From 06f9b96d7b14a81a4428a9a3c9ab69a2a732e8af Mon Sep 17 00:00:00 2001
From: DannyBlazejczak
Date: Mon, 13 May 2024 13:44:12 +1000
Subject: [PATCH 1/2] feat: add ability to specify permission boundary via context

---
 bin/vpc-builder.ts | 3 ++-
 lib/stack-builder.ts | 23 +++++++++++++++++++----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/bin/vpc-builder.ts b/bin/vpc-builder.ts
index 0e581d4..e0c8c33 100644
--- a/bin/vpc-builder.ts
+++ b/bin/vpc-builder.ts
@@ -9,9 +9,10 @@ import { Stack } from "aws-cdk-lib"
 const cdkApp = stackBuilder.stackMapper.app;
 const configFile = cdkApp.node.tryGetContext("config");
+ const permissionsBoundary = cdkApp.node.tryGetContext("permissions_boundary");
 
 // If a configuration file is provided we will use it to build our stacks
 if (configFile) {
- stackBuilder.configure(configFile);
+ stackBuilder.configure(configFile, undefined, permissionsBoundary);
 await stackBuilder.build();
 } else {
 // When no configuration context provided, we will warn but not fail. This allows 'cdk bootstrap', 'cdk help'
diff --git a/lib/stack-builder.ts b/lib/stack-builder.ts
index 3d73f88..1a6800c 100644
--- a/lib/stack-builder.ts
+++ b/lib/stack-builder.ts
@@ -24,6 +24,7 @@ import { IVpcInterfaceEndpointsProps } from "./vpc-interface-endpoints-stack";
 import * as path from "path";
 import * as fs from "fs";
 import * as ri from "@aws-cdk/region-info"
+import * as cdk from 'aws-cdk-lib';
 
 export interface namedVpcStack {
 name: string;
@@ -93,6 +94,7 @@ export class StackBuilderClass {
 workload: [],
 };
 configParser: ConfigParser;
+ permissionsBoundary: cdk.PermissionsBoundary;
 c: IConfig;
 interfaceDiscovery: Array = [];
 interfaceList: Array = [];
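Review bot: The new `permissions_boundary` context key read in the bin/vpc-builder.ts hunk is not documented anywhere in the series (no README or cdk.json change), so a user cannot discover it or tell whether it expects a managed-policy name or an ARN; add it to the project documentation wherever the existing `config` context key is described, and put a comment above the added line such as `// Optional: IAM managed-policy name applied as a permissions boundary to every IAM principal the stacks create`. It is also worth checking whether aws-cdk-lib's own `@aws-cdk/core:permissionsBoundary` context key, which I believe `Stack` honours without per-stack wiring, would cover this use case and remove the need to thread the value through every stack's props. The enclosing function starts and ends outside the hunk.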
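Review bot: The added import `import * as cdk from 'aws-cdk-lib';` in the @@ -24 hunk uses single quotes while every neighbouring import line uses double quotes; for consistency write `import * as cdk from "aws-cdk-lib";`. Since only one symbol is used, a named import `import { PermissionsBoundary } from "aws-cdk-lib";` would also match how bin/vpc-builder.ts already imports `Stack` from the same package.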
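Review bot: The field `permissionsBoundary: cdk.PermissionsBoundary;` added in the @@ -93 hunk is declared as always present, but after the follow-up commit it is assigned only when a context value is supplied, so on every run without one it is `undefined` and the declaration no longer compiles under `strictPropertyInitialization`. Declare it `permissionsBoundary?: cdk.PermissionsBoundary;` so the type is honest; each `permissionsBoundary: this.permissionsBoundary` in the later hunks then passes `undefined`, which an optional StackProps field accepts, so no caller changes are needed. The `StackBuilderClass` body starts and ends outside the hunk.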
@@ -102,11 +104,12 @@ export class StackBuilderClass {
 this.stackMapper = new StackMapper({});
 }
 
- configure(configFilename?: string, configContents?: string) {
+ configure(configFilename?: string, configContents?: string, permissionsBoundary?: string) {
 this.configParser = new ConfigParser({
 configFilename: configFilename,
 configContents: configContents,
 });
+ this.permissionsBoundary = cdk.PermissionsBoundary.fromName(permissionsBoundary);
 try {
 this.configParser.parse();
 this.c = this.configParser.config;
@@ -185,6 +188,7 @@ export class StackBuilderClass {
 shareWithVpcs: sharedWithAppStacks,
 shareWithExistingVpcs: dnsStanza.shareWithExistingVpcs,
 },
+ permissionsBoundary: this.permissionsBoundary,
 }
 );
 }
@@ -196,13 +200,15 @@ export class StackBuilderClass {
 const allNamedStacks = this.allNamedStacks();
 this.stackMapper.transitGatewayRoutesStack("transit-gateway-routes", {
 tgwAttachmentsAndRoutes: allNamedStacks,
- useLegacyIdentifiers: this.c.global.useLegacyIdentifiers ? this.c.global.useLegacyIdentifiers : false
- })
+ useLegacyIdentifiers: this.c.global.useLegacyIdentifiers ? this.c.global.useLegacyIdentifiers : false,
+ permissionsBoundary: this.permissionsBoundary,
+ });
 // Use our Dummy Stack to assure our key exports (tgw ID, vpc ID, TGW attach ID remain exported)
 // Really only required when we're attaching to a TGW. Stand alone VPCs don't require exports to
 // co-ordinate their installation.
 this.stackMapper.cdkExportPersistStack("cdk-export-persistence", {
 persistExports: allNamedStacks,
+ permissionsBoundary: this.permissionsBoundary,
 });
 }
 }
@@ -232,6 +238,7 @@ export class StackBuilderClass {
 ssmParameterPrefix: this.c.global.ssmPrefix,
 vpcCidr: configStanza.vpcCidr,
 createSubnets: subnets,
+ permissionsBoundary: this.permissionsBoundary,
 };
 
 const transitGatewayName = this.workloadHasTransit(workloadVpcName);
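Review bot: The re-emitted line `useLegacyIdentifiers: this.c.global.useLegacyIdentifiers ? this.c.global.useLegacyIdentifiers : false,` in the @@ -196 hunk repeats its operand; if the config field is a boolean or absent, `useLegacyIdentifiers: this.c.global.useLegacyIdentifiers ?? false,` expresses the same default in one read. The enclosing method starts outside the hunk.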
@@ -307,6 +314,7 @@ export class StackBuilderClass {
 props: {
 namePrefix: transitGatewayName,
 tgwDescription: "imported",
+ permissionsBoundary: this.permissionsBoundary,
 },
 };
 this.stacks.transitGateway.push({
@@ -322,6 +330,7 @@ export class StackBuilderClass {
 {
 namePrefix: transitGatewayName,
 tgwDescription: configStanza.tgwDescription,
+ permissionsBoundary: this.permissionsBoundary,
 }
 ),
 });
@@ -361,6 +370,7 @@ export class StackBuilderClass {
 "transitGateway",
 configStanza.useTransit
 ).tgw,
+ permissionsBoundary: this.permissionsBoundary,
 }
 ),
 });
@@ -383,7 +393,8 @@ export class StackBuilderClass {
 existingDxGwTransitGatewayRouteTableId: configStanza.existingDxGwTransitGatewayRouteTableId,
 tgw: {
 attrId: configStanza.existingTgwId
- }
+ },
+ permissionsBoundary: this.permissionsBoundary,
 }
 ),
 });
@@ -469,6 +480,7 @@ export class StackBuilderClass {
 "transitGateway",
 configStanza.useTransit
 ).tgw,
+ permissionsBoundary: this.permissionsBoundary,
 } as IVpcInterfaceEndpointsProps
 ),
 });
@@ -510,6 +522,7 @@ export class StackBuilderClass {
 "transitGateway",
 configStanza.useTransit
 ).tgw,
+ permissionsBoundary: this.permissionsBoundary,
 } as IVpcRoute53ResolverEndpointsProps
 ),
 });
@@ -539,6 +552,7 @@ export class StackBuilderClass {
 "transitGateway",
 configStanza.useTransit
 ).tgw,
+ permissionsBoundary: this.permissionsBoundary,
 }
 ),
 });
@@ -567,6 +581,7 @@ export class StackBuilderClass {
 "transitGateway",
 configStanza.useTransit
 ).tgw,
+ permissionsBoundary: this.permissionsBoundary,
 }
 ),
 });

From 557cf6590a0bb225acb0931eb182301e75edfb21 Mon Sep 17 00:00:00 2001
From: DannyBlazejczak
Date: Mon, 13 May 2024 14:02:16 +1000
Subject: [PATCH 2/2] fix

---
 lib/stack-builder.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/stack-builder.ts b/lib/stack-builder.ts
index 1a6800c..11b9fef 100644
--- a/lib/stack-builder.ts
+++ b/lib/stack-builder.ts
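Review bot: In the @@ -469 hunk the object literal is asserted `as IVpcInterfaceEndpointsProps`, so if that interface does not declare `permissionsBoundary` (the series touches no stack or props file, so whether it extends `cdk.StackProps` is not visible here) the assertion suppresses the excess-property error and the boundary is silently dropped for the interface-endpoints stack instead of failing the build; the same applies to the `as IVpcRoute53ResolverEndpointsProps` literal in the @@ -510 hunk. A permissions boundary that is quietly not applied is worse than a compile error, so either remove the two `as` casts so the literals are checked structurally, or add a test that synthesizes the app with the context set and asserts that every IAM role in the resulting assembly carries a PermissionsBoundary property. The enclosing method starts and ends outside the hunk.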
@@ -109,7 +109,9 @@ export class StackBuilderClass {
 configFilename: configFilename,
 configContents: configContents,
 });
- this.permissionsBoundary = cdk.PermissionsBoundary.fromName(permissionsBoundary);
+ if (permissionsBoundary) {
+ this.permissionsBoundary = cdk.PermissionsBoundary.fromName(permissionsBoundary);
+ }
 try {
 this.configParser.parse();
 this.c = this.configParser.config;
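Review bot: The guard `if (permissionsBoundary)` only handles the absent case; the value originates from an untyped `tryGetContext` call in bin/vpc-builder.ts, so a non-string context value still reaches `fromName`, and a caller who supplies a full policy ARN (the form most IAM documentation quotes) has it treated as a bare name, which `fromName` will embed in an ARN it builds itself and which then fails only at deploy time. Validate the type and accept both forms, and document the expected input on the method, e.g. `@param permissionsBoundary managed-policy name or ARN applied as a permissions boundary to every IAM principal the stacks create`. The rest of configure's body continues past the hunk.
```typescript
    if (permissionsBoundary !== undefined) {
      if (typeof permissionsBoundary !== "string" || permissionsBoundary.length === 0) {
        throw new Error("permissions boundary must be a non-empty managed-policy name or ARN");
      }
      this.permissionsBoundary = permissionsBoundary.startsWith("arn:")
        ? cdk.PermissionsBoundary.fromArn(permissionsBoundary)
        : cdk.PermissionsBoundary.fromName(permissionsBoundary);
    }
    // … unchanged: try { this.configParser.parse(); … } block …
```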