1import { Resource } from '@aws-cdk/core';
2import { Construct } from 'constructs';
3import { IGroup } from './group';
4import { PolicyDocument } from './policy-document';
5import { PolicyStatement } from './policy-statement';
6import { IRole } from './role';
7import { IUser } from './user';
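/**
 * A managed policy (customer managed or AWS managed).
 *
 * This is the minimal contract the other IAM constructs need to attach a
 * policy to a user, role or group: only the ARN. Nothing in this interface
 * exposes the policy's statements, so the permissions of an imported policy
 * cannot be inspected or checked from CDK code — review the referenced policy
 * itself before attaching it to a principal.
 */
export interface IManagedPolicy {
    /**
     * The ARN of the managed policy.
     *
     * @attribute
     */
    readonly managedPolicyArn: string;
}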
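/**
 * Properties for defining an IAM managed policy.
 *
 * Every principal listed in `users`, `roles` and `groups` receives all of the
 * permissions in the resulting policy document, so keep the statements scoped
 * to what those principals actually need.
 */
export interface ManagedPolicyProps {
    /**
     * The name of the managed policy. If you specify multiple policies for an entity,
     * specify unique names. For example, if you specify a list of policies for
     * an IAM role, each policy must have a unique name.
     *
     * @default - A name is automatically generated.
     */
    readonly managedPolicyName?: string;
    /**
     * A description of the managed policy. Typically used to store information about the
     * permissions defined in the policy. For example, "Grants access to production DynamoDB tables."
     * The policy description is immutable: after a value is assigned, it cannot be changed in place.
     *
     * @default - empty
     */
    readonly description?: string;
    /**
     * The path for the policy. This parameter allows (through its regex pattern) a string of characters
     * consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes.
     * In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F),
     * including most punctuation characters, digits, and upper and lowercase letters.
     *
     * The path becomes part of the policy ARN (`arn:...:policy/<path><name>`), which matters when the
     * policy is later imported by name or ARN — see `ManagedPolicy.fromManagedPolicyArn`.
     *
     * For more information about paths, see IAM Identifiers in the IAM User Guide.
     *
     * @default - "/"
     */
    readonly path?: string;
    /**
     * Users to attach this policy to.
     * You can also use `attachToUser(user)` to attach this policy to a user.
     *
     * @default - No users.
     */
    readonly users?: IUser[];
    /**
     * Roles to attach this policy to.
     * You can also use `attachToRole(role)` to attach this policy to a role.
     *
     * @default - No roles.
     */
    readonly roles?: IRole[];
    /**
     * Groups to attach this policy to.
     * You can also use `attachToGroup(group)` to attach this policy to a group.
     *
     * @default - No groups.
     */
    readonly groups?: IGroup[];
    /**
     * Initial set of statements to add to this policy document.
     * You can also use `addStatements(...statements)` to add statements later.
     *
     * @default - No statements.
     */
    readonly statements?: PolicyStatement[];
    /**
     * Initial PolicyDocument to use for this ManagedPolicy. If omitted, any
     * `PolicyStatement` provided in the `statements` property will be applied
     * against the empty default `PolicyDocument`. (When a document is supplied
     * together with `statements`, the statements are presumably added to that
     * document — verify against the implementation.)
     *
     * @default - An empty policy.
     */
    readonly document?: PolicyDocument;
}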
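/**
 * Managed policy.
 *
 * A standalone IAM policy that can be attached to any number of users, roles
 * and groups. Attaching it grants every statement in `document` to that
 * principal, so additions via `addStatements` widen the permissions of all
 * principals it is already attached to.
 */
export declare class ManagedPolicy extends Resource implements IManagedPolicy {
    /**
     * Import a customer managed policy from the managedPolicyName.
     *
     * For this managed policy, you only need to know the name to be able to use it.
     *
     * NOTE(review): the returned object carries only an ARN, so the permissions of the
     * imported policy are not visible to CDK; review the policy itself before attaching it.
     * The ARN is presumably built for the current stack's account and partition — for a
     * policy in another account, import it by ARN instead (confirm against the implementation).
     *
     * @param scope construct scope
     * @param id construct id
     * @param managedPolicyName the name of the existing customer managed policy
     */
    static fromManagedPolicyName(scope: Construct, id: string, managedPolicyName: string): IManagedPolicy;
    /**
     * Import an external managed policy by ARN.
     *
     * For this managed policy, you only need to know the ARN to be able to use it.
     * This can be useful if you got the ARN from a CloudFormation Export.
     *
     * If the imported Managed Policy ARN is a Token (such as a
     * `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced
     * managed policy has a `path` (like `arn:...:policy/AdminPolicy/AdminAllow`), the
     * `managedPolicyName` property will not resolve to the correct value. Instead it
     * will resolve to the first path component. We unfortunately cannot express
     * the correct calculation of the full path name as a CloudFormation
     * expression. In this scenario the Managed Policy ARN should be supplied without the
     * `path` in order to resolve the correct managed policy resource.
     *
     * As with the other import methods, the policy's statements are not available to
     * CDK, so nothing here validates what the referenced policy grants.
     *
     * @param scope construct scope
     * @param id construct id
     * @param managedPolicyArn the ARN of the managed policy to import
     */
    static fromManagedPolicyArn(scope: Construct, id: string, managedPolicyArn: string): IManagedPolicy;
    /**
     * Import a managed policy from one of the policies that AWS manages.
     *
     * For this managed policy, you only need to know the name to be able to use it.
     *
     * Some managed policy names start with "service-role/", some start with
     * "job-function/", and some don't start with anything. Include the
     * prefix when constructing this object.
     *
     * Security note: several AWS managed policies grant very broad access, and their
     * contents are maintained by AWS and may change over time. Prefer a customer
     * managed policy with explicit statements when least privilege matters.
     *
     * @param managedPolicyName the AWS managed policy name, including any prefix
     */
    static fromAwsManagedPolicyName(managedPolicyName: string): IManagedPolicy;
    /**
     * Returns the ARN of this managed policy.
     *
     * @attribute
     */
    readonly managedPolicyArn: string;
    /**
     * The policy document. Statements added via `addStatements` end up here.
     */
    readonly document: PolicyDocument;
    /**
     * The name of this policy.
     *
     * @attribute
     */
    readonly managedPolicyName: string;
    /**
     * The description of this policy.
     *
     * @attribute
     */
    readonly description: string;
    /**
     * The path of this policy.
     *
     * @attribute
     */
    readonly path: string;
    /** Roles this policy is attached to (presumably via props or `attachToRole`). */
    private readonly roles;
    /** Users this policy is attached to (presumably via props or `attachToUser`). */
    private readonly users;
    /** Groups this policy is attached to (presumably via props or `attachToGroup`). */
    private readonly groups;
    /**
     * Creates a new customer managed policy.
     *
     * @param scope construct scope
     * @param id construct id
     * @param props policy name, description, path, initial document/statements and
     *   the principals to attach to; see `ManagedPolicyProps` for defaults
     */
    constructor(scope: Construct, id: string, props?: ManagedPolicyProps);
    /**
     * Adds one or more statements to the policy document.
     *
     * The new permissions apply to every principal this policy is attached to.
     *
     * @param statement statements to append to `document`
     */
    addStatements(...statement: PolicyStatement[]): void;
    /**
     * Attaches this policy to a user.
     *
     * @param user the user that will receive all permissions in this policy
     */
    attachToUser(user: IUser): void;
    /**
     * Attaches this policy to a role.
     *
     * @param role the role that will receive all permissions in this policy
     */
    attachToRole(role: IRole): void;
    /**
     * Attaches this policy to a group.
     *
     * @param group the group whose members will receive all permissions in this policy
     */
    attachToGroup(group: IGroup): void;
    /**
     * Returns validation error messages for this construct (empty when valid).
     * What is checked is not visible from this declaration.
     */
    protected validate(): string[];
}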