feat(iam): SAML identity provider (#13393)
L2 for [`AWS::IAM::SAMLProvider`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html). Also add derived classes for federated principals. Closes #5320 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Showing
10 changed files
with
473 additions
and
1 deletion.
@@ -0,0 +1,100 @@ | ||
import * as fs from 'fs'; | ||
import { IResource, Resource, Token } from '@aws-cdk/core'; | ||
import { Construct } from 'constructs'; | ||
import { CfnSAMLProvider } from './iam.generated'; | ||
|
||
/** | ||
* A SAML provider | ||
*/ | ||
export interface ISamlProvider extends IResource { | ||
/** | ||
* The Amazon Resource Name (ARN) of the provider | ||
* | ||
* @attribute | ||
*/ | ||
readonly samlProviderArn: string; | ||
} | ||
|
||
/** | ||
* Properties for a SAML provider | ||
*/ | ||
export interface SamlProviderProps { | ||
/** | ||
* The name of the provider to create. | ||
* | ||
* This parameter allows a string of characters consisting of upper and | ||
* lowercase alphanumeric characters with no spaces. You can also include | ||
* any of the following characters: _+=,.@- | ||
* | ||
* Length must be between 1 and 128 characters. | ||
* | ||
* @default - a CloudFormation generated name | ||
*/ | ||
readonly name?: string; | ||
|
||
/** | ||
* An XML document generated by an identity provider (IdP) that supports | ||
* SAML 2.0. The document includes the issuer's name, expiration information, | ||
* and keys that can be used to validate the SAML authentication response | ||
* (assertions) that are received from the IdP. You must generate the metadata | ||
* document using the identity management software that is used as your | ||
* organization's IdP. | ||
*/ | ||
readonly metadataDocument: SamlMetadataDocument; | ||
} | ||
|
||
/** | ||
* A SAML metadata document | ||
*/ | ||
export abstract class SamlMetadataDocument { | ||
/** | ||
* Create a SAML metadata document from a XML string | ||
*/ | ||
public static fromXml(xml: string): SamlMetadataDocument { | ||
return { xml }; | ||
} | ||
|
||
/** | ||
* Create a SAML metadata document from a XML file | ||
*/ | ||
public static fromFile(path: string): SamlMetadataDocument { | ||
return { xml: fs.readFileSync(path, 'utf-8') }; | ||
} | ||
|
||
/** | ||
* The XML content of the metadata document | ||
*/ | ||
public abstract readonly xml: string; | ||
} | ||
|
||
/** | ||
* A SAML provider | ||
*/ | ||
export class SamlProvider extends Resource implements ISamlProvider { | ||
/** | ||
* Import an existing provider | ||
*/ | ||
public static fromSamlProviderArn(scope: Construct, id: string, samlProviderArn: string): ISamlProvider { | ||
class Import extends Resource implements ISamlProvider { | ||
public readonly samlProviderArn = samlProviderArn; | ||
} | ||
return new Import(scope, id); | ||
} | ||
|
||
public readonly samlProviderArn: string; | ||
|
||
constructor(scope: Construct, id: string, props: SamlProviderProps) { | ||
super(scope, id); | ||
|
||
if (props.name && !Token.isUnresolved(props.name) && !/^[\w+=,.@-]{1,128}$/.test(props.name)) { | ||
throw new Error('Invalid SAML provider name. The name must be a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. Length must be between 1 and 128 characters.'); | ||
} | ||
|
||
const samlProvider = new CfnSAMLProvider(this, 'Resource', { | ||
name: this.physicalName, | ||
samlMetadataDocument: props.metadataDocument.xml, | ||
}); | ||
|
||
this.samlProviderArn = samlProvider.ref; | ||
} | ||
} |
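Review bot: The `name` prop is validated at `if (props.name && !Token.isUnresolved(props.name) && ...)` but never applied: the constructor calls the bare `super(scope, id)`, so the `name: this.physicalName` handed to `CfnSAMLProvider` has nothing from `props.name` to carry and, as far as this hunk shows, the provider always receives a CloudFormation-generated name, which contradicts the `@default - a CloudFormation generated name` contract on `SamlProviderProps.name`. Because the provider name is the trailing segment of the SAML provider ARN that role trust policies and the IdP's relying-party configuration refer to, a caller who sets `name` to match an existing federation setup silently ends up with a different ARN and no error. The fix is to replace `super(scope, id);` with `super(scope, id, { physicalName: props.name });`. The integ test added in this commit never sets `name`, so its snapshot would not surface this; a unit test asserting the `Name` property of the synthesized `AWS::IAM::SAMLProvider` would.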
34 changes: 34 additions & 0 deletions
packages/@aws-cdk/aws-iam/test/integ.saml-provider.expected.json
@@ -0,0 +1,22 @@ | ||
import * as path from 'path'; | ||
import { App, Stack, StackProps } from '@aws-cdk/core'; | ||
import { Construct } from 'constructs'; | ||
import * as iam from '../lib'; | ||
|
||
class TestStack extends Stack { | ||
constructor(scope: Construct, id: string, props?: StackProps) { | ||
super(scope, id, props); | ||
|
||
const provider = new iam.SamlProvider(this, 'Provider', { | ||
metadataDocument: iam.SamlMetadataDocument.fromFile(path.join(__dirname, 'saml-metadata-document.xml')), | ||
}); | ||
|
||
new iam.Role(this, 'Role', { | ||
assumedBy: new iam.SamlConsolePrincipal(provider), | ||
}); | ||
} | ||
} | ||
|
||
const app = new App(); | ||
new TestStack(app, 'cdk-saml-provider'); | ||
app.synth(); |