Merge branch 'master' into 6741-cloudtrail-prefix-correct-bucket-policy

aws · Mar 31, 2020 · 790e9bd · 790e9bd
2 parents f86605d + 497f63e
commit 790e9bd
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 12 deletions.
diff --git a/packages/@aws-cdk/aws-iam/lib/group.ts b/packages/@aws-cdk/aws-iam/lib/group.ts
@@ -108,10 +108,21 @@ abstract class GroupBase extends Resource implements IGroup {
 }
 
 export class Group extends GroupBase {
-
   /**
-   * Imports a group from ARN
-   * @param groupArn (e.g. `arn:aws:iam::account-id:group/group-name`)
+   * Import an external group by ARN.
+   *
+   * If the imported Group ARN is a Token (such as a
+   * `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced
+   * group has a `path` (like `arn:...:group/AdminGroup/NetworkAdmin`), the
+   * `groupName` property will not resolve to the correct value. Instead it
+   * will resolve to the first path component. We unfortunately cannot express
+   * the correct calculation of the full path name as a CloudFormation
+   * expression. In this scenario the Group ARN should be supplied without the
+   * `path` in order to resolve the correct group resource.
+   *
+   * @param scope construct scope
+   * @param id construct id
+   * @param groupArn the ARN of the group to import (e.g. `arn:aws:iam::account-id:group/group-name`)
    */
   public static fromGroupArn(scope: Construct, id: string, groupArn: string): IGroup {
     const groupName = Stack.of(scope).parseArn(groupArn).resourceName!;

diff --git a/packages/@aws-cdk/aws-iam/lib/managed-policy.ts b/packages/@aws-cdk/aws-iam/lib/managed-policy.ts
@@ -88,7 +88,7 @@ export interface ManagedPolicyProps {
  */
 export class ManagedPolicy extends Resource implements IManagedPolicy {
   /**
-   * Construct a customer managed policy from the managedPolicyName
+   * Import a customer managed policy from the managedPolicyName.
    *
    * For this managed policy, you only need to know the name to be able to use it.
    *
@@ -107,10 +107,23 @@ export class ManagedPolicy extends Resource implements IManagedPolicy {
   }
 
   /**
-   * Constructs a managed policy from an ARN.
+   * Import an external managed policy by ARN.
    *
-   * For this managed policy, you only need to know the ARN to be able to use it. This can be useful if you got the ARN in a Cloudformation Export.
+   * For this managed policy, you only need to know the ARN to be able to use it.
+   * This can be useful if you got the ARN from a CloudFormation Export.
    *
+   * If the imported Managed Policy ARN is a Token (such as a
+   * `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced
+   * managed policy has a `path` (like `arn:...:policy/AdminPolicy/AdminAllow`), the
+   * `managedPolicyName` property will not resolve to the correct value. Instead it
+   * will resolve to the first path component. We unfortunately cannot express
+   * the correct calculation of the full path name as a CloudFormation
+   * expression. In this scenario the Managed Policy ARN should be supplied without the
+   * `path` in order to resolve the correct managed policy resource.
+   *
+   * @param scope construct scope
+   * @param id construct id
+   * @param managedPolicyArn the ARN of the managed policy to import
    */
   public static fromManagedPolicyArn(scope: Construct, id: string, managedPolicyArn: string): IManagedPolicy {
     class Import extends Resource implements IManagedPolicy {
@@ -120,7 +133,7 @@ export class ManagedPolicy extends Resource implements IManagedPolicy {
   }
 
   /**
-   * Construct a managed policy from one of the policies that AWS manages
+   * Import a managed policy from one of the policies that AWS manages.
    *
    * For this managed policy, you only need to know the name to be able to use it.
    *

diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -153,15 +153,16 @@ export interface FromRoleArnOptions {
  */
 export class Role extends Resource implements IRole {
   /**
-   * Imports an external role by ARN.
+   * Import an external role by ARN.
    *
    * If the imported Role ARN is a Token (such as a
    * `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced
    * role has a `path` (like `arn:...:role/AdminRoles/Alice`), the
-   * `role.roleName` property will not resolve to the correct value. Instead it
+   * `roleName` property will not resolve to the correct value. Instead it
    * will resolve to the first path component. We unfortunately cannot express
    * the correct calculation of the full path name as a CloudFormation
-   * expression.
+   * expression. In this scenario the Role ARN should be supplied without the
+   * `path` in order to resolve the correct role resource.
    *
    * @param scope construct scope
    * @param id construct id
@@ -479,4 +480,4 @@ class AwsStarStatement extends PolicyStatement {
 
     return stat;
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-iam/lib/user.ts b/packages/@aws-cdk/aws-iam/lib/user.ts
@@ -115,7 +115,11 @@ export interface UserProps {
  */
 export class User extends Resource implements IIdentity, IUser {
   /**
-   * Import an existing user given a username
+   * Import an existing user given a username.
+   *
+   * @param scope construct scope
+   * @param id construct id
+   * @param userName the username of the existing user to import
    */
   public static fromUserName(scope: Construct, id: string, userName: string): IUser {
     const arn = Stack.of(scope).formatArn({