or Group.fromGroupArn(stack, 'Group', 'arn:aws:iam::account-id:group/group-name'); user.addToGroup(group); // or @@ -447,9 +453,9 @@ group.addUser(user); ## Features - * Policy name uniqueness is enforced. If two policies by the same name are attached to the same - principal, the attachment will fail. - * Policy names are not required - the CDK logical ID will be used and ensured to be unique. - * Policies are validated during synthesis to ensure that they have actions, and that policies - attached to IAM principals specify relevant resources, while policies attached to resources - specify which IAM principals they apply to. + * Policy name uniqueness is enforced. If two policies by the same name are attached to the same + principal, the attachment will fail. + * Policy names are not required - the CDK logical ID will be used and ensured to be unique. + * Policies are validated during synthesis to ensure that they have actions, and that policies + attached to IAM principals specify relevant resources, while policies attached to resources + specify which IAM principals they apply to. diff --git a/packages/@aws-cdk/aws-iam/lib/permissions-boundary.ts b/packages/@aws-cdk/aws-iam/lib/permissions-boundary.ts index c1a3dde69a026..5084caf9fe4fc 100644 --- a/packages/@aws-cdk/aws-iam/lib/permissions-boundary.ts +++ b/packages/@aws-cdk/aws-iam/lib/permissions-boundary.ts 
@@ -6,10 +6,10 @@ import { IManagedPolicy } from './managed-policy';
 /**
  * Modify the Permissions Boundaries of Users and Roles in a construct tree
  *
- * @example
- *
- * const policy = ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess');
- * PermissionsBoundary.of(stack).apply(policy);
+ * ```ts
+ * const policy = iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess');
+ * iam.PermissionsBoundary.of(this).apply(policy);
+ * ```
  */
 export class PermissionsBoundary {
 /**
diff --git a/packages/@aws-cdk/aws-iam/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-iam/rosetta/default.ts-fixture
index a76493f53c694..a27f557ccf250 100644
--- a/packages/@aws-cdk/aws-iam/rosetta/default.ts-fixture
+++ b/packages/@aws-cdk/aws-iam/rosetta/default.ts-fixture
@@ -1,17 +1,12 @@
-import { Construct } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CustomResource, Stack } from '@aws-cdk/core';
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
-import * as cognito from '@aws-cdk/aws-cognito';
 import * as dynamodb from '@aws-cdk/aws-dynamodb';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as iam from '@aws-cdk/aws-iam';
 
-declare const allowUnauthenticatedIdentities: boolean;
-declare const functionProps: lambda.FunctionProps;
-declare const myProvider: iam.OpenIdConnectProvider;
-declare const tableProps: dynamodb.TableProps;
-
-class fixture$construct extends Construct {
-  public constructor(scope: Construct, id: string) {
+class Fixture extends Stack {
+  constructor(scope: Construct, id: string) {
 super(scope, id);
 /// here
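Review bot: The rewritten class comment on PermissionsBoundary drops the `@example` tag in favour of a bare ```ts fence, so documentation tooling that keys on the tag may no longer treat the snippet as an example; keeping ` * @example` on the line above the fence costs nothing. The snippet now also depends on `iam` and `this` being supplied by the rosetta fixture (this commit turns the fixture into a `Stack`), which a reader of this source file cannot see, so a one-line lead-in such as ` * Apply a boundary to every Role and User beneath a construct scope (here the Stack):` would make it self-explanatory. It would further help to state in the comment that a permissions boundary only caps the effective permissions of the principals it is applied to and never grants anything, so `ReadOnlyAccess` applied at stack scope limits every role in that stack to read-only at most. The PermissionsBoundary class body continues outside the hunk.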