diff --git a/packages/@aws-cdk/aws-certificatemanager/test/test.util.ts b/packages/@aws-cdk/aws-certificatemanager/test/test.util.ts index 9751d3e0b7f7e..c6f06819acfbd 100644 --- a/packages/@aws-cdk/aws-certificatemanager/test/test.util.ts +++ b/packages/@aws-cdk/aws-certificatemanager/test/test.util.ts @@ -101,7 +101,7 @@ export = { domainName: 'www.example.com', }); - test.equals(getCertificateRegion(certificate), '${Token[AWS::Region.4]}'); + test.equals(getCertificateRegion(certificate), '${Token[AWS.Region.4]}'); test.done(); }, }, diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/s3/test.s3-deploy-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/s3/test.s3-deploy-action.ts index dec66faad9ed6..07bee2a9d0b6f 100644 --- a/packages/@aws-cdk/aws-codepipeline-actions/test/s3/test.s3-deploy-action.ts +++ b/packages/@aws-cdk/aws-codepipeline-actions/test/s3/test.s3-deploy-action.ts @@ -1,7 +1,7 @@ import { expect, haveResourceLike } from '@aws-cdk/assert'; import * as codepipeline from '@aws-cdk/aws-codepipeline'; import * as s3 from '@aws-cdk/aws-s3'; -import { Duration, SecretValue, Stack } from '@aws-cdk/core'; +import { App, Duration, SecretValue, Stack } from '@aws-cdk/core'; import { Test } from 'nodeunit'; import * as cpactions from '../../lib'; @@ -152,6 +152,38 @@ export = { test.done(); }, + + 'correctly makes the action cross-region for a Bucket imported with a different region'(test: Test) { + const app = new App(); + const stack = new Stack(app, 'PipelineStack', { + env: { account: '123456789012', region: 'us-west-2' }, + }); + const deployBucket = s3.Bucket.fromBucketAttributes(stack, 'DeployBucket', { + bucketName: 'my-deploy-bucket', + region: 'ap-southeast-1', + }); + + minimalPipeline(stack, { + bucket: deployBucket, + }); + + expect(stack).to(haveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: [ + {}, + { + Name: 'Deploy', + Actions: [ + { + Name: 'CopyFiles', + Region: 'ap-southeast-1', + }, + ], + }, + ], + })); + + test.done(); + }, }, }; diff --git a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts index b498c20945f83..d4100c39c69dc 100644 --- a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts +++ b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts @@ -401,11 +401,12 @@ export class Pipeline extends PipelineBase { const actionResource = action.actionProperties.resource; if (actionResource) { const actionResourceStack = Stack.of(actionResource); - if (pipelineStack.region !== actionResourceStack.region) { - actionRegion = actionResourceStack.region; + if (this.region !== actionResource.region) { + actionRegion = actionResource.region; // if the resource is from a different stack in another region but the same account, // use that stack as home for the cross-region support resources - if (pipelineStack.account === actionResourceStack.account) { + if (pipelineStack.account === actionResourceStack.account && + actionResource.region === actionResourceStack.region) { otherStack = actionResourceStack; } } @@ -850,11 +851,10 @@ export class Pipeline extends PipelineBase { } private requireRegion(): string { - const region = Stack.of(this).region; - if (Token.isUnresolved(region)) { + if (Token.isUnresolved(this.region)) { throw new Error('Pipeline stack which uses cross-environment actions must have an explicitly set region'); } - return region; + return this.region; } private requireApp(): App { diff --git a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts index c0c0fe9633ac0..98160c4208cdf 100644 --- a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts +++ b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts @@ -2103,7 +2103,7 @@ describe('import', () => { 'Roles': [{ 'Ref': 'NewRole99763075' }], }); - expect(table.tableArn).toBe('arn:${Token[AWS::Partition.3]}:dynamodb:${Token[AWS::Region.4]}:${Token[AWS::AccountId.0]}:table/MyTable'); + expect(table.tableArn).toBe('arn:${Token[AWS.Partition.3]}:dynamodb:${Token[AWS.Region.4]}:${Token[AWS.AccountId.0]}:table/MyTable'); expect(stack.resolve(table.tableName)).toBe(tableName); }); diff --git a/packages/@aws-cdk/aws-ec2/lib/bastion-host.ts b/packages/@aws-cdk/aws-ec2/lib/bastion-host.ts index 00b6cd396ddf9..9795551abf5a4 100644 --- a/packages/@aws-cdk/aws-ec2/lib/bastion-host.ts +++ b/packages/@aws-cdk/aws-ec2/lib/bastion-host.ts @@ -1,5 +1,5 @@ import { IPrincipal, IRole, PolicyStatement } from '@aws-cdk/aws-iam'; -import { CfnOutput, Construct, Stack } from '@aws-cdk/core'; +import { CfnOutput, Construct, Resource, Stack } from '@aws-cdk/core'; import { AmazonLinuxGeneration, InstanceClass, InstanceSize, InstanceType } from '.'; import { Connections } from './connections'; import { IInstance, Instance } from './instance'; @@ -90,8 +90,9 @@ export interface BastionHostLinuxProps { * You can also configure this bastion host to allow connections via SSH * * @experimental + * @resource AWS::EC2::Instance */ -export class BastionHostLinux extends Construct implements IInstance { +export class BastionHostLinux extends Resource implements IInstance { public readonly stack: Stack; /** @@ -192,4 +193,4 @@ export class BastionHostLinux extends Construct implements IInstance { this.connections.allowFrom(p, Port.tcp(22), 'SSH access'); }); } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-ec2/package.json b/packages/@aws-cdk/aws-ec2/package.json index ad6075cc5ec77..0a48f2620252d 100644 --- a/packages/@aws-cdk/aws-ec2/package.json +++ b/packages/@aws-cdk/aws-ec2/package.json @@ -117,6 +117,7 @@ "props-physical-name:@aws-cdk/aws-ec2.InterfaceVpcEndpointProps", "from-method:@aws-cdk/aws-ec2.Instance", "from-method:@aws-cdk/aws-ec2.VpcEndpointService", + "attribute-tag:@aws-cdk/aws-ec2.BastionHostLinux.instance", "attribute-tag:@aws-cdk/aws-ec2.Instance.instance", "from-signature:@aws-cdk/aws-ec2.SecurityGroup.fromSecurityGroupId", "docs-public-apis:@aws-cdk/aws-ec2.WindowsVersion.WINDOWS_SERVER_2016_ENGLISH_DEEP_LEARNING", diff --git a/packages/@aws-cdk/aws-ec2/test/userdata.test.ts b/packages/@aws-cdk/aws-ec2/test/userdata.test.ts index 4f4a357d55e37..7092d91794250 100644 --- a/packages/@aws-cdk/aws-ec2/test/userdata.test.ts +++ b/packages/@aws-cdk/aws-ec2/test/userdata.test.ts @@ -52,7 +52,7 @@ nodeunitShim({ test.equals(rendered, 'trap {\n' + '$success=($PSItem.Exception.Message -eq "Success")\n' + - 'cfn-signal --stack Stack --resource RESOURCE1989552F --region ${Token[AWS::Region.4]} --success ($success.ToString().ToLower())\n' + + 'cfn-signal --stack Stack --resource RESOURCE1989552F --region ${Token[AWS.Region.4]} --success ($success.ToString().ToLower())\n' + 'break\n' + '}\n' + 'command1\n' + @@ -157,7 +157,7 @@ nodeunitShim({ test.equals(rendered, '#!/bin/bash\n' + 'function exitTrap(){\n' + 'exitCode=$?\n' + - '/opt/aws/bin/cfn-signal --stack Stack --resource RESOURCE1989552F --region ${Token[AWS::Region.4]} -e $exitCode || echo \'Failed to send Cloudformation Signal\'\n' + + '/opt/aws/bin/cfn-signal --stack Stack --resource RESOURCE1989552F --region ${Token[AWS.Region.4]} -e $exitCode || echo \'Failed to send Cloudformation Signal\'\n' + '}\n' + 'trap exitTrap EXIT\n' + 'command1'); diff --git a/packages/@aws-cdk/aws-ecs-patterns/test/fargate/integ.load-balanced-fargate-service.ts b/packages/@aws-cdk/aws-ecs-patterns/test/fargate/integ.load-balanced-fargate-service.ts index f4ecc0f0a5616..6b7c7ace3a775 100644 --- a/packages/@aws-cdk/aws-ecs-patterns/test/fargate/integ.load-balanced-fargate-service.ts +++ b/packages/@aws-cdk/aws-ecs-patterns/test/fargate/integ.load-balanced-fargate-service.ts @@ -26,7 +26,9 @@ new ApplicationLoadBalancedFargateService(stack, 'myService', { hostedZoneArn: 'arn:aws:route53:::hostedzone/fakeId', stack, node: stack.node, + account: stack.account, + region: stack.region, }, }); -app.synth(); \ No newline at end of file +app.synth(); diff --git a/packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.load-balanced-fargate-service.ts b/packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.load-balanced-fargate-service.ts index b0b8a21705ddb..f4312798fae07 100644 --- a/packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.load-balanced-fargate-service.ts +++ b/packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.load-balanced-fargate-service.ts @@ -376,6 +376,8 @@ export = { hostedZoneArn: 'arn:aws:route53:::hostedzone/fakeId', stack, node: stack.node, + account: stack.account, + region: stack.region, }, taskImageOptions: { containerPort: 2015, @@ -414,6 +416,8 @@ export = { hostedZoneArn: 'arn:aws:route53:::hostedzone/fakeId', stack, node: stack.node, + account: stack.account, + region: stack.region, }, taskImageOptions: { containerPort: 2015, @@ -641,4 +645,4 @@ export = { test.done(); }, -}; \ No newline at end of file +}; diff --git a/packages/@aws-cdk/aws-eks-legacy/lib/kubectl-layer.ts b/packages/@aws-cdk/aws-eks-legacy/lib/kubectl-layer.ts index 73168622e4ff4..03b3fda0324f2 100644 --- a/packages/@aws-cdk/aws-eks-legacy/lib/kubectl-layer.ts +++ b/packages/@aws-cdk/aws-eks-legacy/lib/kubectl-layer.ts @@ -1,5 +1,5 @@ import * as lambda from '@aws-cdk/aws-lambda'; -import { CfnResource, Construct, Stack, Token } from '@aws-cdk/core'; +import { CfnResource, Construct, Resource, Stack, Token } from '@aws-cdk/core'; import * as crypto from 'crypto'; const KUBECTL_APP_ARN = 'arn:aws:serverlessrepo:us-east-1:903779448426:applications/lambda-layer-kubectl'; @@ -19,7 +19,7 @@ export interface KubectlLayerProps { * * @see https://github.com/aws-samples/aws-lambda-layer-kubectl */ -export class KubectlLayer extends Construct implements lambda.ILayerVersion { +export class KubectlLayer extends Resource implements lambda.ILayerVersion { /** * Gets or create a singleton instance of this construct. @@ -68,10 +68,6 @@ export class KubectlLayer extends Construct implements lambda.ILayerVersion { this.layerVersionArn = Token.asString(resource.getAtt('Outputs.LayerVersionArn')); } - public get stack() { - return Stack.of(this); - } - public addPermission(_id: string, _permission: lambda.LayerVersionPermission): void { return; } diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-layer.ts b/packages/@aws-cdk/aws-eks/lib/kubectl-layer.ts index 84efa5325854a..e58773989e1c9 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-layer.ts +++ b/packages/@aws-cdk/aws-eks/lib/kubectl-layer.ts @@ -1,5 +1,5 @@ import * as lambda from '@aws-cdk/aws-lambda'; -import { CfnResource, Construct, Stack, Token } from '@aws-cdk/core'; +import { CfnResource, Construct, Resource, Stack, Token } from '@aws-cdk/core'; import * as crypto from 'crypto'; const KUBECTL_APP_ARN = 'arn:aws:serverlessrepo:us-east-1:903779448426:applications/lambda-layer-kubectl'; @@ -21,7 +21,7 @@ export interface KubectlLayerProps { * * @see https://github.com/aws-samples/aws-lambda-layer-kubectl */ -export class KubectlLayer extends Construct implements lambda.ILayerVersion { +export class KubectlLayer extends Resource implements lambda.ILayerVersion { /** * Gets or create a singleton instance of this construct. @@ -70,10 +70,6 @@ export class KubectlLayer extends Construct implements lambda.ILayerVersion { this.layerVersionArn = Token.asString(resource.getAtt('Outputs.LayerVersionArn')); } - public get stack() { - return Stack.of(this); - } - public addPermission(_id: string, _permission: lambda.LayerVersionPermission): void { return; } diff --git a/packages/@aws-cdk/aws-iam/lib/account-utils.ts b/packages/@aws-cdk/aws-iam/lib/account-utils.ts new file mode 100644 index 0000000000000..b60eaf8294c70 --- /dev/null +++ b/packages/@aws-cdk/aws-iam/lib/account-utils.ts @@ -0,0 +1,23 @@ +import * as cdk from '@aws-cdk/core'; + +export enum AccountCompare { + SAME, + DIFFERENT, + UNKNOWN, +} + +export function accountsAreSameOrUnresolved(account1: string | undefined, account2: string | undefined): AccountCompare { + const firstIsUnresolved = cdk.Token.isUnresolved(account1); + const secondIsUnresolved = cdk.Token.isUnresolved(account2); + + if (firstIsUnresolved && secondIsUnresolved) { + return AccountCompare.SAME; + } + if (firstIsUnresolved || secondIsUnresolved) { + return AccountCompare.UNKNOWN; + } + + return account1 === account2 + ? AccountCompare.SAME + : AccountCompare.DIFFERENT; +} diff --git a/packages/@aws-cdk/aws-iam/lib/grant.ts b/packages/@aws-cdk/aws-iam/lib/grant.ts index 0f882c4a73d00..83b28f3bdc756 100644 --- a/packages/@aws-cdk/aws-iam/lib/grant.ts +++ b/packages/@aws-cdk/aws-iam/lib/grant.ts @@ -1,4 +1,5 @@ import * as cdk from '@aws-cdk/core'; +import { AccountCompare, accountsAreSameOrUnresolved } from './account-utils'; import { PolicyStatement } from './policy-statement'; import { IGrantable, IPrincipal } from './principals'; @@ -121,7 +122,12 @@ export class Grant implements cdk.IDependable { scope: options.resource, }); - if (result.success) { return result; } + const definitelySameAccount = accountsAreSameOrUnresolved( + options.grantee.grantPrincipal.principalAccount, + options.resource.account) === AccountCompare.SAME; + if (result.success && definitelySameAccount) { + return result; + } const statement = new PolicyStatement({ actions: options.actions, @@ -292,7 +298,7 @@ interface GrantProps { /** * A resource with a resource policy that can be added to */ -export interface IResourceWithPolicy extends cdk.IConstruct { +export interface IResourceWithPolicy extends cdk.IResource { /** * Add a statement to the resource's resource policy */ @@ -332,4 +338,4 @@ export class CompositeDependable implements cdk.IDependable { }, }); } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-iam/lib/group.ts b/packages/@aws-cdk/aws-iam/lib/group.ts index 08ef30cba9203..5c3f4ecb236a1 100644 --- a/packages/@aws-cdk/aws-iam/lib/group.ts +++ b/packages/@aws-cdk/aws-iam/lib/group.ts @@ -72,6 +72,7 @@ abstract class GroupBase extends Resource implements IGroup { public abstract readonly groupArn: string; public readonly grantPrincipal: IPrincipal = this; + public readonly principalAccount: string | undefined = this.account; public readonly assumeRoleAction: string = 'sts:AssumeRole'; private readonly attachedPolicies = new AttachedPolicies(); @@ -143,10 +144,12 @@ export class Group extends GroupBase { * @param groupArn the ARN of the group to import (e.g. `arn:aws:iam::account-id:group/group-name`) */ public static fromGroupArn(scope: Construct, id: string, groupArn: string): IGroup { - const groupName = Stack.of(scope).parseArn(groupArn).resourceName!; + const arnComponents = Stack.of(scope).parseArn(groupArn); + const groupName = arnComponents.resourceName!; class Import extends GroupBase { public groupName = groupName; public groupArn = groupArn; + public principalAccount = arnComponents.account; } return new Import(scope, id); diff --git a/packages/@aws-cdk/aws-iam/lib/lazy-role.ts b/packages/@aws-cdk/aws-iam/lib/lazy-role.ts index bfc83817ad0f8..b4ab57dad2096 100644 --- a/packages/@aws-cdk/aws-iam/lib/lazy-role.ts +++ b/packages/@aws-cdk/aws-iam/lib/lazy-role.ts @@ -27,6 +27,7 @@ export interface LazyRoleProps extends RoleProps { */ export class LazyRole extends cdk.Resource implements IRole { public readonly grantPrincipal: IPrincipal = this; + public readonly principalAccount: string | undefined = this.account; public readonly assumeRoleAction: string = 'sts:AssumeRole'; private role?: Role; diff --git a/packages/@aws-cdk/aws-iam/lib/oidc-provider.ts b/packages/@aws-cdk/aws-iam/lib/oidc-provider.ts index 06fe2395f687f..703a9e52a6af3 100644 --- a/packages/@aws-cdk/aws-iam/lib/oidc-provider.ts +++ b/packages/@aws-cdk/aws-iam/lib/oidc-provider.ts @@ -1,4 +1,4 @@ -import { Construct, CustomResource, CustomResourceProvider, CustomResourceProviderRuntime, IResource, Resource, Stack, Token } from '@aws-cdk/core'; +import { Construct, CustomResource, CustomResourceProvider, CustomResourceProviderRuntime, IResource, Resource, Token } from '@aws-cdk/core'; import * as path from 'path'; const RESOURCE_TYPE = 'Custom::AWSCDKOpenIdConnectProvider'; @@ -88,8 +88,9 @@ export interface OpenIdConnectProviderProps { * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html * * @experimental + * @resource AWS::CloudFormation::CustomResource */ -export class OpenIdConnectProvider extends Construct implements IOpenIdConnectProvider { +export class OpenIdConnectProvider extends Resource implements IOpenIdConnectProvider { /** * Imports an Open ID connect provider from an ARN. * @param scope The definition scope @@ -130,8 +131,6 @@ export class OpenIdConnectProvider extends Construct implements IOpenIdConnectPr this.openIdConnectProviderArn = Token.asString(resource.ref); } - public get stack() { return Stack.of(this); } - private getOrCreateProvider() { return CustomResourceProvider.getOrCreate(this, RESOURCE_TYPE, { codeDirectory: path.join(__dirname, 'oidc-provider'), diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts index 53e7aca1968d7..ee4cdf0c43e27 100644 --- a/packages/@aws-cdk/aws-iam/lib/principals.ts +++ b/packages/@aws-cdk/aws-iam/lib/principals.ts @@ -42,6 +42,15 @@ export interface IPrincipal extends IGrantable { */ readonly policyFragment: PrincipalPolicyFragment; + /** + * The AWS account ID of this principal. + * Can be undefined when the account is not known + * (for example, for service principals). + * Can be a Token - in that case, + * it's assumed to be AWS::AccountId. + */ + readonly principalAccount?: string; + /** * Add to the policy of this principal. * @@ -83,6 +92,7 @@ export interface AddToPrincipalPolicyResult { */ export abstract class PrincipalBase implements IPrincipal { public readonly grantPrincipal: IPrincipal = this; + public readonly principalAccount: string | undefined = undefined; /** * Return the policy fragment that identifies this principal in a Policy. diff --git a/packages/@aws-cdk/aws-iam/lib/private/immutable-role.ts b/packages/@aws-cdk/aws-iam/lib/private/immutable-role.ts index 92aed748514d5..2e7d3426db3b3 100644 --- a/packages/@aws-cdk/aws-iam/lib/private/immutable-role.ts +++ b/packages/@aws-cdk/aws-iam/lib/private/immutable-role.ts @@ -1,4 +1,4 @@ -import { ConcreteDependable, Construct, DependableTrait } from '@aws-cdk/core'; +import { ConcreteDependable, Construct, DependableTrait, Resource } from '@aws-cdk/core'; import { Grant } from '../grant'; import { IManagedPolicy } from '../managed-policy'; import { Policy } from '../policy'; @@ -19,16 +19,20 @@ import { IRole } from '../role'; * which was imported into the CDK with {@link Role.fromRoleArn}, you don't have to use this class - * simply pass the property mutable = false when calling {@link Role.fromRoleArn}. */ -export class ImmutableRole extends Construct implements IRole { +export class ImmutableRole extends Resource implements IRole { public readonly assumeRoleAction = this.role.assumeRoleAction; public readonly policyFragment = this.role.policyFragment; public readonly grantPrincipal = this; + public readonly principalAccount = this.role.principalAccount; public readonly roleArn = this.role.roleArn; public readonly roleName = this.role.roleName; public readonly stack = this.role.stack; constructor(scope: Construct, id: string, private readonly role: IRole) { - super(scope, id); + super(scope, id, { + account: role.account, + region: role.region, + }); // implement IDependable privately DependableTrait.implement(this, { @@ -60,4 +64,4 @@ export class ImmutableRole extends Construct implements IRole { public grantPassRole(grantee: IPrincipal): Grant { return this.role.grantPassRole(grantee); } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts index e62dcd45af0be..4352c693d5fac 100644 --- a/packages/@aws-cdk/aws-iam/lib/role.ts +++ b/packages/@aws-cdk/aws-iam/lib/role.ts @@ -176,6 +176,7 @@ export class Role extends Resource implements IRole { const scopeStack = Stack.of(scope); const parsedArn = scopeStack.parseArn(roleArn); const resourceName = parsedArn.resourceName!; + const roleAccount = parsedArn.account; // service roles have an ARN like 'arn:aws:iam:::role/service-role/' // we want to support these as well, so strip out the 'service-role/' prefix if we see it const roleName = resourceName.startsWith('service-role/') @@ -184,6 +185,7 @@ export class Role extends Resource implements IRole { class Import extends Resource implements IRole { public readonly grantPrincipal: IPrincipal = this; + public readonly principalAccount = roleAccount; public readonly assumeRoleAction: string = 'sts:AssumeRole'; public readonly policyFragment = new ArnPrincipal(roleArn).policyFragment; public readonly roleArn = roleArn; @@ -191,6 +193,12 @@ export class Role extends Resource implements IRole { private readonly attachedPolicies = new AttachedPolicies(); private defaultPolicy?: Policy; + constructor(_scope: Construct, _id: string) { + super(_scope, _id, { + account: roleAccount, + }); + } + public addToPolicy(statement: PolicyStatement): boolean { return this.addToPrincipalPolicy(statement).statementAdded; } @@ -237,13 +245,10 @@ export class Role extends Resource implements IRole { } } - const roleAccount = parsedArn.account; - - const scopeAccount = scopeStack.account; - - return options.mutable !== false && accountsAreEqualOrOneIsUnresolved(scopeAccount, roleAccount) - ? new Import(scope, id) - : new ImmutableRole(scope, `ImmutableRole${id}`, new Import(scope, id)); + const importedRole = new Import(scope, id); + return options.mutable !== false && accountsAreEqualOrOneIsUnresolved(scopeStack.account, importedRole.account) + ? importedRole + : new ImmutableRole(scope, `ImmutableRole${id}`, importedRole); function accountsAreEqualOrOneIsUnresolved( account1: string | undefined, @@ -254,6 +259,7 @@ export class Role extends Resource implements IRole { } public readonly grantPrincipal: IPrincipal = this; + public readonly principalAccount: string | undefined = this.account; public readonly assumeRoleAction: string = 'sts:AssumeRole'; diff --git a/packages/@aws-cdk/aws-iam/lib/user.ts b/packages/@aws-cdk/aws-iam/lib/user.ts index 886937fcf3cb8..0be8ac94a5465 100644 --- a/packages/@aws-cdk/aws-iam/lib/user.ts +++ b/packages/@aws-cdk/aws-iam/lib/user.ts @@ -1,4 +1,4 @@ -import { Construct, Lazy, Resource, SecretValue, Stack } from '@aws-cdk/core'; +import { Aws, Construct, Lazy, Resource, SecretValue, Stack } from '@aws-cdk/core'; import { IGroup } from './group'; import { CfnUser } from './iam.generated'; import { IIdentity } from './identity-base'; @@ -139,6 +139,7 @@ export class User extends Resource implements IIdentity, IUser { class Import extends Resource implements IUser { public readonly grantPrincipal: IPrincipal = this; + public readonly principalAccount = Aws.ACCOUNT_ID; public readonly userName: string = userName; public readonly userArn: string = arn; public readonly assumeRoleAction: string = 'sts:AssumeRole'; @@ -175,6 +176,7 @@ export class User extends Resource implements IIdentity, IUser { } public readonly grantPrincipal: IPrincipal = this; + public readonly principalAccount: string | undefined = this.account; public readonly assumeRoleAction: string = 'sts:AssumeRole'; /** diff --git a/packages/@aws-cdk/aws-iam/package.json b/packages/@aws-cdk/aws-iam/package.json index a0dcc893ca6da..0f37067cedab6 100644 --- a/packages/@aws-cdk/aws-iam/package.json +++ b/packages/@aws-cdk/aws-iam/package.json @@ -89,6 +89,7 @@ "exclude": [ "from-signature:@aws-cdk/aws-iam.Role.fromRoleArn", "construct-interface-extends-iconstruct:@aws-cdk/aws-iam.IManagedPolicy", + "props-physical-name:@aws-cdk/aws-iam.OpenIdConnectProviderProps", "resource-interface-extends-resource:@aws-cdk/aws-iam.IManagedPolicy", "docs-public-apis:@aws-cdk/aws-iam.IUser" ] diff --git a/packages/@aws-cdk/aws-iam/test/cross-account.test.ts b/packages/@aws-cdk/aws-iam/test/cross-account.test.ts new file mode 100644 index 0000000000000..899747f98fd04 --- /dev/null +++ b/packages/@aws-cdk/aws-iam/test/cross-account.test.ts @@ -0,0 +1,233 @@ +import '@aws-cdk/assert/jest'; +import * as cdk from '@aws-cdk/core'; +import * as iam from '../lib'; + +// Test cross-account grant scenario's for principals +// +// When doing a grant on a resource with a resource policy: +// +// - Permissions are added to the identity if possible. +// - Trust is added to the resource if necessary (identity is in +// a different account than the resource). + +let app: cdk.App; +const stack1Account = '1234'; +let stack1: cdk.Stack; +const stack2Account = '5678'; +let stack2: cdk.Stack; +const thirdAccount = '123456789012'; + +beforeEach(() => { + app = new cdk.App(); + stack1 = new cdk.Stack(app, 'Stack1', { env: { account: stack1Account, region: 'us-bla-5' }}); + stack2 = new cdk.Stack(app, 'Stack2', { env: { account: stack2Account, region: 'us-bla-5' }}); +}); + +test('cross-account Role grant creates permissions AND trust', () => { + // GIVEN + const role = new iam.Role(stack1, 'Role', { + roleName: cdk.PhysicalName.GENERATE_IF_NEEDED, + assumedBy: new iam.ServicePrincipal('some.service'), + }); + const resource = new FakeResource(stack2, 'Resource'); + + // WHEN + doGrant(resource, role); + + // THEN + assertPolicyCreated(stack1); + assertTrustCreated(stack2, { AWS: { + 'Fn::Join': [ '', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${stack1Account}:role/stack1stack1rolef3c14260253562f428b7`, + ]], + }}); +}); + +test('Service Principal grant creates trust', () => { + const resource = new FakeResource(stack2, 'Resource'); + + // WHEN + doGrant(resource, new iam.ServicePrincipal('service.amazonaws.com')); + + // THEN + assertTrustCreated(stack2, { Service: 'service.amazonaws.com' }); +}); + +test('Imported Role with definitely different account grant creates trust', () => { + const resource = new FakeResource(stack2, 'Resource'); + const role = iam.Role.fromRoleArn(stack2, 'Role', `arn:aws:iam::${thirdAccount}:role/S3Access`, { mutable: true }); + + // WHEN + doGrant(resource, role); + + // THEN + noPolicyCreated(stack2); + assertTrustCreated(stack2, { + AWS: `arn:aws:iam::${thirdAccount}:role/S3Access`, + }); +}); + +test('Imported Role with partition token in ARN (definitely different account) grant creates trust', () => { + const resource = new FakeResource(stack2, 'Resource'); + const role = iam.Role.fromRoleArn(stack2, 'Role', `arn:${stack2.partition}:iam::${thirdAccount}:role/S3Access`, { mutable: true }); + + // WHEN + doGrant(resource, role); + + // THEN + noPolicyCreated(stack2); + assertTrustCreated(stack2, { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${thirdAccount}:role/S3Access`, + ]], + }, + }); +}); + +test('Imported Role with definitely same account grant does not create trust', () => { + const resource = new FakeResource(stack2, 'Resource'); + const role = iam.Role.fromRoleArn(stack2, 'Role', `arn:aws:iam::${stack2Account}:role/S3Access`, { mutable: true }); + + // WHEN + doGrant(resource, role); + + // THEN + assertPolicyCreated(stack2); + noTrustCreated(stack2); +}); + +test('Imported Role with partition token and definitely same account grant does not create trust', () => { + const resource = new FakeResource(stack2, 'Resource'); + const role = iam.Role.fromRoleArn(stack2, 'Role', `arn:${stack2.partition}:iam::5678:role/S3Access`, { mutable: true }); + + // WHEN + doGrant(resource, role); + + // THEN + assertPolicyCreated(stack2); + noTrustCreated(stack2); +}); + +test('Agnostic stack with concrete imported role adds trust', () => { + // GIVEN + const stack = new cdk.Stack(app, 'AgStack'); + const resource = new FakeResource(stack, 'Resource'); + const role = iam.Role.fromRoleArn(stack2, 'Role', 'arn:aws:iam::5678:role/S3Access', { mutable: true }); + + // WHEN + doGrant(resource, role); + + // THEN + assertTrustCreated(stack, { AWS: 'arn:aws:iam::5678:role/S3Access' }); + noPolicyCreated(stack); +}); + +test('Agnostic stack with agnostic imported role does not add trust', () => { + // GIVEN + const stack = new cdk.Stack(app, 'AgStack'); + const resource = new FakeResource(stack, 'Resource'); + const role = iam.Role.fromRoleArn(stack2, 'Role', `arn:aws:iam::${cdk.Aws.ACCOUNT_ID}:role/S3Access`, { mutable: true }); + + // WHEN + doGrant(resource, role); + + // THEN + assertPolicyCreated(stack2); + noTrustCreated(stack); +}); + +test('Immutable role in same account adds no policy and no trust', () => { + // GIVEN + const resource = new FakeResource(stack2, 'Resource'); + const role = iam.Role.fromRoleArn(stack2, 'Role', `arn:aws:iam::${stack2Account}:role/S3Access`, { mutable: false }); + + // require('util').inspect.defaultOptions.customInspect = false; // ? + + // WHEN + doGrant(resource, role); + + // THEN + noTrustCreated(stack2); + noPolicyCreated(stack2); + +}); + +class FakeResource extends cdk.Resource implements iam.IResourceWithPolicy { + public readonly arn = 'arn:aws:resource'; + private readonly policy = new iam.PolicyDocument(); + + constructor(scope: cdk.Construct, id: string) { + super(scope, id); + + new cdk.CfnResource(this, 'Default', { + type: 'Test::Fake::Resource', + properties: { + ResourcePolicy: cdk.Lazy.anyValue({ produce: () => this.policy }), + }, + }); + } + + public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult { + this.policy.addStatements(statement); + return { statementAdded: true, policyDependable: this.policy }; + } +} + +function doGrant(resource: FakeResource, principal: iam.IPrincipal) { + iam.Grant.addToPrincipalOrResource({ + actions: ['some:action'], + grantee: principal, + resourceArns: [resource.arn], + resource, + }); +} + +function assertTrustCreated(stack: cdk.Stack, principal: any) { + expect(stack).toHaveResource('Test::Fake::Resource', { + ResourcePolicy: { + Statement: [ + { + Action: 'some:action', + Effect: 'Allow', + Resource: 'arn:aws:resource', + Principal: principal, + }, + ], + Version: '2012-10-17', + }, + }); +} + +function noTrustCreated(stack: cdk.Stack) { + expect(stack).not.toHaveResourceLike('Test::Fake::Resource', { + ResourcePolicy: { + Statement: [ + {}, + ], + }, + }); +} + +function assertPolicyCreated(stack: cdk.Stack) { + expect(stack).toHaveResource('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'some:action', + Effect: 'Allow', + Resource: 'arn:aws:resource', + }, + ], + Version: '2012-10-17', + }, + }); +} + +function noPolicyCreated(stack: cdk.Stack) { + expect(stack).not.toHaveResource('AWS::IAM::Policy'); +} diff --git a/packages/@aws-cdk/aws-iam/test/grant.test.ts b/packages/@aws-cdk/aws-iam/test/grant.test.ts index 93143f07c8125..3a1d7d580fcb0 100644 --- a/packages/@aws-cdk/aws-iam/test/grant.test.ts +++ b/packages/@aws-cdk/aws-iam/test/grant.test.ts @@ -1,6 +1,6 @@ import { ResourcePart } from '@aws-cdk/assert'; import '@aws-cdk/assert/jest'; -import { CfnResource, Construct, Stack } from '@aws-cdk/core'; +import { CfnResource, Construct, Resource, Stack } from '@aws-cdk/core'; import * as iam from '../lib'; let stack: Stack; @@ -113,13 +113,12 @@ function expectDependencyOn(id: string) { }, ResourcePart.CompleteDefinition); } -class FakeResourceWithPolicy extends CfnResource implements iam.IResourceWithPolicy { - private policy: CfnResource; +class FakeResourceWithPolicy extends Resource implements iam.IResourceWithPolicy { + private readonly policy: CfnResource; constructor(scope: Construct, id: string) { - super(scope, id, { - type: 'CDK::Test::Buckaroo', - }); + super(scope, id); + this.policy = new CfnResource(this, 'Policy', { type: 'CDK::Test::BuckarooPolicy', }); @@ -128,4 +127,4 @@ class FakeResourceWithPolicy extends CfnResource implements iam.IResourceWithPol public addToResourcePolicy(_statement: iam.PolicyStatement): iam.AddToResourcePolicyResult { return { statementAdded: true, policyDependable: this.policy }; } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index b9a2e6b4ef166..97555e9ebef0b 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts @@ -287,6 +287,9 @@ export abstract class FunctionBase extends Resource implements IFunction { return { statementAdded: true, policyDependable: this._functionNode().findChild(identifier) } as iam.AddToResourcePolicyResult; }, node: this.node, + stack: this.stack, + account: this.account, + region: this.region, }, }); } diff --git a/packages/@aws-cdk/aws-route53/test/test.util.ts b/packages/@aws-cdk/aws-route53/test/test.util.ts index 006527d3ad869..6c240724a9017 100644 --- a/packages/@aws-cdk/aws-route53/test/test.util.ts +++ b/packages/@aws-cdk/aws-route53/test/test.util.ts @@ -26,6 +26,8 @@ export = { hostedZoneArn: 'arn:aws:route53:::hostedzone/fakeId', stack, node: stack.node, + account: stack.account, + region: stack.region, }); // THEN @@ -45,6 +47,8 @@ export = { hostedZoneArn: 'arn:aws:route53:::hostedzone/fakeId', stack, node: stack.node, + account: stack.account, + region: stack.region, }); // THEN @@ -64,6 +68,8 @@ export = { hostedZoneArn: 'arn:aws:route53:::hostedzone/fakeId', stack, node: stack.node, + account: stack.account, + region: stack.region, }); // THEN @@ -83,6 +89,8 @@ export = { hostedZoneArn: 'arn:aws:route53:::hostedzone/fakeId', stack, node: stack.node, + account: stack.account, + region: stack.region, }); // THEN diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts index ddc2b8939913c..8e8bf60472190 100644 --- a/packages/@aws-cdk/aws-s3/lib/bucket.ts +++ b/packages/@aws-cdk/aws-s3/lib/bucket.ts @@ -279,6 +279,20 @@ export interface BucketAttributes { readonly bucketWebsiteNewUrlFormat?: boolean; readonly encryptionKey?: kms.IKey; + + /** + * The account this existing bucket belongs to. + * + * @default - it's assumed the bucket belongs to the same account as the scope it's being imported into + */ + readonly account?: string; + + /** + * The region this existing bucket is in. + * + * @default - it's assumed the bucket is in the same region as the scope it's being imported into + */ + readonly region?: string; } /** @@ -610,25 +624,12 @@ abstract class BucketBase extends Resource implements IBucket { resourceArn: string, ...otherResourceArns: string[]) { const resources = [ resourceArn, ...otherResourceArns ]; - const crossAccountAccess = this.isGranteeFromAnotherAccount(grantee); - let ret: iam.Grant; - if (crossAccountAccess) { - // if the access is cross-account, we need to trust the accessing principal in the bucket's policy - ret = iam.Grant.addToPrincipalAndResource({ - grantee, - actions: bucketActions, - resourceArns: resources, - resource: this, - }); - } else { - // if not, we don't need to modify the resource policy if the grantee is an identity principal - ret = iam.Grant.addToPrincipalOrResource({ - grantee, - actions: bucketActions, - resourceArns: resources, - resource: this, - }); - } + const ret = iam.Grant.addToPrincipalOrResource({ + grantee, + actions: bucketActions, + resourceArns: resources, + resource: this, + }); if (this.encryptionKey && keyActions && keyActions.length !== 0) { this.encryptionKey.grant(grantee, ...keyActions); @@ -636,15 +637,6 @@ abstract class BucketBase extends Resource implements IBucket { return ret; } - - private isGranteeFromAnotherAccount(grantee: iam.IGrantable): boolean { - if (!(Construct.isConstruct(grantee))) { - return false; - } - const bucketStack = Stack.of(this); - const identityStack = Stack.of(grantee); - return bucketStack.account !== identityStack.account; - } } export interface BlockPublicAccessOptions { @@ -1003,6 +995,8 @@ export class Bucket extends BucketBase { public readonly bucketDualStackDomainName = attrs.bucketDualStackDomainName || `${bucketName}.s3.dualstack.${region}.${urlSuffix}`; public readonly bucketWebsiteNewUrlFormat = newUrlFormat; public readonly encryptionKey = attrs.encryptionKey; + public readonly account = attrs.account ?? stack.account; + public readonly region = attrs.region ?? stack.region; public policy?: BucketPolicy = undefined; protected autoCreatePolicy = false; protected disallowPublicAccess = false; diff --git a/packages/@aws-cdk/aws-s3/test/test.util.ts b/packages/@aws-cdk/aws-s3/test/test.util.ts index dfa612da7d335..96276f681d499 100644 --- a/packages/@aws-cdk/aws-s3/test/test.util.ts +++ b/packages/@aws-cdk/aws-s3/test/test.util.ts @@ -51,37 +51,10 @@ export = { const stack = new cdk.Stack(); const bucketArn = `arn:aws:s3:::${cdk.Token.asString({ Ref: 'my-bucket' })}`; - test.deepEqual(stack.resolve(parseBucketName(stack, { bucketArn })), { - 'Fn::Select': [ - 0, - { - 'Fn::Split': [ - '/', - { - 'Fn::Select': [ - 5, - { - 'Fn::Split': [ - ':', - { - 'Fn::Join': [ - '', - [ - 'arn:aws:s3:::', - { - Ref: 'my-bucket', - }, - ], - ], - }, - ], - }, - ], - }, - ], - }, - ], - }); + test.deepEqual( + stack.resolve(parseBucketName(stack, { bucketArn })), + { Ref: 'my-bucket' }, + ); test.done(); }, diff --git a/packages/@aws-cdk/core/lib/arn.ts b/packages/@aws-cdk/core/lib/arn.ts index 966832c9e4786..d92ddbf9a0aeb 100644 --- a/packages/@aws-cdk/core/lib/arn.ts +++ b/packages/@aws-cdk/core/lib/arn.ts @@ -135,12 +135,16 @@ export class Arn { * components of the ARN. */ public static parse(arn: string, sepIfToken: string = '/', hasName: boolean = true): ArnComponents { - if (Token.isUnresolved(arn)) { + const components = arn.split(':') as Array; + const looksLikeArn = arn.startsWith('arn:') && components.length >= 6 && components.length <= 7; + + // If the ARN merely contains Tokens, but otherwise *looks* mostly like an ARN, + // it's a string of the form 'arn:${partition}:service:us-west-1:${account}:abc/xyz'. Parse fields + // out to the best of our ability. Tokens won't contain ":" so this won't break them. + if (Token.isUnresolved(arn) && !looksLikeArn) { return parseToken(arn, sepIfToken, hasName); } - const components = arn.split(':') as Array; - if (components.length < 6) { throw new Error('ARNs must have at least 6 components: ' + arn); } diff --git a/packages/@aws-cdk/core/lib/cfn-pseudo.ts b/packages/@aws-cdk/core/lib/cfn-pseudo.ts index dc1848aa49ca4..7144b7edc2af1 100644 --- a/packages/@aws-cdk/core/lib/cfn-pseudo.ts +++ b/packages/@aws-cdk/core/lib/cfn-pseudo.ts @@ -77,5 +77,10 @@ export class ScopedAws { } function pseudoString(name: string): string { - return Token.asString({ Ref: name }, { displayHint: name }); + // we don't want any ':' in the serialized form, + // as ':' is the ARN separator, + // and so we don't want ARN components + // (which these CFN references like AWS::Partition certainly can be) + // to contain ':'s themselves + return Token.asString({ Ref: name }, { displayHint: name.replace('::', '.') }); } diff --git a/packages/@aws-cdk/core/lib/resource.ts b/packages/@aws-cdk/core/lib/resource.ts index 6574dbe331da0..2e0dbbc3c4fbc 100644 --- a/packages/@aws-cdk/core/lib/resource.ts +++ b/packages/@aws-cdk/core/lib/resource.ts @@ -14,6 +14,28 @@ export interface IResource extends IConstruct { * The stack in which this resource is defined. */ readonly stack: Stack; + + /** + * The AWS account ID that this resource belongs to. + * For resources that are created and managed by the CDK + * (generally, those created by creating new class instances like Role, Bucket, etc.) + * this is always the same as the account of the stack they belong to; + * however, for imported resources + * (those obtained from static methods like fromRoleArn, fromBucketName, etc.) + * that might be different than the stack they were imported into. + */ + readonly account: string; + + /** + * The AWS region that this resource belongs to. + * For resources that are created and managed by the CDK + * (generally, those created by creating new class instances like Role, Bucket, etc.) + * this is always the same as the account of the stack they belong to; + * however, for imported resources + * (those obtained from static methods like fromRoleArn, fromBucketName, etc.) + * that might be different than the stack they were imported into. + */ + readonly region: string; } /** @@ -32,6 +54,20 @@ export interface ResourceProps { * @default - The physical name will be allocated by CloudFormation at deployment time */ readonly physicalName?: string; + + /** + * The AWS account ID this resource belongs to. + * + * @default - the resource is in the same account as the stack it belongs to + */ + readonly account?: string; + + /** + * The AWS region this resource belongs to. + * + * @default - the resource is in the same region as the stack it belongs to + */ + readonly region?: string; } /** @@ -39,6 +75,8 @@ export interface ResourceProps { */ export abstract class Resource extends Construct implements IResource { public readonly stack: Stack; + public readonly account: string; + public readonly region: string; /** * Returns a string-encoded token that resolves to the physical name that @@ -59,7 +97,10 @@ export abstract class Resource extends Construct implements IResource { constructor(scope: Construct, id: string, props: ResourceProps = {}) { super(scope, id); + this.stack = Stack.of(this); + this.account = props.account ?? this.stack.account; + this.region = props.region ?? this.stack.region; let physicalName = props.physicalName; diff --git a/packages/@aws-cdk/core/test/test.arn.ts b/packages/@aws-cdk/core/test/test.arn.ts index 86210ed856bcf..b271afd9f5f8d 100644 --- a/packages/@aws-cdk/core/test/test.arn.ts +++ b/packages/@aws-cdk/core/test/test.arn.ts @@ -1,5 +1,5 @@ import { Test } from 'nodeunit'; -import { ArnComponents, CfnOutput, ScopedAws, Stack } from '../lib'; +import { ArnComponents, Aws, CfnOutput, ScopedAws, Stack } from '../lib'; import { Intrinsic } from '../lib/private/intrinsic'; import { toCloudFormation } from './util'; @@ -256,4 +256,23 @@ export = { test.done(); }, + + 'parse other fields if only some are tokens'(test: Test) { + // GIVEN + const stack = new Stack(); + + // WHEN + const parsed = stack.parseArn(`arn:${Aws.PARTITION}:iam::123456789012:role/S3Access`); + + // THEN + test.deepEqual(stack.resolve(parsed.partition), { Ref: 'AWS::Partition' }); + test.deepEqual(stack.resolve(parsed.service), 'iam'); + test.equal(stack.resolve(parsed.region), ''); + test.deepEqual(stack.resolve(parsed.account), '123456789012'); + test.deepEqual(stack.resolve(parsed.resource), 'role'); + test.deepEqual(stack.resolve(parsed.resourceName), 'S3Access'); + test.equal(parsed.sep, '/'); + + test.done(); + }, };