| 1 | import * as iam from '@aws-cdk/aws-iam';
|
| 2 | import { Construct } from 'constructs';
|
| 3 | /**
|
| 4 | * Construction properties for UntrustedCodeBoundaryPolicy
|
| 5 | */
|
| 6 | export interface UntrustedCodeBoundaryPolicyProps {
|
| 7 | /**
|
| 8 | * The name of the managed policy.
|
| 9 | *
|
| 10 | * @default - A name is automatically generated.
|
| 11 | */
|
| 12 | readonly managedPolicyName?: string;
|
| 13 | /**
|
| 14 | * Additional statements to add to the default set of statements
|
| 15 | *
|
| 16 | * @default - No additional statements
|
| 17 | */
|
| 18 | readonly additionalStatements?: iam.PolicyStatement[];
|
| 19 | }
|
| 20 | /**
|
| 21 | * Permissions Boundary for a CodeBuild Project running untrusted code
|
| 22 | *
|
| 23 | * This class is a Policy, intended to be used as a Permissions Boundary
|
| 24 | * for a CodeBuild project. It allows most of the actions necessary to run
|
| 25 | * the CodeBuild project, but disallows reading from Parameter Store
|
| 26 | * and Secrets Manager.
|
| 27 | *
|
| 28 | * Use this when your CodeBuild project is running untrusted code (for
|
| 29 | * example, if you are using one to automatically build Pull Requests
|
| 30 | * that anyone can submit), and you want to prevent your future self
|
| 31 | * from accidentally exposing Secrets to this build.
|
| 32 | *
|
| 33 | * (The reason you might want to do this is because otherwise anyone
|
| 34 | * who can submit a Pull Request to your project can write a script
|
| 35 | * to email those secrets to themselves).
|
| 36 | *
|
| 37 | * @example
|
| 38 | *
|
| 39 | * declare const project: codebuild.Project;
|
| 40 | * iam.PermissionsBoundary.of(project).apply(new codebuild.UntrustedCodeBoundaryPolicy(this, 'Boundary'));
|
| 41 | */
|
| 42 | export declare class UntrustedCodeBoundaryPolicy extends iam.ManagedPolicy {
|
| 43 | constructor(scope: Construct, id: string, props?: UntrustedCodeBoundaryPolicyProps);
|
| 44 | }
|