aws · mergify · Feb 8, 2023 · Jan 26, 2023 · Jan 31, 2023 · Feb 2, 2023
diff --git a/packages/@aws-cdk/aws-cloud9/README.md b/packages/@aws-cdk/aws-cloud9/README.md
@@ -23,19 +23,19 @@
 
 This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
 
-AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a 
-browser. It includes a code editor, debugger, and terminal. Cloud9 comes prepackaged with essential tools for popular 
-programming languages, including JavaScript, Python, PHP, and more, so you don’t need to install files or configure your 
-development machine to start new projects. Since your Cloud9 IDE is cloud-based, you can work on your projects from your 
-office, home, or anywhere using an internet-connected machine. Cloud9 also provides a seamless experience for developing 
-serverless applications enabling you to easily define resources, debug, and switch between local and remote execution of 
-serverless applications. With Cloud9, you can quickly share your development environment with your team, enabling you to pair 
+AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a
+browser. It includes a code editor, debugger, and terminal. Cloud9 comes prepackaged with essential tools for popular
+programming languages, including JavaScript, Python, PHP, and more, so you don’t need to install files or configure your
+development machine to start new projects. Since your Cloud9 IDE is cloud-based, you can work on your projects from your
+office, home, or anywhere using an internet-connected machine. Cloud9 also provides a seamless experience for developing
+serverless applications enabling you to easily define resources, debug, and switch between local and remote execution of
+serverless applications. With Cloud9, you can quickly share your development environment with your team, enabling you to pair
 program and track each other's inputs in real time.
 
 
 ## Creating EC2 Environment
 
-EC2 Environments are defined with `Ec2Environment`. To create an EC2 environment in the private subnet, specify 
+EC2 Environments are defined with `Ec2Environment`. To create an EC2 environment in the private subnet, specify
 `subnetSelection` with private `subnetType`.
 
 
@@ -52,7 +52,7 @@ new cloud9.Ec2Environment(this, 'Cloud9Env2', {
   imageId: cloud9.ImageId.AMAZON_LINUX_2,
 });
 
-// or specify in a different subnetSelection 
+// or specify in a different subnetSelection
 const c9env = new cloud9.Ec2Environment(this, 'Cloud9Env3', {
   vpc,
   subnetSelection: {
@@ -104,3 +104,39 @@ new cloud9.Ec2Environment(this, 'C9Env', {
   imageId: cloud9.ImageId.AMAZON_LINUX_2,
 });
 ```
+
+## Specifying Owners
+`Owner` is a user that owns a Cloud9 environment . `Owner` has their own access permissions, resources. And we can specify an `Owner`in an Ec2 environment which could be of two types, 1. AccountRoot and 2. Iam User. It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user
-`Owner` is a user that owns a Cloud9 environment . `Owner` has their own access permissions, resources. And we can specify an `Owner`in an Ec2 environment which could be of two types, 1. AccountRoot and 2. Iam User. It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user
+Every Cloud9 Environment has an **owner**. An owner has full control over the environment, and can invite additional members to the environment for collaboration purposes. For more information, see [Working with shared environments in AWS Cloud9](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html)).
+
+By default, the owner will be the identity that creates the Environment, which is most likely your CloudFormation Execution Role when the Environment is created using CloudFormation. Provider a value for the `owner` property to assign a different owner, either a specific IAM User or the AWS Account Root User.
+
+`Owner` is a user that owns a Cloud9 environment . `Owner` has their own access permissions, resources. And we can specify an `Owner`in an Ec2 environment which could be of two types, 1. AccountRoot and 2. Iam User. It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user (but using the account root user is not recommended, see [environment sharing best practices](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-best-practices)).
-`Owner` is a user that owns a Cloud9 environment . `Owner` has their own access permissions, resources. And we can specify an `Owner`in an Ec2 environment which could be of two types, 1. AccountRoot and 2. Iam User. It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user
+Every Cloud9 Environment has an **owner**. An owner has full control over the environment, and can invite additional members to the environment for collaboration purposes. For more information, see [Working with shared environments in AWS Cloud9](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html)).
+
+By default, the owner will be the identity that creates the Environment, which is most likely your CloudFormation Execution Role when the Environment is created using CloudFormation. Provider a value for the `owner` property to assign a different owner, either a specific IAM User or the AWS Account Root User.
+
+`Owner` is a user that owns a Cloud9 environment . `Owner` has their own access permissions, resources. And we can specify an `Owner`in an Ec2 environment which could be of two types, 1. AccountRoot and 2. Iam User. It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user (but using the account root user is not recommended, see [environment sharing best practices](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-best-practices)).
+
+### AccountRoot
-### AccountRoot
+To specify the AWS Account Root User as the environment owner, use `Owner.accountRoot()`:
-### AccountRoot
+To specify the AWS Account Root User as the environment owner, use `Owner.accountRoot()`:
+
+```ts
+new cloud9.Ec2Environment(this, 'C9Env', {
+  // provides root account id.
+  owner: cloud9.Owner.AccountRoot('root account id')
-  owner: cloud9.Owner.AccountRoot('root account id')
+  owner: cloud9.Owner.AccountRoot('111111111111')
-  owner: cloud9.Owner.AccountRoot('root account id')
+  owner: cloud9.Owner.AccountRoot('111111111111')
+})
+```
+
+### Iam User
-### Iam User
+To specify a specific IAM User as the environment owner, use `Owner.user()`. The user should have the `AWSCloud9Administrator` managed policy:
-### Iam User
+To specify a specific IAM User as the environment owner, use `Owner.user()`. The user should have the `AWSCloud9Administrator` managed policy:
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+
+const user = new iam.User(stack, 'User');
+// provides an iam user.
-// provides an iam user.
+user.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AWSCloud9Administrator'));
-// provides an iam user.
+user.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AWSCloud9Administrator'));
+new cloud9.Ec2Environment(this, 'C9Env', {
+  owner: cloud9.Owner.User(user)
+})
+```
+
+### create a new Cloud9 environment with an owner as an Iam User.
+
+```ts
+const user = new iam.User(stack, 'User');
+declare const vpc: ec2.Vpc;
+new cloud9.Ec2Environment(this, 'C9Env', {
+  vpc,
+  imageId: cloud9.ImageId.AMAZON_LINUX_2,
+  owner: cloud9.Owner.User(user)
+});
+```
diff --git a/packages/@aws-cdk/aws-cloud9/lib/environment.ts b/packages/@aws-cdk/aws-cloud9/lib/environment.ts
@@ -1,5 +1,6 @@
 import * as codecommit from '@aws-cdk/aws-codecommit';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import { IUser } from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnEnvironmentEC2 } from '../lib/cloud9.generated';
@@ -53,11 +54,16 @@ export enum ImageId {
    */
   UBUNTU_18_04 = 'ubuntu-18.04-x86_64'
 }
-
 /**
  * Properties for Ec2Environment
  */
 export interface Ec2EnvironmentProps {
+  /**
+   * Owner of the environment.
+   *
+   */
+  readonly owner?: Owner;
+
   /**
    * The type of instance to connect to the environment.
    *
@@ -136,7 +142,6 @@ export class Ec2Environment extends cdk.Resource implements IEc2Environment {
     }
     return new Import(scope, id);
   }
-
   /**
    * The environment name of this Cloud9 environment
    *
@@ -182,6 +187,7 @@ export class Ec2Environment extends cdk.Resource implements IEc2Environment {
     const c9env = new CfnEnvironmentEC2(this, 'Resource', {
       name: props.ec2EnvironmentName,
       description: props.description,
+      ownerArn: props.owner?.ownerArn,
       instanceType: props.instanceType?.toString() ?? ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO).toString(),
       subnetId: this.vpc.selectSubnets(vpcSubnets).subnetIds[0],
       repositories: props.clonedRepositories ? props.clonedRepositories.map(r => ({
@@ -217,3 +223,38 @@ export class CloneRepository {
 
   private constructor(public readonly repositoryUrl: string, public readonly pathComponent: string) {}
 }
+
+/**
+ * The class for different types of owners
+ *
+ *
- * The class for different types of owners
- *
- *
+ * An environment owner
- * The class for different types of owners
- *
- *
+ * An environment owner
+ */
+export class Owner {
+  /**
+   * import from Owner Iuser
-   * import from Owner Iuser
+   * Make an IAM user the environment owner
-   * import from Owner Iuser
+   * Make an IAM user the environment owner
+   *
+   * User need to have AWSCloud9Administrator permissions
+   * @see https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-about
+   *
+   * @param user the User object to use as the environment owner
+   */
+  public static User(user: IUser): Owner {
+    return { ownerArn: user.userArn };
+  }
+
+
+  /**
+   * import from Owner account root
-   * import from Owner account root
+   * Make the Account Root User the environment owner (not recommended)
-   * import from Owner account root
+   * Make the Account Root User the environment owner (not recommended)
+   *
+   * @param accountId the AccountId to use as the environment owner.
+   */
+  public static AccountRoot(accountId: string): Owner {
+    return { ownerArn: `arn:aws:iam::${accountId}:root` };
+  }
+
+  /**
+   *
+   * @param ownerArn of environment owner.
+   */
+  private constructor(public readonly ownerArn: string) {}
+}
diff --git a/packages/@aws-cdk/aws-cloud9/package.json b/packages/@aws-cdk/aws-cloud9/package.json
@@ -92,13 +92,15 @@
   "dependencies": {
     "@aws-cdk/aws-codecommit": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^10.0.0"
   },
   "homepage": "https://github.com/aws/aws-cdk",
   "peerDependencies": {
     "@aws-cdk/aws-codecommit": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^10.0.0"
   },

diff --git a/packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts b/packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts
@@ -1,9 +1,10 @@
 import { Match, Template } from '@aws-cdk/assertions';
 import * as codecommit from '@aws-cdk/aws-codecommit';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as iam from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import * as cloud9 from '../lib';
-import { ConnectionType, ImageId } from '../lib';
+import { ConnectionType, ImageId, Owner } from '../lib';
 
 let stack: cdk.Stack;
 let vpc: ec2.IVpc;
@@ -79,7 +80,6 @@ test('throw error when subnetSelection not specified and the provided VPC has no
 test('can use CodeCommit repositories', () => {
   // WHEN
   const repo = codecommit.Repository.fromRepositoryName(stack, 'Repo', 'foo');
-
   new cloud9.Ec2Environment(stack, 'C9Env', {
     vpc,
     clonedRepositories: [
@@ -114,6 +114,37 @@ test('can use CodeCommit repositories', () => {
   });
 });
 
+test('environment owner can be an IAM user', () => {
+  // WHEN
+  const user = new iam.User(stack, 'User', {
+    userName: 'testUser',
+  });
+  new cloud9.Ec2Environment(stack, 'C9Env', {
+    vpc,
+    imageId: cloud9.ImageId.AMAZON_LINUX_2,
+    owner: Owner.User(user),
+  });
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
+    OwnerArn: {
+      'Fn::GetAtt': ['User00B015A1', 'Arn'],
+    },
+  });
+});
+
+test('environment owner can be account root', () => {
+  // WHEN
+  new cloud9.Ec2Environment(stack, 'C9Env', {
+    vpc,
+    imageId: cloud9.ImageId.AMAZON_LINUX_2,
+    owner: Owner.AccountRoot('12345678'),
+  });
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
+    OwnerArn: 'arn:aws:iam::12345678:root',
+  });
+});
+
 test.each([
   [ConnectionType.CONNECT_SSH, 'CONNECT_SSH'],
   [ConnectionType.CONNECT_SSM, 'CONNECT_SSM'],