fix(iam): adding organization id pattern verification (#33555)

### Issue # Closes #32756 ### Reason for this change The original issue was related to over permissive s3 permissions. Which originally was being caused by what seems to be something related to an undefined `iam.OrgranizationPrincipal` being allowed. However when using 2.178.2, I'm not seeing this particular issue, but the policy that is generated could still be incorrectly created by leaving a blank string. `iam.OrgranizationPrincipal('')` This can be avoided with a simple check. Although this is not a golden solution since it's not able to check if that organization exists, but for the use case it's better than nothing. ### Description of changes Adding a regex check that matches the Organization ID regex pattern in the docs; https://docs.aws.amazon.com/organizations/latest/APIReference/API_Organization.html ``` if (!organizationId.match(/^o-[a-z0-9]{10,32}$/)) { throw new Error(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`); } ``` ### Description of how you validated changes Added a test for bad names ``` test('throw error when Organization ID does not match regex pattern', () => { // GIVEN const shortOrgId = 'o-shortname'; const noOOrgName = 'no-o-name'; const longOrgName = 'o-thisnameistoooooooooooooooooolong'; // THEN expect(() => new iam.OrganizationPrincipal(shortOrgId)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${shortOrgId}`); expect(() => new iam.OrganizationPrincipal(noOOrgName)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${noOOrgName}`); expect(() => new iam.OrganizationPrincipal(longOrgName)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${longOrgName}`); }); ``` ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 26, 2025 · 6df9bfe · 6df9bfe
1 parent a6bfe3c
commit 6df9bfe
Show file tree

Hide file tree

Showing 13 changed files with 356 additions and 55 deletions.
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out
diff --git a/...ing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json b/...ing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json
diff --git a/...g/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json b/...g/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json
@@ -105,7 +105,7 @@
        "Action": "sts:AssumeRole",
        "Condition": {
         "StringEquals": {
-         "aws:PrincipalOrgID": "o-1234"
+         "aws:PrincipalOrgID": "o-12345abcde"
         }
        },
        "Effect": "Allow",

diff --git a/...ages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json b/...ages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json
diff --git a/...s-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json b/...s-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json
diff --git a/...s/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json b/...s/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json