feat: Implement CodeArtifact L2 construct

packages/@aws-cdk/aws-codeartifact/README.md

@@ -9,12 +9,130 @@
 >
 > [CFN Resources]: https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib
 
+![cdk-constructs: Experimental](https://img.shields.io/badge/cdk--constructs-experimental-important.svg?style=for-the-badge)
+
+> The APIs of higher level constructs in this module are experimental and under active development.
+> They are subject to non-backward compatible changes or removal in any future version. These are
+> not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be
+> announced in the release notes. This means that while you may use them, you may need to update
+> your source code when upgrading to a newer version of this package.
+
 ---
 
 <!--END STABILITY BANNER-->
 
-This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
+CodeArtifact is a fully managed artifact repository service that makes it easy for organizations to securely store and share software packages used for application development. You can use CodeArtifact with popular build tools and package managers such as **Maven**, **Gradle**, **npm**, **yarn**, **pip**, and **twine**.
+
+For further information on CodeCommit, see the [AWS CodeArtifact documentation](https://docs.aws.amazon.com/codeartifact).
+
+Add a CodeArtifact Domain to your stack:
 
 ```ts
-import codeartifact = require('@aws-cdk/aws-codeartifact');
+import * as codeartifact from '@aws-cdk/aws-codeartifact';
+
+const domain = new codeartifact.Domain(stack, 'domain', { domainName: 'example-domain' });
+```
+
+Add a CodeArtifact Repository to your stack:
+
+```ts
+import * as codeartifact from '@aws-cdk/aws-codeartifact';
+
+const domain = new codeartifact.Domain(stack, 'domain', { domainName: 'example-domain' });
+const repository = new codeartifact.Repository(stack, 'repository', {
+    repositoryName: 'repository',
+    domain: domain,
+});
+```
+
+It is possible to use the `addRepository` method on `codeartifact.Domain` to add repostories implicitly.
+
+```ts
+import * as codeartifact from '@aws-cdk/aws-codeartifact';
+
+const domain = new codeartifact.Domain(stack, 'domain', { domainName: 'example-domain' });
+const repo1 = new codeartifact.Repository(stack, 'repository_1', { repositoryName: 'repository-1' });
+const repo2 = new codeartifact.Repository(stack, 'repository_2', { repositoryName: 'repository-2' });
+
+domain.addRepositories(repo1, repo2);
+
+```
+
+## External Connections
+
+Extenal connections can be added by calling `.withExternalConnections(...)` method on a repository. It accepts and
+array of external connecitions. You can also pass the external connections when creating a repository by setting the
+`externalConnections` property.
+
+Add an external connection when constructing a new repository
+
+```ts
+import * as codeartifact from '@aws-cdk/aws-codeartifact';
+
+const domain = new codeartifact.Domain(stack, 'domain', { domainName: 'example-domain' });
+const repository = new codeartifact.Repository(stack, 'repository', {
+    repositoryName: 'repository',
+    domain: domain,
+    externalConnections: [codeartifact.ExternalConnection.NPM]
+});
+```
+
+Add an external connection to an existing repository
+
+```ts
+import * as codeartifact from '@aws-cdk/aws-codeartifact';
+
+const domain = new codeartifact.Domain(stack, 'domain', { domainName: 'example-domain' });
+const repository = new codeartifact.Repository(stack, 'repository', {
+    repositoryName: 'repository',
+    domain: domain
+});
+
+
+repository.withExternalConnections(codeartifact.ExternalConnection.NPM);
+```
+
+## Upstream Repositories
+
+Upstream repositories can be added by calling `.withUpstream(...)` method on a repository. It accepts an array of `IRepository`.
+You can also pass the upstream repositories in the `upstreams` property during construction.
+
+Add an upstream when constructing a new repository
+
+```ts
+import * as codeartifact from '@aws-cdk/aws-codeartifact';
+
+const domain = new codeartifact.Domain(stack, 'domain', { domainName: 'example-domain' });
+
+const upstreamRepository = new codeartifact.Repository(stack, 'upstream-repository', {
+    repositoryName: 'upstream-repository',
+    domain: domain,
+});
+
+const repository = new codeartifact.Repository(stack, 'repository', {
+    repositoryName: 'repository',
+    domain: domain,
+    upstreams: [upstreamRepository]
+});
+```
+
+Add an upstream to an existing repository
+
+```ts
+import * as codeartifact from '@aws-cdk/aws-codeartifact';
+
+const domain = new codeartifact.Domain(stack, 'domain', { domainName: 'example-domain' });
+
+const upstreamRepository = new codeartifact.Repository(stack, 'upstream-repository', {
+    repositoryName: 'upstream-repository',
+    domain: domain,
+});
+
+const repository = new codeartifact.Repository(stack, 'repository', {
+    repositoryName: 'repository',
+    domain: domain
+});
+
+
+repository.withUpstream(upstreamRepository);
 ```

packages/@aws-cdk/aws-codeartifact/lib/domain.ts

@@ -0,0 +1,202 @@
+import * as iam from '@aws-cdk/aws-iam';
+import * as kms from '@aws-cdk/aws-kms';
+import { Resource, Stack, Lazy, Token } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnDomain } from './codeartifact.generated';
+import { IDomain, IRepository, DomainAttributes } from './interfaces';
+import { DOMAIN_CREATE_ACTIONS, DOMAIN_LOGIN_ACTIONS, DOMAIN_READ_ACTIONS } from './perms';
+import { validate } from './validation';
+
+/**
+ * Properties for a new CodeArtifact domain
+ * @experimental
+ */
+export interface DomainProps {
+  /**
+  * The name of the domain
+  * @default Unique id
+  */
+  readonly domainName?: string;
+
+  /**
+   * The KMS encryption key used for the domain resource.
+   * @default AWS Managed Key
+   * @attribute
+   */
+  readonly domainEncryptionKey?: kms.IKey;
+  /**
+     * Principal for the resource policy for the domain
+     * @default AccountRootPrincipal
+     */
+  readonly principal?: iam.IPrincipal
+
+  /**
+   * Resource policy for the domain
+   * @default Open policy that allows principal to reader, create, and generate authorization token.
+   */
+  readonly policyDocument?: iam.PolicyDocument
+}
+
+/**
+ * A new CodeArtifacft domain
+ * @experimental
+ */
+export class Domain extends Resource implements IDomain {
+  /**
+ * Import an existing domain provided an ARN
+ *
+ * @param scope The parent creating construct
+ * @param id The construct's name
+ * @param domainArn Domain ARN (i.e. arn:aws:codeartifact:us-east-2:444455556666:domain/MyDomain)
+ */
+  public static fromDomainArn(scope: Construct, id: string, domainArn: string): IDomain {
+    return Domain.fromDomainAttributes(scope, id, { domainArn: domainArn });
+  }
+
+  /**
+   * Import an existing domain
+   */
+  public static fromDomainAttributes(scope: Construct, id: string, attrs: DomainAttributes): IDomain {
+    const stack = Stack.of(scope);
+    const domainName = attrs.domainName || stack.parseArn(attrs.domainArn).resourceName;
+
+    if (!domainName || domainName == '') {
+      throw new Error('Domain name is required as a resource name with the ARN');
+    }
+
+    class Import extends Resource implements IDomain {
+      domainArn: string = '';
+      domainName?: string | undefined;
+      domainOwner?: string | undefined;
+      domainEncryptionKey?: kms.IKey | undefined;
+    }
+
+    const instance = new Import(scope, id);
+    instance.domainName = domainName;
+    instance.domainArn = attrs.domainArn;
+    instance.domainEncryptionKey = attrs.domainEncryptionKey;
+
+    return instance;
+  }
+
+  public readonly domainName?: string;
+  public readonly domainNameAttr?: string;
+  public readonly domainArn: string = '';
+  public readonly domainOwner?: string = '';
+  public readonly domainEncryptionKey?: kms.IKey;
+  public readonly policyDocument?: iam.PolicyDocument;
+  private readonly cfnDomain: CfnDomain;
+
+  constructor(scope: Construct, id: string, props?: DomainProps) {
+    super(scope, id);
+
+    // Set domain and encryption key as we will validate them before creation
+    const domainName = props?.domainName ?? this.node.uniqueId;
+    const domainEncryptionKey = props?.domainEncryptionKey ?? null;
+
+    this.validateProps(domainName, domainEncryptionKey);
+
+    // Create the CFN domain instance
+    this.cfnDomain = new CfnDomain(this, 'Resource', {
+      domainName: domainName,
+      permissionsPolicyDocument: Lazy.anyValue({ produce: () => props?.policyDocument?.toJSON() }),
+      encryptionKey: domainEncryptionKey?.keyId,
+    });
+
+    this.domainName = domainName;
+    this.domainNameAttr = this.cfnDomain.attrName;
+    this.domainArn = this.cfnDomain.attrArn;
+    this.domainOwner = this.cfnDomain.attrOwner;
+    this.policyDocument = props?.policyDocument;
+  }
+
+  /**
+   * Add a repositories to the domain
+   */
+  addRepositories(...repositories: IRepository[]): IDomain {
+    if (repositories.length > 0) {
+      repositories.forEach(r => r.assignDomain(this));
+    }
+
+    return this;
+  }
+
+  private validateProps(domainName : string, domainEncryptionKey? : kms.IKey | null) {
+    if (Token.isUnresolved(domainName)) {
+      throw new Error(`'domainName' must resolve, got: '${domainName}'`);
+    }
+
+    validate('DomainName',
+      { required: true, minLength: 2, maxLength: 50, pattern: /[a-z][a-z0-9\-]{0,48}[a-z0-9]/gi, documentationLink: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codeartifact-domain.html#cfn-codeartifact-domain-domainname' },
+      domainName);
+
+    validate('EncryptionKey',
+      { minLength: 1, maxLength: 2048, pattern: /\S+/gi, documentationLink: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codeartifact-domain.html#cfn-codeartifact-domain-encryptionkey' },
+      domainEncryptionKey?.keyArn || '');
+  }
+
+  /**
+   * Adds a statement to the IAM resource policy associated with this domain.
+   */
+  public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult {
+
+    if (!this.policyDocument) {
+      const p = this.policyDocument || new iam.PolicyDocument();
+
+      p.addStatements(statement);
+
+      return { statementAdded: true, policyDependable: p };
+    }
+
+    return { statementAdded: false };
+  }
+
+  private grant(principal: iam.IGrantable, iamActions: string[], resource: string = '*'): iam.Grant {
+    return iam.Grant.addToPrincipalOrResource({
+      grantee: principal,
+      actions: iamActions,
+      resourceArns: [resource],
+      resource: this,
+    });
+  }
+
+  /**
+   * Assign default login, creation, and read for the domain.
+   * @param principal The principal of for the policy
+   * @see https://docs.aws.amazon.com/codeartifact/latest/ug/domain-policies.html#domain-policy-example
+   */
+  grantDefaultPolicy(principal: iam.IPrincipal): iam.Grant {
+    const p = principal;
+    this.grantLogin(p);
+    this.grantCreate(p);
+    return this.grantRead(p);
+  }
+
+  /**
+     * Adds read actions for the principal to the domain's
+     * resource policy
+     * @param principal The principal for the policy
+     * @see https://docs.aws.amazon.com/codeartifact/latest/ug/domain-spolicies.html
+     */
+  public grantRead(principal: iam.IPrincipal): iam.Grant {
+    return this.grant(principal, DOMAIN_READ_ACTIONS);
+  }
+  /**
+     * Adds GetAuthorizationToken for the principal to the domain's
+     * resource policy
+     * @param principal The principal for the policy
+     * @see https://docs.aws.amazon.com/codeartifact/latest/ug/domain-policies.html
+     */
+  public grantLogin(principal: iam.IPrincipal): iam.Grant {
+    return this.grant(principal, DOMAIN_LOGIN_ACTIONS);
+  }
+  /**
+     * Adds CreateRepository for the principal to the domain's
+     * resource policy
+     * @param principal The principal for the policy
+     * @see https://docs.aws.amazon.com/codeartifact/latest/ug/domain-policies.html
+     */
+  public grantCreate(principal: iam.IPrincipal): iam.Grant {
+    return this.grant(principal, DOMAIN_CREATE_ACTIONS);
+  }
+}

packages/@aws-cdk/aws-codeartifact/lib/external-connection.ts

@@ -0,0 +1,35 @@
+/**
+ * CodeArtifact supports an external connection to the following public repositories.
+ * @experimental
+ * @see https://docs.aws.amazon.com/codeartifact/latest/ug/external-connection.html#supported-public-repositories
+ */
+export enum ExternalConnection {
+  /**
+   * NPM public registry
+   */
+  NPM = 'public:npmjs',
+  /**
+   * NuGet.org public registry
+   */
+  DOTNET_NUGETORG = 'public:nuget-org',
+  /**
+   * Python Package Index
+   */
+  PYTHON_PYPI = 'public:pypi',
+  /**
+   * Maven Central
+   */
+  MAVEN_CENTRAL = 'public:maven-central',
+  /**
+   * Google Android repository
+   */
+  MAVEN_GOOGLEANDROID = 'public:maven-googleandroid',
+  /**
+   * Gradle plugins repository
+   */
+  MAVEN_GRADLEPLUGINS = 'public:maven-gradleplugins',
+  /**
+   * CommonsWare Android repository
+   * */
+  MAVEN_COMMONSWARE = 'public:maven-commonsware',
+}

packages/@aws-cdk/aws-codeartifact/lib/index.ts

@@ -1,2 +1,6 @@
 // AWS::CodeArtifact CloudFormation Resources:
 export * from './codeartifact.generated';
+export * from './domain';
+export * from './repository';
+export * from './external-connection';
+export * from './interfaces';