| 1 | import * as cdk from '@aws-cdk/core';
|
| 2 | import { PolicyStatement } from './policy-statement';
|
| 3 | import { IGrantable, IPrincipal } from './principals';
|
| 4 | /**
|
| 5 | * Basic options for a grant operation
|
| 6 | *
|
| 7 | */
|
| 8 | export interface CommonGrantOptions {
|
| 9 | /**
|
| 10 | * The principal to grant to
|
| 11 | *
|
| 12 | * @default if principal is undefined, no work is done.
|
| 13 | */
|
| 14 | readonly grantee: IGrantable;
|
| 15 | /**
|
| 16 | * The actions to grant
|
| 17 | */
|
| 18 | readonly actions: string[];
|
| 19 | /**
|
| 20 | * The resource ARNs to grant to
|
| 21 | */
|
| 22 | readonly resourceArns: string[];
|
| 23 | }
|
| 24 | /**
|
| 25 | * Options for a grant operation
|
| 26 | *
|
| 27 | */
|
| 28 | export interface GrantWithResourceOptions extends CommonGrantOptions {
|
| 29 | /**
|
| 30 | * The resource with a resource policy
|
| 31 | *
|
| 32 | * The statement will be added to the resource policy if it couldn't be
|
| 33 | * added to the principal policy.
|
| 34 | */
|
| 35 | readonly resource: IResourceWithPolicy;
|
| 36 | /**
|
| 37 | * When referring to the resource in a resource policy, use this as ARN.
|
| 38 | *
|
| 39 | * (Depending on the resource type, this needs to be '*' in a resource policy).
|
| 40 | *
|
| 41 | * @default Same as regular resource ARNs
|
| 42 | */
|
| 43 | readonly resourceSelfArns?: string[];
|
| 44 | }
|
| 45 | /**
|
| 46 | * Options for a grant operation that only applies to principals
|
| 47 | *
|
| 48 | */
|
| 49 | export interface GrantOnPrincipalOptions extends CommonGrantOptions {
|
| 50 | /**
|
| 51 | * Construct to report warnings on in case grant could not be registered
|
| 52 | *
|
| 53 | * @default - the construct in which this construct is defined
|
| 54 | */
|
| 55 | readonly scope?: cdk.IConstruct;
|
| 56 | }
|
| 57 | /**
|
| 58 | * Options for a grant operation to both identity and resource
|
| 59 | *
|
| 60 | */
|
| 61 | export interface GrantOnPrincipalAndResourceOptions extends CommonGrantOptions {
|
| 62 | /**
|
| 63 | * The resource with a resource policy
|
| 64 | *
|
| 65 | * The statement will always be added to the resource policy.
|
| 66 | */
|
| 67 | readonly resource: IResourceWithPolicy;
|
| 68 | /**
|
| 69 | * When referring to the resource in a resource policy, use this as ARN.
|
| 70 | *
|
| 71 | * (Depending on the resource type, this needs to be '*' in a resource policy).
|
| 72 | *
|
| 73 | * @default Same as regular resource ARNs
|
| 74 | */
|
| 75 | readonly resourceSelfArns?: string[];
|
| 76 | /**
|
| 77 | * The principal to use in the statement for the resource policy.
|
| 78 | *
|
| 79 | * @default - the principal of the grantee will be used
|
| 80 | */
|
| 81 | readonly resourcePolicyPrincipal?: IPrincipal;
|
| 82 | }
|
| 83 | /**
|
| 84 | * Result of a grant() operation
|
| 85 | *
|
| 86 | * This class is not instantiable by consumers on purpose, so that they will be
|
| 87 | * required to call the Grant factory functions.
|
| 88 | */
|
| 89 | export declare class Grant implements cdk.IDependable {
|
| 90 | /**
|
| 91 | * Grant the given permissions to the principal
|
| 92 | *
|
| 93 | * The permissions will be added to the principal policy primarily, falling
|
| 94 | * back to the resource policy if necessary. The permissions must be granted
|
| 95 | * somewhere.
|
| 96 | *
|
| 97 | * - Trying to grant permissions to a principal that does not admit adding to
|
| 98 | * the principal policy while not providing a resource with a resource policy
|
| 99 | * is an error.
|
| 100 | * - Trying to grant permissions to an absent principal (possible in the
|
| 101 | * case of imported resources) leads to a warning being added to the
|
| 102 | * resource construct.
|
| 103 | */
|
| 104 | static addToPrincipalOrResource(options: GrantWithResourceOptions): Grant;
|
| 105 | /**
|
| 106 | * Try to grant the given permissions to the given principal
|
| 107 | *
|
| 108 | * Absence of a principal leads to a warning, but failing to add
|
| 109 | * the permissions to a present principal is not an error.
|
| 110 | */
|
| 111 | static addToPrincipal(options: GrantOnPrincipalOptions): Grant;
|
| 112 | /**
|
| 113 | * Add a grant both on the principal and on the resource
|
| 114 | *
|
| 115 | * As long as any principal is given, granting on the principal may fail (in
|
| 116 | * case of a non-identity principal), but granting on the resource will
|
| 117 | * never fail.
|
| 118 | *
|
| 119 | * Statement will be the resource statement.
|
| 120 | */
|
| 121 | static addToPrincipalAndResource(options: GrantOnPrincipalAndResourceOptions): Grant;
|
| 122 | /**
|
| 123 | * Returns a "no-op" `Grant` object which represents a "dropped grant".
|
| 124 | *
|
| 125 | * This can be used for e.g. imported resources where you may not be able to modify
|
| 126 | * the resource's policy or some underlying policy which you don't know about.
|
| 127 | *
|
| 128 | * @param grantee The intended grantee
|
| 129 | * @param _intent The user's intent (will be ignored at the moment)
|
| 130 | */
|
| 131 | static drop(grantee: IGrantable, _intent: string): Grant;
|
| 132 | /**
|
| 133 | * The statement that was added to the principal's policy
|
| 134 | *
|
| 135 | * Can be accessed to (e.g.) add additional conditions to the statement.
|
| 136 | */
|
| 137 | readonly principalStatement?: PolicyStatement;
|
| 138 | /**
|
| 139 | * The statement that was added to the resource policy
|
| 140 | *
|
| 141 | * Can be accessed to (e.g.) add additional conditions to the statement.
|
| 142 | */
|
| 143 | readonly resourceStatement?: PolicyStatement;
|
| 144 | /**
|
| 145 | * The options originally used to set this result
|
| 146 | *
|
| 147 | * Private member doubles as a way to make it impossible for an object literal to
|
| 148 | * be structurally the same as this class.
|
| 149 | */
|
| 150 | private readonly options;
|
| 151 | private constructor();
|
| 152 | /**
|
| 153 | * Whether the grant operation was successful
|
| 154 | */
|
| 155 | get success(): boolean;
|
| 156 | /**
|
| 157 | * Throw an error if this grant wasn't successful
|
| 158 | */
|
| 159 | assertSuccess(): void;
|
| 160 | /**
|
| 161 | * Make sure this grant is applied before the given constructs are deployed
|
| 162 | *
|
| 163 | * The same as construct.node.addDependency(grant), but slightly nicer to read.
|
| 164 | */
|
| 165 | applyBefore(...constructs: cdk.IConstruct[]): void;
|
| 166 | }
|
| 167 | /**
|
| 168 | * A resource with a resource policy that can be added to
|
| 169 | */
|
| 170 | export interface IResourceWithPolicy extends cdk.IResource {
|
| 171 | /**
|
| 172 | * Add a statement to the resource's resource policy
|
| 173 | */
|
| 174 | addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
|
| 175 | }
|
| 176 | /**
|
| 177 | * Result of calling addToResourcePolicy
|
| 178 | */
|
| 179 | export interface AddToResourcePolicyResult {
|
| 180 | /**
|
| 181 | * Whether the statement was added
|
| 182 | */
|
| 183 | readonly statementAdded: boolean;
|
| 184 | /**
|
| 185 | * Dependable which allows depending on the policy change being applied
|
| 186 | *
|
| 187 | * @default - If `statementAdded` is true, the resource object itself.
|
| 188 | * Otherwise, no dependable.
|
| 189 | */
|
| 190 | readonly policyDependable?: cdk.IDependable;
|
| 191 | }
|
| 192 | /**
|
| 193 | * Composite dependable
|
| 194 | *
|
| 195 | * Not as simple as eagerly getting the dependency roots from the
|
| 196 | * inner dependables, as they may be mutable so we need to defer
|
| 197 | * the query.
|
| 198 | */
|
| 199 | export declare class CompositeDependable implements cdk.IDependable {
|
| 200 | constructor(...dependables: cdk.IDependable[]);
|
| 201 | }
|