Skip to content

Commit 27b4048

Browse files
committed
Rename after discussions
1 parent b6249e9 commit 27b4048

3 files changed

Lines changed: 35 additions & 10 deletions

File tree

src/constructs/iam/policies/index.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ export * from "./describe-ec2";
66
export * from "./dynamodb";
77
export * from "./kcl";
88
export * from "./log-shipping";
9-
export * from "./developer-policy";
9+
export * from "./workload-policy";
1010
export * from "./parameter-store-read";
1111
export * from "./s3-get-object";
1212
export * from "./s3-put-object";

src/constructs/iam/policies/developer-policy.test.ts renamed to src/constructs/iam/policies/workload-policy.test.ts

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,11 @@
11
import { Template } from "aws-cdk-lib/assertions";
22
import { simpleGuStackForTesting } from "../../../utils/test";
3-
import { GuDeveloperPolicy } from "./developer-policy";
3+
import { GuWorkloadPolicy } from "./workload-policy";
44

55
describe("GuDeveloperPolicy", () => {
66
test("if a single action is provided, the resulting Developer Policy resource's statement will have a single item", () => {
77
const stack = simpleGuStackForTesting();
8-
new GuDeveloperPolicy(stack, "AllowS3GetObject", {
8+
new GuWorkloadPolicy(stack, "AllowS3GetObject", {
99
allow: [
1010
{
1111
actions: ["s3:GetObject"],
@@ -16,7 +16,7 @@ describe("GuDeveloperPolicy", () => {
1616
});
1717

1818
Template.fromStack(stack).hasResourceProperties("AWS::IAM::ManagedPolicy", {
19-
Path: "/developer-policy/test123/",
19+
Path: "/workload-policy/test123/",
2020
PolicyDocument: {
2121
Version: "2012-10-17",
2222
Statement: [
@@ -31,7 +31,7 @@ describe("GuDeveloperPolicy", () => {
3131
});
3232
test("if multiple actions are provided, the resulting Managed Policy resource's action will container all items", () => {
3333
const stack = simpleGuStackForTesting();
34-
new GuDeveloperPolicy(stack, "AllowS3GetObject", {
34+
new GuWorkloadPolicy(stack, "AllowS3GetObject", {
3535
allow: [
3636
{
3737
actions: ["s3:GetObject"],
@@ -54,7 +54,7 @@ describe("GuDeveloperPolicy", () => {
5454

5555
Template.fromStack(stack).hasResourceProperties("AWS::IAM::ManagedPolicy", {
5656
Description: "testtesttest",
57-
Path: "/developer-policy/test321/",
57+
Path: "/workload-policy/test321/",
5858
PolicyDocument: {
5959
Version: "2012-10-17",
6060
Statement: [

src/constructs/iam/policies/developer-policy.ts renamed to src/constructs/iam/policies/workload-policy.ts

Lines changed: 29 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,9 @@
1+
import { Annotations } from "aws-cdk-lib";
12
import { Effect, ManagedPolicy, PolicyStatement } from "aws-cdk-lib/aws-iam";
23
import type { GuStack } from "../../core";
34
import type { GuAllowPolicyProps, GuDenyPolicyProps } from "./base-policy";
45

5-
export type GuDeveloperPolicyProps = {
6+
export type GuWorkloadPolicyProps = {
67
/**
78
* List of explicitly allowed permissions given by this policy.
89
*/
@@ -52,14 +53,33 @@ export type GuDeveloperPolicyProps = {
5253
* aws:cdk:path: janus-resources-for-testing-managed-policy-tagging/justin-testing/Resource* ```
5354
* ```
5455
*/
55-
export class GuDeveloperPolicy extends ManagedPolicy {
56-
constructor(scope: GuStack, id: string, props: GuDeveloperPolicyProps) {
56+
export class GuWorkloadPolicy extends ManagedPolicy {
57+
constructor(scope: GuStack, id: string, props: GuWorkloadPolicyProps) {
5758
super(scope, id, {
5859
description: `${props.permission} developer policy`,
5960
...props,
60-
path: `/developer-policy/${props.permission}/`,
61+
path: `/workload-policy/${props.permission}/`,
6162
});
63+
64+
let valid = true;
65+
6266
for (const allowed of props.allow) {
67+
68+
// validity checks
69+
const name = allowed.policyName ?? allowed.actions.join(",") + ' on ' + allowed.resources.join(",");
70+
for (const resource of allowed.resources) {
71+
if (resource === "*") {
72+
Annotations.of(this).addError(`Resource of '*' found in ${name} ALLOW permission`);
73+
valid = false;
74+
}
75+
}
76+
for (const action of allowed.actions) {
77+
if (action === "*") {
78+
const name = allowed.policyName ?? allowed.actions.join(",");
79+
Annotations.of(this).addError(`Action of '*' found in ${name} ALLOW permission`);
80+
valid = false;
81+
}
82+
}
6383
this.addStatements(
6484
new PolicyStatement({
6585
effect: Effect.ALLOW,
@@ -68,6 +88,11 @@ export class GuDeveloperPolicy extends ManagedPolicy {
6888
}),
6989
);
7090
}
91+
92+
if (!valid) {
93+
throw new Error("Overly broad permission present, see annotations for details");
94+
}
95+
7196
const { deny = [] } = props;
7297
for (const denied of deny) {
7398
this.addStatements(

0 commit comments

Comments
 (0)