From c3f82ab75ed95ba97e4e194bf80ef4856e63619e Mon Sep 17 00:00:00 2001 From: Markus Ziller Date: Mon, 4 Sep 2023 13:13:03 +0200 Subject: [PATCH 1/5] Adds test case for roles as environment owners --- .../test/cloud9.environment.test.ts | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts b/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts index 41879129e907e..b6c4a912e9063 100644 --- a/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts +++ b/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts @@ -5,6 +5,7 @@ import * as iam from 'aws-cdk-lib/aws-iam'; import * as cdk from 'aws-cdk-lib'; import * as cloud9 from '../lib'; import { ConnectionType, ImageId, Owner } from '../lib'; +import { AnyPrincipal, CfnRole } from 'aws-cdk-lib/aws-iam'; let stack: cdk.Stack; let vpc: ec2.IVpc; @@ -132,6 +133,28 @@ test('environment owner can be an IAM user', () => { }); }); +test('environment owner can be an IAM role', () => { + // WHEN + const role = new iam.Role(stack, 'Role', { + roleName: "TestRole", + assumedBy: new AnyPrincipal() + }); + new cloud9.Ec2Environment(stack, 'C9Env', { + vpc, + imageId: cloud9.ImageId.AMAZON_LINUX_2, + owner: Owner.role(role), + }); + // THEN + + const roleLogicalId = stack.getLogicalId(role.node.defaultChild as CfnRole); + + Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', { + OwnerArn: { + 'Fn::GetAtt': [roleLogicalId, 'Arn'], + }, + }); +}); + test('environment owner can be account root', () => { // WHEN new cloud9.Ec2Environment(stack, 'C9Env', { From 600a4dc255acbcd1067171aa1db63755bba15a95 Mon Sep 17 00:00:00 2001 
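Review bot: The added `import { AnyPrincipal, CfnRole } from 'aws-cdk-lib/aws-iam';` imports the same module a second way, right under the existing `import * as iam from 'aws-cdk-lib/aws-iam';` namespace import that the rest of the file already uses. Referring to `iam.AnyPrincipal` and `iam.CfnRole` in the new test and dropping this line keeps one import style per module. The import hunk in PATCH 3/5 that extends this line with `CfnUser` has the same issue and would become `iam.CfnUser`; the ESLint fix in PATCH 5/5 only touches quotes and a trailing comma, not the import.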
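Review bot: The fixture role in the new test is built with `assumedBy: new AnyPrincipal()`, which gives it a trust policy that every AWS principal satisfies, while the assertion below only checks `OwnerArn` and never looks at the trust policy. A narrow principal serves the test equally well, e.g. `assumedBy: new iam.AccountRootPrincipal(),`, and avoids modelling a wide-open role in a file that readers copy from. The explicit `roleName: 'TestRole'` is likewise unused by the assertion, since the test resolves the logical ID through `stack.getLogicalId`, and can be dropped. Note that the test proves only that the template references the role's ARN; whether Cloud9 accepts a plain IAM role ARN as owner is not covered by it (see PATCH 2/5).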
From: Markus Ziller Date: Mon, 4 Sep 2023 13:14:34 +0200 Subject: [PATCH 2/5] Implements Owner.role(..) to support role ownership in the cloud9 construct --- packages/@aws-cdk/aws-cloud9-alpha/lib/environment.ts | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-cloud9-alpha/lib/environment.ts b/packages/@aws-cdk/aws-cloud9-alpha/lib/environment.ts index 1894499e4da5f..ad8827c896cd9 100644 --- a/packages/@aws-cdk/aws-cloud9-alpha/lib/environment.ts +++ b/packages/@aws-cdk/aws-cloud9-alpha/lib/environment.ts @@ -1,6 +1,6 @@ import * as codecommit from 'aws-cdk-lib/aws-codecommit'; import * as ec2 from 'aws-cdk-lib/aws-ec2'; -import { IUser } from 'aws-cdk-lib/aws-iam'; +import { IUser, IRole } from 'aws-cdk-lib/aws-iam'; import * as cdk from 'aws-cdk-lib/core'; import { Construct } from 'constructs'; import { CfnEnvironmentEC2 } from 'aws-cdk-lib/aws-cloud9'; @@ -257,6 +257,15 @@ export class Owner { return { ownerArn: user.userArn }; } + /** + * Make an IAM role the environment owner + * + * @param role the Role object to use as the environment owner + */ + public static role(role: IRole): Owner { + return { ownerArn: role.roleArn }; + } + /** * Make the Account Root User the environment owner (not recommended) * From 2f8845299b88262d04e64c59f2a18935ee27071a Mon Sep 17 00:00:00 2001 From: Markus Ziller Date: Mon, 4 Sep 2023 13:16:09 +0200 Subject: [PATCH 3/5] Improves existing test case for user ownership by replacing a hardcoded logicalId with the dynamic value from the stack --- .../aws-cloud9-alpha/test/cloud9.environment.test.ts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts b/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts index b6c4a912e9063..412b2e052c64e 100644 --- a/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts 
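Review bot: `Owner.role` passes `role.roleArn` straight through as `ownerArn`, and nothing in this hunk or in the PR's tests establishes that Cloud9 accepts an IAM role ARN in this form; as far as I recall the service documents the owner as an IAM principal ARN and shows the STS assumed-role form (`arn:<partition>:sts::<account>:assumed-role/<role>/<session>`) for roles, so please confirm against the service docs that `arn:<partition>:iam::<account>:role/<name>` is accepted, otherwise the template synthesizes cleanly but fails at deploy time and no unit test catches it. Independently of that, the docstring should state the access consequence, because ownership is granted to the whole role rather than to one identity: `* Any principal that can assume this role becomes the environment owner, so prefer a role with a narrow trust policy.` The enclosing `Owner` class starts and ends outside the hunk.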
+++ b/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts @@ -5,7 +5,7 @@ import * as iam from 'aws-cdk-lib/aws-iam'; import * as cdk from 'aws-cdk-lib'; import * as cloud9 from '../lib'; import { ConnectionType, ImageId, Owner } from '../lib'; -import { AnyPrincipal, CfnRole } from 'aws-cdk-lib/aws-iam'; +import { AnyPrincipal, CfnRole, CfnUser } from 'aws-cdk-lib/aws-iam'; let stack: cdk.Stack; let vpc: ec2.IVpc; @@ -125,10 +125,12 @@ test('environment owner can be an IAM user', () => { imageId: cloud9.ImageId.AMAZON_LINUX_2, owner: Owner.user(user), }); + + const userLogicalId = stack.getLogicalId(user.node.defaultChild as CfnUser); // THEN Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', { OwnerArn: { - 'Fn::GetAtt': ['User00B015A1', 'Arn'], + 'Fn::GetAtt': [userLogicalId, 'Arn'], }, }); }); From 7b2d11536088402600a3d849b14928a5e955e325 Mon Sep 17 00:00:00 2001 From: Markus Ziller Date: Mon, 4 Sep 2023 13:17:17 +0200 Subject: [PATCH 4/5] Updates generated file THIRD_PARTY_LICENSES --- packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES b/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES index 768a185be9246..231613e7eabf1 100644 --- a/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES +++ b/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES @@ -1,6 +1,6 @@ The @aws-cdk/cli-lib-alpha package includes the following third-party software/licensing: -** @jsii/check-node@1.87.0 - https://www.npmjs.com/package/@jsii/check-node/v/1.87.0 | Apache-2.0 +** @jsii/check-node@1.88.0 - https://www.npmjs.com/package/@jsii/check-node/v/1.88.0 | Apache-2.0 jsii Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. 
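Review bot: `const userLogicalId = stack.getLogicalId(user.node.defaultChild as CfnUser);` is inserted above the `// THEN` marker although it only serves the assertion; moving it below `// THEN` keeps the arrange/act/assert layout the file follows. The `as CfnUser` cast is unchecked since `defaultChild` is typed as possibly undefined, which is acceptable for an `iam.User` whose L1 child should always exist, but a wrong cast would surface as an obscure error from `getLogicalId` rather than from the test's own assertion. The new role test in PATCH 1/5 uses the same resolution pattern, so the two could share a small helper if more owner variants are added.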
@@ -238,7 +238,7 @@ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH RE ---------------- -** aws-sdk@2.1446.0 - https://www.npmjs.com/package/aws-sdk/v/2.1446.0 | Apache-2.0 +** aws-sdk@2.1447.0 - https://www.npmjs.com/package/aws-sdk/v/2.1447.0 | Apache-2.0 AWS SDK for JavaScript Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. From 6646ca384ce59bbfbd08d6746b763f4b665e255c Mon Sep 17 00:00:00 2001 From: Markus Ziller Date: Mon, 4 Sep 2023 13:20:00 +0200 Subject: [PATCH 5/5] Fixes ESLint checks --- .../@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts b/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts index 412b2e052c64e..336655c38cbea 100644 --- a/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts +++ b/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts @@ -138,8 +138,8 @@ test('environment owner can be an IAM user', () => { test('environment owner can be an IAM role', () => { // WHEN const role = new iam.Role(stack, 'Role', { - roleName: "TestRole", - assumedBy: new AnyPrincipal() + roleName: 'TestRole', + assumedBy: new AnyPrincipal(), }); new cloud9.Ec2Environment(stack, 'C9Env', { vpc,