Skip to content

Commit

Permalink
feat(iam): add convenience method inOrganization to ArnPrincipal (#…
Browse files Browse the repository at this point in the history
…20109)

Add a convenience method to ArnPrincipal. ArnPrincipal is extended by AccountPrincipal and AnyPrincipal, which are the only principals that could reasonably want to add a condition on organization.

```ts
new AccountPrincipal('123456789012').inOrganization('o-xxxxxxxxxx');
```

Related: #19975 (comment). With this method, the API in #19975 will look like:

```ts
fn.grantInvoke(new AccountPrincipal('123456789012').inOrganization('o-xxxxxxxxxx');
```  

Which is really slick!

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
kaizencc authored Apr 28, 2022
1 parent f832227 commit c545bfe
Show file tree
Hide file tree
Showing 2 changed files with 62 additions and 1 deletion.
14 changes: 13 additions & 1 deletion packages/@aws-cdk/aws-iam/lib/principals.ts
Original file line number Diff line number Diff line change
Expand Up @@ -368,6 +368,18 @@ export class ArnPrincipal extends PrincipalBase {
public toString() {
return `ArnPrincipal(${this.arn})`;
}

/**
* A convenience method for adding a condition that the principal is part of the specified
* AWS Organization.
*/
public inOrganization(organizationId: string) {
return this.withConditions({
StringEquals: {
'aws:PrincipalOrgID': organizationId,
},
});
}
}

/**
Expand Down Expand Up @@ -397,7 +409,7 @@ export interface ServicePrincipalOpts {
/**
* The region in which the service is operating.
*
* @default the current Stack's region.
* @default - the current Stack's region.
* @deprecated You should not need to set this. The stack's region is always correct.
*/
readonly region?: string;
Expand Down
49 changes: 49 additions & 0 deletions packages/@aws-cdk/aws-iam/test/principals.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -245,6 +245,55 @@ test('PrincipalWithConditions inherits principalAccount from AccountPrincipal ',
expect(principalWithConditions.principalAccount).toStrictEqual('123456789012');
});

test('AccountPrincipal can specify an organization', () => {
// GIVEN
const stack = new Stack();

// WHEN
const pol = new iam.PolicyDocument({
statements: [
new iam.PolicyStatement({
actions: ['service:action'],
resources: ['*'],
principals: [
new iam.AccountPrincipal('123456789012').inOrganization('o-xxxxxxxxxx'),
],
}),
],
});

// THEN
expect(stack.resolve(pol)).toEqual({
Statement: [
{
Action: 'service:action',
Effect: 'Allow',
Principal: {
AWS: {
'Fn::Join': [
'',
[
'arn:',
{
Ref: 'AWS::Partition',
},
':iam::123456789012:root',
],
],
},
},
Condition: {
StringEquals: {
'aws:PrincipalOrgID': 'o-xxxxxxxxxx',
},
},
Resource: '*',
},
],
Version: '2012-10-17',
});
});

test('ServicePrincipal in agnostic stack generates lookup table', () => {
// GIVEN
const stack = new Stack();
Expand Down

0 comments on commit c545bfe

Please sign in to comment.