| 1 | import { IResource, Resource } from '@aws-cdk/core';
|
| 2 | import { Construct } from 'constructs';
|
| 3 | import { IGroup } from './group';
|
| 4 | import { PolicyDocument } from './policy-document';
|
| 5 | import { PolicyStatement } from './policy-statement';
|
| 6 | import { IRole } from './role';
|
| 7 | import { IUser } from './user';
|
| 8 | /**
|
| 9 | * Represents an IAM Policy
|
| 10 | *
|
| 11 | * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html
|
| 12 | */
|
| 13 | export interface IPolicy extends IResource {
|
| 14 | /**
|
| 15 | * The name of this policy.
|
| 16 | *
|
| 17 | * @attribute
|
| 18 | */
|
| 19 | readonly policyName: string;
|
| 20 | }
|
| 21 | /**
|
| 22 | * Properties for defining an IAM inline policy document
|
| 23 | */
|
| 24 | export interface PolicyProps {
|
| 25 | /**
|
| 26 | * The name of the policy. If you specify multiple policies for an entity,
|
| 27 | * specify unique names. For example, if you specify a list of policies for
|
| 28 | * an IAM role, each policy must have a unique name.
|
| 29 | *
|
| 30 | * @default - Uses the logical ID of the policy resource, which is ensured
|
| 31 | * to be unique within the stack.
|
| 32 | */
|
| 33 | readonly policyName?: string;
|
| 34 | /**
|
| 35 | * Users to attach this policy to.
|
| 36 | * You can also use `attachToUser(user)` to attach this policy to a user.
|
| 37 | *
|
| 38 | * @default - No users.
|
| 39 | */
|
| 40 | readonly users?: IUser[];
|
| 41 | /**
|
| 42 | * Roles to attach this policy to.
|
| 43 | * You can also use `attachToRole(role)` to attach this policy to a role.
|
| 44 | *
|
| 45 | * @default - No roles.
|
| 46 | */
|
| 47 | readonly roles?: IRole[];
|
| 48 | /**
|
| 49 | * Groups to attach this policy to.
|
| 50 | * You can also use `attachToGroup(group)` to attach this policy to a group.
|
| 51 | *
|
| 52 | * @default - No groups.
|
| 53 | */
|
| 54 | readonly groups?: IGroup[];
|
| 55 | /**
|
| 56 | * Initial set of permissions to add to this policy document.
|
| 57 | * You can also use `addStatements(...statement)` to add permissions later.
|
| 58 | *
|
| 59 | * @default - No statements.
|
| 60 | */
|
| 61 | readonly statements?: PolicyStatement[];
|
| 62 | /**
|
| 63 | * Force creation of an `AWS::IAM::Policy`
|
| 64 | *
|
| 65 | * Unless set to `true`, this `Policy` construct will not materialize to an
|
| 66 | * `AWS::IAM::Policy` CloudFormation resource in case it would have no effect
|
| 67 | * (for example, if it remains unattached to an IAM identity or if it has no
|
| 68 | * statements). This is generally desired behavior, since it prevents
|
| 69 | * creating invalid--and hence undeployable--CloudFormation templates.
|
| 70 | *
|
| 71 | * In cases where you know the policy must be created and it is actually
|
| 72 | * an error if no statements have been added to it, you can set this to `true`.
|
| 73 | *
|
| 74 | * @default false
|
| 75 | */
|
| 76 | readonly force?: boolean;
|
| 77 | /**
|
| 78 | * Initial PolicyDocument to use for this Policy. If omited, any
|
| 79 | * `PolicyStatement` provided in the `statements` property will be applied
|
| 80 | * against the empty default `PolicyDocument`.
|
| 81 | *
|
| 82 | * @default - An empty policy.
|
| 83 | */
|
| 84 | readonly document?: PolicyDocument;
|
| 85 | }
|
| 86 | /**
|
| 87 | * The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles,
|
| 88 | * or groups. For more information about IAM policies, see [Overview of IAM
|
| 89 | * Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html)
|
| 90 | * in the IAM User Guide guide.
|
| 91 | */
|
| 92 | export declare class Policy extends Resource implements IPolicy {
|
| 93 | /**
|
| 94 | * Import a policy in this app based on its name
|
| 95 | */
|
| 96 | static fromPolicyName(scope: Construct, id: string, policyName: string): IPolicy;
|
| 97 | /**
|
| 98 | * The policy document.
|
| 99 | */
|
| 100 | readonly document: PolicyDocument;
|
| 101 | private readonly _policyName;
|
| 102 | private readonly roles;
|
| 103 | private readonly users;
|
| 104 | private readonly groups;
|
| 105 | private readonly force;
|
| 106 | private referenceTaken;
|
| 107 | constructor(scope: Construct, id: string, props?: PolicyProps);
|
| 108 | /**
|
| 109 | * Adds a statement to the policy document.
|
| 110 | */
|
| 111 | addStatements(...statement: PolicyStatement[]): void;
|
| 112 | /**
|
| 113 | * Attaches this policy to a user.
|
| 114 | */
|
| 115 | attachToUser(user: IUser): void;
|
| 116 | /**
|
| 117 | * Attaches this policy to a role.
|
| 118 | */
|
| 119 | attachToRole(role: IRole): void;
|
| 120 | /**
|
| 121 | * Attaches this policy to a group.
|
| 122 | */
|
| 123 | attachToGroup(group: IGroup): void;
|
| 124 | /**
|
| 125 | * The name of this policy.
|
| 126 | *
|
| 127 | * @attribute
|
| 128 | */
|
| 129 | get policyName(): string;
|
| 130 | protected validate(): string[];
|
| 131 | /**
|
| 132 | * Whether the policy resource has been attached to any identity
|
| 133 | */
|
| 134 | private get isAttached();
|
| 135 | }
|