1 | import { IResource, Resource } from '@aws-cdk/core';
2 | import { Construct } from 'constructs';
3 | import { IGroup } from './group';
4 | import { PolicyDocument } from './policy-document';
5 | import { PolicyStatement } from './policy-statement';
6 | import { IRole } from './role';
7 | import { IUser } from './user';
/**
 * Represents an IAM Policy
 *
 * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html
 */
export interface IPolicy extends IResource {
    /**
     * The name of this policy.
     *
     * Both `Policy` constructs defined in this app and policies imported by
     * name via `Policy.fromPolicyName` satisfy this interface; for an imported
     * policy the name is the only policy-specific information exposed, so the
     * statements it grants cannot be inspected through this interface.
     *
     * @attribute
     */
    readonly policyName: string;
}
/**
 * Properties for defining an IAM inline policy document
 */
export interface PolicyProps {
    /**
     * The name of the policy. If you specify multiple policies for an entity,
     * specify unique names. For example, if you specify a list of policies for
     * an IAM role, each policy must have a unique name.
     *
     * @default - Uses the logical ID of the policy resource, which is ensured
     * to be unique within the stack.
     */
    readonly policyName?: string;
    /**
     * Users to attach this policy to.
     * You can also use `attachToUser(user)` to attach this policy to a user.
     *
     * @default - No users.
     */
    readonly users?: IUser[];
    /**
     * Roles to attach this policy to.
     * You can also use `attachToRole(role)` to attach this policy to a role.
     *
     * @default - No roles.
     */
    readonly roles?: IRole[];
    /**
     * Groups to attach this policy to.
     * You can also use `attachToGroup(group)` to attach this policy to a group.
     *
     * @default - No groups.
     */
    readonly groups?: IGroup[];
    /**
     * Initial set of permissions to add to this policy document.
     * You can also use `addStatements(...statement)` to add permissions later.
     *
     * Every statement listed here applies to each user, role and group the
     * policy is attached to, so the set should be reviewed as a whole against
     * what those identities actually need.
     *
     * @default - No statements.
     */
    readonly statements?: PolicyStatement[];
    /**
     * Force creation of an `AWS::IAM::Policy`
     *
     * Unless set to `true`, this `Policy` construct will not materialize to an
     * `AWS::IAM::Policy` CloudFormation resource in case it would have no effect
     * (for example, if it remains unattached to an IAM identity or if it has no
     * statements). This is generally desired behavior, since it prevents
     * creating invalid--and hence undeployable--CloudFormation templates.
     *
     * In cases where you know the policy must be created and it is actually
     * an error if no statements have been added to it, you can set this to `true`.
     *
     * @default false
     */
    readonly force?: boolean;
    /**
     * Initial PolicyDocument to use for this Policy. If omitted, any
     * `PolicyStatement` provided in the `statements` property will be applied
     * against the empty default `PolicyDocument`.
     *
     * NOTE(review): when both `document` and `statements` are given, the
     * statements are presumably added to the supplied document — confirm
     * against the implementation.
     *
     * @default - An empty policy.
     */
    readonly document?: PolicyDocument;
}
/**
 * The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles,
 * or groups. For more information about IAM policies, see [Overview of IAM
 * Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html)
 * in the IAM User Guide.
 */
export declare class Policy extends Resource implements IPolicy {
    /**
     * Import a policy in this app based on its name
     *
     * The result is a reference only: the returned `IPolicy` exposes the
     * `policyName` and nothing else, so the imported policy's statements cannot
     * be inspected or modified through it, and this declaration gives no
     * indication that the name is checked against an existing policy.
     *
     * @param scope the scope in which to define the imported construct
     * @param id the scoped construct ID
     * @param policyName the name of the existing policy to reference
     * @returns a reference to the named policy
     */
    static fromPolicyName(scope: Construct, id: string, policyName: string): IPolicy;
    /**
     * The policy document.
     *
     * Holds every statement this policy grants; `addStatements` is the
     * supported way to extend it after construction.
     */
    readonly document: PolicyDocument;
    // Presumably the backing field for the `policyName` getter below; its
    // type is not part of this declaration.
    private readonly _policyName;
    // Roles this policy is attached to — presumably fed by the `roles` prop and
    // `attachToRole`; confirm against the implementation.
    private readonly roles;
    // Users this policy is attached to — presumably fed by the `users` prop and
    // `attachToUser`; confirm against the implementation.
    private readonly users;
    // Groups this policy is attached to — presumably fed by the `groups` prop
    // and `attachToGroup`; confirm against the implementation.
    private readonly groups;
    // Mirrors `PolicyProps.force` — presumably; confirm against the implementation.
    private readonly force;
    // NOTE(review): looks like a flag recording whether `policyName` has been
    // read by another construct (it is the only non-readonly field); confirm
    // against the implementation.
    private referenceTaken;
    /**
     * @param scope the scope in which to define this construct
     * @param id the scoped construct ID
     * @param props policy properties; every field is optional (see `PolicyProps`)
     */
    constructor(scope: Construct, id: string, props?: PolicyStatement extends never ? never : PolicyProps);
    /**
     * Adds a statement to the policy document.
     *
     * Each statement added here changes the permissions of every user, role
     * and group this policy is attached to, so review what it grants before
     * attaching the policy.
     *
     * @param statement one or more statements to add to `document`
     */
    addStatements(...statement: PolicyStatement[]): void;
    /**
     * Attaches this policy to a user.
     *
     * @param user the user that should receive this policy's permissions
     */
    attachToUser(user: IUser): void;
    /**
     * Attaches this policy to a role.
     *
     * @param role the role that should receive this policy's permissions
     */
    attachToRole(role: IRole): void;
    /**
     * Attaches this policy to a group.
     *
     * @param group the group that should receive this policy's permissions
     */
    attachToGroup(group: IGroup): void;
    /**
     * The name of this policy.
     *
     * @attribute
     */
    get policyName(): string;
    /**
     * Returns validation error messages for this policy (empty when valid).
     *
     * NOTE(review): presumably this is where a policy that has no statements
     * or is not attached to any identity is reported, in line with the
     * `force` behaviour described on `PolicyProps` — confirm against the
     * implementation.
     */
    protected validate(): string[];
    /**
     * Whether the policy resource has been attached to any identity
     */
    private get isAttached();
}