| 1 | import { Stack } from './stack';
|
| 2 | /**
|
| 3 | * An enum representing the various ARN formats that different services use.
|
| 4 | */
|
| 5 | export declare enum ArnFormat {
|
| 6 | /**
|
| 7 | * This represents a format where there is no 'resourceName' part.
|
| 8 | * This format is used for S3 resources,
|
| 9 | * like 'arn:aws:s3:::bucket'.
|
| 10 | * Everything after the last colon is considered the 'resource',
|
| 11 | * even if it contains slashes,
|
| 12 | * like in 'arn:aws:s3:::bucket/object.zip'.
|
| 13 | */
|
| 14 | NO_RESOURCE_NAME = "arn:aws:service:region:account:resource",
|
| 15 | /**
|
| 16 | * This represents a format where the 'resource' and 'resourceName'
|
| 17 | * parts are separated with a colon.
|
| 18 | * Like in: 'arn:aws:service:region:account:resource:resourceName'.
|
| 19 | * Everything after the last colon is considered the 'resourceName',
|
| 20 | * even if it contains slashes,
|
| 21 | * like in 'arn:aws:apigateway:region:account:resource:/test/mydemoresource/*'.
|
| 22 | */
|
| 23 | COLON_RESOURCE_NAME = "arn:aws:service:region:account:resource:resourceName",
|
| 24 | /**
|
| 25 | * This represents a format where the 'resource' and 'resourceName'
|
| 26 | * parts are separated with a slash.
|
| 27 | * Like in: 'arn:aws:service:region:account:resource/resourceName'.
|
| 28 | * Everything after the separating slash is considered the 'resourceName',
|
| 29 | * even if it contains colons,
|
| 30 | * like in 'arn:aws:cognito-sync:region:account:identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678:bla'.
|
| 31 | */
|
| 32 | SLASH_RESOURCE_NAME = "arn:aws:service:region:account:resource/resourceName",
|
| 33 | /**
|
| 34 | * This represents a format where the 'resource' and 'resourceName'
|
| 35 | * parts are seperated with a slash,
|
| 36 | * but there is also an additional slash after the colon separating 'account' from 'resource'.
|
| 37 | * Like in: 'arn:aws:service:region:account:/resource/resourceName'.
|
| 38 | * Note that the leading slash is _not_ included in the parsed 'resource' part.
|
| 39 | */
|
| 40 | SLASH_RESOURCE_SLASH_RESOURCE_NAME = "arn:aws:service:region:account:/resource/resourceName"
|
| 41 | }
|
| 42 | export interface ArnComponents {
|
| 43 | /**
|
| 44 | * The partition that the resource is in. For standard AWS regions, the
|
| 45 | * partition is aws. If you have resources in other partitions, the
|
| 46 | * partition is aws-partitionname. For example, the partition for resources
|
| 47 | * in the China (Beijing) region is aws-cn.
|
| 48 | *
|
| 49 | * @default The AWS partition the stack is deployed to.
|
| 50 | */
|
| 51 | readonly partition?: string;
|
| 52 | /**
|
| 53 | * The service namespace that identifies the AWS product (for example,
|
| 54 | * 's3', 'iam', 'codepipline').
|
| 55 | */
|
| 56 | readonly service: string;
|
| 57 | /**
|
| 58 | * The region the resource resides in. Note that the ARNs for some resources
|
| 59 | * do not require a region, so this component might be omitted.
|
| 60 | *
|
| 61 | * @default The region the stack is deployed to.
|
| 62 | */
|
| 63 | readonly region?: string;
|
| 64 | /**
|
| 65 | * The ID of the AWS account that owns the resource, without the hyphens.
|
| 66 | * For example, 123456789012. Note that the ARNs for some resources don't
|
| 67 | * require an account number, so this component might be omitted.
|
| 68 | *
|
| 69 | * @default The account the stack is deployed to.
|
| 70 | */
|
| 71 | readonly account?: string;
|
| 72 | /**
|
| 73 | * Resource type (e.g. "table", "autoScalingGroup", "certificate").
|
| 74 | * For some resource types, e.g. S3 buckets, this field defines the bucket name.
|
| 75 | */
|
| 76 | readonly resource: string;
|
| 77 | /**
|
| 78 | * Separator between resource type and the resource.
|
| 79 | *
|
| 80 | * Can be either '/', ':' or an empty string. Will only be used if resourceName is defined.
|
| 81 | * @default '/'
|
| 82 | *
|
| 83 | * @deprecated use arnFormat instead
|
| 84 | */
|
| 85 | readonly sep?: string;
|
| 86 | /**
|
| 87 | * Resource name or path within the resource (i.e. S3 bucket object key) or
|
| 88 | * a wildcard such as ``"*"``. This is service-dependent.
|
| 89 | */
|
| 90 | readonly resourceName?: string;
|
| 91 | /**
|
| 92 | * The specific ARN format to use for this ARN value.
|
| 93 | *
|
| 94 | * @default - uses value of `sep` as the separator for formatting,
|
| 95 | * `ArnFormat.SLASH_RESOURCE_NAME` if that property was also not provided
|
| 96 | */
|
| 97 | readonly arnFormat?: ArnFormat;
|
| 98 | }
|
| 99 | export declare class Arn {
|
| 100 | /**
|
| 101 | * Creates an ARN from components.
|
| 102 | *
|
| 103 | * If `partition`, `region` or `account` are not specified, the stack's
|
| 104 | * partition, region and account will be used.
|
| 105 | *
|
| 106 | * If any component is the empty string, an empty string will be inserted
|
| 107 | * into the generated ARN at the location that component corresponds to.
|
| 108 | *
|
| 109 | * The ARN will be formatted as follows:
|
| 110 | *
|
| 111 | * arn:{partition}:{service}:{region}:{account}:{resource}{sep}{resource-name}
|
| 112 | *
|
| 113 | * The required ARN pieces that are omitted will be taken from the stack that
|
| 114 | * the 'scope' is attached to. If all ARN pieces are supplied, the supplied scope
|
| 115 | * can be 'undefined'.
|
| 116 | */
|
| 117 | static format(components: ArnComponents, stack?: Stack): string;
|
| 118 | /**
|
| 119 | * Given an ARN, parses it and returns components.
|
| 120 | *
|
| 121 | * IF THE ARN IS A CONCRETE STRING...
|
| 122 | *
|
| 123 | * ...it will be parsed and validated. The separator (`sep`) will be set to '/'
|
| 124 | * if the 6th component includes a '/', in which case, `resource` will be set
|
| 125 | * to the value before the '/' and `resourceName` will be the rest. In case
|
| 126 | * there is no '/', `resource` will be set to the 6th components and
|
| 127 | * `resourceName` will be set to the rest of the string.
|
| 128 | *
|
| 129 | * IF THE ARN IS A TOKEN...
|
| 130 | *
|
| 131 | * ...it cannot be validated, since we don't have the actual value yet at the
|
| 132 | * time of this function call. You will have to supply `sepIfToken` and
|
| 133 | * whether or not ARNs of the expected format usually have resource names
|
| 134 | * in order to parse it properly. The resulting `ArnComponents` object will
|
| 135 | * contain tokens for the subexpressions of the ARN, not string literals.
|
| 136 | *
|
| 137 | * If the resource name could possibly contain the separator char, the actual
|
| 138 | * resource name cannot be properly parsed. This only occurs if the separator
|
| 139 | * char is '/', and happens for example for S3 object ARNs, IAM Role ARNs,
|
| 140 | * IAM OIDC Provider ARNs, etc. To properly extract the resource name from a
|
| 141 | * Tokenized ARN, you must know the resource type and call
|
| 142 | * `Arn.extractResourceName`.
|
| 143 | *
|
| 144 | * @param arn The ARN to parse
|
| 145 | * @param sepIfToken The separator used to separate resource from resourceName
|
| 146 | * @param hasName Whether there is a name component in the ARN at all. For
|
| 147 | * example, SNS Topics ARNs have the 'resource' component contain the topic
|
| 148 | * name, and no 'resourceName' component.
|
| 149 | *
|
| 150 | * @returns an ArnComponents object which allows access to the various
|
| 151 | * components of the ARN.
|
| 152 | *
|
| 153 | * @returns an ArnComponents object which allows access to the various
|
| 154 | * components of the ARN.
|
| 155 | *
|
| 156 | * @deprecated use split instead
|
| 157 | */
|
| 158 | static parse(arn: string, sepIfToken?: string, hasName?: boolean): ArnComponents;
|
| 159 | /**
|
| 160 | * Splits the provided ARN into its components.
|
| 161 | * Works both if 'arn' is a string like 'arn:aws:s3:::bucket',
|
| 162 | * and a Token representing a dynamic CloudFormation expression
|
| 163 | * (in which case the returned components will also be dynamic CloudFormation expressions,
|
| 164 | * encoded as Tokens).
|
| 165 | *
|
| 166 | * @param arn the ARN to split into its components
|
| 167 | * @param arnFormat the expected format of 'arn' - depends on what format the service 'arn' represents uses
|
| 168 | */
|
| 169 | static split(arn: string, arnFormat: ArnFormat): ArnComponents;
|
| 170 | /**
|
| 171 | * Extract the full resource name from an ARN
|
| 172 | *
|
| 173 | * Necessary for resource names (paths) that may contain the separator, like
|
| 174 | * `arn:aws:iam::111111111111:role/path/to/role/name`.
|
| 175 | *
|
| 176 | * Only works if we statically know the expected `resourceType` beforehand, since we're going
|
| 177 | * to use that to split the string on ':<resourceType>/' (and take the right-hand side).
|
| 178 | *
|
| 179 | * We can't extract the 'resourceType' from the ARN at hand, because CloudFormation Expressions
|
| 180 | * only allow literals in the 'separator' argument to `{ Fn::Split }`, and so it can't be
|
| 181 | * `{ Fn::Select: [5, { Fn::Split: [':', ARN] }}`.
|
| 182 | *
|
| 183 | * Only necessary for ARN formats for which the type-name separator is `/`.
|
| 184 | */
|
| 185 | static extractResourceName(arn: string, resourceType: string): string;
|
| 186 | private constructor();
|
| 187 | }
|