-
Notifications
You must be signed in to change notification settings - Fork 4.5k
Expand file tree
/
Copy pathimported-role.ts
More file actions
142 lines (128 loc) · 5.31 KB
/
imported-role.ts
File metadata and controls
142 lines (128 loc) · 5.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
import { Construct } from 'constructs';
import { MAX_POLICY_NAME_LEN } from './util';
import { Annotations, FeatureFlags, Names, Resource, Token, TokenComparison } from '../../../core';
import { addConstructMetadata, MethodMetadata } from '../../../core/lib/metadata-resource';
import { propertyInjectable } from '../../../core/lib/prop-injectable';
import { IAM_IMPORTED_ROLE_STACK_SAFE_DEFAULT_POLICY_NAME } from '../../../cx-api';
import { Grant } from '../grant';
import { RoleReference } from '../iam.generated';
import { IManagedPolicy, ManagedPolicy } from '../managed-policy';
import { Policy } from '../policy';
import { PolicyStatement } from '../policy-statement';
import {
AddToPrincipalPolicyResult,
ArnPrincipal,
IComparablePrincipal,
IPrincipal,
PrincipalPolicyFragment,
} from '../principals';
import { FromRoleArnOptions, IRole } from '../role';
import { AttachedPolicies } from '../util';
export interface ImportedRoleProps extends FromRoleArnOptions {
readonly roleArn: string;
readonly roleName: string;
readonly account?: string;
}
@propertyInjectable
export class ImportedRole extends Resource implements IRole, IComparablePrincipal {
/** Uniquely identifies this class. */
public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-iam.ImportedRole';
public readonly grantPrincipal: IPrincipal = this;
public readonly principalAccount?: string;
public readonly assumeRoleAction: string = 'sts:AssumeRole';
public readonly policyFragment: PrincipalPolicyFragment;
public readonly roleArn: string;
public readonly roleName: string;
private readonly attachedPolicies = new AttachedPolicies();
private readonly defaultPolicyName?: string;
private defaultPolicy?: Policy;
constructor(scope: Construct, id: string, props: ImportedRoleProps) {
super(scope, id, {
account: props.account,
});
// Enhanced CDK Analytics Telemetry
addConstructMetadata(this, props);
this.roleArn = props.roleArn;
this.roleName = props.roleName;
this.policyFragment = new ArnPrincipal(this.roleArn).policyFragment;
this.defaultPolicyName = props.defaultPolicyName;
this.principalAccount = props.account;
}
public get roleRef(): RoleReference {
return {
roleName: this.roleName,
roleArn: this.roleArn,
};
}
@MethodMetadata()
public addToPolicy(statement: PolicyStatement): boolean {
return this.addToPrincipalPolicy(statement).statementAdded;
}
@MethodMetadata()
public addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult {
if (!this.defaultPolicy) {
const useUniqueName = FeatureFlags.of(this).isEnabled(IAM_IMPORTED_ROLE_STACK_SAFE_DEFAULT_POLICY_NAME);
// To preserve existing policy names, use Names.uniqueResourceName() only when exceeding the limit of policy names
// See https://github.com/aws/aws-cdk/pull/27548 for more
const prefix = 'Policy';
let defaultDefaultPolicyName = useUniqueName
? `${prefix}${Names.uniqueId(this)}`
: prefix;
if (defaultDefaultPolicyName.length > MAX_POLICY_NAME_LEN) {
defaultDefaultPolicyName = `${prefix}${Names.uniqueResourceName(this, { maxLength: MAX_POLICY_NAME_LEN - prefix.length })}`;
}
const policyName = this.defaultPolicyName ?? defaultDefaultPolicyName;
this.defaultPolicy = new Policy(this, policyName, useUniqueName ? { policyName } : undefined);
this.attachInlinePolicy(this.defaultPolicy);
}
this.defaultPolicy.addStatements(statement);
return { statementAdded: true, policyDependable: this.defaultPolicy };
}
@MethodMetadata()
public attachInlinePolicy(policy: Policy): void {
const thisAndPolicyAccountComparison = Token.compareStrings(this.env.account, policy.env.account);
const equalOrAnyUnresolved = thisAndPolicyAccountComparison === TokenComparison.SAME ||
thisAndPolicyAccountComparison === TokenComparison.BOTH_UNRESOLVED ||
thisAndPolicyAccountComparison === TokenComparison.ONE_UNRESOLVED;
if (equalOrAnyUnresolved) {
this.attachedPolicies.attach(policy);
policy.attachToRole(this);
}
}
@MethodMetadata()
public addManagedPolicy(policy: IManagedPolicy): void {
// Using "Type Predicate" to confirm x is ManagedPolicy, which allows to avoid
// using try ... catch and throw error.
const isManagedPolicy = (x: IManagedPolicy): x is ManagedPolicy => {
return (x as ManagedPolicy).attachToRole !== undefined;
};
if (isManagedPolicy(policy)) {
policy.attachToRole(this);
} else {
Annotations.of(this).addWarningV2(
'@aws-cdk/aws-iam:IRoleCantBeUsedWithIManagedPolicy',
`Can\'t combine imported IManagedPolicy: ${policy.managedPolicyArn} to imported role IRole: ${this.roleName}. Use ManagedPolicy directly.`,
);
}
}
@MethodMetadata()
public grantPassRole(identity: IPrincipal): Grant {
return this.grant(identity, 'iam:PassRole');
}
@MethodMetadata()
public grantAssumeRole(identity: IPrincipal): Grant {
return this.grant(identity, 'sts:AssumeRole');
}
@MethodMetadata()
public grant(grantee: IPrincipal, ...actions: string[]): Grant {
return Grant.addToPrincipal({
grantee,
actions,
resourceArns: [this.roleArn],
});
}
@MethodMetadata()
public dedupeString(): string | undefined {
return `ImportedRole:${this.roleArn}`;
}
}