;
// TypeScript -> CommonJS emit. `_a` is a compiler temporary: it is assigned
// the jsii RTTI symbol at the bottom of the module and used as the computed
// property key when the class is tagged with its jsii type information.
var _a;
// Sets the `__esModule` interop flag on the CommonJS `exports` object.
Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare the export binding; it is assigned the real class after the
// class body below.
exports.ManagedPolicy = void 0;
|
5 | const jsiiDeprecationWarnings = require("../.warnings.jsii.js");
|
6 | const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
|
7 | const core_1 = require("@aws-cdk/core");
|
8 | const iam_generated_1 = require("./iam.generated");
|
9 | const policy_document_1 = require("./policy-document");
|
10 | const util_1 = require("./util");
|
/**
 * An IAM customer managed policy, backed by `CfnManagedPolicy`.
 *
 * Wraps a `PolicyDocument` together with the users, roles and groups the
 * policy is attached to. Use the static `from*` methods to reference an
 * existing policy (customer or AWS managed) instead of creating a new one.
 */
|
class ManagedPolicy extends core_1.Resource {
    /**
     * Creates a new customer managed policy in `scope`.
     *
     * @param scope construct scope
     * @param id construct id
     * @param props ManagedPolicyProps; defaults to `{}` so every field is optional
     */
    constructor(scope, id, props = {}) {
        // The physical name is taken verbatim from props. When it is omitted it
        // is `undefined` here and the base Resource is left to provide
        // `this.physicalName`, which is reused below for both the CFN resource
        // name and the ARN attribute — presumably an auto-generated token;
        // confirm in @aws-cdk/core.
        super(scope, id, {
            physicalName: props.managedPolicyName,
        });
        /**
         * The policy document.
         * Starts empty; replaced wholesale when `props.document` is supplied (see below).
         */
        this.document = new policy_document_1.PolicyDocument();
        // Principals this policy is attached to. Filled by attachTo*() and read
        // through the thunks handed to CfnManagedPolicy below.
        this.roles = new Array();
        this.users = new Array();
        this.groups = new Array();
        // jsii-emitted deprecation check for the props type. Every error is
        // re-thrown; only a DeprecationError (and only when JSII_DEBUG is not
        // "1") gets its stack trimmed at this constructor so the warning points
        // at the caller rather than at the generated check.
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_ManagedPolicyProps(props);
        }
        catch (error) {
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, ManagedPolicy);
            }
            throw error;
        }
        // `||` rather than `??`: an explicitly empty description or path also
        // falls back to the default. Per the ManagedPolicyProps.path docs the
        // path must be '/' or begin and end with '/', so '' is never emitted.
        this.description = props.description || '';
        this.path = props.path || '/';
        // A caller-supplied document replaces the empty default and is used
        // as-is; it is only checked later by validate().
        if (props.document) {
            this.document = props.document;
        }
        const resource = new iam_generated_1.CfnManagedPolicy(this, 'Resource', {
            policyDocument: this.document,
            managedPolicyName: this.physicalName,
            description: this.description,
            path: this.path,
            // Thunks, not arrays: the props.* attachments are only made *after*
            // this resource is created, so these must be evaluated at synthesis
            // time for them to appear (assumes `undefinedIfEmpty` defers the call
            // and maps an empty result to undefined — see ./util).
            roles: util_1.undefinedIfEmpty(() => this.roles.map(r => r.roleName)),
            users: util_1.undefinedIfEmpty(() => this.users.map(u => u.userName)),
            groups: util_1.undefinedIfEmpty(() => this.groups.map(g => g.groupName)),
        });
        // Initial attachments and statements go through the same public methods
        // callers use later, so deduplication and deprecation checks apply.
        if (props.users) {
            props.users.forEach(u => this.attachToUser(u));
        }
        if (props.groups) {
            props.groups.forEach(g => this.attachToGroup(g));
        }
        if (props.roles) {
            props.roles.forEach(r => this.attachToRole(r));
        }
        if (props.statements) {
            props.statements.forEach(p => this.addStatements(p));
        }
        // arn:aws:iam::123456789012:policy/teststack-CreateTestDBPolicy-16M23YE3CS700
        // `resource.ref` is the policy ARN (example above); the name attribute is
        // the part after `policy/`. NOTE(review): when the ARN is a Token and the
        // policy has a non-root path, the fromManagedPolicyArn docs below say this
        // split resolves to the first path segment only — confirm before using
        // `managedPolicyName` for anything but display.
        this.managedPolicyName = this.getResourceNameAttribute(core_1.Stack.of(this).splitArn(resource.ref, core_1.ArnFormat.SLASH_RESOURCE_NAME).resourceName);
        // IAM is global within a partition, hence the empty region.
        this.managedPolicyArn = this.getResourceArnAttribute(resource.ref, {
            region: '',
            service: 'iam',
            resource: 'policy',
            resourceName: this.physicalName,
        });
    }
    /**
     * Import a customer managed policy from the managedPolicyName.
     *
     * For this managed policy, you only need to know the name to be able to use it.
     *
     * The ARN is formatted from the name and the *importing stack's* account,
     * so this can only reference a policy in the same account as `scope`; use
     * `fromManagedPolicyArn` for a cross-account policy. Nothing is verified
     * at synthesis time — a wrong name only fails when CloudFormation tries to
     * attach it. The returned construct exposes `managedPolicyArn` only.
     *
     * @param scope construct scope (also the source of the account id)
     * @param id construct id
     * @param managedPolicyName the policy name, including any path prefix
     */
    static fromManagedPolicyName(scope, id, managedPolicyName) {
        class Import extends core_1.Resource {
            constructor() {
                super(...arguments);
                this.managedPolicyArn = core_1.Stack.of(scope).formatArn({
                    service: 'iam',
                    region: '',
                    account: core_1.Stack.of(scope).account,
                    resource: 'policy',
                    resourceName: managedPolicyName,
                });
            }
        }
        return new Import(scope, id);
    }
    /**
     * Import an external managed policy by ARN.
     *
     * For this managed policy, you only need to know the ARN to be able to use it.
     * This can be useful if you got the ARN from a CloudFormation Export.
     *
     * If the imported Managed Policy ARN is a Token (such as a
     * `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced
     * managed policy has a `path` (like `arn:...:policy/AdminPolicy/AdminAllow`), the
     * `managedPolicyName` property will not resolve to the correct value. Instead it
     * will resolve to the first path component. We unfortunately cannot express
     * the correct calculation of the full path name as a CloudFormation
     * expression. In this scenario the Managed Policy ARN should be supplied without the
     * `path` in order to resolve the correct managed policy resource.
     *
     * Security note: the ARN is stored verbatim — no format, partition or
     * ownership check is made. When the value comes from outside the app (a
     * parameter, an imported export), whoever controls it decides which
     * permissions get attached to your roles, so treat it as trusted input or
     * validate it in the caller.
     *
     * NOTE(review): the `Import` below defines only `managedPolicyArn` and does
     * not derive a `managedPolicyName` at all; the caveat above refers to the
     * ARN-splitting logic used by the `ManagedPolicy` constructor.
     *
     * @param scope construct scope
     * @param id construct id
     * @param managedPolicyArn the ARN of the managed policy to import
     */
    static fromManagedPolicyArn(scope, id, managedPolicyArn) {
        class Import extends core_1.Resource {
            constructor() {
                super(...arguments);
                this.managedPolicyArn = managedPolicyArn;
            }
        }
        return new Import(scope, id);
    }
    /**
     * Import a managed policy from one of the policies that AWS manages.
     *
     * For this managed policy, you only need to know the name to be able to use it.
     *
     * Some managed policy names start with "service-role/", some start with
     * "job-function/", and some don't start with anything. Include the
     * prefix when constructing this object.
     *
     * The ARN uses account `aws` and the partition pseudo-parameter rather
     * than a hard-coded partition. The result is a plain object, not a
     * construct: it takes no scope/id and adds nothing to the construct tree.
     *
     * Least-privilege note: AWS managed policies are deliberately broad (some
     * grant administrative access). Prefer a scoped customer managed policy
     * once the workload's actual permissions are known.
     *
     * @param managedPolicyName the AWS managed policy name, with any prefix
     */
    static fromAwsManagedPolicyName(managedPolicyName) {
        class AwsManagedPolicy {
            constructor() {
                this.managedPolicyArn = core_1.Arn.format({
                    partition: core_1.Aws.PARTITION,
                    service: 'iam',
                    region: '',
                    account: 'aws',
                    resource: 'policy',
                    resourceName: managedPolicyName,
                });
            }
        }
        return new AwsManagedPolicy();
    }
    /**
     * Adds a statement to the policy document.
     *
     * Accepts any number of `PolicyStatement`s and forwards them to
     * `this.document.addStatements`. The whole rest array is handed to the
     * jsii deprecation check first; errors are re-thrown as in the constructor.
     */
    addStatements(...statement) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_PolicyStatement(statement);
        }
        catch (error) {
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, this.addStatements);
            }
            throw error;
        }
        this.document.addStatements(...statement);
    }
    /**
     * Attaches this policy to a user.
     *
     * Idempotent by object identity (`===`): attaching the same construct
     * twice records it once, but two distinct objects referring to the same
     * IAM user are both recorded. The attachment is rendered through the
     * `users` thunk passed to CfnManagedPolicy in the constructor.
     */
    attachToUser(user) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IUser(user);
        }
        catch (error) {
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, this.attachToUser);
            }
            throw error;
        }
        if (this.users.find(u => u === user)) {
            return;
        }
        this.users.push(user);
    }
    /**
     * Attaches this policy to a role.
     *
     * Same identity-based deduplication as `attachToUser`; rendered through
     * the `roles` thunk in the constructor.
     */
    attachToRole(role) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IRole(role);
        }
        catch (error) {
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, this.attachToRole);
            }
            throw error;
        }
        if (this.roles.find(r => r === role)) {
            return;
        }
        this.roles.push(role);
    }
    /**
     * Attaches this policy to a group.
     *
     * Same identity-based deduplication as `attachToUser`; rendered through
     * the `groups` thunk in the constructor.
     */
    attachToGroup(group) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IGroup(group);
        }
        catch (error) {
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, this.attachToGroup);
            }
            throw error;
        }
        if (this.groups.find(g => g === group)) {
            return;
        }
        this.groups.push(group);
    }
    /**
     * CDK `validate()` hook.
     *
     * Returns a list of error messages; an empty list means the construct is
     * valid. Flags an empty document, then appends whatever
     * `PolicyDocument.validateForIdentityPolicy()` reports — presumably
     * statements that are only legal in resource-based policies (e.g. ones
     * carrying a Principal); confirm in ./policy-document.
     */
    validate() {
        const result = new Array();
        // validate that the policy document is not empty
        if (this.document.isEmpty) {
            result.push('Managed Policy is empty. You must add statements to the policy');
        }
        result.push(...this.document.validateForIdentityPolicy());
        return result;
    }
}
|
exports.ManagedPolicy = ManagedPolicy;
// jsii runtime type information: tag the class with its fully-qualified jsii
// name and the package version under the shared `jsii.rtti` symbol
// (presumably read by the jsii runtime when bridging to other languages).
_a = JSII_RTTI_SYMBOL_1;
ManagedPolicy[_a] = { fqn: "@aws-cdk/aws-iam.ManagedPolicy", version: "1.161.0" };
|
226 | //# sourceMappingURL=data:application/json;base64,{"version":3,"file":"managed-policy.js","sourceRoot":"","sources":["managed-policy.ts"],"names":[],"mappings":";;;;;;AAAA,wCAAqE;AAGrE,mDAAmD;AACnD,uDAAmD;AAInD,iCAA0C;AAyF1C;;;GAGG;AACH,MAAa,aAAc,SAAQ,eAAQ;IA0GzC,YAAY,KAAgB,EAAE,EAAU,EAAE,QAA4B,EAAE;QACtE,KAAK,CAAC,KAAK,EAAE,EAAE,EAAE;YACf,YAAY,EAAE,KAAK,CAAC,iBAAiB;SACtC,CAAC,CAAC;QAjCL;;WAEG;QACa,aAAQ,GAAG,IAAI,gCAAc,EAAE,CAAC;QAuB/B,UAAK,GAAG,IAAI,KAAK,EAAS,CAAC;QAC3B,UAAK,GAAG,IAAI,KAAK,EAAS,CAAC;QAC3B,WAAM,GAAG,IAAI,KAAK,EAAU,CAAC;;;;;;+CAxGnC,aAAa;;;;QA+GtB,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QAE9B,IAAI,KAAK,CAAC,QAAQ,EAAE;YAClB,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;SAChC;QAED,MAAM,QAAQ,GAAG,IAAI,gCAAgB,CAAC,IAAI,EAAE,UAAU,EAAE;YACtD,cAAc,EAAE,IAAI,CAAC,QAAQ;YAC7B,iBAAiB,EAAE,IAAI,CAAC,YAAY;YACpC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,uBAAgB,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;YAC9D,KAAK,EAAE,uBAAgB,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;YAC9D,MAAM,EAAE,uBAAgB,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;SAClE,CAAC,CAAC;QAEH,IAAI,KAAK,CAAC,KAAK,EAAE;YACf,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;SAChD;QAED,IAAI,KAAK,CAAC,MAAM,EAAE;YAChB,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;SAClD;QAED,IAAI,KAAK,CAAC,KAAK,EAAE;YACf,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;SAChD;QAED,IAAI,KAAK,CAAC,UAAU,EAAE;YACpB,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;SACtD;QAED,8EAA8E;QAC9E,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CAAC,YAAK,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,EAAE,gBAAS,CAAC,mBAAmB,CAAC,CAAC,YA
Aa,CAAC,CAAC;QAC3I,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,uBAAuB,CAAC,QAAQ,CAAC,GAAG,EAAE;YACjE,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,QAAQ;YAClB,YAAY,EAAE,IAAI,CAAC,YAAY;SAChC,CAAC,CAAC;KACJ;IAvJD;;;;;OAKG;IACI,MAAM,CAAC,qBAAqB,CAAC,KAAgB,EAAE,EAAU,EAAE,iBAAyB;QACzF,MAAM,MAAO,SAAQ,eAAQ;YAA7B;;gBACkB,qBAAgB,GAAG,YAAK,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC;oBAC3D,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,EAAE;oBACV,OAAO,EAAE,YAAK,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,OAAO;oBAChC,QAAQ,EAAE,QAAQ;oBAClB,YAAY,EAAE,iBAAiB;iBAChC,CAAC,CAAC;YACL,CAAC;SAAA;QACD,OAAO,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;KAC9B;IAED;;;;;;;;;;;;;;;;;;OAkBG;IACI,MAAM,CAAC,oBAAoB,CAAC,KAAgB,EAAE,EAAU,EAAE,gBAAwB;QACvF,MAAM,MAAO,SAAQ,eAAQ;YAA7B;;gBACkB,qBAAgB,GAAG,gBAAgB,CAAC;YACtD,CAAC;SAAA;QACD,OAAO,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;KAC9B;IAED;;;;;;;;OAQG;IACI,MAAM,CAAC,wBAAwB,CAAC,iBAAyB;QAC9D,MAAM,gBAAgB;YAAtB;gBACkB,qBAAgB,GAAG,UAAG,CAAC,MAAM,CAAC;oBAC5C,SAAS,EAAE,UAAG,CAAC,SAAS;oBACxB,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,EAAE;oBACV,OAAO,EAAE,KAAK;oBACd,QAAQ,EAAE,QAAQ;oBAClB,YAAY,EAAE,iBAAiB;iBAChC,CAAC,CAAC;YACL,CAAC;SAAA;QACD,OAAO,IAAI,gBAAgB,EAAE,CAAC;KAC/B;IAuFD;;OAEG;IACI,aAAa,CAAC,GAAG,SAA4B;;;;;;;;;;QAClD,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,CAAC;KAC3C;IAED;;OAEG;IACI,YAAY,CAAC,IAAW;;;;;;;;;;QAC7B,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,EAAE;YAAE,OAAO;SAAE;QACjD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACvB;IAED;;OAEG;IACI,YAAY,CAAC,IAAW;;;;;;;;;;QAC7B,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,EAAE;YAAE,OAAO;SAAE;QACjD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACvB;IAED;;OAEG;IACI,aAAa,CAAC,KAAa;;;;;;;;;;QAChC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,KAAK,CAAC,EAAE;YAAE,OAAO;SAAE;QACnD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;KACzB;IAES,QAAQ;QAChB,MAAM,MAAM,GAAG,IAAI,KAAK,EAAU,CAAC;QAEnC,iDAAiD;QACjD,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE;YACzB,MAAM,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;SAC/E;QAE
D,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,yBAAyB,EAAE,CAAC,CAAC;QAE1D,OAAO,MAAM,CAAC;KACf;;AApMH,sCAqMC","sourcesContent":["import { ArnFormat, Resource, Stack, Arn, Aws } from '@aws-cdk/core';\nimport { Construct } from 'constructs';\nimport { IGroup } from './group';\nimport { CfnManagedPolicy } from './iam.generated';\nimport { PolicyDocument } from './policy-document';\nimport { PolicyStatement } from './policy-statement';\nimport { IRole } from './role';\nimport { IUser } from './user';\nimport { undefinedIfEmpty } from './util';\n\n/**\n * A managed policy\n */\nexport interface IManagedPolicy {\n  /**\n   * The ARN of the managed policy\n   * @attribute\n   */\n  readonly managedPolicyArn: string;\n}\n\n/**\n * Properties for defining an IAM managed policy\n */\nexport interface ManagedPolicyProps {\n  /**\n   * The name of the managed policy. If you specify multiple policies for an entity,\n   * specify unique names. For example, if you specify a list of policies for\n   * an IAM role, each policy must have a unique name.\n   *\n   * @default - A name is automatically generated.\n   */\n  readonly managedPolicyName?: string;\n\n  /**\n   * A description of the managed policy. Typically used to store information about the\n   * permissions defined in the policy. For example, \"Grants access to production DynamoDB tables.\"\n   * The policy description is immutable. After a value is assigned, it cannot be changed.\n   *\n   * @default - empty\n   */\n  readonly description?: string;\n\n  /**\n   * The path for the policy. This parameter allows (through its regex pattern) a string of characters\n   * consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes.\n   * In addition, it can contain any ASCII character from the ! 
(\\u0021) through the DEL character (\\u007F),\n   * including most punctuation characters, digits, and upper and lowercased letters.\n   *\n   * For more information about paths, see IAM Identifiers in the IAM User Guide.\n   *\n   * @default - \"/\"\n   */\n  readonly path?: string;\n\n  /**\n   * Users to attach this policy to.\n   * You can also use `attachToUser(user)` to attach this policy to a user.\n   *\n   * @default - No users.\n   */\n  readonly users?: IUser[];\n\n  /**\n   * Roles to attach this policy to.\n   * You can also use `attachToRole(role)` to attach this policy to a role.\n   *\n   * @default - No roles.\n   */\n  readonly roles?: IRole[];\n\n  /**\n   * Groups to attach this policy to.\n   * You can also use `attachToGroup(group)` to attach this policy to a group.\n   *\n   * @default - No groups.\n   */\n  readonly groups?: IGroup[];\n\n  /**\n   * Initial set of permissions to add to this policy document.\n   * You can also use `addPermission(statement)` to add permissions later.\n   *\n   * @default - No statements.\n   */\n  readonly statements?: PolicyStatement[];\n\n  /**\n   * Initial PolicyDocument to use for this ManagedPolicy. 
If omited, any\n   * `PolicyStatement` provided in the `statements` property will be applied\n   * against the empty default `PolicyDocument`.\n   *\n   * @default - An empty policy.\n   */\n  readonly document?: PolicyDocument;\n}\n\n/**\n * Managed policy\n *\n */\nexport class ManagedPolicy extends Resource implements IManagedPolicy {\n  /**\n   * Import a customer managed policy from the managedPolicyName.\n   *\n   * For this managed policy, you only need to know the name to be able to use it.\n   *\n   */\n  public static fromManagedPolicyName(scope: Construct, id: string, managedPolicyName: string): IManagedPolicy {\n    class Import extends Resource implements IManagedPolicy {\n      public readonly managedPolicyArn = Stack.of(scope).formatArn({\n        service: 'iam',\n        region: '', // no region for managed policy\n        account: Stack.of(scope).account, // Can this be something the user specifies?\n        resource: 'policy',\n        resourceName: managedPolicyName,\n      });\n    }\n    return new Import(scope, id);\n  }\n\n  /**\n   * Import an external managed policy by ARN.\n   *\n   * For this managed policy, you only need to know the ARN to be able to use it.\n   * This can be useful if you got the ARN from a CloudFormation Export.\n   *\n   * If the imported Managed Policy ARN is a Token (such as a\n   * `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced\n   * managed policy has a `path` (like `arn:...:policy/AdminPolicy/AdminAllow`), the\n   * `managedPolicyName` property will not resolve to the correct value. Instead it\n   * will resolve to the first path component. We unfortunately cannot express\n   * the correct calculation of the full path name as a CloudFormation\n   * expression. 
In this scenario the Managed Policy ARN should be supplied without the\n   * `path` in order to resolve the correct managed policy resource.\n   *\n   * @param scope construct scope\n   * @param id construct id\n   * @param managedPolicyArn the ARN of the managed policy to import\n   */\n  public static fromManagedPolicyArn(scope: Construct, id: string, managedPolicyArn: string): IManagedPolicy {\n    class Import extends Resource implements IManagedPolicy {\n      public readonly managedPolicyArn = managedPolicyArn;\n    }\n    return new Import(scope, id);\n  }\n\n  /**\n   * Import a managed policy from one of the policies that AWS manages.\n   *\n   * For this managed policy, you only need to know the name to be able to use it.\n   *\n   * Some managed policy names start with \"service-role/\", some start with\n   * \"job-function/\", and some don't start with anything. Include the\n   * prefix when constructing this object.\n   */\n  public static fromAwsManagedPolicyName(managedPolicyName: string): IManagedPolicy {\n    class AwsManagedPolicy implements IManagedPolicy {\n      public readonly managedPolicyArn = Arn.format({\n        partition: Aws.PARTITION,\n        service: 'iam',\n        region: '', // no region for managed policy\n        account: 'aws', // the account for a managed policy is 'aws'\n        resource: 'policy',\n        resourceName: managedPolicyName,\n      });\n    }\n    return new AwsManagedPolicy();\n  }\n\n  /**\n   * Returns the ARN of this managed policy.\n   *\n   * @attribute\n   */\n  public readonly managedPolicyArn: string;\n\n  /**\n   * The policy document.\n   */\n  public readonly document = new PolicyDocument();\n\n  /**\n   * The name of this policy.\n   *\n   * @attribute\n   */\n  public readonly managedPolicyName: string;\n\n  /**\n   * The description of this policy.\n   *\n   * @attribute\n   */\n  public readonly description: string;\n\n  /**\n   * The path of this policy.\n   *\n   * @attribute\n   */\n  public 
readonly path: string;\n\n  private readonly roles = new Array<IRole>();\n  private readonly users = new Array<IUser>();\n  private readonly groups = new Array<IGroup>();\n\n  constructor(scope: Construct, id: string, props: ManagedPolicyProps = {}) {\n    super(scope, id, {\n      physicalName: props.managedPolicyName,\n    });\n\n    this.description = props.description || '';\n    this.path = props.path || '/';\n\n    if (props.document) {\n      this.document = props.document;\n    }\n\n    const resource = new CfnManagedPolicy(this, 'Resource', {\n      policyDocument: this.document,\n      managedPolicyName: this.physicalName,\n      description: this.description,\n      path: this.path,\n      roles: undefinedIfEmpty(() => this.roles.map(r => r.roleName)),\n      users: undefinedIfEmpty(() => this.users.map(u => u.userName)),\n      groups: undefinedIfEmpty(() => this.groups.map(g => g.groupName)),\n    });\n\n    if (props.users) {\n      props.users.forEach(u => this.attachToUser(u));\n    }\n\n    if (props.groups) {\n      props.groups.forEach(g => this.attachToGroup(g));\n    }\n\n    if (props.roles) {\n      props.roles.forEach(r => this.attachToRole(r));\n    }\n\n    if (props.statements) {\n      props.statements.forEach(p => this.addStatements(p));\n    }\n\n    // arn:aws:iam::123456789012:policy/teststack-CreateTestDBPolicy-16M23YE3CS700\n    this.managedPolicyName = this.getResourceNameAttribute(Stack.of(this).splitArn(resource.ref, ArnFormat.SLASH_RESOURCE_NAME).resourceName!);\n    this.managedPolicyArn = this.getResourceArnAttribute(resource.ref, {\n      region: '', // IAM is global in each partition\n      service: 'iam',\n      resource: 'policy',\n      resourceName: this.physicalName,\n    });\n  }\n\n  /**\n   * Adds a statement to the policy document.\n   */\n  public addStatements(...statement: PolicyStatement[]) {\n    this.document.addStatements(...statement);\n  }\n\n  /**\n   * Attaches this policy to a user.\n   */\n  public 
attachToUser(user: IUser) {\n    if (this.users.find(u => u === user)) { return; }\n    this.users.push(user);\n  }\n\n  /**\n   * Attaches this policy to a role.\n   */\n  public attachToRole(role: IRole) {\n    if (this.roles.find(r => r === role)) { return; }\n    this.roles.push(role);\n  }\n\n  /**\n   * Attaches this policy to a group.\n   */\n  public attachToGroup(group: IGroup) {\n    if (this.groups.find(g => g === group)) { return; }\n    this.groups.push(group);\n  }\n\n  protected validate(): string[] {\n    const result = new Array<string>();\n\n    // validate that the policy document is not empty\n    if (this.document.isEmpty) {\n      result.push('Managed Policy is empty. You must add statements to the policy');\n    }\n\n    result.push(...this.document.validateForIdentityPolicy());\n\n    return result;\n  }\n}\n"]} |