diff --git a/examples/cdk-examples-typescript/advanced-usage/index.ts b/examples/cdk-examples-typescript/advanced-usage/index.ts
index 6bc453eb5b1fd..479534795eca3 100644
--- a/examples/cdk-examples-typescript/advanced-usage/index.ts
+++ b/examples/cdk-examples-typescript/advanced-usage/index.ts
@@ -16,7 +16,7 @@ class PolicyExample extends cdk.Stack {
 // here's how to create an IAM Role with an assume policy for the Lambda
 // service principal.
 const role = new iam.Role(this, 'Role', {
- assumedBy: new cdk.ServicePrincipal('lambda.amazon.aws.com')
+ assumedBy: new iam.ServicePrincipal('lambda.amazon.aws.com')
 });
 // when you call `addToPolicy`, a default policy is defined and attached
@@ -24,7 +24,7 @@ class PolicyExample extends cdk.Stack {
 const bucket = new s3.Bucket(this, 'MyBucket');
 // the role also has a policy attached to it.
- role.addToPolicy(new cdk.PolicyStatement()
+ role.addToPolicy(new iam.PolicyStatement()
 .addResource(bucket.arnForObjects('*'))
 .addResource(bucket.bucketArn)
 .addActions('s3:*'));
diff --git a/examples/cdk-examples-typescript/bucket-import-export/index.ts b/examples/cdk-examples-typescript/bucket-import-export/index.ts
index 03811a8059b21..a9c97c25d06d2 100644
--- a/examples/cdk-examples-typescript/bucket-import-export/index.ts
+++ b/examples/cdk-examples-typescript/bucket-import-export/index.ts
@@ -25,7 +25,7 @@ class ConsumerConstruct extends cdk.Construct {
 constructor(parent: cdk.Construct, name: string, props: ConsumerConstructProps) {
 super(parent, name);
- props.bucket.addToResourcePolicy(new cdk.PolicyStatement().addAction('*'));
+ props.bucket.addToResourcePolicy(new iam.PolicyStatement().addAction('*'));
 }
 }
diff --git a/examples/cdk-examples-typescript/sns-sqs/index.ts b/examples/cdk-examples-typescript/sns-sqs/index.ts
index 58dcbff371ea9..5e58c2aafe9b3 100644
--- a/examples/cdk-examples-typescript/sns-sqs/index.ts
+++ b/examples/cdk-examples-typescript/sns-sqs/index.ts
@@ -1,3 +1,4 @@
+import iam = require('@aws-cdk/aws-iam');
 import sns = require('@aws-cdk/aws-sns');
 import sqs = require('@aws-cdk/aws-sqs');
 import cdk = require('@aws-cdk/cdk');
@@ -28,8 +29,8 @@ class CFN extends cdk.Stack {
 protocol: 'sqs'
 });
- const policyDocument = new cdk.PolicyDocument();
- policyDocument.addStatement(new cdk.PolicyStatement()
+ const policyDocument = new iam.PolicyDocument();
+ policyDocument.addStatement(new iam.PolicyStatement()
 .addResource(queue.queueArn)
 .addAction('sqs:SendMessage')
 .addServicePrincipal('sns.amazonaws.com')
diff --git a/packages/@aws-cdk/aws-apigateway/lib/integrations/lambda.ts b/packages/@aws-cdk/aws-apigateway/lib/integrations/lambda.ts
index 3305e4fe94031..72dde50ef2f1e 100644
--- a/packages/@aws-cdk/aws-apigateway/lib/integrations/lambda.ts
+++ b/packages/@aws-cdk/aws-apigateway/lib/integrations/lambda.ts
@@ -1,5 +1,5 @@
+import iam = require('@aws-cdk/aws-iam');
 import lambda = require('@aws-cdk/aws-lambda');
-import cdk = require('@aws-cdk/cdk');
 import { IntegrationOptions } from '../integration';
 import { Method } from '../method';
 import { AwsIntegration } from './aws';
@@ -52,7 +52,7 @@ export class LambdaIntegration extends AwsIntegration {
 }
 public bind(method: Method) {
- const principal = new cdk.ServicePrincipal('apigateway.amazonaws.com');
+ const principal = new iam.ServicePrincipal('apigateway.amazonaws.com');
 const desc = `${method.httpMethod}.${method.resource.resourcePath.replace(/\//g, '.')}`;
diff --git a/packages/@aws-cdk/aws-apigateway/lib/restapi.ts b/packages/@aws-cdk/aws-apigateway/lib/restapi.ts
index 800c2c564a4a7..6ad39ed4bbc4e 100644
--- a/packages/@aws-cdk/aws-apigateway/lib/restapi.ts
+++ b/packages/@aws-cdk/aws-apigateway/lib/restapi.ts
@@ -66,7 +66,7 @@ export interface RestApiProps extends ResourceOptions {
 /**
 * A policy document that contains the permissions for this RestApi
 */
- policy?: cdk.PolicyDocument;
+ policy?: iam.PolicyDocument;
 /**
 * A description of the purpose of this API Gateway RestApi resource.
@@ -314,7 +314,7 @@ export class RestApi extends RestApiRef implements cdk.IDependable {
 private configureCloudWatchRole(apiResource: cloudformation.RestApiResource) {
 const role = new iam.Role(this, 'CloudWatchRole', {
- assumedBy: new cdk.ServicePrincipal('apigateway.amazonaws.com'),
+ assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com'),
 managedPolicyArns: [
 cdk.ArnUtils.fromComponents({
 service: 'iam',
 region: '',
diff --git a/packages/@aws-cdk/aws-apigateway/test/test.method.ts b/packages/@aws-cdk/aws-apigateway/test/test.method.ts
index 22f0e74729acf..99877d8041d54 100644
--- a/packages/@aws-cdk/aws-apigateway/test/test.method.ts
+++ b/packages/@aws-cdk/aws-apigateway/test/test.method.ts
@@ -206,7 +206,7 @@ export = {
 // GIVEN
 const stack = new cdk.Stack();
 const api = new apigateway.RestApi(stack, 'test-api', { deploy: false });
- const role = new iam.Role(stack, 'MyRole', { assumedBy: new cdk.ServicePrincipal('foo') });
+ const role = new iam.Role(stack, 'MyRole', { assumedBy: new iam.ServicePrincipal('foo') });
 // WHEN
 api.root.addMethod('GET', new apigateway.Integration({
@@ -251,7 +251,7 @@ export = {
 // GIVEN
 const stack = new cdk.Stack();
 const api = new apigateway.RestApi(stack, 'test-api', { deploy: false });
- const role = new iam.Role(stack, 'MyRole', { assumedBy: new cdk.ServicePrincipal('foo') });
+ const role = new iam.Role(stack, 'MyRole', { assumedBy: new iam.ServicePrincipal('foo') });
 // WHEN
 const integration = new apigateway.Integration({
diff --git a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
index acf23e55ec05f..47f058f6f24fa 100644
--- a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
+++ b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
@@ -190,7 +190,7 @@ export class AutoScalingGroup extends cdk.Construct implements cdk.ITaggable, el
 }
 this.role = new iam.Role(this, 'InstanceRole', {
- assumedBy: new cdk.ServicePrincipal('ec2.amazonaws.com')
+ assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
 });
 const iamProfile = new iam.cloudformation.InstanceProfileResource(this, 'InstanceProfile', {
@@ -302,7 +302,7 @@ export class AutoScalingGroup extends cdk.Construct implements cdk.ITaggable, el
 /**
 * Adds a statement to the IAM role assumed by instances of this fleet.
 */
- public addToRolePolicy(statement: cdk.PolicyStatement) {
+ public addToRolePolicy(statement: iam.PolicyStatement) {
 this.role.addToPolicy(statement);
 }
diff --git a/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
index 322d79f8f0f8e..453ded434a48e 100644
--- a/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
+++ b/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
@@ -1,5 +1,6 @@
 import { expect, haveResource, ResourcePart } from '@aws-cdk/assert';
 import ec2 = require('@aws-cdk/aws-ec2');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { Test } from 'nodeunit';
 import autoscaling = require('../lib');
@@ -137,7 +138,7 @@ export = {
 vpc
 });
- fleet.addToRolePolicy(new cdk.PolicyStatement()
+ fleet.addToRolePolicy(new iam.PolicyStatement()
 .addAction('test:SpecialName')
 .addAllResources());
diff --git a/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts b/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts
index cf271353ea47a..2ed7ccbd5d13a 100644
--- a/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts
+++ b/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts
@@ -89,7 +89,7 @@ export class PipelineExecuteChangeSetAction extends PipelineCloudFormationAction
 ChangeSetName: props.changeSetName,
 });
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addAction('cloudformation:ExecuteChangeSet')
 .addResource(stackArnFromName(props.stackName))
 .addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName }));
@@ -201,11 +201,11 @@ export abstract class PipelineCloudFormationDeployAction extends PipelineCloudFo
 this.role = props.role;
 } else {
 this.role = new iam.Role(this, 'Role', {
- assumedBy: new cdk.ServicePrincipal('cloudformation.amazonaws.com')
+ assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com')
 });
 if (props.fullPermissions) {
- this.role.addToPolicy(new cdk.PolicyStatement().addAction('*').addAllResources());
+ this.role.addToPolicy(new iam.PolicyStatement().addAction('*').addAllResources());
 }
 }
 }
@@ -213,7 +213,7 @@ export abstract class PipelineCloudFormationDeployAction extends PipelineCloudFo
 /**
 * Add statement to the service role assumed by CloudFormation while executing this action.
 */
- public addToRolePolicy(statement: cdk.PolicyStatement) {
+ public addToRolePolicy(statement: iam.PolicyStatement) {
 return this.role.addToPolicy(statement);
 }
 }
@@ -254,16 +254,16 @@ export class PipelineCreateReplaceChangeSetAction extends PipelineCloudFormation
 const stackArn = stackArnFromName(props.stackName);
 // Allow the pipeline to check for Stack & ChangeSet existence
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addAction('cloudformation:DescribeStacks')
 .addResource(stackArn));
 // Allow the pipeline to create & delete the specified ChangeSet
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addActions('cloudformation:CreateChangeSet', 'cloudformation:DeleteChangeSet', 'cloudformation:DescribeChangeSet')
 .addResource(stackArn)
 .addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName }));
 // Allow the pipeline to pass this actions' role to CloudFormation
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addAction('iam:PassRole')
 .addResource(this.role.roleArn));
 }
diff --git a/packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts b/packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts
index c251c63c78bf8..24b8044c4e362 100644
--- a/packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts
+++ b/packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts
@@ -170,11 +170,11 @@ class StageDouble implements cpapi.IStage {
 class RoleDouble extends iam.Role {
 public readonly statements = new Array();
- constructor(parent: cdk.Construct, id: string, props: iam.RoleProps = { assumedBy: new cdk.ServicePrincipal('test') }) {
+ constructor(parent: cdk.Construct, id: string, props: iam.RoleProps = { assumedBy: new iam.ServicePrincipal('test') }) {
 super(parent, id, props);
 }
- public addToPolicy(statement: cdk.PolicyStatement) {
+ public addToPolicy(statement: iam.PolicyStatement) {
 super.addToPolicy(statement);
 this.statements.push(statement.toJson());
 }
diff --git a/packages/@aws-cdk/aws-cloudtrail/lib/index.ts b/packages/@aws-cdk/aws-cloudtrail/lib/index.ts
index a2047f73f18b3..792d86b37f958 100644
--- a/packages/@aws-cdk/aws-cloudtrail/lib/index.ts
+++ b/packages/@aws-cdk/aws-cloudtrail/lib/index.ts
@@ -132,12 +132,12 @@ export class CloudTrail extends cdk.Construct {
 const s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.Unencrypted});
 const cloudTrailPrincipal = "cloudtrail.amazonaws.com";
- s3bucket.addToResourcePolicy(new cdk.PolicyStatement()
+ s3bucket.addToResourcePolicy(new iam.PolicyStatement()
 .addResource(s3bucket.bucketArn)
 .addActions('s3:GetBucketAcl')
 .addServicePrincipal(cloudTrailPrincipal));
- s3bucket.addToResourcePolicy(new cdk.PolicyStatement()
+ s3bucket.addToResourcePolicy(new iam.PolicyStatement()
 .addResource(s3bucket.arnForObjects(new cdk.FnConcat('/AWSLogs/', new cdk.AwsAccountId())))
 .addActions("s3:PutObject")
 .addServicePrincipal(cloudTrailPrincipal)
@@ -149,10 +149,10 @@ export class CloudTrail extends cdk.Construct {
 });
 this.cloudWatchLogsGroupArn = logGroup.logGroupArn;
- const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new cdk.ServicePrincipal(cloudTrailPrincipal) });
+ const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
 const streamArn = `${this.cloudWatchLogsRoleArn}:log-stream:*`;
- logsRole.addToPolicy(new cdk.PolicyStatement()
+ logsRole.addToPolicy(new iam.PolicyStatement()
 .addActions("logs:PutLogEvents", "logs:CreateLogStream")
 .addResource(streamArn));
 this.cloudWatchLogsRoleArn = logsRole.roleArn;
diff --git a/packages/@aws-cdk/aws-cloudwatch/lib/metric.ts b/packages/@aws-cdk/aws-cloudwatch/lib/metric.ts
index d5b3a061a8c0b..f938fa85d7b73 100644
--- a/packages/@aws-cdk/aws-cloudwatch/lib/metric.ts
+++ b/packages/@aws-cdk/aws-cloudwatch/lib/metric.ts
@@ -90,7 +90,7 @@ export class Metric {
 public static grantPutMetricData(identity?: iam.IIdentityResource) {
 if (!identity) { return; }
- identity.addToPolicy(new cdk.PolicyStatement()
+ identity.addToPolicy(new iam.PolicyStatement()
 .addAllResources()
 .addAction("cloudwatch:PutMetricData"));
 }
diff --git a/packages/@aws-cdk/aws-cloudwatch/test/test.metrics.ts b/packages/@aws-cdk/aws-cloudwatch/test/test.metrics.ts
index 6e9635c388548..8169f04484a57 100644
--- a/packages/@aws-cdk/aws-cloudwatch/test/test.metrics.ts
+++ b/packages/@aws-cdk/aws-cloudwatch/test/test.metrics.ts
@@ -9,7 +9,7 @@ export = {
 // GIVEN
 const stack = new cdk.Stack();
 const role = new iam.Role(stack, 'SomeRole', {
- assumedBy: new cdk.Anyone()
+ assumedBy: new iam.Anyone()
 });
 // WHEN
diff --git a/packages/@aws-cdk/aws-codebuild/lib/pipeline-actions.ts b/packages/@aws-cdk/aws-codebuild/lib/pipeline-actions.ts
index d29bd8ff66f47..083132babbcf2 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/pipeline-actions.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/pipeline-actions.ts
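Review bot: The resource of the `logsRole` policy is built from the wrong field on the context line ``const streamArn = `${this.cloudWatchLogsRoleArn}:log-stream:*`;`` — it interpolates the role ARN, which (unless it is set earlier outside the hunk) is only assigned three lines later by `this.cloudWatchLogsRoleArn = logsRole.roleArn;`, so the `logs:PutLogEvents`/`logs:CreateLogStream` grant is not scoped to the log group created just above. It should presumably read ``const streamArn = `${this.cloudWatchLogsGroupArn}:log-stream:*`;``, using the group ARN assigned in the hunk's second context line. The commit only swaps `cdk.` for `iam.` on the surrounding lines and leaves this as is; it is worth fixing in the same pass, since a mis-scoped resource means the role cannot write to the intended stream. The enclosing constructor starts outside the hunk.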
@@ -1,4 +1,5 @@
 import codepipeline = require('@aws-cdk/aws-codepipeline-api');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { ProjectRef } from './project';
@@ -53,7 +54,7 @@ export class PipelineBuildAction extends codepipeline.BuildAction {
 'codebuild:StopBuild',
 ];
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addResource(props.project.projectArn)
 .addActions(...actions));
diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
index 9111f1c11bdcf..11c7f63c0e7fb 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/project.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -279,10 +279,10 @@ export abstract class ProjectRef extends cdk.Construct implements events.IEventR
 public asEventRuleTarget(_ruleArn: string, _ruleId: string): events.EventRuleTargetProps {
 if (!this.eventsRole) {
 this.eventsRole = new iam.Role(this, 'EventsRole', {
- assumedBy: new cdk.ServicePrincipal('events.amazonaws.com')
+ assumedBy: new iam.ServicePrincipal('events.amazonaws.com')
 });
- this.eventsRole.addToPolicy(new cdk.PolicyStatement()
+ this.eventsRole.addToPolicy(new iam.PolicyStatement()
 .addAction('codebuild:StartBuild')
 .addResource(this.projectArn));
 }
@@ -446,7 +446,7 @@ export class Project extends ProjectRef {
 }
 this.role = props.role || new iam.Role(this, 'Role', {
- assumedBy: new cdk.ServicePrincipal('codebuild.amazonaws.com')
+ assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com')
 });
 let cache: cloudformation.ProjectResource.ProjectCacheProperty | undefined;
@@ -515,7 +515,7 @@ export class Project extends ProjectRef {
 * Add a permission only if there's a policy attached.
 * @param statement The permissions statement to add
 */
- public addToRolePolicy(statement: cdk.PolicyStatement) {
+ public addToRolePolicy(statement: iam.PolicyStatement) {
 if (this.role) {
 this.role.addToPolicy(statement);
 }
@@ -531,7 +531,7 @@ export class Project extends ProjectRef {
 const logGroupStarArn = `${logGroupArn}:*`;
- const p = new cdk.PolicyStatement();
+ const p = new iam.PolicyStatement();
 p.allow();
 p.addResource(logGroupArn);
 p.addResource(logGroupStarArn);
diff --git a/packages/@aws-cdk/aws-codebuild/lib/source.ts b/packages/@aws-cdk/aws-codebuild/lib/source.ts
index 485dc1e5147ab..2fef03ce0db39 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/source.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/source.ts
@@ -1,4 +1,5 @@
 import codecommit = require('@aws-cdk/aws-codecommit');
+import iam = require('@aws-cdk/aws-iam');
 import s3 = require('@aws-cdk/aws-s3');
 import cdk = require('@aws-cdk/cdk');
 import { cloudformation } from './codebuild.generated';
@@ -43,7 +44,7 @@ export class CodeCommitSource extends BuildSource {
 public bind(project: Project) {
 // https://docs.aws.amazon.com/codebuild/latest/userguide/setting-up.html
- project.addToRolePolicy(new cdk.PolicyStatement()
+ project.addToRolePolicy(new iam.PolicyStatement()
 .addAction('codecommit:GitPull')
 .addResource(this.repo.repositoryArn));
 }
diff --git a/packages/@aws-cdk/aws-codecommit/lib/pipeline-action.ts b/packages/@aws-cdk/aws-codecommit/lib/pipeline-action.ts
index 0699e4ff8ace3..e41dbdd6d51bc 100644
--- a/packages/@aws-cdk/aws-codecommit/lib/pipeline-action.ts
+++ b/packages/@aws-cdk/aws-codecommit/lib/pipeline-action.ts
@@ -1,4 +1,5 @@
 import codepipeline = require('@aws-cdk/aws-codepipeline-api');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { RepositoryRef } from './repository';
@@ -63,7 +64,7 @@ export class PipelineSourceAction extends codepipeline.SourceAction {
 'codecommit:CancelUploadArchive',
 ];
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addResource(props.repository.repositoryArn)
 .addActions(...actions));
 }
diff --git a/packages/@aws-cdk/aws-codedeploy/lib/deployment-group.ts b/packages/@aws-cdk/aws-codedeploy/lib/deployment-group.ts
index 37f448669185d..2fa51c92cac50 100644
--- a/packages/@aws-cdk/aws-codedeploy/lib/deployment-group.ts
+++ b/packages/@aws-cdk/aws-codedeploy/lib/deployment-group.ts
@@ -1,9 +1,9 @@
 import autoscaling = require("@aws-cdk/aws-autoscaling");
 import codedeploylb = require("@aws-cdk/aws-codedeploy-api");
 import ec2 = require("@aws-cdk/aws-ec2");
+import iam = require('@aws-cdk/aws-iam');
 import s3 = require("@aws-cdk/aws-s3");
 import cdk = require("@aws-cdk/cdk");
-import iam = require("../../aws-iam/lib/role");
 import { ServerApplication, ServerApplicationRef } from "./application";
 import { cloudformation } from './codedeploy.generated';
 import { IServerDeploymentConfig, ServerDeploymentConfig } from "./deployment-config";
@@ -174,7 +174,7 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupRef {
 this.application = props.application || new ServerApplication(this, 'Application');
 this.role = props.role || new iam.Role(this, 'Role', {
- assumedBy: new cdk.ServicePrincipal('codedeploy.amazonaws.com'),
+ assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),
 managedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole'],
 });
diff --git a/packages/@aws-cdk/aws-codedeploy/lib/pipeline-action.ts b/packages/@aws-cdk/aws-codedeploy/lib/pipeline-action.ts
index 72e2d177a4217..0f79eedc7cbf6 100644
--- a/packages/@aws-cdk/aws-codedeploy/lib/pipeline-action.ts
+++ b/packages/@aws-cdk/aws-codedeploy/lib/pipeline-action.ts
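Review bot: The added `import iam = require('@aws-cdk/aws-iam');` in deployment-group.ts uses single quotes while every other `require` line in that import block uses double quotes; for consistency with its neighbours it should be `import iam = require("@aws-cdk/aws-iam");`. Replacing the relative `../../aws-iam/lib/role` import with the package import is the right move, and it also means `iam.ServicePrincipal` in the second hunk now resolves from the package's public surface rather than one internal module. The file's quoting is already mixed (`'./codedeploy.generated'` two lines down), so the wider convention is a question beyond this hunk; matching the adjacent lines is enough here.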
@@ -1,4 +1,5 @@
 import actions = require('@aws-cdk/aws-codepipeline-api');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 /**
@@ -49,7 +50,7 @@ export class PipelineDeployAction extends actions.DeployAction {
 resourceName: props.applicationName,
 sep: ':',
 });
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addResource(applicationArn)
 .addActions(
 'codedeploy:GetApplicationRevision',
@@ -62,7 +63,7 @@ export class PipelineDeployAction extends actions.DeployAction {
 resourceName: `${props.applicationName}/${props.deploymentGroupName}`,
 sep: ':',
 });
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addResource(deploymentGroupArn)
 .addActions(
 'codedeploy:CreateDeployment',
@@ -75,7 +76,7 @@ export class PipelineDeployAction extends actions.DeployAction {
 resourceName: '*',
 sep: ':',
 });
- props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+ props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
 .addResource(deployConfigArn)
 .addActions(
 'codedeploy:GetDeploymentConfig',
diff --git a/packages/@aws-cdk/aws-codedeploy/package.json b/packages/@aws-cdk/aws-codedeploy/package.json
index 832349d9290a6..77c6faf01cf4d 100644
--- a/packages/@aws-cdk/aws-codedeploy/package.json
+++ b/packages/@aws-cdk/aws-codedeploy/package.json
@@ -63,6 +63,7 @@
 },
 "dependencies": {
 "@aws-cdk/aws-autoscaling": "^0.10.0",
+ "@aws-cdk/aws-iam": "^0.10.0",
 "@aws-cdk/aws-codedeploy-api": "^0.10.0",
 "@aws-cdk/aws-codepipeline-api": "^0.10.0",
 "@aws-cdk/aws-s3": "^0.10.0",
diff --git a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts
index 7a3d690d2aadc..f83cac1f4a161 100644
--- a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts
+++ b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts
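Review bot: In aws-codedeploy/package.json the new `"@aws-cdk/aws-iam": "^0.10.0",` entry is inserted between `aws-autoscaling` and `aws-codedeploy-api`, which breaks the alphabetical order the rest of the `dependencies` list follows; it belongs after `"@aws-cdk/aws-codepipeline-api": "^0.10.0",`. The aws-ecr/package.json hunk has the same issue in the other direction, appending `"@aws-cdk/aws-iam"` after `"@aws-cdk/cdk"` instead of before it, while the aws-elasticloadbalancingv2/package.json hunk places it correctly. A quick reorder keeps future dependency diffs minimal and the three packages consistent with each other.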
@@ -89,7 +89,7 @@ export class Pipeline extends cdk.Construct implements events.IEventRuleTarget {
 this.artifactBucket = propsBucket;
 this.role = new iam.Role(this, 'Role', {
- assumedBy: new cdk.ServicePrincipal('codepipeline.amazonaws.com')
+ assumedBy: new iam.ServicePrincipal('codepipeline.amazonaws.com')
 });
 const codePipeline = new cloudformation.PipelineResource(this, 'Resource', {
@@ -133,7 +133,7 @@ export class Pipeline extends cdk.Construct implements events.IEventRuleTarget {
 /**
 * Adds a statement to the pipeline role.
 */
- public addToRolePolicy(statement: cdk.PolicyStatement) {
+ public addToRolePolicy(statement: iam.PolicyStatement) {
 this.role.addToPolicy(statement);
 }
@@ -154,10 +154,10 @@ export class Pipeline extends cdk.Construct implements events.IEventRuleTarget {
 // role per pipeline.
 if (!this.eventsRole) {
 this.eventsRole = new iam.Role(this, 'EventsRole', {
- assumedBy: new cdk.ServicePrincipal('events.amazonaws.com')
+ assumedBy: new iam.ServicePrincipal('events.amazonaws.com')
 });
- this.eventsRole.addToPolicy(new cdk.PolicyStatement()
+ this.eventsRole.addToPolicy(new iam.PolicyStatement()
 .addResource(this.pipelineArn)
 .addAction('codepipeline:StartPipelineExecution'));
 }
diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-cfn.ts b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-cfn.ts
index 378083d5bee9f..2e3d49653bfbf 100644
--- a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-cfn.ts
+++ b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-cfn.ts
@@ -1,9 +1,9 @@
 import cfn = require('@aws-cdk/aws-cloudformation');
 import { ArtifactPath } from '@aws-cdk/aws-codepipeline-api';
 import { Role } from '@aws-cdk/aws-iam';
+import { ServicePrincipal } from '@aws-cdk/aws-iam';
 import s3 = require('@aws-cdk/aws-s3');
 import cdk = require('@aws-cdk/cdk');
-import { ServicePrincipal } from '@aws-cdk/cdk';
 import codepipeline = require('../lib');
 const app = new cdk.App(process.argv);
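Review bot: integ.pipeline-cfn.ts ends up with two separate imports from the same module — the existing `import { Role } from '@aws-cdk/aws-iam';` immediately followed by the added `import { ServicePrincipal } from '@aws-cdk/aws-iam';` — which should be merged into `import { Role, ServicePrincipal } from '@aws-cdk/aws-iam';`. The test.cloudformation-pipeline-actions.ts hunk has the same shape and would become `import { PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam';`. The dynamodb table.ts hunk in this same commit already does that merge, so it is only the two test files that are left inconsistent.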
diff --git a/packages/@aws-cdk/aws-codepipeline/test/test.cloudformation-pipeline-actions.ts b/packages/@aws-cdk/aws-codepipeline/test/test.cloudformation-pipeline-actions.ts
index 4994ee2243047..920a3fdc57e50 100644
--- a/packages/@aws-cdk/aws-codepipeline/test/test.cloudformation-pipeline-actions.ts
+++ b/packages/@aws-cdk/aws-codepipeline/test/test.cloudformation-pipeline-actions.ts
@@ -4,8 +4,8 @@ import { CodePipelineBuildArtifacts, CodePipelineSource, PipelineBuildAction, Pr
 import { PipelineSourceAction, Repository } from '@aws-cdk/aws-codecommit';
 import { ArtifactPath } from '@aws-cdk/aws-codepipeline-api';
 import { Role } from '@aws-cdk/aws-iam';
+import { PolicyStatement, ServicePrincipal } from '@aws-cdk/aws-iam';
 import cdk = require('@aws-cdk/cdk');
-import { PolicyStatement, ServicePrincipal } from '@aws-cdk/cdk';
 import { Test } from 'nodeunit';
 import { Pipeline, Stage } from '../lib';
diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
index 3fa09a9a52f83..922919cf4e6b9 100644
--- a/packages/@aws-cdk/aws-dynamodb/lib/table.ts
+++ b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
@@ -1,6 +1,6 @@
 import { cloudformation as applicationautoscaling } from '@aws-cdk/aws-applicationautoscaling';
-import { Role } from '@aws-cdk/aws-iam';
-import { Construct, PolicyStatement, PolicyStatementEffect, ServicePrincipal } from '@aws-cdk/cdk';
+import { PolicyStatement, PolicyStatementEffect, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
+import { Construct } from '@aws-cdk/cdk';
 import { cloudformation as dynamodb } from './dynamodb.generated';
 const HASH_KEY_TYPE = 'HASH';
diff --git a/packages/@aws-cdk/aws-ecr/lib/repository-ref.ts b/packages/@aws-cdk/aws-ecr/lib/repository-ref.ts
index 90b2dfd7e744d..f1acfaa91c822 100644
--- a/packages/@aws-cdk/aws-ecr/lib/repository-ref.ts
+++ b/packages/@aws-cdk/aws-ecr/lib/repository-ref.ts
@@ -1,3 +1,4 @@
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 /**
@@ -24,7 +25,7 @@ export abstract class RepositoryRef extends cdk.Construct {
 /**
 * Add a policy statement to the repository's resource policy
 */
- public abstract addToResourcePolicy(statement: cdk.PolicyStatement): void;
+ public abstract addToResourcePolicy(statement: iam.PolicyStatement): void;
 /**
 * Export this repository from the stack
@@ -62,7 +63,7 @@ class ImportedRepository extends RepositoryRef {
 this.repositoryName = cdk.ArnUtils.parse(props.repositoryArn).resourceName!;
 }
- public addToResourcePolicy(_statement: cdk.PolicyStatement) {
+ public addToResourcePolicy(_statement: iam.PolicyStatement) {
 // FIXME: Add annotation about policy we dropped on the floor
 }
 }
diff --git a/packages/@aws-cdk/aws-ecr/lib/repository.ts b/packages/@aws-cdk/aws-ecr/lib/repository.ts
index 5ba2622315752..142fa6f278dfa 100644
--- a/packages/@aws-cdk/aws-ecr/lib/repository.ts
+++ b/packages/@aws-cdk/aws-ecr/lib/repository.ts
@@ -1,3 +1,4 @@
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { cloudformation } from './ecr.generated';
 import { CountType, LifecycleRule, TagStatus } from './lifecycle';
@@ -45,7 +46,7 @@ export class Repository extends RepositoryRef {
 public readonly repositoryArn: string;
 private readonly lifecycleRules = new Array();
 private readonly registryId?: string;
- private policyDocument?: cdk.PolicyDocument;
+ private policyDocument?: iam.PolicyDocument;
 constructor(parent: cdk.Construct, id: string, props: RepositoryProps = {}) {
 super(parent, id);
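Review bot: `ImportedRepository.addToResourcePolicy` in repository-ref.ts still discards the statement silently — its body is only the `// FIXME: Add annotation about policy we dropped on the floor` comment — so a caller adding a statement to an imported repository gets neither an error nor a policy, and the commit retypes the parameter while leaving that behaviour in place. Until the FIXME is resolved, the doc comment on the abstract `RepositoryRef.addToResourcePolicy` in the earlier hunk should state the contract, e.g. add the line ` * Imported repositories (ImportedRepository) do not emit a resource policy; statements passed to them are currently ignored.` so callers are not misled about what was granted. A follow-up that surfaces the dropped statement as a synth-time warning would make the gap visible rather than silent. Both classes extend beyond the hunks shown.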
@@ -70,9 +71,9 @@ export class Repository extends RepositoryRef {
 this.repositoryArn = resource.repositoryArn;
 }
- public addToResourcePolicy(statement: cdk.PolicyStatement) {
+ public addToResourcePolicy(statement: iam.PolicyStatement) {
 if (this.policyDocument === undefined) {
- this.policyDocument = new cdk.PolicyDocument();
+ this.policyDocument = new iam.PolicyDocument();
 }
 this.policyDocument.addStatement(statement);
 }
diff --git a/packages/@aws-cdk/aws-ecr/package.json b/packages/@aws-cdk/aws-ecr/package.json
index f719c74e6cc9c..008cf1cee6a13 100644
--- a/packages/@aws-cdk/aws-ecr/package.json
+++ b/packages/@aws-cdk/aws-ecr/package.json
@@ -59,7 +59,8 @@
 "pkglint": "^0.10.0"
 },
 "dependencies": {
- "@aws-cdk/cdk": "^0.10.0"
+ "@aws-cdk/cdk": "^0.10.0",
+ "@aws-cdk/aws-iam": "^0.10.0"
 },
 "homepage": "https://github.com/awslabs/aws-cdk"
 }
diff --git a/packages/@aws-cdk/aws-ecr/test/test.repository.ts b/packages/@aws-cdk/aws-ecr/test/test.repository.ts
index 8cde24379ebf4..39201bb8dbed3 100644
--- a/packages/@aws-cdk/aws-ecr/test/test.repository.ts
+++ b/packages/@aws-cdk/aws-ecr/test/test.repository.ts
@@ -1,4 +1,5 @@
 import { expect, haveResource } from '@aws-cdk/assert';
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { Test } from 'nodeunit';
 import ecr = require('../lib');
@@ -169,7 +170,7 @@ export = {
 const repo = new ecr.Repository(stack, 'Repo');
 // WHEN
- repo.addToResourcePolicy(new cdk.PolicyStatement().addAction('*'));
+ repo.addToResourcePolicy(new iam.PolicyStatement().addAction('*'));
 // THEN
 expect(stack).to(haveResource('AWS::ECR::Repository', {
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
index 3f3c1465cc635..c2a0213cf0003 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
@@ -1,4 +1,5 @@
 import ec2 = require('@aws-cdk/aws-ec2');
+import iam = require('@aws-cdk/aws-iam');
 import s3 = require('@aws-cdk/aws-s3');
 import cdk = require('@aws-cdk/cdk');
 import { BaseLoadBalancer, BaseLoadBalancerProps } from '../shared/base-load-balancer';
@@ -88,8 +89,8 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
 }
 // FIXME: can't use grantPut() here because that only takes IAM objects, not arbitrary principals
- bucket.addToResourcePolicy(new cdk.PolicyStatement()
- .addPrincipal(new cdk.AccountPrincipal(account))
+ bucket.addToResourcePolicy(new iam.PolicyStatement()
+ .addPrincipal(new iam.AccountPrincipal(account))
 .addAction('s3:PutObject')
 .addResource(bucket.arnForObjects(prefix || '', '*')));
 }
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json b/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json
index f1a3dee9db99b..74fc2059ff80e 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json
@@ -61,6 +61,7 @@
 "dependencies": {
 "@aws-cdk/aws-codedeploy-api": "^0.10.0",
 "@aws-cdk/aws-ec2": "^0.10.0",
+ "@aws-cdk/aws-iam": "^0.10.0",
 "@aws-cdk/aws-s3": "^0.10.0",
 "@aws-cdk/cdk": "^0.10.0"
 },
diff --git a/packages/@aws-cdk/aws-iam/lib/group.ts b/packages/@aws-cdk/aws-iam/lib/group.ts
index 6066998d70b47..b4350236cf394 100644
--- a/packages/@aws-cdk/aws-iam/lib/group.ts
+++ b/packages/@aws-cdk/aws-iam/lib/group.ts
@@ -1,6 +1,7 @@
-import { ArnPrincipal, Construct, PolicyPrincipal, PolicyStatement } from '@aws-cdk/cdk';
+import { Construct } from '@aws-cdk/cdk';
 import { cloudformation } from './iam.generated';
 import { IIdentityResource, IPrincipal, Policy } from './policy';
+import { ArnPrincipal, PolicyPrincipal, PolicyStatement } from './policy-document';
 import { User } from './user';
 import { AttachedPolicies, undefinedIfEmpty } from './util';
diff --git a/packages/@aws-cdk/aws-iam/lib/index.ts b/packages/@aws-cdk/aws-iam/lib/index.ts
index 1792fa972602c..b64fb2a5139f7 100644
--- a/packages/@aws-cdk/aws-iam/lib/index.ts
+++ b/packages/@aws-cdk/aws-iam/lib/index.ts
@@ -1,3 +1,4 @@
+export * from './policy-document';
 export * from './managed-policy';
 export * from './role';
 export * from './policy';
diff --git a/packages/@aws-cdk/cdk/lib/cloudformation/permission.ts b/packages/@aws-cdk/aws-iam/lib/policy-document.ts
similarity index 98%
rename from packages/@aws-cdk/cdk/lib/cloudformation/permission.ts
rename to packages/@aws-cdk/aws-iam/lib/policy-document.ts
index 33ad7339f1881..dba222ab5817b 100644
--- a/packages/@aws-cdk/cdk/lib/cloudformation/permission.ts
+++ b/packages/@aws-cdk/aws-iam/lib/policy-document.ts
@@ -1,5 +1,4 @@
-import { Token } from '../core/tokens';
-import { AwsAccountId, AwsPartition } from './pseudo';
+import { AwsAccountId, AwsPartition, Token } from '@aws-cdk/cdk';
 export class PolicyDocument extends Token {
 private statements = new Array();
diff --git a/packages/@aws-cdk/aws-iam/lib/policy.ts b/packages/@aws-cdk/aws-iam/lib/policy.ts
index 45a1771d026c2..e35a415fa372b 100644
--- a/packages/@aws-cdk/aws-iam/lib/policy.ts
+++ b/packages/@aws-cdk/aws-iam/lib/policy.ts
@@ -1,6 +1,7 @@
-import { Construct, IDependable, PolicyDocument, PolicyPrincipal, PolicyStatement, Token } from '@aws-cdk/cdk';
+import { Construct, IDependable, Token } from '@aws-cdk/cdk';
 import { Group } from './group';
 import { cloudformation } from './iam.generated';
+import { PolicyDocument, PolicyPrincipal, PolicyStatement } from './policy-document';
 import { Role } from './role';
 import { User } from './user';
 import { generatePolicyName, undefinedIfEmpty } from './util';
diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
index d98137a66c3b8..1853f28952f7d 100644
--- a/packages/@aws-cdk/aws-iam/lib/role.ts
+++ b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -1,6 +1,7 @@
-import { ArnPrincipal, Construct, IDependable, PolicyDocument, PolicyPrincipal, PolicyStatement } from '@aws-cdk/cdk';
+import { Construct, IDependable } from '@aws-cdk/cdk';
 import { cloudformation } from './iam.generated';
 import { IIdentityResource, IPrincipal, Policy } from './policy';
+import { ArnPrincipal, PolicyDocument, PolicyPrincipal, PolicyStatement } from './policy-document';
 import { AttachedPolicies, undefinedIfEmpty } from './util';
 export interface RoleProps {
diff --git a/packages/@aws-cdk/aws-iam/lib/user.ts b/packages/@aws-cdk/aws-iam/lib/user.ts
index 1b95811542ffb..c75a4efbf88b0 100644
--- a/packages/@aws-cdk/aws-iam/lib/user.ts
+++ b/packages/@aws-cdk/aws-iam/lib/user.ts
@@ -1,7 +1,8 @@
-import { ArnPrincipal, Construct, PolicyPrincipal, PolicyStatement } from '@aws-cdk/cdk';
+import { Construct } from '@aws-cdk/cdk';
 import { Group } from './group';
 import { cloudformation } from './iam.generated';
 import { IIdentityResource, IPrincipal, Policy } from './policy';
+import { ArnPrincipal, PolicyPrincipal, PolicyStatement } from './policy-document';
 import { AttachedPolicies, undefinedIfEmpty } from './util';
 export interface UserProps {
diff --git a/packages/@aws-cdk/aws-iam/test/integ.policy.ts b/packages/@aws-cdk/aws-iam/test/integ.policy.ts
index 446c5394484b4..f699c93e02bbc 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.policy.ts
+++ b/packages/@aws-cdk/aws-iam/test/integ.policy.ts
@@ -1,5 +1,5 @@
-import { App, PolicyStatement, Stack } from "@aws-cdk/cdk";
-import { Policy } from "../lib";
+import { App, Stack } from "@aws-cdk/cdk";
+import { Policy, PolicyStatement } from "../lib";
 import { User } from "../lib/user";
 const app = new App(process.argv);
diff --git a/packages/@aws-cdk/aws-iam/test/integ.role.ts b/packages/@aws-cdk/aws-iam/test/integ.role.ts
index 194891aa01a3a..8107fb95c4dfb 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.role.ts
+++ b/packages/@aws-cdk/aws-iam/test/integ.role.ts
@@ -1,5 +1,5 @@
-import { App, PolicyStatement, ServicePrincipal, Stack } from "@aws-cdk/cdk";
-import { Policy, Role } from "../lib";
+import { App, Stack } from "@aws-cdk/cdk";
+import { Policy, PolicyStatement, Role, ServicePrincipal } from "../lib";
 const app = new App(process.argv);
diff --git a/packages/@aws-cdk/aws-iam/test/integ.users-and-groups.ts b/packages/@aws-cdk/aws-iam/test/integ.users-and-groups.ts
index b04513eb76036..015fcb455644c 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.users-and-groups.ts
+++ b/packages/@aws-cdk/aws-iam/test/integ.users-and-groups.ts
@@ -1,5 +1,5 @@
-import { App, PolicyStatement, Stack } from "@aws-cdk/cdk";
-import { Group, Policy, User } from "../lib";
+import { App, Stack } from "@aws-cdk/cdk";
+import { Group, Policy, PolicyStatement, User } from "../lib";
 const app = new App(process.argv);
diff --git a/packages/@aws-cdk/cdk/test/cloudformation/test.perms.ts b/packages/@aws-cdk/aws-iam/test/test.policy-document.ts
similarity index 97%
rename from packages/@aws-cdk/cdk/test/cloudformation/test.perms.ts
rename to packages/@aws-cdk/aws-iam/test/test.policy-document.ts
index 24fcfdf60fbd0..f43bb5e41c6a0 100644
--- a/packages/@aws-cdk/cdk/test/cloudformation/test.perms.ts
+++ b/packages/@aws-cdk/aws-iam/test/test.policy-document.ts
@@ -1,5 +1,6 @@
+import { FnConcat, resolve } from '@aws-cdk/cdk';
 import { Test } from 'nodeunit';
-import { CanonicalUserPrincipal, FnConcat, PolicyDocument, PolicyStatement, resolve } from '../../lib';
+import { CanonicalUserPrincipal, PolicyDocument, PolicyStatement } from '../lib';
 export = {
   'the Permission class is a programming model for iam'(test: Test) {
diff --git a/packages/@aws-cdk/aws-iam/test/test.policy.ts b/packages/@aws-cdk/aws-iam/test/test.policy.ts
index 7b22651be5d7c..5a7f0c0eaf7c3 100644
--- a/packages/@aws-cdk/aws-iam/test/test.policy.ts
+++ b/packages/@aws-cdk/aws-iam/test/test.policy.ts
@@ -1,9 +1,6 @@
-import { App, PolicyStatement, ServicePrincipal, Stack } from '@aws-cdk/cdk';
+import { App, Stack } from '@aws-cdk/cdk';
 import { Test } from 'nodeunit';
-import { Role } from '../lib';
-import { Group } from '../lib/group';
-import { Policy } from '../lib/policy';
-import { User } from '../lib/user';
+import { Group, Policy, PolicyStatement, Role, ServicePrincipal, User } from '../lib';
 import { generatePolicyName } from '../lib/util';
 export = {
diff --git a/packages/@aws-cdk/aws-iam/test/test.role.ts b/packages/@aws-cdk/aws-iam/test/test.role.ts
index 18e1ed063c294..66209cfe1cb3d 100644
--- a/packages/@aws-cdk/aws-iam/test/test.role.ts
+++ b/packages/@aws-cdk/aws-iam/test/test.role.ts
@@ -1,7 +1,7 @@
 import { expect, haveResource } from '@aws-cdk/assert';
-import { FederatedPrincipal, PolicyStatement, Resource, ServicePrincipal, Stack } from '@aws-cdk/cdk';
+import { Resource, Stack } from '@aws-cdk/cdk';
 import { Test } from 'nodeunit';
-import { Role } from '../lib';
+import { FederatedPrincipal, PolicyStatement, Role, ServicePrincipal } from '../lib';
 export = {
   'default role'(test: Test) {
diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
index 8d49bfd100f9b..1ba79398612b5 100644
--- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
@@ -170,10 +170,10 @@ export abstract class StreamRef extends cdk.Construct implements logs.ILogSubscr
     if (!this.cloudWatchLogsRole) {
       // Create a role to be assumed by CWL that can write to this stream and pass itself.
       this.cloudWatchLogsRole = new iam.Role(this, 'CloudWatchLogsCanPutRecords', {
-        assumedBy: new cdk.ServicePrincipal(new cdk.FnConcat('logs.', new cdk.AwsRegion(), '.amazonaws.com').toString()),
+        assumedBy: new iam.ServicePrincipal(new cdk.FnConcat('logs.', new cdk.AwsRegion(), '.amazonaws.com').toString()),
       });
-      this.cloudWatchLogsRole.addToPolicy(new cdk.PolicyStatement().addAction('kinesis:PutRecord').addResource(this.streamArn));
-      this.cloudWatchLogsRole.addToPolicy(new cdk.PolicyStatement().addAction('iam:PassRole').addResource(this.cloudWatchLogsRole.roleArn));
+      this.cloudWatchLogsRole.addToPolicy(new iam.PolicyStatement().addAction('kinesis:PutRecord').addResource(this.streamArn));
+      this.cloudWatchLogsRole.addToPolicy(new iam.PolicyStatement().addAction('iam:PassRole').addResource(this.cloudWatchLogsRole.roleArn));
     }
     // We've now made it possible for CloudWatch events to write to us. In case the LogGroup is in a
@@ -213,7 +213,7 @@ export abstract class StreamRef extends cdk.Construct implements logs.ILogSubscr
       role: this.cloudWatchLogsRole!
     });
-    dest.addToPolicy(new cdk.PolicyStatement()
+    dest.addToPolicy(new iam.PolicyStatement()
       .addAction('logs:PutSubscriptionFilter')
       .addAwsAccountPrincipal(sourceStack.env.account)
       .addAllResources());
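Review bot: In the `@@ -213,7 +213,7 @@` hunk the destination policy grants `logs:PutSubscriptionFilter` to every principal in the source account (`addAwsAccountPrincipal(sourceStack.env.account)`) on `*`; a CloudWatch Logs destination access policy can name the destination's own ARN as its resource, so scoping the statement to this destination instead of `.addAllResources()` would keep the cross-account grant to the one object it is meant for, assuming the destination construct exposes that ARN. The enclosing method begins and ends outside the hunk, so I cannot see from here whether anything else narrows the grant. A one-line comment stating the intent would also help the next reader, e.g. `// any principal in the source account may attach a subscription filter to this destination`.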
@@ -222,13 +222,13 @@ export abstract class StreamRef extends cdk.Construct implements logs.ILogSubscr
   }
   private grant(identity: iam.IIdentityResource, actions: { streamActions: string[], keyActions: string[] }) {
-    identity.addToPolicy(new cdk.PolicyStatement()
+    identity.addToPolicy(new iam.PolicyStatement()
       .addResource(this.streamArn)
       .addActions(...actions.streamActions));
     // grant key permissions if there's an associated key.
     if (this.encryptionKey) {
-      identity.addToPolicy(new cdk.PolicyStatement()
+      identity.addToPolicy(new iam.PolicyStatement()
         .addResource(this.encryptionKey.keyArn)
         .addActions(...actions.keyActions));
     }
diff --git a/packages/@aws-cdk/aws-kms/lib/key.ts b/packages/@aws-cdk/aws-kms/lib/key.ts
index a64cff86e4da8..fed34ea93a97e 100644
--- a/packages/@aws-cdk/aws-kms/lib/key.ts
+++ b/packages/@aws-cdk/aws-kms/lib/key.ts
@@ -1,4 +1,5 @@
-import { Construct, DeletionPolicy, Output, PolicyDocument, PolicyStatement, resolve } from '@aws-cdk/cdk';
+import { PolicyDocument, PolicyStatement } from '@aws-cdk/aws-iam';
+import { Construct, DeletionPolicy, Output, resolve } from '@aws-cdk/cdk';
 import { EncryptionKeyAlias } from './alias';
 import { cloudformation } from './kms.generated';
diff --git a/packages/@aws-cdk/aws-kms/test/integ.key.ts b/packages/@aws-cdk/aws-kms/test/integ.key.ts
index ea7f4122ffafd..aecf85c959fcc 100644
--- a/packages/@aws-cdk/aws-kms/test/integ.key.ts
+++ b/packages/@aws-cdk/aws-kms/test/integ.key.ts
@@ -1,4 +1,5 @@
-import { App, AwsAccountId, PolicyStatement, Stack } from '@aws-cdk/cdk';
+import { PolicyStatement } from '@aws-cdk/aws-iam';
+import { App, AwsAccountId, Stack } from '@aws-cdk/cdk';
 import { EncryptionKey } from '../lib';
 const app = new App(process.argv);
diff --git a/packages/@aws-cdk/aws-kms/test/test.key.ts b/packages/@aws-cdk/aws-kms/test/test.key.ts
index 7feaa17e4ea29..5805b1fa315d9 100644
--- a/packages/@aws-cdk/aws-kms/test/test.key.ts
+++ b/packages/@aws-cdk/aws-kms/test/test.key.ts
@@ -1,5 +1,6 @@
 import { exactlyMatchTemplate, expect } from '@aws-cdk/assert';
-import { App, PolicyDocument, PolicyStatement, Stack } from '@aws-cdk/cdk';
+import { PolicyDocument, PolicyStatement } from '@aws-cdk/aws-iam';
+import { App, Stack } from '@aws-cdk/cdk';
 import { Test } from 'nodeunit';
 import { EncryptionKey } from '../lib';
diff --git a/packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts b/packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts
index 36d6fc109c8e6..d3047a27d6212 100644
--- a/packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts
@@ -181,7 +181,7 @@ export abstract class FunctionRef extends cdk.Construct
     });
   }
-  public addToRolePolicy(statement: cdk.PolicyStatement) {
+  public addToRolePolicy(statement: iam.PolicyStatement) {
     if (!this.role) {
       return;
     }
@@ -220,7 +220,7 @@ export abstract class FunctionRef extends cdk.Construct
     if (!this.tryFindChild(permissionId)) {
       this.addPermission(permissionId, {
         action: 'lambda:InvokeFunction',
-        principal: new cdk.ServicePrincipal('events.amazonaws.com'),
+        principal: new iam.ServicePrincipal('events.amazonaws.com'),
         sourceArn: ruleArn
       });
     }
@@ -288,7 +288,7 @@ export abstract class FunctionRef extends cdk.Construct
     //
     // (Wildcards in principals are unfortunately not supported.
     this.addPermission('InvokedByCloudWatchLogs', {
-      principal: new cdk.ServicePrincipal(new cdk.FnConcat('logs.', new cdk.AwsRegion(), '.amazonaws.com').toString()),
+      principal: new iam.ServicePrincipal(new cdk.FnConcat('logs.', new cdk.AwsRegion(), '.amazonaws.com').toString()),
       sourceArn: arn
     });
     this.logSubscriptionDestinationPolicyAddedFor.push(arn);
@@ -317,7 +317,7 @@ export abstract class FunctionRef extends cdk.Construct
     if (!this.tryFindChild(permissionId)) {
       this.addPermission(permissionId, {
         sourceAccount: new cdk.AwsAccountId().toString(),
-        principal: new cdk.ServicePrincipal('s3.amazonaws.com'),
+        principal: new iam.ServicePrincipal('s3.amazonaws.com'),
         sourceArn: bucketArn,
       });
     }
@@ -333,7 +333,7 @@ export abstract class FunctionRef extends cdk.Construct
     };
   }
-  private parsePermissionPrincipal(principal?: cdk.PolicyPrincipal) {
+  private parsePermissionPrincipal(principal?: iam.PolicyPrincipal) {
     if (!principal) {
       return undefined;
     }
@@ -341,11 +341,11 @@ export abstract class FunctionRef extends cdk.Construct
     // use duck-typing, not instance of
     if ('accountId' in principal) {
-      return (principal as cdk.AccountPrincipal).accountId;
+      return (principal as iam.AccountPrincipal).accountId;
     }
     if (`service` in principal) {
-      return (principal as cdk.ServicePrincipal).service;
+      return (principal as iam.ServicePrincipal).service;
     }
     throw new Error(`Invalid principal type for Lambda permission statement: ${JSON.stringify(cdk.resolve(principal))}. ` +
diff --git a/packages/@aws-cdk/aws-lambda/lib/lambda.ts b/packages/@aws-cdk/aws-lambda/lib/lambda.ts
index 85ae02f80fd64..ba409aafd394e 100644
--- a/packages/@aws-cdk/aws-lambda/lib/lambda.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/lambda.ts
@@ -98,7 +98,7 @@ export interface FunctionProps {
    *
    * You can call `addToRolePolicy` to the created lambda to add statements post creation.
    */
-  initialPolicy?: cdk.PolicyStatement[];
+  initialPolicy?: iam.PolicyStatement[];
   /**
    * Lambda execution role.
@@ -223,7 +223,7 @@ export class Function extends FunctionRef {
     }
     this.role = props.role || new iam.Role(this, 'ServiceRole', {
-      assumedBy: new cdk.ServicePrincipal('lambda.amazonaws.com'),
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
       managedPolicyArns,
     });
@@ -352,7 +352,7 @@ export class Function extends FunctionRef {
       retentionPeriodSec: 1209600
     });
-    this.addToRolePolicy(new cdk.PolicyStatement()
+    this.addToRolePolicy(new iam.PolicyStatement()
       .addAction('sqs:SendMessage')
       .addResource(deadLetterQueue.queueArn));
@@ -366,7 +366,7 @@ export class Function extends FunctionRef {
       return undefined;
     }
-    this.addToRolePolicy(new cdk.PolicyStatement()
+    this.addToRolePolicy(new iam.PolicyStatement()
       .addActions('xray:PutTraceSegments', 'xray:PutTelemetryRecords')
       .addAllResources());
diff --git a/packages/@aws-cdk/aws-lambda/lib/permission.ts b/packages/@aws-cdk/aws-lambda/lib/permission.ts
index fa3b8a13bfbce..de4ab91c6794d 100644
--- a/packages/@aws-cdk/aws-lambda/lib/permission.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/permission.ts
@@ -1,4 +1,4 @@
-import { PolicyPrincipal } from '@aws-cdk/cdk';
+import { PolicyPrincipal } from '@aws-cdk/aws-iam';
 /**
  * Represents a permission statement that can be added to a Lambda's resource policy
diff --git a/packages/@aws-cdk/aws-lambda/lib/pipeline-action.ts b/packages/@aws-cdk/aws-lambda/lib/pipeline-action.ts
index d8e3e8065b116..96a666ac175bd 100644
--- a/packages/@aws-cdk/aws-lambda/lib/pipeline-action.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/pipeline-action.ts
@@ -1,4 +1,5 @@
 import codepipeline = require('@aws-cdk/aws-codepipeline-api');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { FunctionRef } from './lambda-ref';
@@ -58,19 +59,19 @@ export class PipelineInvokeAction extends codepipeline.Action {
     });
     // allow pipeline to list functions
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addAction('lambda:ListFunctions')
       .addAllResources());
     // allow pipeline to invoke this lambda functionn
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addAction('lambda:InvokeFunction')
       .addResource(props.lambda.functionArn));
     // allow lambda to put job results for this pipeline.
     const addToPolicy = props.addPutJobResultPolicy !== undefined ? props.addPutJobResultPolicy : true;
     if (addToPolicy) {
-      props.lambda.addToRolePolicy(new cdk.PolicyStatement()
+      props.lambda.addToRolePolicy(new iam.PolicyStatement()
         .addAllResources() // to avoid cycles (see docs)
         .addAction('codepipeline:PutJobSuccessResult')
         .addAction('codepipeline:PutJobFailureResult'));
diff --git a/packages/@aws-cdk/aws-lambda/test/integ.lambda.ts b/packages/@aws-cdk/aws-lambda/test/integ.lambda.ts
index a05b6e53b93ab..adda9bf9d8ae6 100644
--- a/packages/@aws-cdk/aws-lambda/test/integ.lambda.ts
+++ b/packages/@aws-cdk/aws-lambda/test/integ.lambda.ts
@@ -1,3 +1,4 @@
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import lambda = require('../lib');
@@ -11,7 +12,7 @@ const fn = new lambda.Function(stack, 'MyLambda', {
   runtime: lambda.Runtime.NodeJS610,
 });
-fn.addToRolePolicy(new cdk.PolicyStatement().addAllResources().addAction('*'));
+fn.addToRolePolicy(new iam.PolicyStatement().addAllResources().addAction('*'));
 const version = fn.addVersion('1');
diff --git a/packages/@aws-cdk/aws-lambda/test/test.alias.ts b/packages/@aws-cdk/aws-lambda/test/test.alias.ts
index 10a8ce37ddea3..3a0316c6a8450 100644
--- a/packages/@aws-cdk/aws-lambda/test/test.alias.ts
+++ b/packages/@aws-cdk/aws-lambda/test/test.alias.ts
@@ -1,5 +1,6 @@
 import { beASupersetOfTemplate, expect, haveResource } from '@aws-cdk/assert';
-import { AccountPrincipal, resolve, Stack } from '@aws-cdk/cdk';
+import { AccountPrincipal } from '@aws-cdk/aws-iam';
+import { resolve, Stack } from '@aws-cdk/cdk';
 import { Test } from 'nodeunit';
 import lambda = require('../lib');
diff --git a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
index a0f91243b6458..4c2b2d42ee716 100644
--- a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
+++ b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
@@ -51,7 +51,7 @@ export = {
       code: new lambda.InlineCode('foo'),
       handler: 'index.handler',
       runtime: lambda.Runtime.NodeJS610,
-      initialPolicy: [new cdk.PolicyStatement().addAction("*").addAllResources()]
+      initialPolicy: [new iam.PolicyStatement().addAction("*").addAllResources()]
     });
     expect(stack).toMatch({ Resources: { MyLambdaServiceRole4539ECB6:
@@ -117,7 +117,7 @@ export = {
     fn.addPermission('S3Permission', {
       action: 'lambda:*',
-      principal: new cdk.ServicePrincipal('s3.amazonaws.com'),
+      principal: new iam.ServicePrincipal('s3.amazonaws.com'),
       sourceAccount: new cdk.AwsAccountId().toString(),
       sourceArn: 'arn:aws:s3:::my_bucket'
     });
@@ -187,11 +187,11 @@ export = {
     const stack = new cdk.Stack();
     const fn = newTestLambda(stack);
-    test.throws(() => fn.addPermission('F1', { principal: new cdk.ArnPrincipal('just:arn') }),
+    test.throws(() => fn.addPermission('F1', { principal: new iam.ArnPrincipal('just:arn') }),
       /Invalid principal type for Lambda permission statement/);
-    fn.addPermission('S1', { principal: new cdk.ServicePrincipal('my-service') });
-    fn.addPermission('S2', { principal: new cdk.AccountPrincipal('account') });
+    fn.addPermission('S1', { principal: new iam.ServicePrincipal('my-service') });
+    fn.addPermission('S2', { principal: new iam.AccountPrincipal('account') });
     test.done();
   },
@@ -200,9 +200,9 @@ export = {
     // GIVEN
     const stack = new cdk.Stack();
     const role = new iam.Role(stack, 'SomeRole', {
-      assumedBy: new cdk.ServicePrincipal('lambda.amazonaws.com'),
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
     });
-    role.addToPolicy(new cdk.PolicyStatement().addAction('confirm:itsthesame'));
+    role.addToPolicy(new iam.PolicyStatement().addAction('confirm:itsthesame'));
     // WHEN
     const fn = new lambda.Function(stack, 'Function', {
@@ -211,11 +211,11 @@ export = {
       handler: 'index.test',
       role,
       initialPolicy: [
-        new cdk.PolicyStatement().addAction('inline:inline')
+        new iam.PolicyStatement().addAction('inline:inline')
       ]
     });
-    fn.addToRolePolicy(new cdk.PolicyStatement().addAction('explicit:explicit'));
+    fn.addToRolePolicy(new iam.PolicyStatement().addAction('explicit:explicit'));
     // THEN
     expect(stack).to(haveResource('AWS::IAM::Policy', {
@@ -245,7 +245,7 @@ export = {
     // Can call addPermission() but it won't do anything
     imported.addPermission('Hello', {
-      principal: new cdk.ServicePrincipal('harry')
+      principal: new iam.ServicePrincipal('harry')
     });
     test.done();
diff --git a/packages/@aws-cdk/aws-logs/lib/cross-account-destination.ts b/packages/@aws-cdk/aws-logs/lib/cross-account-destination.ts
index 88cbbae84b3eb..3843a08c6e0b0 100644
--- a/packages/@aws-cdk/aws-logs/lib/cross-account-destination.ts
+++ b/packages/@aws-cdk/aws-logs/lib/cross-account-destination.ts
@@ -39,7 +39,7 @@ export class CrossAccountDestination extends cdk.Construct implements ILogSubscr
   /**
    * Policy object of this CrossAccountDestination object
    */
-  public readonly policyDocument: cdk.PolicyDocument = new cdk.PolicyDocument();
+  public readonly policyDocument: iam.PolicyDocument = new iam.PolicyDocument();
   /**
    * The name of this CrossAccountDestination object
@@ -74,7 +74,7 @@ export class CrossAccountDestination extends cdk.Construct implements ILogSubscr
     this.destinationName = this.resource.destinationName;
   }
-  public addToPolicy(statement: cdk.PolicyStatement) {
+  public addToPolicy(statement: iam.PolicyStatement) {
     this.policyDocument.addStatement(statement);
   }
diff --git a/packages/@aws-cdk/aws-logs/test/test.destination.ts b/packages/@aws-cdk/aws-logs/test/test.destination.ts
index e14d0fce73522..61d2ab1ee8402 100644
--- a/packages/@aws-cdk/aws-logs/test/test.destination.ts
+++ b/packages/@aws-cdk/aws-logs/test/test.destination.ts
@@ -9,7 +9,7 @@ export = {
     // GIVEN
     const stack = new cdk.Stack();
     const role = new iam.Role(stack, 'Role', {
-      assumedBy: new cdk.ServicePrincipal('logs.us-east-2.amazonaws.com')
+      assumedBy: new iam.ServicePrincipal('logs.us-east-2.amazonaws.com')
     });
     // WHEN
@@ -33,7 +33,7 @@ export = {
     // GIVEN
     const stack = new cdk.Stack();
     const role = new iam.Role(stack, 'Role', {
-      assumedBy: new cdk.ServicePrincipal('logs.us-east-2.amazonaws.com')
+      assumedBy: new iam.ServicePrincipal('logs.us-east-2.amazonaws.com')
     });
     const dest = new CrossAccountDestination(stack, 'Dest', {
@@ -43,7 +43,7 @@ export = {
     });
     // WHEN
-    dest.addToPolicy(new cdk.PolicyStatement()
+    dest.addToPolicy(new iam.PolicyStatement()
       .addAction('logs:TalkToMe'));
     // THEN
diff --git a/packages/@aws-cdk/aws-s3/lib/bucket-policy.ts b/packages/@aws-cdk/aws-s3/lib/bucket-policy.ts
index fa2f98ec09201..280304d837688 100644
--- a/packages/@aws-cdk/aws-s3/lib/bucket-policy.ts
+++ b/packages/@aws-cdk/aws-s3/lib/bucket-policy.ts
@@ -1,4 +1,5 @@
-import { Construct, PolicyDocument } from '@aws-cdk/cdk';
+import { PolicyDocument } from '@aws-cdk/aws-iam';
+import { Construct } from '@aws-cdk/cdk';
 import { BucketRef } from './bucket';
 import { cloudformation } from './s3.generated';
diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts
index 0bf19511b5928..b2fd2d20e7a99 100644
--- a/packages/@aws-cdk/aws-s3/lib/bucket.ts
+++ b/packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -137,7 +137,7 @@ export abstract class BucketRef extends cdk.Construct {
    * contents. Use `bucketArn` and `arnForObjects(keys)` to obtain ARNs for
    * this bucket or objects.
    */
-  public addToResourcePolicy(permission: cdk.PolicyStatement) {
+  public addToResourcePolicy(permission: iam.PolicyStatement) {
     if (!this.policy && this.autoCreatePolicy) {
       this.policy = new BucketPolicy(this, 'Policy', { bucket: this });
     }
@@ -280,18 +280,18 @@ export abstract class BucketRef extends cdk.Construct {
     const resources = [ resourceArn, ...otherResourceArns ];
-    identity.addToPolicy(new cdk.PolicyStatement()
+    identity.addToPolicy(new iam.PolicyStatement()
       .addResources(...resources)
       .addActions(...bucketActions));
     // grant key permissions if there's an associated key.
     if (this.encryptionKey) {
       // KMS permissions need to be granted both directions
-      identity.addToPolicy(new cdk.PolicyStatement()
+      identity.addToPolicy(new iam.PolicyStatement()
         .addResource(this.encryptionKey.keyArn)
         .addActions(...keyActions));
-      this.encryptionKey.addToResourcePolicy(new cdk.PolicyStatement()
+      this.encryptionKey.addToResourcePolicy(new iam.PolicyStatement()
         .addAllResources()
         .addPrincipal(identity.principal)
         .addActions(...keyActions));
diff --git a/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts b/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts
index e30b0cb35227c..dd0f1a91d8101 100644
--- a/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts
+++ b/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts
@@ -48,7 +48,7 @@ export class NotificationsResourceHandler extends cdk.Construct {
     super(parent, id);
     const role = new iam.Role(this, 'Role', {
-      assumedBy: new cdk.ServicePrincipal('lambda.amazonaws.com'),
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
       managedPolicyArns: [
         cdk.ArnUtils.fromComponents({
           service: 'iam',
@@ -61,7 +61,7 @@ export class NotificationsResourceHandler extends cdk.Construct {
     });
     // handler allows to put bucket notification on s3 buckets.
-    role.addToPolicy(new cdk.PolicyStatement()
+    role.addToPolicy(new iam.PolicyStatement()
       .addAction('s3:PutBucketNotification')
       .addAllResources());
diff --git a/packages/@aws-cdk/aws-s3/test/demo.import-export.ts b/packages/@aws-cdk/aws-s3/test/demo.import-export.ts
index 2e7d908c624e9..04ae78a402f99 100644
--- a/packages/@aws-cdk/aws-s3/test/demo.import-export.ts
+++ b/packages/@aws-cdk/aws-s3/test/demo.import-export.ts
@@ -25,7 +25,7 @@ class ConsumerConstruct extends cdk.Construct {
   constructor(parent: cdk.Construct, name: string, props: ConsumerConstructProps) {
     super(parent, name);
-    props.bucket.addToResourcePolicy(new cdk.PolicyStatement().addAction('*'));
+    props.bucket.addToResourcePolicy(new iam.PolicyStatement().addAction('*'));
   }
 }
diff --git a/packages/@aws-cdk/aws-s3/test/notification-dests.ts b/packages/@aws-cdk/aws-s3/test/notification-dests.ts
index ef9a0131fc7a7..1750d941d1dd2 100644
--- a/packages/@aws-cdk/aws-s3/test/notification-dests.ts
+++ b/packages/@aws-cdk/aws-s3/test/notification-dests.ts
@@ -1,3 +1,4 @@
+import iam = require('@aws-cdk/aws-iam');
 import s3notifications = require('@aws-cdk/aws-s3-notifications');
 import cdk = require('@aws-cdk/cdk');
@@ -7,7 +8,7 @@ import cdk = require('@aws-cdk/cdk');
  */
 export class Topic extends cdk.Construct implements s3notifications.IBucketNotificationDestination {
   public readonly topicArn: string;
-  private readonly policy = new cdk.PolicyDocument();
+  private readonly policy = new iam.PolicyDocument();
   private readonly notifyingBucketPaths = new Set();
   constructor(parent: cdk.Construct, id: string) {
@@ -31,7 +32,7 @@ export class Topic extends cdk.Construct implements s3notifications.IBucketNotif
     // add permission to each source bucket
     if (!this.notifyingBucketPaths.has(bucketId)) {
-      this.policy.addStatement(new cdk.PolicyStatement()
+      this.policy.addStatement(new iam.PolicyStatement()
         .describe(`sid${this.policy.statementCount}`)
         .addServicePrincipal('s3.amazonaws.com')
         .addAction('sns:Publish')
diff --git a/packages/@aws-cdk/aws-s3/test/test.bucket.ts b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
index 5f94485c79c9c..e3c3a44f886ed 100644
--- a/packages/@aws-cdk/aws-s3/test/test.bucket.ts
+++ b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
@@ -203,7 +203,7 @@ export = {
     const stack = new cdk.Stack();
     const bucket = new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.Unencrypted });
-    bucket.addToResourcePolicy(new cdk.PolicyStatement().addResource('foo').addAction('bar'));
+    bucket.addToResourcePolicy(new iam.PolicyStatement().addResource('foo').addAction('bar'));
     expect(stack).toMatch({ "Resources": {
@@ -239,7 +239,7 @@ export = {
     const bucket = new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.Unencrypted });
-    const x = new cdk.PolicyStatement().addResource(bucket.bucketArn).addAction('s3:ListBucket');
+    const x = new iam.PolicyStatement().addResource(bucket.bucketArn).addAction('s3:ListBucket');
     test.deepEqual(cdk.resolve(x), {
       Action: 's3:ListBucket',
@@ -255,7 +255,7 @@ export = {
     const bucket = new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.Unencrypted });
-    const p = new cdk.PolicyStatement().addResource(bucket.arnForObjects('hello/world')).addAction('s3:GetObject');
+    const p = new iam.PolicyStatement().addResource(bucket.arnForObjects('hello/world')).addAction('s3:GetObject');
     test.deepEqual(cdk.resolve(p), {
       Action: 's3:GetObject',
@@ -281,7 +281,7 @@ export = {
     const team = new iam.Group(stack, 'MyTeam');
     const resource = bucket.arnForObjects('home/', team.groupName, '/', user.userName, '/*');
-    const p = new cdk.PolicyStatement().addResource(resource).addAction('s3:GetObject');
+    const p = new iam.PolicyStatement().addResource(resource).addAction('s3:GetObject');
     test.deepEqual(cdk.resolve(p), {
       Action: 's3:GetObject',
@@ -354,9 +354,9 @@ export = {
     const bucket = s3.Bucket.import(stack, 'ImportedBucket', { bucketArn });
     // this is a no-op since the bucket is external
-    bucket.addToResourcePolicy(new cdk.PolicyStatement().addResource('foo').addAction('bar'));
+    bucket.addToResourcePolicy(new iam.PolicyStatement().addResource('foo').addAction('bar'));
-    const p = new cdk.PolicyStatement().addResource(bucket.bucketArn).addAction('s3:ListBucket');
+    const p = new iam.PolicyStatement().addResource(bucket.bucketArn).addAction('s3:ListBucket');
     // it is possible to obtain a permission statement for a ref
     test.deepEqual(cdk.resolve(p), {
@@ -375,7 +375,7 @@ export = {
   'import can also be used to import arbitrary ARNs'(test: Test) {
     const stack = new cdk.Stack();
     const bucket = s3.Bucket.import(stack, 'ImportedBucket', { bucketArn: 'arn:aws:s3:::my-bucket' });
-    bucket.addToResourcePolicy(new cdk.PolicyStatement().addAllResources().addAction('*'));
+    bucket.addToResourcePolicy(new iam.PolicyStatement().addAllResources().addAction('*'));
     // at this point we technically didn't create any resources in the consuming stack.
     expect(stack).toMatch({});
@@ -383,7 +383,7 @@ export = {
     // but now we can reference the bucket
     // you can even use the bucket name, which will be extracted from the arn provided.
     const user = new iam.User(stack, 'MyUser');
-    user.addToPolicy(new cdk.PolicyStatement()
+    user.addToPolicy(new iam.PolicyStatement()
       .addResource(bucket.arnForObjects('my/folder/', bucket.bucketName))
       .addAction('s3:*'));
diff --git a/packages/@aws-cdk/aws-sns/lib/policy.ts b/packages/@aws-cdk/aws-sns/lib/policy.ts
index e48d65ed62988..a1018aa24d907 100644
--- a/packages/@aws-cdk/aws-sns/lib/policy.ts
+++ b/packages/@aws-cdk/aws-sns/lib/policy.ts
@@ -1,4 +1,5 @@
-import { Construct, IDependable, PolicyDocument } from '@aws-cdk/cdk';
+import { PolicyDocument } from '@aws-cdk/aws-iam';
+import { Construct, IDependable } from '@aws-cdk/cdk';
 import { cloudformation } from './sns.generated';
 import { TopicRef } from './topic-ref';
diff --git a/packages/@aws-cdk/aws-sns/lib/topic-ref.ts b/packages/@aws-cdk/aws-sns/lib/topic-ref.ts
index e9a7edc3c7a3c..e5c9c202179bb 100644
--- a/packages/@aws-cdk/aws-sns/lib/topic-ref.ts
+++ b/packages/@aws-cdk/aws-sns/lib/topic-ref.ts
@@ -89,7 +89,7 @@ export abstract class TopicRef extends cdk.Construct implements events.IEventRul
     // add a statement to the queue resource policy which allows this topic
     // to send messages to the queue.
-    queue.addToResourcePolicy(new cdk.PolicyStatement()
+    queue.addToResourcePolicy(new iam.PolicyStatement()
       .addResource(queue.queueArn)
       .addAction('sqs:SendMessage')
       .addServicePrincipal('sns.amazonaws.com')
@@ -122,7 +122,7 @@ export abstract class TopicRef extends cdk.Construct implements events.IEventRul
     lambdaFunction.addPermission(this.id, {
       sourceArn: this.topicArn,
-      principal: new cdk.ServicePrincipal('sns.amazonaws.com'),
+      principal: new iam.ServicePrincipal('sns.amazonaws.com'),
     });
     return sub;
@@ -172,7 +172,7 @@ export abstract class TopicRef extends cdk.Construct implements events.IEventRul
    * will be automatically created upon the first call to `addToPolicy`. If
    * the topic is improted (`Topic.import`), then this is a no-op.
    */
-  public addToResourcePolicy(statement: cdk.PolicyStatement) {
+  public addToResourcePolicy(statement: iam.PolicyStatement) {
     if (!this.policy && this.autoCreatePolicy) {
       this.policy = new TopicPolicy(this, 'Policy', { topics: [ this ] });
     }
@@ -195,7 +195,7 @@ export abstract class TopicRef extends cdk.Construct implements events.IEventRul
       return;
     }
-    identity.addToPolicy(new cdk.PolicyStatement()
+    identity.addToPolicy(new iam.PolicyStatement()
       .addResource(this.topicArn)
       .addActions('sns:Publish'));
   }
@@ -208,9 +208,9 @@ export abstract class TopicRef extends cdk.Construct implements events.IEventRul
    */
   public asEventRuleTarget(_ruleArn: string, _ruleId: string): events.EventRuleTargetProps {
     if (!this.eventRuleTargetPolicyAdded) {
-      this.addToResourcePolicy(new cdk.PolicyStatement()
+      this.addToResourcePolicy(new iam.PolicyStatement()
         .addAction('sns:Publish')
-        .addPrincipal(new cdk.ServicePrincipal('events.amazonaws.com'))
+        .addPrincipal(new iam.ServicePrincipal('events.amazonaws.com'))
         .addResource(this.topicArn));
       this.eventRuleTargetPolicyAdded = true;
@@ -285,7 +285,7 @@ export abstract class TopicRef extends cdk.Construct implements events.IEventRul
     // allow this bucket to sns:publish to this topic (if it doesn't already have a permission)
     if (!this.notifyingBuckets.has(bucketId)) {
-      this.addToResourcePolicy(new cdk.PolicyStatement()
+      this.addToResourcePolicy(new iam.PolicyStatement()
         .addServicePrincipal('s3.amazonaws.com')
         .addAction('sns:Publish')
         .addResource(this.topicArn)
diff --git a/packages/@aws-cdk/aws-sns/test/test.sns.ts b/packages/@aws-cdk/aws-sns/test/test.sns.ts
index 9f8364514b39b..8997a26d8e75d 100644
--- a/packages/@aws-cdk/aws-sns/test/test.sns.ts
+++ b/packages/@aws-cdk/aws-sns/test/test.sns.ts
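Review bot: The TSDoc directly above the retyped `addToResourcePolicy` signature in the `@@ -172,7 +172,7 @@` hunk still says the policy is created on the first call to `addToPolicy`, but the method it documents is `addToResourcePolicy`, and `improted` is a typo; since this hunk already touches the signature it is the natural place to fix the comment. The same stale wording sits above `QueueRef.addToResourcePolicy` in the `@@ -63,7 +64,7 @@` hunk of `aws-sqs/lib/queue-ref.ts`. Suggested text for the two comment lines: `* will be automatically created upon the first call to addToResourcePolicy. If` / `* the topic is imported (Topic.import), then this is a no-op.` (with the queue wording in queue-ref.ts).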
@@ -506,10 +506,10 @@ export = {
 const topic = new sns.Topic(stack, 'Topic');
 // WHEN
- topic.addToResourcePolicy(new cdk.PolicyStatement()
+ topic.addToResourcePolicy(new iam.PolicyStatement()
 .addAllResources()
 .addActions('sns:*')
- .addPrincipal(new cdk.ArnPrincipal('arn')));
+ .addPrincipal(new iam.ArnPrincipal('arn')));
 // THEN
 expect(stack).to(haveResource('AWS::SNS::TopicPolicy', {
@@ -618,8 +618,8 @@ export = {
 const topic = new sns.Topic(stack, 'MyTopic');
- topic.addToResourcePolicy(new cdk.PolicyStatement().addAction('statement0'));
- topic.addToResourcePolicy(new cdk.PolicyStatement().addAction('statement1'));
+ topic.addToResourcePolicy(new iam.PolicyStatement().addAction('statement0'));
+ topic.addToResourcePolicy(new iam.PolicyStatement().addAction('statement1'));
 expect(stack).toMatch({
 "Resources": {
diff --git a/packages/@aws-cdk/aws-sqs/lib/policy.ts b/packages/@aws-cdk/aws-sqs/lib/policy.ts
index 74f544a73266d..0ac34c0dc4e00 100644
--- a/packages/@aws-cdk/aws-sqs/lib/policy.ts
+++ b/packages/@aws-cdk/aws-sqs/lib/policy.ts
@@ -1,4 +1,5 @@
-import { Construct, IDependable, PolicyDocument } from '@aws-cdk/cdk';
+import { PolicyDocument } from '@aws-cdk/aws-iam';
+import { Construct, IDependable } from '@aws-cdk/cdk';
 import { QueueRef } from './queue-ref';
 import { cloudformation } from './sqs.generated';
diff --git a/packages/@aws-cdk/aws-sqs/lib/queue-ref.ts b/packages/@aws-cdk/aws-sqs/lib/queue-ref.ts
index 196e8c7cc96a5..f8e94acecd35e 100644
--- a/packages/@aws-cdk/aws-sqs/lib/queue-ref.ts
+++ b/packages/@aws-cdk/aws-sqs/lib/queue-ref.ts
@@ -1,3 +1,4 @@
+import iam = require('@aws-cdk/aws-iam');
 import kms = require('@aws-cdk/aws-kms');
 import s3n = require('@aws-cdk/aws-s3-notifications');
 import cdk = require('@aws-cdk/cdk');
@@ -63,7 +64,7 @@ export abstract class QueueRef extends cdk.Construct implements s3n.IBucketNotif
 * will be automatically created upon the first call to `addToPolicy`. If
 * the queue is improted (`Queue.import`), then this is a no-op.
 */
- public addToResourcePolicy(statement: cdk.PolicyStatement) {
+ public addToResourcePolicy(statement: iam.PolicyStatement) {
 if (!this.policy && this.autoCreatePolicy) {
 this.policy = new QueuePolicy(this, 'Policy', { queues: [ this ] });
 }
@@ -81,7 +82,7 @@ export abstract class QueueRef extends cdk.Construct implements s3n.IBucketNotif
 */
 public asBucketNotificationDestination(bucketArn: string, bucketId: string): s3n.BucketNotificationDestinationProps {
 if (!this.notifyingBuckets.has(bucketId)) {
- this.addToResourcePolicy(new cdk.PolicyStatement()
+ this.addToResourcePolicy(new iam.PolicyStatement()
 .addServicePrincipal('s3.amazonaws.com')
 .addAction('sqs:SendMessage')
 .addResource(this.queueArn)
@@ -93,7 +94,7 @@ export abstract class QueueRef extends cdk.Construct implements s3n.IBucketNotif
 // control access to can be used here as described in:
 // https://docs.aws.amazon.com/AmazonS3/latest/dev/ways-to-add-notification-config-to-bucket.html
 if (this.encryptionMasterKey) {
- this.encryptionMasterKey.addToResourcePolicy(new cdk.PolicyStatement()
+ this.encryptionMasterKey.addToResourcePolicy(new iam.PolicyStatement()
 .addServicePrincipal('s3.amazonaws.com')
 .addAction('kms:GenerateDataKey')
 .addAction('kms:Decrypt')
diff --git a/packages/@aws-cdk/aws-sqs/package.json b/packages/@aws-cdk/aws-sqs/package.json
index e45fdccc062f6..61ea9352a0f75 100644
--- a/packages/@aws-cdk/aws-sqs/package.json
+++ b/packages/@aws-cdk/aws-sqs/package.json
@@ -63,6 +63,7 @@
 "dependencies": {
 "@aws-cdk/aws-kms": "^0.10.0",
 "@aws-cdk/aws-s3-notifications": "^0.10.0",
+ "@aws-cdk/aws-iam": "^0.10.0",
 "@aws-cdk/cdk": "^0.10.0"
 },
 "homepage": "https://github.com/awslabs/aws-cdk"
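Review bot: The new `"@aws-cdk/aws-iam": "^0.10.0"` entry is inserted after `aws-s3-notifications`, breaking the alphabetical order the rest of the `dependencies` block keeps; move it to the top of the block, ahead of `"@aws-cdk/aws-kms"`. If this package also mirrors its `@aws-cdk/*` siblings under `peerDependencies` (not visible in the hunk), `aws-iam` needs adding there as well, since `queue-ref.ts` now imports it at module level and consumers resolve it against their own copy.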
diff --git a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts
index 9607a06512338..90a03973e4b82 100644
--- a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts
+++ b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts
@@ -1,7 +1,8 @@
 import { expect, haveResource } from '@aws-cdk/assert';
+import { ArnPrincipal, PolicyStatement } from '@aws-cdk/aws-iam';
 import kms = require('@aws-cdk/aws-kms');
 import s3 = require('@aws-cdk/aws-s3');
-import { ArnPrincipal, PolicyStatement, resolve, Stack } from '@aws-cdk/cdk';
+import { resolve, Stack } from '@aws-cdk/cdk';
 import { Test } from 'nodeunit';
 import sqs = require('../lib');
diff --git a/packages/@aws-cdk/cdk/lib/index.ts b/packages/@aws-cdk/cdk/lib/index.ts
index 0f78d369d02d9..549980a45e7fd 100644
--- a/packages/@aws-cdk/cdk/lib/index.ts
+++ b/packages/@aws-cdk/cdk/lib/index.ts
@@ -12,7 +12,6 @@ export * from './cloudformation/logical-id';
 export * from './cloudformation/mapping';
 export * from './cloudformation/output';
 export * from './cloudformation/parameter';
-export * from './cloudformation/permission';
 export * from './cloudformation/pseudo';
 export * from './cloudformation/resource';
 export * from './cloudformation/resource-policy';
diff --git a/packages/@aws-cdk/cdk/test/cloudformation/test.resource.ts b/packages/@aws-cdk/cdk/test/cloudformation/test.resource.ts
index 56421e9fc6b02..12cd7d61f2e6a 100644
--- a/packages/@aws-cdk/cdk/test/cloudformation/test.resource.ts
+++ b/packages/@aws-cdk/cdk/test/cloudformation/test.resource.ts
@@ -1,6 +1,6 @@
 import { Test } from 'nodeunit';
 import { applyRemovalPolicy, Condition, Construct, DeletionPolicy,
- FnEquals, FnNot, HashedAddressingScheme, IDependable, PolicyStatement,
+ FnEquals, FnNot, HashedAddressingScheme, IDependable,
 RemovalPolicy, resolve, Resource, Root, Stack } from '../../lib';
 export = {
@@ -100,25 +100,21 @@ export = {
 new Resource(stack, 'MyResource2', {
 type: 'Type',
 properties: {
- Perm: new PolicyStatement().addResource(res.arn).addActions('counter:add', 'counter:remove')
+ Perm: res.arn
 }
 });
 test.deepEqual(stack.toCloudFormation(), {
 Resources: {
- MyResource: { Type: "My::Counter", Properties: { Count: 1 } },
- MyResource2: {
- Type: "Type",
- Properties: {
- Perm: {
- Effect: "Allow",
- Action: [ "counter:add", "counter:remove" ],
- Resource: {
- "Fn::GetAtt": [ "MyResource", "Arn" ]
+ MyResource: { Type: "My::Counter", Properties: { Count: 1 } },
+ MyResource2: {
+ Type: "Type",
+ Properties: {
+ Perm: {
+ "Fn::GetAtt": [ "MyResource", "Arn" ]
+ }
 }
 }
- }
- }
 }
 });
diff --git a/packages/@aws-cdk/runtime-values/lib/rtv.ts b/packages/@aws-cdk/runtime-values/lib/rtv.ts
index cdc9565e68111..778da7666fe92 100644
--- a/packages/@aws-cdk/runtime-values/lib/rtv.ts
+++ b/packages/@aws-cdk/runtime-values/lib/rtv.ts
@@ -80,7 +80,7 @@ export class RuntimeValue extends cdk.Construct {
 return;
 }
- principal.addToPolicy(new cdk.PolicyStatement()
+ principal.addToPolicy(new iam.PolicyStatement()
 .addResource(this.parameterArn)
 .addActions(...RuntimeValue.SSM_READ_ACTIONS));
 }
diff --git a/packages/@aws-cdk/runtime-values/test/test.rtv.ts b/packages/@aws-cdk/runtime-values/test/test.rtv.ts
index 20580cbbf6bbb..669a5bdef7bb4 100644
--- a/packages/@aws-cdk/runtime-values/test/test.rtv.ts
+++ b/packages/@aws-cdk/runtime-values/test/test.rtv.ts
@@ -26,7 +26,7 @@ class RuntimeValueTest extends cdk.Construct {
 const queue = new sqs.cloudformation.QueueResource(this, 'Queue', {});
 const role = new iam.Role(this, 'Role', {
- assumedBy: new cdk.ServicePrincipal('lambda.amazonaws.com'),
+ assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
 });
 new lambda.cloudformation.FunctionResource(this, 'Function', {
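Review bot: Swapping the `PolicyStatement` value for `res.arn` narrows what this test proves: it now only checks that a bare token nested under `properties` resolves to `Fn::GetAtt`, whereas the removed expectation also showed a non-token object with its own serialization being rendered through `stack.toCloudFormation()`. If that nested-object rendering is still part of the `cdk` resolve contract, keep it covered with a small stand-in object defined locally in this test file rather than dropping the case, and move the policy-specific expectation (`Effect`/`Action`/`Resource`) to the `aws-iam` tests where `PolicyStatement` now lives. The test function this hunk sits in starts outside the hunk, so the surrounding setup of `res` is not visible here.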