1 | import * as iam from '@aws-cdk/aws-iam';
2 | import { Construct } from 'constructs';
3 | /**
|
4 | * Construction properties for UntrustedCodeBoundaryPolicy
|
5 | */
|
6 | export interface UntrustedCodeBoundaryPolicyProps {
|
7 | /**
|
8 | * The name of the managed policy.
|
9 | *
|
10 | * @default - A name is automatically generated.
|
11 | */
|
12 | readonly managedPolicyName?: string;
|
13 | /**
|
14 | * Additional statements to add to the default set of statements
|
15 | *
|
16 | * @default - No additional statements
|
17 | */
|
18 | readonly additionalStatements?: iam.PolicyStatement[];
|
19 | }
/**
 * Permissions Boundary for a CodeBuild Project running untrusted code
 *
 * This class is a Policy, intended to be used as a Permissions Boundary
 * for a CodeBuild project. It allows most of the actions necessary to run
 * the CodeBuild project, but disallows reading from Parameter Store
 * and Secrets Manager.
 *
 * Use this when your CodeBuild project is running untrusted code (for
 * example, if you are using one to automatically build Pull Requests
 * that anyone can submit), and you want to prevent your future self
 * from accidentally exposing Secrets to this build.
 *
 * (The reason you might want to do this is because otherwise anyone
 * who can submit a Pull Request to your project can write a script
 * to email those secrets to themselves).
 *
 * Two things to keep in mind when relying on this boundary:
 *
 * - A Permissions Boundary only caps the permissions of the role it is
 *   attached to; it grants nothing by itself, so the project's role still
 *   needs its regular policies for the build to work, and the effective
 *   permissions are the intersection of those policies and this boundary.
 * - The boundary constrains IAM API calls made with the role's credentials.
 *   It does not protect secret material that reaches the build by another
 *   path, such as plaintext environment variables configured on the project
 *   or values checked into the source being built.
 *
 * @example
 *
 * declare const project: codebuild.Project;
 * iam.PermissionsBoundary.of(project).apply(new codebuild.UntrustedCodeBoundaryPolicy(this, 'Boundary'));
 */
export declare class UntrustedCodeBoundaryPolicy extends iam.ManagedPolicy {
  /**
   * @param scope the construct scope in which to define the managed policy
   * @param id the scoped construct ID
   * @param props optional construction properties (policy name and additional
   *   statements); see `UntrustedCodeBoundaryPolicyProps`
   */
  constructor(scope: Construct, id: string, props?: UntrustedCodeBoundaryPolicyProps);
}