import { IConstruct } from 'constructs';
import { CfnRole, CfnUser } from './iam.generated';
import { IManagedPolicy } from './managed-policy';
import { Aspects, CfnResource } from '../../core';
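/**
 * Modify the Permissions Boundaries of Users and Roles in a construct tree
 *
 * A Permissions Boundary is an upper bound on the permissions an IAM principal
 * can effectively use. This class attaches (or removes) that bound on every
 * L1 Role and User resource found below a scope, by registering an Aspect on
 * the scope; the Aspect edits the `PermissionsBoundary` property of each
 * matching CloudFormation resource when the tree is synthesized.
 *
 * ```ts
 * const policy = iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess');
 * iam.PermissionsBoundary.of(this).apply(policy);
 * ```
 */
export class PermissionsBoundary {
  /**
   * Access the Permissions Boundaries of a construct tree
   *
   * @param scope construct whose subtree `apply()` and `clear()` operate on
   */
  public static of(scope: IConstruct): PermissionsBoundary {
    return new PermissionsBoundary(scope);
  }

  /**
   * Whether `node` is an L1 IAM Role or User, i.e. one of the two
   * CloudFormation resource types that carry a `PermissionsBoundary` property.
   *
   * Shared by `apply()` and `clear()` so that both operations always target
   * exactly the same set of resources. Only L1 resources of these two types
   * are matched; anything else in the tree is left untouched.
   */
  private static isRoleOrUser(node: IConstruct): node is CfnResource {
    if (!CfnResource.isCfnResource(node)) {
      return false;
    }
    const resourceType = node.cfnResourceType;
    return resourceType === CfnRole.CFN_RESOURCE_TYPE_NAME
      || resourceType === CfnUser.CFN_RESOURCE_TYPE_NAME;
  }

  private constructor(private readonly scope: IConstruct) {
  }

  /**
   * Apply the given policy as Permissions Boundary to all Roles and Users in
   * the scope.
   *
   * Will override any Permissions Boundaries configured previously; in case
   * a Permission Boundary is applied in multiple scopes, the Boundary applied
   * closest to the Role wins.
   *
   * @param boundaryPolicy managed policy whose ARN becomes the boundary
   */
  public apply(boundaryPolicy: IManagedPolicy): void {
    Aspects.of(this.scope).add({
      visit(node: IConstruct) {
        if (PermissionsBoundary.isRoleOrUser(node)) {
          // A property override wins over whatever the L1 was constructed with.
          node.addPropertyOverride('PermissionsBoundary', boundaryPolicy.managedPolicyArn);
        }
      },
    });
  }

  /**
   * Remove previously applied Permissions Boundaries
   *
   * Deletes the `PermissionsBoundary` property from every Role and User in
   * the scope. Without a boundary the affected principals are limited only by
   * their identity-based policies, so clearing widens what they can do.
   */
  public clear(): void {
    Aspects.of(this.scope).add({
      visit(node: IConstruct) {
        if (PermissionsBoundary.isRoleOrUser(node)) {
          node.addPropertyDeletionOverride('PermissionsBoundary');
        }
      },
    });
  }
}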