fix(iam): fix managed policies for User (#3221)

Fix adding managed policies to a User upon creation. Rename the property for `Group`s. Fixes #2557. BREAKING CHANGE: `aws-iam.User` and `Group`: `managedPolicyArns` => `managedPolicies`.
aws · Jul 6, 2019 · ec1c5b7 · ec1c5b7
1 parent d60d673
commit ec1c5b7
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 12 deletions.
diff --git a/allowed-breaking-changes.txt b/allowed-breaking-changes.txt
@@ -8,3 +8,5 @@ removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationLoadBalancer.metricIPv6Pr
 removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationLoadBalancer.metricIPv6RequestCount
 removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationTargetGroup.metricIPv6RequestCount
 removed:@aws-cdk/core.Fn.getAZs
+removed:@aws-cdk/aws-iam.UserProps.managedPolicyArns
+removed:@aws-cdk/aws-iam.GroupProps.managedPolicyArns
diff --git a/packages/@aws-cdk/aws-iam/lib/group.ts b/packages/@aws-cdk/aws-iam/lib/group.ts
@@ -40,11 +40,13 @@ export interface GroupProps {
  readonly groupName?: string;
 
  /**
- * A list of ARNs for managed policies associated with group.
+ * A list managed policies associated with this role.
+ *
+ * You can add managed policies later using `attachManagedPolicy(policy)`.
  *
  * @default - No managed policies.
  */
- readonly managedPolicyArns?: any[];
+ readonly managedPolicies?: IManagedPolicy[];
 
  /**
  * The path to the group. For more information about paths, see [IAM
@@ -130,7 +132,7 @@ export class Group extends GroupBase {
  physicalName: props.groupName,
  });
 
- this.managedPolicies.push(...props.managedPolicyArns || []);
+ this.managedPolicies.push(...props.managedPolicies || []);
 
  const group = new CfnGroup(this, 'Resource', {
  groupName: this.physicalName,

diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -30,7 +30,8 @@ export interface RoleProps {
  readonly externalId?: string;
 
  /**
- * A list of ARNs for managed policies associated with this role.
+ * A list of managed policies associated with this role.
+ *
  * You can add managed policies later using `attachManagedPolicy(arn)`.
  *
  * @default - No managed policies.

diff --git a/packages/@aws-cdk/aws-iam/lib/user.ts b/packages/@aws-cdk/aws-iam/lib/user.ts
@@ -24,12 +24,13 @@ export interface UserProps {
  readonly groups?: IGroup[];
 
  /**
- * A list of ARNs for managed policies attacherd to this user.
- * You can use `addManagedPolicy(arn)` to attach a managed policy to this user.
+ * A list managed policies associated with this role.
+ *
+ * You can add managed policies later using `attachManagedPolicy(policy)`.
  *
  * @default - No managed policies.
  */
- readonly managedPolicyArns?: any[];
+ readonly managedPolicies?: IManagedPolicy[];
 
  /**
  * The path for the user name. For more information about paths, see IAM
@@ -108,6 +109,8 @@ export class User extends Resource implements IIdentity {
  physicalName: props.userName,
  });
 
+ this.managedPolicies.push(...props.managedPolicies || []);
+
  const user = new CfnUser(this, 'Resource', {
  userName: this.physicalName,
  groups: undefinedIfEmpty(() => this.groups),

diff --git a/packages/@aws-cdk/aws-iam/test/test.group.ts b/packages/@aws-cdk/aws-iam/test/test.group.ts
@@ -1,7 +1,7 @@
-import { expect } from '@aws-cdk/assert';
+import { expect, haveResource } from '@aws-cdk/assert';
 import { App, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { Group, User } from '../lib';
+import { Group, ManagedPolicy, User } from '../lib';
 
 export = {
  'default group'(test: Test) {
@@ -35,4 +35,23 @@ export = {
  Properties: { Groups: [ { Ref: 'MyGroupCBA54B1B' } ] } } } });
  test.done();
  },
+
+ 'create with managed policy'(test: Test) {
+ // GIVEN
+ const stack = new Stack();
+
+ // WHEN
+ new Group(stack, 'MyGroup', {
+ managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')]
+ });
+
+ // THEN
+ expect(stack).to(haveResource('AWS::IAM::Group', {
+ ManagedPolicyArns: [
+ { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
+ ]
+ }));
+
+ test.done();
+ }
 };
diff --git a/packages/@aws-cdk/aws-iam/test/test.role.ts b/packages/@aws-cdk/aws-iam/test/test.role.ts
@@ -288,5 +288,6 @@ export = {
  Roles: [ "MyRole" ]
  }));
  test.done();
- }
+ },
+
 };
diff --git a/packages/@aws-cdk/aws-iam/test/test.user.ts b/packages/@aws-cdk/aws-iam/test/test.user.ts
@@ -1,7 +1,7 @@
-import { expect } from '@aws-cdk/assert';
+import { expect, haveResource } from '@aws-cdk/assert';
 import { App, SecretValue, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { User } from '../lib';
+import { ManagedPolicy, User } from '../lib';
 
 export = {
  'default user'(test: Test) {
@@ -32,6 +32,26 @@ export = {
  const app = new App();
  const stack = new Stack(app, 'MyStack');
  test.throws(() => new User(stack, 'MyUser', { passwordResetRequired: true }));
+ test.done();
+ },
+
+ 'create with managed policy'(test: Test) {
+ // GIVEN
+ const app = new App();
+ const stack = new Stack(app, 'MyStack');
+
+ // WHEN
+ new User(stack, 'MyUser', {
+ managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')]
+ });
+
+ // THEN
+ expect(stack).to(haveResource('AWS::IAM::User', {
+ ManagedPolicyArns: [
+ { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
+ ]
+ }));
+
  test.done();
  }
 };