1 | import { Resource } from '@aws-cdk/core';
|
2 | import { Construct } from 'constructs';
|
3 | import { IIdentity } from './identity-base';
|
4 | import { IManagedPolicy } from './managed-policy';
|
5 | import { Policy } from './policy';
|
6 | import { PolicyStatement } from './policy-statement';
|
7 | import { AddToPrincipalPolicyResult, IPrincipal, PrincipalPolicyFragment } from './principals';
|
8 | import { IUser } from './user';
|
/**
 * An IAM group, whether it is defined in this app or imported by ARN or name.
 *
 * Adds the group's two identifiers to everything the `IIdentity` contract
 * declares.
 *
 * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
 */
export interface IGroup extends IIdentity {
  /**
   * The ARN of the IAM group.
   *
   * @attribute
   */
  readonly groupArn: string;

  /**
   * The name of the IAM group.
   *
   * For a group imported from a tokenized ARN that contains a path, this can
   * resolve to the first path component instead of the real group name (see
   * the caveat documented on `Group.fromGroupArn`), so do not rely on it to
   * identify the group in that case.
   *
   * @attribute
   */
  readonly groupName: string;
}
|
/**
 * Construction properties for an IAM group.
 *
 * Every field is optional. With no props, the group gets a generated name,
 * the default path and no managed policies.
 */
export interface GroupProps {
  /**
   * Physical name of the IAM group. Valid values are described under the
   * GroupName parameter of the CreateGroup action in the IAM API Reference.
   * When omitted, AWS CloudFormation generates a unique physical ID and uses
   * that ID as the group name.
   *
   * If you set a name, you must acknowledge the CAPABILITY_NAMED_IAM
   * capability when the template is deployed. For details, see
   * "Acknowledging IAM Resources in AWS CloudFormation Templates".
   *
   * @default Generated by CloudFormation (recommended)
   */
  readonly groupName?: string;

  /**
   * The path to the group. For more information about paths, see [IAM
   * Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?Using_Identifiers.html)
   * in the IAM User Guide.
   *
   * @default /
   */
  readonly path?: string;

  /**
   * Managed policies attached to this group.
   *
   * Users in the group receive the permissions of every policy listed here,
   * so keep the list as narrow as the group's purpose allows.
   *
   * More managed policies can be added later with
   * `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
   *
   * @default - No managed policies.
   */
  readonly managedPolicies?: Array<IManagedPolicy>;
}
|
/**
 * Shared base declaration for IAM groups.
 *
 * Concrete subclasses supply `groupName` and `groupArn`. This class declares
 * the principal members and the methods for attaching policies and users.
 * Only signatures are visible in this declaration file, so the notes marked
 * NOTE(review) below should be confirmed against the implementation.
 */
declare abstract class GroupBase extends Resource implements IGroup {
  /** The name of the IAM group; provided by the concrete subclass. */
  abstract readonly groupName: string;

  /** The ARN of the IAM group; provided by the concrete subclass. */
  abstract readonly groupArn: string;

  /**
   * The principal that grants are applied to.
   * NOTE(review): presumably the group itself. Confirm in the implementation.
   */
  readonly grantPrincipal: IPrincipal;

  /** The account of this principal, or `undefined` when it is not known. */
  readonly principalAccount: string | undefined;

  /**
   * The action name declared for assuming a role as this principal.
   * NOTE(review): the value is not visible in this declaration file.
   */
  readonly assumeRoleAction: string;

  // Private state; the types are erased in the emitted declaration.
  private readonly attachedPolicies;
  private defaultPolicy?;

  /**
   * The policy fragment that represents this group as a principal.
   *
   * NOTE(review): IAM does not accept a group as the `Principal` of a
   * resource-based or trust policy, so check how callers use this value.
   */
  get policyFragment(): PrincipalPolicyFragment;

  /**
   * Adds a user to this group.
   *
   * The user gains every permission attached to the group, so review
   * membership changes as permission changes.
   *
   * @param user The user to add.
   */
  addUser(user: IUser): void;

  /**
   * Attaches an inline policy to this group.
   *
   * @param policy The policy to attach.
   */
  attachInlinePolicy(policy: Policy): void;

  /**
   * Base declaration for attaching a managed policy.
   *
   * NOTE(review): the underscore-prefixed parameter suggests that the base
   * implementation ignores its argument. If so, calling this on a group that
   * is not a `Group` instance (for example an imported one) attaches nothing.
   * Confirm before relying on it.
   *
   * @param _policy The managed policy to attach.
   */
  addManagedPolicy(_policy: IManagedPolicy): void;

  /**
   * Adds an IAM statement to the default policy.
   *
   * @param statement The statement to add.
   * @returns The result object describing the outcome of the addition.
   */
  addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult;

  /**
   * Adds an IAM statement and reports the outcome as a boolean.
   *
   * NOTE(review): this looks like the boolean-returning counterpart of
   * `addToPrincipalPolicy`. Confirm what a `false` result means before
   * ignoring it, because a statement that was not added is a grant that
   * did not happen.
   *
   * @param statement The statement to add.
   */
  addToPolicy(statement: PolicyStatement): boolean;
}
|
/**
 * An IAM Group is a collection of IAM users. It lets you specify permissions
 * once for multiple users, which can make those permissions easier to manage.
 *
 * Everything attached to the group (managed policies, inline policies,
 * statements added to the default policy) applies to every member.
 *
 * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
 */
export declare class Group extends GroupBase {
  /** The name of the IAM group. */
  readonly groupName: string;

  /** The ARN of the IAM group. */
  readonly groupArn: string;

  // Private state; the type is erased in the emitted declaration.
  private readonly managedPolicies;

  /**
   * Defines a new IAM group.
   *
   * @param scope construct scope
   * @param id construct id
   * @param props optional group properties; see `GroupProps` for the defaults
   */
  constructor(scope: Construct, id: string, props?: GroupProps);

  /**
   * Import an external group by ARN.
   *
   * Caveat: if the ARN is a Token (such as a `CfnParameter.valueAsString` or
   * a `Fn.importValue()`) *and* the referenced group has a `path` (like
   * `arn:...:group/AdminGroup/NetworkAdmin`), the `groupName` property does
   * not resolve to the correct value. It resolves to the first path
   * component, because the full path name cannot be computed as a
   * CloudFormation expression. In that scenario, supply the Group ARN
   * without the `path` so that the correct group resource is resolved.
   *
   * Until then, treat the `groupName` of such an import as unreliable
   * wherever it decides which group is referenced.
   *
   * @param scope construct scope
   * @param id construct id
   * @param groupArn the ARN of the group to import (e.g. `arn:aws:iam::account-id:group/group-name`)
   * @returns the imported group, typed as `IGroup`
   */
  static fromGroupArn(scope: Construct, id: string, groupArn: string): IGroup;

  /**
   * Import an existing group by its name (with path).
   *
   * This method has the same caveats as `fromGroupArn`.
   *
   * @param scope construct scope
   * @param id construct id
   * @param groupName the groupName (path included) of the existing group to import
   * @returns the imported group, typed as `IGroup`
   */
  static fromGroupName(scope: Construct, id: string, groupName: string): IGroup;

  /**
   * Attaches a managed policy to this group.
   *
   * Every user in the group receives the permissions of the attached policy.
   *
   * @param policy The managed policy to attach.
   */
  addManagedPolicy(policy: IManagedPolicy): void;
}
|
131 | export {};
|