From ec8709adf45116b9ac3b1324df1bce546c034aa4 Mon Sep 17 00:00:00 2001 From: Aidan Crank Date: Fri, 6 May 2022 13:14:34 -0400 Subject: [PATCH 01/20] example RAM share start for appreg --- .../lib/application.ts | 34 +++++++--- .../lib/attribute-group.ts | 19 ++++++ .../lib/common.ts | 67 +++++++++++++++++++ 3 files changed, 110 insertions(+), 10 deletions(-) create mode 100644 packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts index 2006e7cce1bdb..145942d8ad113 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts @@ -1,6 +1,7 @@ -import * as crypto from 'crypto'; +import { CfnResourceShare } from '@aws-cdk/aws-ram'; import * as cdk from '@aws-cdk/core'; import { IAttributeGroup } from './attribute-group'; +import { getPrincipalsforSharing, hashValues, ShareOptions } from './common'; import { InputValidator } from './private/validation'; import { CfnApplication, CfnAttributeGroupAssociation, CfnResourceAssociation } from './servicecatalogappregistry.generated'; @@ -35,6 +36,12 @@ export interface IApplication extends cdk.IResource { * @param stack a CFN stack */ associateStack(stack: cdk.Stack): void; + + /** + * Share this resource with other IAM entities, accounts, or OUs. + * @param shareOptions The options for the share. + */ + shareResource(shareOptions: ShareOptions): void; } /** 
@@ -91,6 +98,22 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication { } } + /** + * Share application resource with target accounts. + * The application will become available to end users within targetss. + * @param shareOptions + */ + public shareResource(shareOptions: ShareOptions): void { + const principals = getPrincipalsforSharing(shareOptions); + const shareName = `RAMShare${hashValues(this.node.addr,...principals)}`; + new CfnResourceShare(this, shareName, { + name: shareName, + allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true, + principals: principals, + resourceArns: [this.applicationArn], + }); + } + /** * Create a unique id */ @@ -159,12 +182,3 @@ export class Application extends ApplicationBase { InputValidator.validateLength(this.node.path, 'application description', 0, 1024, props.description); } } - -/** - * Generates a unique hash identfifer using SHA256 encryption algorithm - */ -function hashValues(...values: string[]): string { - const sha256 = crypto.createHash('sha256'); - values.forEach(val => sha256.update(val)); - return sha256.digest('hex').slice(0, 12); -} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts index 11fde74fb968e..7342264c2df7f 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts @@ -1,4 +1,6 @@ import * as cdk from '@aws-cdk/core'; +import { CfnResourceShare } from '@aws-cdk/aws-ram'; +import { getPrincipalsforSharing, hashValues, ShareOptions } from './common'; import { InputValidator } from './private/validation'; import { CfnAttributeGroup } from './servicecatalogappregistry.generated'; 
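Review bot: The construct id `RAMShare${hashValues(this.node.addr, ...principals)}` in `shareResource` is derived from the principal list, so adding or removing a single account gives the `AWS::RAM::ResourceShare` a new logical id and CloudFormation replaces it instead of updating it in place (the attribute-group integ manifest later in this series appears to record exactly such a `WILL_DESTROY` for a previous `RAMShare…` id). If one share per resource is the intended model, a stable child id such as `RAMShare` (or a hash of `this.node.addr` plus an optional caller-supplied share name) would turn principal edits into in-place updates; either way the docstring should state which of the two behaviours the caller gets. The same body is repeated verbatim in `AttributeGroupBase.shareResource` in the attribute-group.ts hunk of this patch; one helper in common.ts taking the scope, the resource ARN and the options would leave each method as `createResourceShare(this, this.applicationArn, shareOptions);`. The `@param shareOptions` tag is also empty; `@param shareOptions accounts, organizations, roles and users to share with, and whether principals outside the organization are allowed` would do.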
@@ -21,6 +23,12 @@ export interface IAttributeGroup extends cdk.IResource { * @attribute */ readonly attributeGroupId: string; + + /** + * Share the attribute group resource with other IAM entities, accounts, or OUs. + * @param shareOptions The options for the share. + */ + shareResource(shareOptions: ShareOptions): void; } /** @@ -48,6 +56,17 @@ export interface AttributeGroupProps { abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGroup { public abstract readonly attributeGroupArn: string; public abstract readonly attributeGroupId: string; + + public shareResource(shareOptions: ShareOptions): void { + const principals = getPrincipalsforSharing(shareOptions); + const shareName = `RAMShare${hashValues(this.node.addr,...principals)}`; + new CfnResourceShare(this, shareName, { + name: shareName, + allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true, + principals: principals, + resourceArns: [this.attributeGroupArn], + }); + } } /** diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts new file mode 100644 index 0000000000000..6e097100da556 --- /dev/null +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts 
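Review bot: `AttributeGroupBase.shareResource` is a new public method with no doc comment, unlike its twin in application.ts, and the interface declaration above it only says "share with other IAM entities"; a comment of the form `/** Creates an AWS RAM resource share for this attribute group. @param shareOptions principals to share with; at least one account, organization, role or user is required */` on the method would also make the thrown error discoverable from the docs. `principals: principals` can be written with shorthand as `principals,`.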
@@ -0,0 +1,67 @@ +import * as iam from '@aws-cdk/aws-iam'; +import * as crypto from 'crypto'; + +export interface ShareOptions { + /** + * Explicitly allow share of applicaiton with principals outside of your AWS Organization. + * + * @default true + */ + readonly allowExternalPrincipals?: boolean; + + /** + * A list of AWS accounts that the application will be shared with. + * + * @default - No accounts specified for share + */ + readonly accounts?: string[]; + + /** + * A list of AWS Organization or Organizationl Units (OUs) ARNs that the application will be shared with. + * + * @default - No AWS Organizations or OUs specified for share + */ + readonly organizations?: string[]; + + /** + * A list of AWS IAM roles that the application will be shared with. + * + * @default - No IAM roles specified for share + */ + readonly roles?: iam.IRole[]; + + /** + * A list of AWS IAM users that the application will be shared with. + * + * @default - No IAM Users specified for share + */ + readonly users?: iam.IUser[]; + } + +/** + * Generates a unique hash identfifer using SHA256 encryption algorithm + */ +export function hashValues(...values: string[]): string { + const sha256 = crypto.createHash('sha256'); + values.forEach(val => sha256.update(val)); + return sha256.digest('hex').slice(0, 12); +} + +/** + * Reformats share targets into a collapsed list necessary for handler. + * @param options The share target options + * @returns flat list of target ARNs + */ +export function getPrincipalsforSharing(options: ShareOptions): string[] { + const principals = [ + ...options.accounts ?? [], + ...options.organizations ?? [], + ...options.users ? options.users.map(user => user.userArn) : [], + ...options.roles ? options.roles.map(role => role.roleArn) : [], + ]; + + if (principals.length == 0) { + throw new Error('An entity must be provided for the share'); + } + return principals; +} \ No newline at end of file 
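Review bot: `allowExternalPrincipals` is documented as "Explicitly allow share ... outside of your AWS Organization" yet its `@default true` means no explicit opt-in is needed, so a mistyped account id or ARN in `accounts`/`organizations` is shared with whoever owns it unless the caller remembers to set it to false; a fail-closed `@default false` (with `shareOptions.allowExternalPrincipals ?? false` at the two call sites) or, failing that, a doc line saying plainly that the default permits accounts outside the organization would be safer. `hashValues` feeds its arguments to SHA-256 back to back with no separator, so in principle two principal lists that differ only in where one value ends and the next begins yield the same `RAMShare…` construct id; length-prefixing each value, `values.forEach(val => sha256.update(val.length + ':' + val));`, removes the ambiguity (the pinned names in the unit tests would change with it). The docstring should read `Generates a unique hash identifier using the SHA-256 hash algorithm` — SHA-256 is a hash function, not encryption, and "identfifer" is misspelled — and `principals.length == 0` should use strict equality, `=== 0`. `getPrincipalsforSharing` should be camelCased as `getPrincipalsForSharing`, which matters more once this module is re-exported from the package index.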
From 4e5fcf4b6df16be18f9121a62dd5e55958b3361c Mon Sep 17 00:00:00 2001 From: Aidan Crank Date: Fri, 6 May 2022 13:21:02 -0400 Subject: [PATCH 02/20] update spacing --- .../lib/application.ts | 6 +- .../lib/attribute-group.ts | 8 +- .../lib/common.ts | 98 +++++++++---------- 3 files changed, 56 insertions(+), 56 deletions(-) diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts index 145942d8ad113..7988b4d8c51a1 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts @@ -41,7 +41,7 @@ export interface IApplication extends cdk.IResource { * Share this resource with other IAM entities, accounts, or OUs. * @param shareOptions The options for the share. */ - shareResource(shareOptions: ShareOptions): void; + shareResource(shareOptions: ShareOptions): void; } /** @@ -101,11 +101,11 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication { /** * Share application resource with target accounts. * The application will become available to end users within targetss. - * @param shareOptions + * @param shareOptions */ public shareResource(shareOptions: ShareOptions): void { const principals = getPrincipalsforSharing(shareOptions); - const shareName = `RAMShare${hashValues(this.node.addr,...principals)}`; + const shareName = `RAMShare${hashValues(this.node.addr, ...principals)}`; new CfnResourceShare(this, shareName, { name: shareName, allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true, diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts index 7342264c2df7f..567c5fb8351c1 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts 
@@ -1,5 +1,5 @@ -import * as cdk from '@aws-cdk/core'; import { CfnResourceShare } from '@aws-cdk/aws-ram'; +import * as cdk from '@aws-cdk/core'; import { getPrincipalsforSharing, hashValues, ShareOptions } from './common'; import { InputValidator } from './private/validation'; import { CfnAttributeGroup } from './servicecatalogappregistry.generated'; @@ -59,14 +59,14 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou public shareResource(shareOptions: ShareOptions): void { const principals = getPrincipalsforSharing(shareOptions); - const shareName = `RAMShare${hashValues(this.node.addr,...principals)}`; + const shareName = `RAMShare${hashValues(this.node.addr, ...principals)}`; new CfnResourceShare(this, shareName, { name: shareName, allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true, principals: principals, resourceArns: [this.attributeGroupArn], - }); - } + }); + } } /** diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts index 6e097100da556..7e6f777683584 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts 
@@ -2,49 +2,49 @@ import * as iam from '@aws-cdk/aws-iam'; import * as crypto from 'crypto'; export interface ShareOptions { - /** - * Explicitly allow share of applicaiton with principals outside of your AWS Organization. - * - * @default true - */ - readonly allowExternalPrincipals?: boolean; - - /** - * A list of AWS accounts that the application will be shared with. - * - * @default - No accounts specified for share - */ - readonly accounts?: string[]; - - /** - * A list of AWS Organization or Organizationl Units (OUs) ARNs that the application will be shared with. - * - * @default - No AWS Organizations or OUs specified for share - */ - readonly organizations?: string[]; - - /** - * A list of AWS IAM roles that the application will be shared with. - * - * @default - No IAM roles specified for share - */ - readonly roles?: iam.IRole[]; - - /** - * A list of AWS IAM users that the application will be shared with. - * - * @default - No IAM Users specified for share - */ - readonly users?: iam.IUser[]; - } + /** + * Explicitly allow share of applicaiton with principals outside of your AWS Organization. + * + * @default true + */ + readonly allowExternalPrincipals?: boolean; + + /** + * A list of AWS accounts that the application will be shared with. + * + * @default - No accounts specified for share + */ + readonly accounts?: string[]; + + /** + * A list of AWS Organization or Organizationl Units (OUs) ARNs that the application will be shared with. + * + * @default - No AWS Organizations or OUs specified for share + */ + readonly organizations?: string[]; + + /** + * A list of AWS IAM roles that the application will be shared with. + * + * @default - No IAM roles specified for share + */ + readonly roles?: iam.IRole[]; + + /** + * A list of AWS IAM users that the application will be shared with. 
+ * + * @default - No IAM Users specified for share + */ + readonly users?: iam.IUser[]; +} /** * Generates a unique hash identfifer using SHA256 encryption algorithm */ export function hashValues(...values: string[]): string { - const sha256 = crypto.createHash('sha256'); - values.forEach(val => sha256.update(val)); - return sha256.digest('hex').slice(0, 12); + const sha256 = crypto.createHash('sha256'); + values.forEach(val => sha256.update(val)); + return sha256.digest('hex').slice(0, 12); } /** @@ -53,15 +53,15 @@ export function hashValues(...values: string[]): string { * @returns flat list of target ARNs */ export function getPrincipalsforSharing(options: ShareOptions): string[] { - const principals = [ - ...options.accounts ?? [], - ...options.organizations ?? [], - ...options.users ? options.users.map(user => user.userArn) : [], - ...options.roles ? options.roles.map(role => role.roleArn) : [], - ]; - - if (principals.length == 0) { - throw new Error('An entity must be provided for the share'); - } - return principals; + const principals = [ + ...options.accounts ?? [], + ...options.organizations ?? [], + ...options.users ? options.users.map(user => user.userArn) : [], + ...options.roles ? options.roles.map(role => role.roleArn) : [], + ]; + + if (principals.length == 0) { + throw new Error('An entity must be provided for the share'); + } + return principals; } \ No newline at end of file From b2ad0ebd85f4d63389304f47a9b8e89ad7304030 Mon Sep 17 00:00:00 2001 From: Alex Makoviecki Date: Fri, 17 Jun 2022 18:26:34 -0700 Subject: [PATCH 03/20] Add unit tests, fix typos --- .../lib/application.ts | 2 +- .../lib/common.ts | 6 +- .../lib/index.ts | 1 + .../package.json | 4 + .../test/application.test.ts | 87 ++++++++++++++++++ .../test/attribute-group.test.ts | 88 +++++++++++++++++++ 6 files changed, 184 insertions(+), 4 deletions(-) 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts index 7988b4d8c51a1..842a1af0229ee 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts @@ -100,7 +100,7 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication { /** * Share application resource with target accounts. - * The application will become available to end users within targetss. + * The application will become available to end users within targets. * @param shareOptions */ public shareResource(shareOptions: ShareOptions): void { diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts index 7e6f777683584..9675cdccd6603 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts @@ -1,9 +1,9 @@ -import * as iam from '@aws-cdk/aws-iam'; import * as crypto from 'crypto'; +import * as iam from '@aws-cdk/aws-iam'; export interface ShareOptions { /** - * Explicitly allow share of applicaiton with principals outside of your AWS Organization. + * Explicitly allow share of application with principals outside of your AWS Organization. * * @default true */ @@ -17,7 +17,7 @@ export interface ShareOptions { readonly accounts?: string[]; /** - * A list of AWS Organization or Organizationl Units (OUs) ARNs that the application will be shared with. + * A list of AWS Organization or Organizational Units (OUs) ARNs that the application will be shared with. * * @default - No AWS Organizations or OUs specified for share */ diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/index.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/index.ts index 8f4ec75704657..adbf2a9febfe6 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/index.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/index.ts @@ -1,5 +1,6 @@ export * from './application'; export * from './attribute-group'; +export * from './common'; // AWS::ServiceCatalogAppRegistry CloudFormation Resources: export * from './servicecatalogappregistry.generated'; diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/package.json b/packages/@aws-cdk/aws-servicecatalogappregistry/package.json index b4fe710d6fe99..ea065cae74b2e 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/package.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/package.json @@ -92,10 +92,14 @@ }, "dependencies": { "@aws-cdk/core": "0.0.0", + "@aws-cdk/aws-iam": "0.0.0", + "@aws-cdk/aws-ram": "0.0.0", "constructs": "^3.3.69" }, "peerDependencies": { "@aws-cdk/core": "0.0.0", + "@aws-cdk/aws-iam": "0.0.0", + "@aws-cdk/aws-ram": "0.0.0", "constructs": "^3.3.69" }, "engines": { diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts index 18b7b55884522..ca8757178e3e4 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts @@ -1,4 +1,5 @@ import { Template } from '@aws-cdk/assertions'; +import * as iam from '@aws-cdk/aws-iam'; import * as cdk from '@aws-cdk/core'; import * as appreg from '../lib'; 
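Review bot: `export * from './common';` publishes `hashValues` and `getPrincipalsforSharing` as part of the package's public surface, although only `ShareOptions` needs to be visible to callers of `shareResource`; once exported, the helpers (and the exact hash construction the `RAMShare…` names depend on) become a compatibility commitment. Exporting only the type, `export { ShareOptions } from './common';`, or moving the two helpers under `./private` alongside `validation.ts`, keeps the API to what is documented in the README.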
@@ -216,4 +217,90 @@ describe('Application', () => { Template.fromStack(stack).resourceCountIs('AWS::ServiceCatalogAppRegistry::ResourceAssociation', 1); }); }); + + describe('Resource sharing of an application', () => { + let application: appreg.Application; + + beforeEach(() => { + application = new appreg.Application(stack, 'MyApplication', { + applicationName: 'MyApplication', + }); + }); + + test('fails for sharing application without principals', () => { + expect(() => { + application.shareResource({}); + }).toThrow(/An entity must be provided for the share/); + }); + + test('share application with an organization', () => { + application.shareResource({ + organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMShare2bc04f06e3de', + Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + }); + }); + + test('share application with an account', () => { + application.shareResource({ + accounts: ['123456789012'], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMSharec9a397e51b48', + Principals: ['123456789012'], + ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + }); + }); + + test('share application with an IAM role', () => { + const myRole = iam.Role.fromRoleArn(stack, 'MyRole', 'arn:aws:iam::123456789012:role/myRole'); + + application.shareResource({ + roles: [myRole], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMSharebcd0cfbb7d94', + Principals: ['arn:aws:iam::123456789012:role/myRole'], + ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + }); + }); + + test('share application with an IAM user', () => { + 
const myUser = iam.User.fromUserArn(stack, 'MyUser', 'arn:aws:iam::123456789012:user/myUser'); + + application.shareResource({ + users: [myUser], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMShare27697fc6a22a', + Principals: ['arn:aws:iam::123456789012:user/myUser'], + ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + }); + }); + + test('share application with organization, do not allow external principals', () => { + application.shareResource({ + allowExternalPrincipals: false, + organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: false, + Name: 'RAMShare2bc04f06e3de', + Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + }); + }); + }); }); diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts index b94ff8411afdd..820daf8fc1827 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts @@ -1,4 +1,5 @@ import { Template } from '@aws-cdk/assertions'; +import * as iam from '@aws-cdk/aws-iam'; import * as cdk from '@aws-cdk/core'; import * as appreg from '../lib'; 
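Review bot: None of the new cases combines principal kinds, so the concatenation order in `getPrincipalsforSharing` (accounts, organizations, users, then roles) that the pinned `RAMShare…` names depend on is never exercised, and a second `shareResource` call on the same application is untested; a case passing an account and a role together and asserting `Principals: ['123456789012', 'arn:aws:iam::123456789012:role/myRole']` would cover the ordering. The attribute-group.test.ts hunk that follows has the same gap. The expected `Name` values are only reproducible while `hashValues` keeps its current input layout, which deserves a one-line comment above the first expectation so a later change to the hashing is not mistaken for a regression.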
@@ -174,4 +175,91 @@ describe('Attribute Group', () => { Attributes: {}, }); }); + + describe('Resource sharing of an attribute group', () => { + let attributeGroup: appreg.AttributeGroup; + + beforeEach(() => { + attributeGroup = new appreg.AttributeGroup(stack, 'MyAttributeGroup', { + attributeGroupName: 'MyAttributeGroup', + attributes: {}, + }); + }); + + test('fails for sharing attribute group without principals', () => { + expect(() => { + attributeGroup.shareResource({}); + }).toThrow(/An entity must be provided for the share/); + }); + + test('share attribute group with an organization', () => { + attributeGroup.shareResource({ + organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMSharefc4e194f8114', + Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + }); + }); + + test('share attribute group with an account', () => { + attributeGroup.shareResource({ + accounts: ['123456789012'], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMShare40c11ba8ae8b', + Principals: ['123456789012'], + ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + }); + }); + + test('share attribute group with an IAM role', () => { + const myRole = iam.Role.fromRoleArn(stack, 'MyRole', 'arn:aws:iam::123456789012:role/myRole'); + + attributeGroup.shareResource({ + roles: [myRole], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMShare279fc4078356', + Principals: ['arn:aws:iam::123456789012:role/myRole'], + ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + }); + }); + + test('share attribute group with an IAM user', () => { 
+ const myUser = iam.User.fromUserArn(stack, 'MyUser', 'arn:aws:iam::123456789012:user/myUser'); + + attributeGroup.shareResource({ + users: [myUser], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMShareb3d7b61e1c78', + Principals: ['arn:aws:iam::123456789012:user/myUser'], + ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + }); + }); + + test('share attribute group with organization, do not allow external principals', () => { + attributeGroup.shareResource({ + allowExternalPrincipals: false, + organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: false, + Name: 'RAMSharefc4e194f8114', + Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + }); + }); + }); }); From 17438c547b9a7ed1db6a07099f0be0d57251d9c6 Mon Sep 17 00:00:00 2001 From: Alex Makoviecki Date: Wed, 22 Jun 2022 12:47:52 -0400 Subject: [PATCH 04/20] Documentation additions for sharing --- .../aws-servicecatalogappregistry/README.md | 28 +++++++++++++++++++ .../lib/common.ts | 3 ++ 2 files changed, 31 insertions(+) diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md index 6fcee1d94bf9c..b1bdc56cfab67 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md 
@@ -124,3 +124,31 @@ const myStack = new Stack(app, 'MyStack'); declare const application: appreg.Application; application.associateStack(myStack); ``` + +## Sharing + +You can share your AppRegistry applications and attribute groups with AWS Organizations, Organizational Units (OUs), AWS accounts within an organization, as well as IAM roles and users. AppRegistry requires that AWS Organizations is enabled in an account before deploying a share of an application or attribute group. + +### Sharing an application + +```ts +declare const application: appreg.Application; +application.shareResource({ + accounts: ['123456789012'], + organizations: ['arn:aws:organizations::123456789012:organization/o-'], + roles: [iam.Role.fromRoleName(this, 'DeveloperRole', 'Developer')], + users: [iam.User.fromUserName(this, 'TesterUser', 'Tester')] +}); +``` + +### Sharing an attribute group + +```ts +declare const attributeGroup: appreg.AttributeGroup; +attributeGroup.shareResource({ + accounts: ['123456789012'], + organizations: ['arn:aws:organizations::123456789012:organization/o-'], + roles: [iam.Role.fromRoleName(this, 'DeveloperRole', 'Developer')], + users: [iam.User.fromUserName(this, 'TesterUser', 'Tester')] +}); +``` diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts index 9675cdccd6603..369fb83c0f001 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts @@ -1,6 +1,9 @@ import * as crypto from 'crypto'; import * as iam from '@aws-cdk/aws-iam'; +/** + * The options that are passed into a share of an Application or Attribute Group. + */ export interface ShareOptions { /** * Explicitly allow share of application with principals outside of your AWS Organization. From ea7b52d8f33f475f0a8c95e26d65aea1c6601a37 Mon Sep 17 00:00:00 2001 
From: Alex Makoviecki Date: Thu, 23 Jun 2022 10:19:12 -0400 Subject: [PATCH 05/20] Added integ tests for sharing --- .../test/application.integ.snapshot/cdk.out | 2 +- ...talogappregistry-application.template.json | 18 ++++++++++ .../application.integ.snapshot/integ.json | 2 +- .../application.integ.snapshot/manifest.json | 8 ++++- .../test/application.integ.snapshot/tree.json | 34 +++++++++++++++++++ .../attribute-group.integ.snapshot/cdk.out | 2 +- ...gappregistry-attribute-group.template.json | 18 ++++++++++ .../attribute-group.integ.snapshot/integ.json | 2 +- .../manifest.json | 17 +++++++++- .../attribute-group.integ.snapshot/tree.json | 34 +++++++++++++++++++ .../test/integ.application.ts | 5 +++ .../test/integ.attribute-group.ts | 7 +++- 12 files changed, 142 insertions(+), 7 deletions(-) diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/cdk.out index 90bef2e09ad39..2efc89439fab8 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/cdk.out @@ -1 +1 @@ -{"version":"17.0.0"} \ No newline at end of file +{"version":"18.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json index 10dfe70894fd7..c5ae42717c4f5 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json 
@@ -61,6 +61,24 @@ "Name": "myAttributeGroupTest", "Description": "my attribute group description" } + }, + "TestAttributeGroupRAMShare8ecfad67abc5A7122106": { + "Type": "AWS::RAM::ResourceShare", + "Properties": { + "Name": "RAMShare8ecfad67abc5", + "AllowExternalPrincipals": true, + "Principals": [ + "arn:aws:iam::279317280375:role/Developer" + ], + "ResourceArns": [ + { + "Fn::GetAtt": [ + "TestAttributeGroupB1CB284F", + "Arn" + ] + } + ] + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ.json index 33c5c7648e7aa..d0e4337c6d607 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ.json @@ -1,7 +1,7 @@ { "version": "18.0.0", "testCases": { - "aws-servicecatalogappregistry/test/integ.application": { + "integ.application": { "stacks": [ "integ-servicecatalogappregistry-application" ], diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json index 34833a17ec6d5..5e2f36a85b01a 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "17.0.0", + "version": "18.0.0", "artifacts": { "Tree": { "type": "cdk:tree", 
@@ -38,6 +38,12 @@ "type": "aws:cdk:logicalId", "data": "TestAttributeGroupB1CB284F" } + ], + "/integ-servicecatalogappregistry-application/TestAttributeGroup/RAMShare8ecfad67abc5": [ + { + "type": "aws:cdk:logicalId", + "data": "TestAttributeGroupRAMShare8ecfad67abc5A7122106" + } ] }, "displayName": "integ-servicecatalogappregistry-application" diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json index 9d9a35764e691..0c885b23e5432 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json @@ -123,12 +123,46 @@ "fqn": "@aws-cdk/aws-servicecatalogappregistry.CfnAttributeGroup", "version": "0.0.0" } + }, + "RAMShare8ecfad67abc5": { + "id": "RAMShare8ecfad67abc5", + "path": "integ-servicecatalogappregistry-application/TestAttributeGroup/RAMShare8ecfad67abc5", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", + "aws:cdk:cloudformation:props": { + "name": "RAMShare8ecfad67abc5", + "allowExternalPrincipals": true, + "principals": [ + "arn:aws:iam::279317280375:role/Developer" + ], + "resourceArns": [ + { + "Fn::GetAtt": [ + "TestAttributeGroupB1CB284F", + "Arn" + ] + } + ] + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-ram.CfnResourceShare", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "@aws-cdk/aws-servicecatalogappregistry.AttributeGroup", "version": "0.0.0" } + }, + "MyRole": { + "id": "MyRole", + "path": "integ-servicecatalogappregistry-application/MyRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } } }, "constructInfo": { 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/cdk.out index 90bef2e09ad39..2efc89439fab8 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/cdk.out @@ -1 +1 @@ -{"version":"17.0.0"} \ No newline at end of file +{"version":"18.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json index 72050e4e3b28b..609dc6416d737 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json @@ -18,6 +18,24 @@ "Name": "myAttributeGroupTest", "Description": "my attribute group description" } + }, + "TestAttributeGroupRAMSharee756785b881833F2C73F": { + "Type": "AWS::RAM::ResourceShare", + "Properties": { + "Name": "RAMSharee756785b8818", + "AllowExternalPrincipals": true, + "Principals": [ + "arn:aws:iam::279317280375:role/Developer" + ], + "ResourceArns": [ + { + "Fn::GetAtt": [ + "TestAttributeGroupB1CB284F", + "Arn" + ] + } + ] + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ.json index ebe1502043adc..3bda38bd34229 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ.json @@ -1,7 +1,7 @@ { "version": "18.0.0", "testCases": { - "aws-servicecatalogappregistry/test/integ.attribute-group": { + "integ.attribute-group": { "stacks": [ "integ-servicecatalogappregistry-attribute-group" ], diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json index eb2988c414171..33b858e3f8e0e 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "17.0.0", + "version": "18.0.0", "artifacts": { "Tree": { "type": "cdk:tree", @@ -20,6 +20,21 @@ "type": "aws:cdk:logicalId", "data": "TestAttributeGroupB1CB284F" } + ], + "/integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMSharee756785b8818": [ + { + "type": "aws:cdk:logicalId", + "data": "TestAttributeGroupRAMSharee756785b881833F2C73F" + } + ], + "TestAttributeGroupRAMShare1e50ac3f906a4CA6A705": [ + { + "type": "aws:cdk:logicalId", + "data": "TestAttributeGroupRAMShare1e50ac3f906a4CA6A705", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "integ-servicecatalogappregistry-attribute-group" diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json index 4ab3afe11d2f0..c5f8d148bbc78 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json 
@@ -46,12 +46,46 @@ "fqn": "@aws-cdk/aws-servicecatalogappregistry.CfnAttributeGroup", "version": "0.0.0" } + }, + "RAMSharee756785b8818": { + "id": "RAMSharee756785b8818", + "path": "integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMSharee756785b8818", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", + "aws:cdk:cloudformation:props": { + "name": "RAMSharee756785b8818", + "allowExternalPrincipals": true, + "principals": [ + "arn:aws:iam::279317280375:role/Developer" + ], + "resourceArns": [ + { + "Fn::GetAtt": [ + "TestAttributeGroupB1CB284F", + "Arn" + ] + } + ] + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-ram.CfnResourceShare", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "@aws-cdk/aws-servicecatalogappregistry.AttributeGroup", "version": "0.0.0" } + }, + "MyRole": { + "id": "MyRole", + "path": "integ-servicecatalogappregistry-attribute-group/MyRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } } }, "constructInfo": { diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts index 809927cd66f58..165917fd7bfed 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts @@ -1,3 +1,4 @@ +import * as iam from '@aws-cdk/aws-iam'; import * as cdk from '@aws-cdk/core'; import * as appreg from '../lib'; @@ -32,6 +33,10 @@ const attributeGroup = new appreg.AttributeGroup(stack, 'TestAttributeGroup', { application.associateStack(stack); application.associateAttributeGroup(attributeGroup); +const myRole = iam.Role.fromRoleArn(stack, 'MyRole', 'arn:aws:iam::279317280375:role/Developer'); +attributeGroup.shareResource({ + roles: [myRole], +}); app.synth(); 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts index c55983dc6f4fd..eb396fd53b911 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts @@ -1,10 +1,11 @@ +import * as iam from '@aws-cdk/aws-iam'; import * as cdk from '@aws-cdk/core'; import * as appreg from '../lib'; const app = new cdk.App(); const stack = new cdk.Stack(app, 'integ-servicecatalogappregistry-attribute-group'); -new appreg.AttributeGroup(stack, 'TestAttributeGroup', { +const attributeGroup = new appreg.AttributeGroup(stack, 'TestAttributeGroup', { attributeGroupName: 'myAttributeGroupTest', description: 'my attribute group description', attributes: { @@ -20,5 +21,9 @@ new appreg.AttributeGroup(stack, 'TestAttributeGroup', { }, }, }); +const myRole = iam.Role.fromRoleArn(stack, 'MyRole', 'arn:aws:iam::279317280375:role/Developer'); +attributeGroup.shareResource({ + roles: [myRole], +}); app.synth(); From a986534f947b6a3643dc7ba7f6f11afec527f397 Mon Sep 17 00:00:00 2001 From: Alex Makoviecki Date: Thu, 23 Jun 2022 10:28:24 -0400 Subject: [PATCH 06/20] Fix newlines and documentation --- packages/@aws-cdk/aws-servicecatalogappregistry/README.md | 2 ++ packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts | 2 +- .../aws-servicecatalogappregistry/test/integ.application.ts | 1 - 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md index b1bdc56cfab67..ebc80928ced0a 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md 
@@ -132,6 +132,7 @@ You can share your AppRegistry applications and attribute groups with AWS Organi
 ### Sharing an application
 
 ```ts
+import * as iam from '@aws-cdk/aws-iam';
 declare const application: appreg.Application;
 application.shareResource({
   accounts: ['123456789012'],
@@ -144,6 +145,7 @@ application.shareResource({
 ### Sharing an attribute group
 
 ```ts
+import * as iam from '@aws-cdk/aws-iam';
 declare const attributeGroup: appreg.AttributeGroup;
 attributeGroup.shareResource({
   accounts: ['123456789012'],
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
index 369fb83c0f001..042fbd5fc7a2e 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
@@ -67,4 +67,4 @@ export function getPrincipalsforSharing(options: ShareOptions): string[] {
     throw new Error('An entity must be provided for the share');
   }
   return principals;
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts
index 165917fd7bfed..793284fc1d552 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts
@@ -39,4 +39,3 @@ attributeGroup.shareResource({
 });
 
 app.synth();
-
From c785e5846254b3d30734397d522be70acdd0f158 Mon Sep 17 00:00:00 2001
From: Alex Makoviecki
Date: Mon, 27 Jun 2022 17:09:10 -0700
Subject: [PATCH 07/20] Revised hashing strategy for resource shares, updated tests, revised documentation

---
 .../aws-servicecatalogappregistry/README.md | 36 +++++--
 .../lib/application.ts | 4 +-
 .../lib/attribute-group.ts | 17 ++-
 .../lib/common.ts | 2 +-
 ...talogappregistry-application.template.json | 67 +++++++++---
 .../application.integ.snapshot/manifest.json | 19 +++-
 .../test/application.integ.snapshot/tree.json | 101 +++++++++++++----
 .../test/application.test.ts | 10 +-
 ...gappregistry-attribute-group.template.json | 43 +++++++-
 .../manifest.json | 14 ++-
 .../attribute-group.integ.snapshot/tree.json | 59 ++++++++--
 .../test/attribute-group.test.ts | 10 +-
 .../test/integ.application.ts | 6 +-
 .../test/integ.attribute-group.ts | 4 +-
 14 files changed, 312 insertions(+), 80 deletions(-)

diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md
index ebc80928ced0a..f3d36e652aa50 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md
@@ -134,11 +134,23 @@ You can share your AppRegistry applications and attribute groups with AWS Organi
 ```ts
 import * as iam from '@aws-cdk/aws-iam';
 declare const application: appreg.Application;
+declare const myRole: iam.IRole;
+declare const myUser: iam.IUser;
 application.shareResource({
   accounts: ['123456789012'],
-  organizations: ['arn:aws:organizations::123456789012:organization/o-'],
-  roles: [iam.Role.fromRoleName(this, 'DeveloperRole', 'Developer')],
-  users: [iam.User.fromUserName(this, 'TesterUser', 'Tester')]
+  organizations: ['arn:aws:organizations::123456789012:organization/o-my-org-id'],
+  roles: [myRole],
+  users: [myUser]
+});
+```
+
+E.g., sharing an application with multiple accounts:
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+declare const application: appreg.Application;
+application.shareResource({
+  accounts: ['123456789012', '234567890123'],
 });
 ```
 
@@ -147,10 +159,22 @@ application.shareResource({
 ```ts
 import * as iam from '@aws-cdk/aws-iam';
 declare const attributeGroup: appreg.AttributeGroup;
+declare const myRole: iam.IRole;
+declare const myUser: iam.IUser;
 attributeGroup.shareResource({
   accounts: ['123456789012'],
-  organizations: ['arn:aws:organizations::123456789012:organization/o-'],
-  roles: [iam.Role.fromRoleName(this, 'DeveloperRole', 'Developer')],
-  users: [iam.User.fromUserName(this, 'TesterUser', 'Tester')]
+  organizations: ['arn:aws:organizations::123456789012:organization/o-my-org-id'],
+  roles: [myRole],
+  users: [myUser]
+});
+```
+
+E.g., sharing an attribute group with multiple accounts:
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+declare const attributeGroup: appreg.AttributeGroup;
+attributeGroup.shareResource({
+  accounts: ['123456789012', '234567890123'],
 });
 ```
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
index 842a1af0229ee..e57993ee192a3 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
@@ -101,11 +101,11 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication {
   /**
    * Share application resource with target accounts.
    * The application will become available to end users within targets.
-   * @param shareOptions
+   * @param shareOptions The options for the share.
    */
   public shareResource(shareOptions: ShareOptions): void {
     const principals = getPrincipalsforSharing(shareOptions);
-    const shareName = `RAMShare${hashValues(this.node.addr, ...principals)}`;
+    const shareName = `RAMShare${this.generateUniqueHash(this.node.addr)}`;
     new CfnResourceShare(this, shareName, {
       name: shareName,
       allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true,
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
index 567c5fb8351c1..5593b5f84102e 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
@@ -59,7 +59,7 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou
 
   public shareResource(shareOptions: ShareOptions): void {
     const principals = getPrincipalsforSharing(shareOptions);
-    const shareName = `RAMShare${hashValues(this.node.addr, ...principals)}`;
+    const shareName = `RAMShare${this.generateUniqueHash(this.node.addr)}`;
     new CfnResourceShare(this, shareName, {
       name: shareName,
       allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true,
@@ -67,6 +67,11 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou
       resourceArns: [this.attributeGroupArn],
     });
   }
+
+  /**
+   * Create a unique id
+   */
+  protected abstract generateUniqueHash(resourceAddress: string): string;
 }
 
 /**
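Review bot: After this change the share name depends only on the construct's own address (`this.generateUniqueHash(this.node.addr)` in both `shareResource` bodies), so two `shareResource` calls on the same application or attribute group — one for an organization and one for an account, say — yield the same `shareName`, and because that string is also passed as the child id to `new CfnResourceShare(this, shareName, …)` the second call is rejected as a duplicate construct id. The `application.test.ts` and `attribute-group.test.ts` hunks show the effect: every case, whatever the principals, now expects `RAMSharedd13de208efe` or `RAMSharedc3a8ee5fa0b`. If principals were dropped from the hash because they can be unresolved tokens, hashing `this.node.addr` together with a per-instance counter (`private shareCount = 0;`, incremented on each call) is a token-free way to keep one name per share; the `generateUniqueHash` implementations in the following `attribute-group.ts` hunks have the same property. Any change to the naming scheme also changes the logical id, so existing shares are destroyed and recreated on the next deploy (the snapshot manifests record this as `!!DESTRUCTIVE_CHANGES: WILL_DESTROY`), which briefly revokes the shared access. The `?? true` default for `allowExternalPrincipals`, visible as context here, means an unconfigured share is open to principals outside the organization; a sentence saying so in the `ShareOptions` docs would let callers choose that deliberately.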
@@ -91,6 +96,10 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou
     class Import extends AttributeGroupBase {
       public readonly attributeGroupArn = attributeGroupArn;
       public readonly attributeGroupId = attributeGroupId!;
+
+      protected generateUniqueHash(resourceAddress: string): string {
+        return hashValues(this.attributeGroupArn, resourceAddress);
+      }
     }
 
     return new Import(scope, id, {
@@ -100,6 +109,7 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou
 
   public readonly attributeGroupArn: string;
   public readonly attributeGroupId: string;
+  private readonly nodeAddress: string;
 
   constructor(scope: Construct, id: string, props: AttributeGroupProps) {
     super(scope, id);
@@ -114,6 +124,7 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou
 
     this.attributeGroupArn = attributeGroup.attrArn;
     this.attributeGroupId = attributeGroup.attrId;
+    this.nodeAddress = cdk.Names.nodeUniqueId(attributeGroup.node);
   }
 
   private validateAttributeGroupProps(props: AttributeGroupProps) {
@@ -121,4 +132,8 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou
     InputValidator.validateRegex(this.node.path, 'attribute group name', /^[a-zA-Z0-9-_]+$/, props.attributeGroupName);
     InputValidator.validateLength(this.node.path, 'attribute group description', 0, 1024, props.description);
   }
+
+  protected generateUniqueHash(resourceAddress: string): string {
+    return hashValues(this.nodeAddress, resourceAddress);
+  }
 }
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
index 042fbd5fc7a2e..328c96ac093a6 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
@@ -42,7 +42,7 @@ export interface ShareOptions { } /** - * Generates a unique hash identfifer using SHA256 encryption algorithm + * Generates a unique hash identfifer using SHA256 encryption algorithm. */ export function hashValues(...values: string[]): string { const sha256 = crypto.createHash('sha256'); diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json index c5ae42717c4f5..0d56b530eede8 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json @@ -39,6 +39,29 @@ } } }, + "TestApplicationRAMShareb83647b4f06a5A88B554": { + "Type": "AWS::RAM::ResourceShare", + "Properties": { + "Name": "RAMShareb83647b4f06a", + "AllowExternalPrincipals": true, + "Principals": [ + { + "Fn::GetAtt": [ + "MyRoleF48FFE04", + "Arn" + ] + } + ], + "ResourceArns": [ + { + "Fn::GetAtt": [ + "TestApplication2FBC585F", + "Arn" + ] + } + ] + } + }, "TestAttributeGroupB1CB284F": { "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroup", "Properties": { 
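Review bot: The reworded docstring on `hashValues` still calls SHA-256 an "encryption algorithm" and keeps the `identfifer` typo; SHA-256 is a hash function, not a cipher, and the function returns a shortened digest (the test expectations show 12 hex characters), so the line should say what is actually produced, e.g. `Generates a short hexadecimal identifier from the SHA-256 digest of the given values.` "Unique" also overstates a truncated hash — stating the truncation length and that collisions are merely unlikely is the honest claim. Separately, if the values are fed into the hash back-to-back with no delimiter (the body continues past the hunk, so this is inferred), `hashValues('ab', 'c')` and `hashValues('a', 'bc')` produce the same identifier; writing a separator after each value, e.g. `sha256.update(val); sha256.update('\0');`, makes the result depend on the value boundaries.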
@@ -62,22 +85,36 @@ "Description": "my attribute group description" } }, - "TestAttributeGroupRAMShare8ecfad67abc5A7122106": { - "Type": "AWS::RAM::ResourceShare", + "MyRoleF48FFE04": { + "Type": "AWS::IAM::Role", "Properties": { - "Name": "RAMShare8ecfad67abc5", - "AllowExternalPrincipals": true, - "Principals": [ - "arn:aws:iam::279317280375:role/Developer" - ], - "ResourceArns": [ - { - "Fn::GetAtt": [ - "TestAttributeGroupB1CB284F", - "Arn" - ] - } - ] + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } } } } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json index 5e2f36a85b01a..2b6a322df8ff2 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json 
@@ -33,16 +33,31 @@ "data": "TestApplicationAttributeGroupAssociation4ba7f5842818B8EE1C6F" } ], + "/integ-servicecatalogappregistry-application/TestApplication/RAMShareb83647b4f06a": [ + { + "type": "aws:cdk:logicalId", + "data": "TestApplicationRAMShareb83647b4f06a5A88B554" + } + ], "/integ-servicecatalogappregistry-application/TestAttributeGroup/Resource": [ { "type": "aws:cdk:logicalId", "data": "TestAttributeGroupB1CB284F" } ], - "/integ-servicecatalogappregistry-application/TestAttributeGroup/RAMShare8ecfad67abc5": [ + "/integ-servicecatalogappregistry-application/MyRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyRoleF48FFE04" + } + ], + "TestAttributeGroupRAMShare8ecfad67abc5A7122106": [ { "type": "aws:cdk:logicalId", - "data": "TestAttributeGroupRAMShare8ecfad67abc5A7122106" + "data": "TestAttributeGroupRAMShare8ecfad67abc5A7122106", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] } ] }, diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json index 0c885b23e5432..e50471511333c 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json 
@@ -82,6 +82,37 @@ "fqn": "@aws-cdk/aws-servicecatalogappregistry.CfnAttributeGroupAssociation", "version": "0.0.0" } + }, + "RAMShareb83647b4f06a": { + "id": "RAMShareb83647b4f06a", + "path": "integ-servicecatalogappregistry-application/TestApplication/RAMShareb83647b4f06a", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", + "aws:cdk:cloudformation:props": { + "name": "RAMShareb83647b4f06a", + "allowExternalPrincipals": true, + "principals": [ + { + "Fn::GetAtt": [ + "MyRoleF48FFE04", + "Arn" + ] + } + ], + "resourceArns": [ + { + "Fn::GetAtt": [ + "TestApplication2FBC585F", + "Arn" + ] + } + ] + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-ram.CfnResourceShare", + "version": "0.0.0" + } } }, "constructInfo": { @@ -123,32 +154,6 @@ "fqn": "@aws-cdk/aws-servicecatalogappregistry.CfnAttributeGroup", "version": "0.0.0" } - }, - "RAMShare8ecfad67abc5": { - "id": "RAMShare8ecfad67abc5", - "path": "integ-servicecatalogappregistry-application/TestAttributeGroup/RAMShare8ecfad67abc5", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", - "aws:cdk:cloudformation:props": { - "name": "RAMShare8ecfad67abc5", - "allowExternalPrincipals": true, - "principals": [ - "arn:aws:iam::279317280375:role/Developer" - ], - "resourceArns": [ - { - "Fn::GetAtt": [ - "TestAttributeGroupB1CB284F", - "Arn" - ] - } - ] - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-ram.CfnResourceShare", - "version": "0.0.0" - } } }, "constructInfo": { 
@@ -159,8 +164,50 @@ "MyRole": { "id": "MyRole", "path": "integ-servicecatalogappregistry-application/MyRole", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-servicecatalogappregistry-application/MyRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.CfnRole", + "version": "0.0.0" + } + } + }, "constructInfo": { - "fqn": "@aws-cdk/core.Resource", + "fqn": "@aws-cdk/aws-iam.Role", "version": "0.0.0" } } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts index ca8757178e3e4..a69109fd6387a 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts @@ -240,7 +240,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMShare2bc04f06e3de', + //Name: 'RAMShare2bc04f06e3de', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], }); @@ -253,7 +253,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMSharec9a397e51b48', + Name: 'RAMSharedd13de208efe', Principals: ['123456789012'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], }); 
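Review bot: The `@@ -240` hunk of `application.test.ts` comments out the `Name` expectation (`//Name: 'RAMShare2bc04f06e3de',`) instead of updating it, so the organization-sharing case no longer checks the share name at all, while the sibling hunks were changed to `Name: 'RAMSharedd13de208efe',`. Either update it the same way or delete the line; a commented-out assertion tends to stay forever and hides that this case is weaker than its neighbours. It is also worth noticing that five cases with different principals now all expect the same name — that is what the new hashing produces, and if it is intended the tests should assert it deliberately rather than incidentally.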
@@ -268,7 +268,7 @@ describe('Application', () => {
 
       Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
         AllowExternalPrincipals: true,
-        Name: 'RAMSharebcd0cfbb7d94',
+        Name: 'RAMSharedd13de208efe',
         Principals: ['arn:aws:iam::123456789012:role/myRole'],
         ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }],
       });
@@ -283,7 +283,7 @@ describe('Application', () => {
 
       Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
         AllowExternalPrincipals: true,
-        Name: 'RAMShare27697fc6a22a',
+        Name: 'RAMSharedd13de208efe',
         Principals: ['arn:aws:iam::123456789012:user/myUser'],
         ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }],
       });
@@ -297,7 +297,7 @@ describe('Application', () => {
 
       Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
         AllowExternalPrincipals: false,
-        Name: 'RAMShare2bc04f06e3de',
+        Name: 'RAMSharedd13de208efe',
         Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'],
         ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }],
       });
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json
index 609dc6416d737..b1bfe3e5880ae 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json
@@ -19,13 +19,18 @@ "Description": "my attribute group description" } }, - "TestAttributeGroupRAMSharee756785b881833F2C73F": { + "TestAttributeGroupRAMShareeb39874141ba1F0BDF3D": { "Type": "AWS::RAM::ResourceShare", "Properties": { - "Name": "RAMSharee756785b8818", + "Name": "RAMShareeb39874141ba", "AllowExternalPrincipals": true, "Principals": [ - "arn:aws:iam::279317280375:role/Developer" + { + "Fn::GetAtt": [ + "MyRoleF48FFE04", + "Arn" + ] + } ], "ResourceArns": [ { @@ -36,6 +41,38 @@ } ] } + }, + "MyRoleF48FFE04": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json index 33b858e3f8e0e..0a5f48675db6b 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json 
@@ -21,16 +21,22 @@ "data": "TestAttributeGroupB1CB284F" } ], - "/integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMSharee756785b8818": [ + "/integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMShareeb39874141ba": [ { "type": "aws:cdk:logicalId", - "data": "TestAttributeGroupRAMSharee756785b881833F2C73F" + "data": "TestAttributeGroupRAMShareeb39874141ba1F0BDF3D" } ], - "TestAttributeGroupRAMShare1e50ac3f906a4CA6A705": [ + "/integ-servicecatalogappregistry-attribute-group/MyRole/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TestAttributeGroupRAMShare1e50ac3f906a4CA6A705", + "data": "MyRoleF48FFE04" + } + ], + "TestAttributeGroupRAMSharee756785b881833F2C73F": [ + { + "type": "aws:cdk:logicalId", + "data": "TestAttributeGroupRAMSharee756785b881833F2C73F", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json index c5f8d148bbc78..c6054344cc051 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json 
@@ -47,16 +47,21 @@ "version": "0.0.0" } }, - "RAMSharee756785b8818": { - "id": "RAMSharee756785b8818", - "path": "integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMSharee756785b8818", + "RAMShareeb39874141ba": { + "id": "RAMShareeb39874141ba", + "path": "integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMShareeb39874141ba", "attributes": { "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", "aws:cdk:cloudformation:props": { - "name": "RAMSharee756785b8818", + "name": "RAMShareeb39874141ba", "allowExternalPrincipals": true, "principals": [ - "arn:aws:iam::279317280375:role/Developer" + { + "Fn::GetAtt": [ + "MyRoleF48FFE04", + "Arn" + ] + } ], "resourceArns": [ { @@ -82,8 +87,50 @@ "MyRole": { "id": "MyRole", "path": "integ-servicecatalogappregistry-attribute-group/MyRole", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-servicecatalogappregistry-attribute-group/MyRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.CfnRole", + "version": "0.0.0" + } + } + }, "constructInfo": { - "fqn": "@aws-cdk/core.Resource", + "fqn": "@aws-cdk/aws-iam.Role", "version": "0.0.0" } } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts index 820daf8fc1827..8cce2891bde87 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts 
@@ -199,7 +199,7 @@ describe('Attribute Group', () => {
 
       Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
         AllowExternalPrincipals: true,
-        Name: 'RAMSharefc4e194f8114',
+        Name: 'RAMSharedc3a8ee5fa0b',
         Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'],
         ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
       });
@@ -212,7 +212,7 @@ describe('Attribute Group', () => {
 
       Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
         AllowExternalPrincipals: true,
-        Name: 'RAMShare40c11ba8ae8b',
+        Name: 'RAMSharedc3a8ee5fa0b',
         Principals: ['123456789012'],
         ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
       });
@@ -227,7 +227,7 @@ describe('Attribute Group', () => {
 
       Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
         AllowExternalPrincipals: true,
-        Name: 'RAMShare279fc4078356',
+        Name: 'RAMSharedc3a8ee5fa0b',
         Principals: ['arn:aws:iam::123456789012:role/myRole'],
         ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
       });
@@ -242,7 +242,7 @@ describe('Attribute Group', () => {
 
       Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
         AllowExternalPrincipals: true,
-        Name: 'RAMShareb3d7b61e1c78',
+        Name: 'RAMSharedc3a8ee5fa0b',
         Principals: ['arn:aws:iam::123456789012:user/myUser'],
         ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
       });
@@ -256,7 +256,7 @@ describe('Attribute Group', () => {
 
       Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
         AllowExternalPrincipals: false,
-        Name: 'RAMSharefc4e194f8114',
+        Name: 'RAMSharedc3a8ee5fa0b',
         Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'],
         ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
       });
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts
index 793284fc1d552..7ddd503cb99ee 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts
@@ -33,8 +33,10 @@ const attributeGroup = new appreg.AttributeGroup(stack, 'TestAttributeGroup', {
 application.associateStack(stack);
 application.associateAttributeGroup(attributeGroup);
 
-const myRole = iam.Role.fromRoleArn(stack, 'MyRole', 'arn:aws:iam::279317280375:role/Developer');
-attributeGroup.shareResource({
+const myRole = new iam.Role(stack, 'MyRole', {
+  assumedBy: new iam.AccountPrincipal(stack.account),
+});
+application.shareResource({
   roles: [myRole],
 });
 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts
index eb396fd53b911..90f5abb4bad9d 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts
@@ -21,7 +21,9 @@ const attributeGroup = new appreg.AttributeGroup(stack, 'TestAttributeGroup', {
     },
   },
 });
-const myRole = iam.Role.fromRoleArn(stack, 'MyRole', 'arn:aws:iam::279317280375:role/Developer');
+const myRole = new iam.Role(stack, 'MyRole', {
+  assumedBy: new iam.AccountPrincipal(stack.account),
+});
 attributeGroup.shareResource({
   roles: [myRole],
 });
From 14c7f813dfedcf3c6f349f8c6c8b1a1287f93f64 Mon Sep 17 00:00:00 2001
From: Alex Makoviecki
Date: Wed, 29 Jun 2022 09:24:01 -0700
Subject: [PATCH 08/20] AWS RAM constructs to stable in order to fix dependency issue

---
 packages/@aws-cdk/aws-ram/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/aws-ram/package.json b/packages/@aws-cdk/aws-ram/package.json
index d778818124a6b..f0fba5fd3df5d 100644
--- a/packages/@aws-cdk/aws-ram/package.json
+++ b/packages/@aws-cdk/aws-ram/package.json
@@ -99,7 +99,7 @@
   "engines": {
     "node": ">= 14.15.0"
   },
-  "stability": "experimental",
+  "stability": "stable",
   "maturity": "cfn-only",
   "awscdkio": {
     "announce": false
From 3120c491493e2964510fba0548a1781d7b39078a Mon Sep 17 00:00:00 2001
From: Alex Makoviecki
Date: Wed, 29 Jun 2022 11:17:53 -0700
Subject: [PATCH 09/20] Upgrade constructs dependency

---
 packages/@aws-cdk/aws-servicecatalogappregistry/package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/package.json b/packages/@aws-cdk/aws-servicecatalogappregistry/package.json
index 652e938522a20..f4d1243ef7542 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/package.json
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/package.json
@@ -94,13 +94,13 @@
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-ram": "0.0.0",
-    "constructs": "^3.3.69"
+    "constructs": "^10.0.0"
   },
   "peerDependencies": {
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-ram": "0.0.0",
-    "constructs": "^3.3.69"
+    "constructs": "^10.0.0"
   },
   "engines": {
     "node": ">= 14.15.0"
From ecb00ecf534c5f9256d7aa59f2486fedf81f4681 Mon Sep 17 00:00:00 2001
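Review bot: `stability` is package metadata that consumers read as an API-maturity promise, and the `aws-ram/package.json` hunk flips it to `stable` for a module whose `maturity` stays `cfn-only`, with a dependency constraint given as the only reason in the commit message. If the constraint is the monorepo rule that a stable package may not depend on an experimental one (inferred, not visible here), the options are to keep `aws-servicecatalogappregistry` experimental until `aws-ram` is promoted, or to promote `aws-ram` deliberately in its own change with a changelog entry. Relabelling it as a side effect of another feature hides that decision from users and from whoever later asks why a cfn-only module is marked stable.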
From: Alex Makoviecki
Date: Fri, 1 Jul 2022 16:05:07 -0700
Subject: [PATCH 10/20] Revised docstring, using Names methods for naming

---
 .../lib/application.ts | 3 +-
 .../lib/attribute-group.ts | 20 +-----
 .../lib/common.ts | 5 +-
 .../test/application.integ.snapshot/cdk.out | 2 +-
 ...catalogappregistry-application.assets.json | 6 +-
 ...talogappregistry-application.template.json | 4 +-
 .../application.integ.snapshot/integ.json | 2 +-
 .../application.integ.snapshot/manifest.json | 10 +--
 .../test/application.integ.snapshot/tree.json | 10 +--
 .../test/application.test.ts | 10 +--
 .../attribute-group.integ.snapshot/cdk.out | 2 +-
 ...logappregistry-attribute-group.assets.json | 6 +-
 ...gappregistry-attribute-group.template.json | 42 +++++++++++-
 .../attribute-group.integ.snapshot/integ.json | 2 +-
 .../manifest.json | 13 ++--
 .../attribute-group.integ.snapshot/tree.json | 66 +++++++++++++++++--
 .../test/attribute-group.test.ts | 10 +--
 .../test/integ.attribute-group.ts | 5 +-
 18 files changed, 151 insertions(+), 67 deletions(-)

diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
index 2dee5036b8760..a77ed20f3ea97 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
@@ -1,5 +1,6 @@
 import { CfnResourceShare } from '@aws-cdk/aws-ram';
 import * as cdk from '@aws-cdk/core';
+import { Names } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { IAttributeGroup } from './attribute-group';
 import { getPrincipalsforSharing, hashValues, ShareOptions } from './common';
@@ -102,7 +103,7 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication {
 */
 public shareResource(shareOptions: ShareOptions): void {
 const principals = getPrincipalsforSharing(shareOptions);
- const shareName = `RAMShare${this.generateUniqueHash(this.node.addr)}`;
+ const shareName = `RAMShare${Names.uniqueResourceName(this, {})}`;
 new CfnResourceShare(this, shareName, {
 name: shareName,
 allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true,
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
index 15b5013144849..b530acf8f91cf 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
@@ -1,9 +1,10 @@
 import { CfnResourceShare } from '@aws-cdk/aws-ram';
 import * as cdk from '@aws-cdk/core';
-import { getPrincipalsforSharing, hashValues, ShareOptions } from './common';
+import { getPrincipalsforSharing, ShareOptions } from './common';
 import { Construct } from 'constructs';
 import { InputValidator } from './private/validation';
 import { CfnAttributeGroup } from './servicecatalogappregistry.generated';
+import { Names } from '@aws-cdk/core';
 /**
 * A Service Catalog AppRegistry Attribute Group.
@@ -56,7 +57,7 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou
 public shareResource(shareOptions: ShareOptions): void {
 const principals = getPrincipalsforSharing(shareOptions);
- const shareName = `RAMShare${this.generateUniqueHash(this.node.addr)}`;
+ const shareName = `RAMShare${Names.uniqueResourceName(this, {})}`;
 new CfnResourceShare(this, shareName, {
 name: shareName,
 allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true,
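Review bot: Renaming the share from the hashed id to `RAMShare${Names.uniqueResourceName(this, {})}` changes both the child construct id and the RAM `name` of every share that already exists, so on the next deploy CloudFormation replaces the AWS::RAM::ResourceShare instead of updating it (the regenerated manifest.json in this commit lists the old logical id with `!!DESTRUCTIVE_CHANGES: WILL_DESTROY`), and principals consuming the share lose access until the replacement is created and, for accounts outside the organization, accepted again. If existing users matter, keep the construct id stable and change only the `name` property, or call the rename out as a breaking change in the release notes. The same rename is made to AttributeGroupBase.shareResource further down this file section. attribute-group.ts also drops its `generateUniqueHash` abstraction in this commit while application.ts appears to keep the abstract method (it is still visible as context in a later patch), so the two base classes diverge; the body of shareResource continues past the hunk.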
@@ -64,11 +65,6 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou resourceArns: [this.attributeGroupArn], }); } - - /** - * Create a unique id - */ - protected abstract generateUniqueHash(resourceAddress: string): string; } /** @@ -93,10 +89,6 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou class Import extends AttributeGroupBase { public readonly attributeGroupArn = attributeGroupArn; public readonly attributeGroupId = attributeGroupId!; - - protected generateUniqueHash(resourceAddress: string): string { - return hashValues(this.attributeGroupArn, resourceAddress); - } } return new Import(scope, id, { @@ -106,7 +98,6 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou public readonly attributeGroupArn: string; public readonly attributeGroupId: string; - private readonly nodeAddress: string; constructor(scope: Construct, id: string, props: AttributeGroupProps) { super(scope, id); @@ -121,7 +112,6 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou this.attributeGroupArn = attributeGroup.attrArn; this.attributeGroupId = attributeGroup.attrId; - this.nodeAddress = cdk.Names.nodeUniqueId(attributeGroup.node); } private validateAttributeGroupProps(props: AttributeGroupProps) { @@ -129,8 +119,4 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou InputValidator.validateRegex(this.node.path, 'attribute group name', /^[a-zA-Z0-9-_]+$/, props.attributeGroupName); InputValidator.validateLength(this.node.path, 'attribute group description', 0, 1024, props.description); } - - protected generateUniqueHash(resourceAddress: string): string { - return hashValues(this.nodeAddress, resourceAddress); - } } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts index 328c96ac093a6..57ab25ab6110f 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts @@ -6,7 +6,9 @@ import * as iam from '@aws-cdk/aws-iam'; */ export interface ShareOptions { /** - * Explicitly allow share of application with principals outside of your AWS Organization. + * When set to true, this allows sharing of applications and attribute groups + * with accounts outside of your AWS Organization. When set to false, sharing + * is restricted to only accounts and principals which belong to the organization. * * @default true */ @@ -66,5 +68,6 @@ export function getPrincipalsforSharing(options: ShareOptions): string[] { if (principals.length == 0) { throw new Error('An entity must be provided for the share'); } + return principals; } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/cdk.out index 2efc89439fab8..588d7b269d34f 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/cdk.out @@ -1 +1 @@ -{"version":"18.0.0"} \ No newline at end of file +{"version":"20.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json index 17507827bfe90..0e64a1e7e3de6 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json 
@@ -1,7 +1,7 @@ { - "version": "17.0.0", + "version": "20.0.0", "files": { - "d561cf6d9aa2d98689712d70accb1c3f56f2a54d6cbb1268d35bd72e05675791": { + "d38cefd07b083dfb1814889c0bbb741d1a53333b08007b245296279d3e3510a2": { "source": { "path": "integ-servicecatalogappregistry-application.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d561cf6d9aa2d98689712d70accb1c3f56f2a54d6cbb1268d35bd72e05675791.json", + "objectKey": "d38cefd07b083dfb1814889c0bbb741d1a53333b08007b245296279d3e3510a2.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json index 0d56b530eede8..078f5e890170e 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json @@ -39,10 +39,10 @@ } } }, - "TestApplicationRAMShareb83647b4f06a5A88B554": { + "TestApplicationRAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB233482C38": { "Type": "AWS::RAM::ResourceShare", "Properties": { - "Name": "RAMShareb83647b4f06a", + "Name": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", "AllowExternalPrincipals": true, "Principals": [ { 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ.json index d0e4337c6d607..5178be112c70a 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "18.0.0", + "version": "20.0.0", "testCases": { "integ.application": { "stacks": [ diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json index 2b6a322df8ff2..148ab638e473e 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "18.0.0", + "version": "20.0.0", "artifacts": { "Tree": { "type": "cdk:tree", @@ -33,10 +33,10 @@ "data": "TestApplicationAttributeGroupAssociation4ba7f5842818B8EE1C6F" } ], - "/integ-servicecatalogappregistry-application/TestApplication/RAMShareb83647b4f06a": [ + "/integ-servicecatalogappregistry-application/TestApplication/RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2": [ { "type": "aws:cdk:logicalId", - "data": "TestApplicationRAMShareb83647b4f06a5A88B554" + "data": "TestApplicationRAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB233482C38" } ], "/integ-servicecatalogappregistry-application/TestAttributeGroup/Resource": [ 
@@ -51,10 +51,10 @@ "data": "MyRoleF48FFE04" } ], - "TestAttributeGroupRAMShare8ecfad67abc5A7122106": [ + "TestApplicationRAMShareb83647b4f06a5A88B554": [ { "type": "aws:cdk:logicalId", - "data": "TestAttributeGroupRAMShare8ecfad67abc5A7122106", + "data": "TestApplicationRAMShareb83647b4f06a5A88B554", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json index 5326c51da6b2f..252cdcd79a746 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json @@ -9,7 +9,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.0.9" + "version": "10.1.33" } }, "integ-servicecatalogappregistry-application": { @@ -83,13 +83,13 @@ "version": "0.0.0" } }, - "RAMShareb83647b4f06a": { - "id": "RAMShareb83647b4f06a", - "path": "integ-servicecatalogappregistry-application/TestApplication/RAMShareb83647b4f06a", + "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2": { + "id": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", + "path": "integ-servicecatalogappregistry-application/TestApplication/RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", "attributes": { "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", "aws:cdk:cloudformation:props": { - "name": "RAMShareb83647b4f06a", + "name": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", "allowExternalPrincipals": true, "principals": [ { diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts index 74f8409a54fa8..643bb63ccc83a 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts @@ -240,7 +240,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - //Name: 'RAMShare2bc04f06e3de', + Name: 'RAMShareMyApplication', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], }); @@ -253,7 +253,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMSharedd13de208efe', + Name: 'RAMShareMyApplication', Principals: ['123456789012'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], }); @@ -268,7 +268,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMSharedd13de208efe', + Name: 'RAMShareMyApplication', Principals: ['arn:aws:iam::123456789012:role/myRole'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], }); @@ -283,7 +283,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMSharedd13de208efe', + Name: 'RAMShareMyApplication', Principals: ['arn:aws:iam::123456789012:user/myUser'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], }); @@ -297,7 +297,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, - Name: 'RAMSharedd13de208efe', + Name: 'RAMShareMyApplication', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], }); 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/cdk.out index 2efc89439fab8..588d7b269d34f 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/cdk.out @@ -1 +1 @@ -{"version":"18.0.0"} \ No newline at end of file +{"version":"20.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json index ad1dbecb5777a..4b97f7bb74c7b 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json @@ -1,7 +1,7 @@ { - "version": "17.0.0", + "version": "20.0.0", "files": { - "c059ea8a1cd78cc14e1411059f2226cf0422fadb9bd8a4853596607856ab81d3": { + "a5742457a84c96e01da273972948dc65084ec63566b7d35f1d8854a1794fb877": { "source": { "path": "integ-servicecatalogappregistry-attribute-group.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c059ea8a1cd78cc14e1411059f2226cf0422fadb9bd8a4853596607856ab81d3.json", + "objectKey": "a5742457a84c96e01da273972948dc65084ec63566b7d35f1d8854a1794fb877.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json index b1bfe3e5880ae..20239eefa2c70 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json @@ -19,10 +19,10 @@ "Description": "my attribute group description" } }, - "TestAttributeGroupRAMShareeb39874141ba1F0BDF3D": { + "TestAttributeGroupRAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831AA2963D44": { "Type": "AWS::RAM::ResourceShare", "Properties": { - "Name": "RAMShareeb39874141ba", + "Name": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", "AllowExternalPrincipals": true, "Principals": [ { @@ -30,6 +30,12 @@ "MyRoleF48FFE04", "Arn" ] + }, + { + "Fn::GetAtt": [ + "MySecondRoleB9F57405", + "Arn" + ] } ], "ResourceArns": [ @@ -73,6 +79,38 @@ "Version": "2012-10-17" } } + }, + "MySecondRoleB9F57405": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ.json index 3bda38bd34229..c0763c76bc8aa 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "18.0.0", + "version": "20.0.0", "testCases": { "integ.attribute-group": { "stacks": [ diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json index 0a5f48675db6b..90209202dca67 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "18.0.0", + "version": "20.0.0", "artifacts": { "Tree": { "type": "cdk:tree", @@ -21,10 +21,10 @@ "data": "TestAttributeGroupB1CB284F" } ], - "/integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMShareeb39874141ba": [ + "/integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A": [ { "type": "aws:cdk:logicalId", - "data": "TestAttributeGroupRAMShareeb39874141ba1F0BDF3D" + "data": "TestAttributeGroupRAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831AA2963D44" } ], "/integ-servicecatalogappregistry-attribute-group/MyRole/Resource": [ @@ -33,13 +33,10 @@ "data": "MyRoleF48FFE04" } ], - "TestAttributeGroupRAMSharee756785b881833F2C73F": [ + "/integ-servicecatalogappregistry-attribute-group/MySecondRole/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TestAttributeGroupRAMSharee756785b881833F2C73F", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] + "data": "MySecondRoleB9F57405" } ] }, 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json index d5c4d9544bdf7..da4f4af9c92c7 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json @@ -9,7 +9,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.0.9" + "version": "10.1.33" } }, "integ-servicecatalogappregistry-attribute-group": { @@ -47,13 +47,13 @@ "version": "0.0.0" } }, - "RAMShareeb39874141ba": { - "id": "RAMShareeb39874141ba", - "path": "integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMShareeb39874141ba", + "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A": { + "id": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", + "path": "integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", "attributes": { "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", "aws:cdk:cloudformation:props": { - "name": "RAMShareeb39874141ba", + "name": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", "allowExternalPrincipals": true, "principals": [ { @@ -61,6 +61,12 @@ "MyRoleF48FFE04", "Arn" ] + }, + { + "Fn::GetAtt": [ + "MySecondRoleB9F57405", + "Arn" + ] } ], "resourceArns": [ 
@@ -133,6 +139,56 @@ "fqn": "@aws-cdk/aws-iam.Role", "version": "0.0.0" } + }, + "MySecondRole": { + "id": "MySecondRole", + "path": "integ-servicecatalogappregistry-attribute-group/MySecondRole", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-servicecatalogappregistry-attribute-group/MySecondRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.Role", + "version": "0.0.0" + } } }, "constructInfo": { diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts index 8cce2891bde87..8141734ad3223 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts @@ -199,7 +199,7 @@ describe('Attribute Group', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMSharedc3a8ee5fa0b', + Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], }); 
@@ -212,7 +212,7 @@ describe('Attribute Group', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMSharedc3a8ee5fa0b', + Name: 'RAMShareMyAttributeGroup', Principals: ['123456789012'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], }); @@ -227,7 +227,7 @@ describe('Attribute Group', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMSharedc3a8ee5fa0b', + Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:iam::123456789012:role/myRole'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], }); @@ -242,7 +242,7 @@ describe('Attribute Group', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: true, - Name: 'RAMSharedc3a8ee5fa0b', + Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:iam::123456789012:user/myUser'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], }); @@ -256,7 +256,7 @@ describe('Attribute Group', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, - Name: 'RAMSharedc3a8ee5fa0b', + Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], }); diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts index 90f5abb4bad9d..b05fe462d74ed 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts 
@@ -24,8 +24,11 @@ const attributeGroup = new appreg.AttributeGroup(stack, 'TestAttributeGroup', { const myRole = new iam.Role(stack, 'MyRole', { assumedBy: new iam.AccountPrincipal(stack.account), }); +const mySecondRole = new iam.Role(stack, 'MySecondRole', { + assumedBy: new iam.AccountPrincipal(stack.account), +}); attributeGroup.shareResource({ - roles: [myRole], + roles: [myRole, mySecondRole], }); app.synth(); From 1d625282a362a361db1b1c8d3eba090d8b649bfe Mon Sep 17 00:00:00 2001 From: Alex Makoviecki Date: Fri, 22 Jul 2022 17:53:02 -0700 Subject: [PATCH 11/20] Add share permission option and additional tests --- .../lib/application.ts | 21 ++++++++++- .../lib/attribute-group.ts | 21 ++++++++++- .../lib/common.ts | 22 ++++++++++++ ...catalogappregistry-application.assets.json | 4 +-- ...talogappregistry-application.template.json | 3 ++ .../application.integ.snapshot/manifest.json | 9 ----- .../test/application.integ.snapshot/tree.json | 5 ++- .../test/application.test.ts | 34 ++++++++++++++++++ ...logappregistry-attribute-group.assets.json | 4 +-- ...gappregistry-attribute-group.template.json | 3 ++ .../attribute-group.integ.snapshot/tree.json | 5 ++- .../test/attribute-group.test.ts | 35 +++++++++++++++++++ 12 files changed, 149 insertions(+), 17 deletions(-) diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts index a77ed20f3ea97..ae1e2b642bddd 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts 
@@ -3,10 +3,13 @@ import * as cdk from '@aws-cdk/core';
 import { Names } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { IAttributeGroup } from './attribute-group';
-import { getPrincipalsforSharing, hashValues, ShareOptions } from './common';
+import { getPrincipalsforSharing, hashValues, ShareOptions, SharePermission } from './common';
 import { InputValidator } from './private/validation';
 import { CfnApplication, CfnAttributeGroupAssociation, CfnResourceAssociation } from './servicecatalogappregistry.generated';
+const APPLICATION_READ_ONLY_RAM_PERMISSION_ARN = 'arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly';
+const APPLICATION_ALLOW_ACCESS_RAM_PERMISSION_ARN = 'arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation';
+
 /**
 * A Service Catalog AppRegistry Application.
 */
@@ -109,6 +112,7 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication {
 allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true,
 principals: principals,
 resourceArns: [this.applicationArn],
+ permissionArns: [this.getApplicationSharePermissionARN(shareOptions)],
 });
 }
@@ -116,6 +120,21 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication {
 * Create a unique id
 */
 protected abstract generateUniqueHash(resourceAddress: string): string;
+
+ /**
+ * Get the correct permission ARN based on the SharePermission
+ */
+ private getApplicationSharePermissionARN(shareOptions: ShareOptions): string {
+ switch (shareOptions.sharePermission) {
+ case SharePermission.ALLOW_ACCESS:
+ return APPLICATION_ALLOW_ACCESS_RAM_PERMISSION_ARN;
+ case SharePermission.READ_ONLY:
+ return APPLICATION_READ_ONLY_RAM_PERMISSION_ARN;
+
+ default:
+ return shareOptions.sharePermission ?? APPLICATION_READ_ONLY_RAM_PERMISSION_ARN;
+ }
+ }
 }
 /**
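Review bot: The two managed-permission ARN constants hardcode the `aws` partition, so a stack synthesized for another partition (aws-cn, aws-us-gov) would reference a permission ARN that presumably does not resolve there; build them from `cdk.Aws.PARTITION`, which is already reachable through the `cdk` namespace import shown in the hunk header. In getApplicationSharePermissionARN the `default` branch forwards whatever string the caller supplied straight into `permissionArns`, so a typo or a non-RAM ARN is only discovered at deploy time; when the value is not a token, a cheap `startsWith('arn:')` check turns that into a synth-time error, and handling `undefined` as an explicit `case` makes the read-only default visible instead of hiding it behind `??` in the fallback. The helper is `private` here but `protected` in attribute-group.ts and the switch is duplicated there verbatim with the attribute-group ARNs, so one function in common.ts taking the two ARNs would keep the two resource types from drifting; the same points apply to getAttributeGroupSharePermissionARN and its constants in the next file.
```typescript
const APPLICATION_READ_ONLY_RAM_PERMISSION_ARN = `arn:${cdk.Aws.PARTITION}:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly`;
const APPLICATION_ALLOW_ACCESS_RAM_PERMISSION_ARN = `arn:${cdk.Aws.PARTITION}:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation`;

// … unchanged: ApplicationBase up to getApplicationSharePermissionARN …

  /**
   * Resolve the RAM permission ARN attached to the share.
   * A SharePermission maps to the matching AWS-managed permission; a string is
   * taken as a caller-supplied RAM permission ARN and is validated only when it
   * is not a deploy-time token.
   */
  private getApplicationSharePermissionARN(shareOptions: ShareOptions): string {
    switch (shareOptions.sharePermission) {
      case SharePermission.ALLOW_ACCESS:
        return APPLICATION_ALLOW_ACCESS_RAM_PERMISSION_ARN;
      case SharePermission.READ_ONLY:
      case undefined:
        return APPLICATION_READ_ONLY_RAM_PERMISSION_ARN;
      default: {
        const permissionArn = shareOptions.sharePermission;
        if (!cdk.Token.isUnresolved(permissionArn) && !permissionArn.startsWith('arn:')) {
          throw new Error(`sharePermission must be a SharePermission value or a RAM permission ARN, got '${permissionArn}'`);
        }
        return permissionArn;
      }
    }
  }
```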
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
index b530acf8f91cf..50651fff79eb9 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
@@ -1,11 +1,14 @@
 import { CfnResourceShare } from '@aws-cdk/aws-ram';
 import * as cdk from '@aws-cdk/core';
-import { getPrincipalsforSharing, ShareOptions } from './common';
+import { getPrincipalsforSharing, ShareOptions, SharePermission } from './common';
 import { Construct } from 'constructs';
 import { InputValidator } from './private/validation';
 import { CfnAttributeGroup } from './servicecatalogappregistry.generated';
 import { Names } from '@aws-cdk/core';
+const ATTRIBUTE_GROUP_READ_ONLY_RAM_PERMISSION_ARN = 'arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly';
+const ATTRIBUTE_GROUP_ALLOW_ACCESS_RAM_PERMISSION_ARN = 'arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupAllowAssociation';
+
 /**
 * A Service Catalog AppRegistry Attribute Group.
 */
@@ -63,8 +66,24 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou
 allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true,
 principals: principals,
 resourceArns: [this.attributeGroupArn],
+ permissionArns: [this.getAttributeGroupSharePermissionARN(shareOptions)],
 });
 }
+
+ /**
+ * Get the correct permission ARN based on the SharePermission
+ */
+ protected getAttributeGroupSharePermissionARN(shareOptions: ShareOptions): string {
+ switch (shareOptions.sharePermission) {
+ case SharePermission.ALLOW_ACCESS:
+ return ATTRIBUTE_GROUP_ALLOW_ACCESS_RAM_PERMISSION_ARN;
+ case SharePermission.READ_ONLY:
+ return ATTRIBUTE_GROUP_READ_ONLY_RAM_PERMISSION_ARN;
+
+ default:
+ return shareOptions.sharePermission ?? ATTRIBUTE_GROUP_READ_ONLY_RAM_PERMISSION_ARN;
+ }
+ }
 }
 /**
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
index 57ab25ab6110f..84ef43552b851 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
@@ -1,6 +1,21 @@
 import * as crypto from 'crypto';
 import * as iam from '@aws-cdk/aws-iam';
+/**
+ * Supported permissions for sharing applications or attribute groups with principals using AWS RAM.
+ */
+export enum SharePermission {
+ /**
+ * Allows principals in the share to only view the application or attribute group.
+ */
+ READ_ONLY,
+
+ /**
+ * Allows principals in the share to associate resources and attribute groups with applications.
+ */
+ ALLOW_ACCESS,
+};
+
 /**
 * The options that are passed into a share of an Application or Attribute Group.
 */
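Review bot: `SharePermission` is declared as a numeric enum, so `READ_ONLY` and `ALLOW_ACCESS` are `0` and `1` at runtime and show up as bare numbers wherever the option is logged or serialized; string members, `READ_ONLY = 'READ_ONLY',` and `ALLOW_ACCESS = 'ALLOW_ACCESS',`, are the convention for enums in construct libraries of this kind and keep the `SharePermission | string` union in ShareOptions readable. The `};` after the enum's closing brace is a stray empty statement and should be `}`. The ALLOW_ACCESS doc names only association; the matching managed permission is called `...AllowAssociation`, so whether it also includes the read access that READ_ONLY grants is worth confirming and stating, e.g. `Allows principals in the share to view the application or attribute group and to associate resources and attribute groups with applications.`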
@@ -35,6 +50,13 @@ export interface ShareOptions { */ readonly roles?: iam.IRole[]; + /** + * An option to manage access to the application or attribute group. + * + * @default - Principals will be assigned read only permissions on the application or attribute group. + */ + readonly sharePermission?: SharePermission | string; + /** * A list of AWS IAM users that the application will be shared with. * diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json index 0e64a1e7e3de6..d55a0a5b78bfd 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json @@ -1,7 +1,7 @@ { "version": "20.0.0", "files": { - "d38cefd07b083dfb1814889c0bbb741d1a53333b08007b245296279d3e3510a2": { + "69e3e576c88849b1bcc29caef556a86a1005734a0a9c4dd835f629ef6f3a7b76": { "source": { "path": "integ-servicecatalogappregistry-application.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d38cefd07b083dfb1814889c0bbb741d1a53333b08007b245296279d3e3510a2.json", + "objectKey": "69e3e576c88849b1bcc29caef556a86a1005734a0a9c4dd835f629ef6f3a7b76.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
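Review bot: The doc comment on `sharePermission` does not say that the `string` half of `SharePermission | string` is a raw RAM managed-permission ARN that is passed through to the resource share verbatim, so a caller reading the generated docs has no way to know what kind of string is acceptable or that it is not validated at synth time. Suggested wording: `An option to manage access to the application or attribute group. Either a SharePermission value, or the ARN of an AWS RAM managed permission, which is passed through to the resource share as-is.` If arbitrary permission ARNs are not an intended use case, removing `| string` is the simpler and safer fix.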
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json index 078f5e890170e..4b33afd35c897 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json @@ -44,6 +44,9 @@ "Properties": { "Name": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", "AllowExternalPrincipals": true, + "PermissionArns": [ + "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly" + ], "Principals": [ { "Fn::GetAtt": [ diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json index 148ab638e473e..490ef8a2ab665 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json @@ -50,15 +50,6 @@ "type": "aws:cdk:logicalId", "data": "MyRoleF48FFE04" } - ], - "TestApplicationRAMShareb83647b4f06a5A88B554": [ - { - "type": "aws:cdk:logicalId", - "data": "TestApplicationRAMShareb83647b4f06a5A88B554", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "integ-servicecatalogappregistry-application" diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json index 252cdcd79a746..87d2a23f2cb90 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json @@ -9,7 +9,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.51" } }, "integ-servicecatalogappregistry-application": { @@ -91,6 +91,9 @@ "aws:cdk:cloudformation:props": { "name": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", "allowExternalPrincipals": true, + "permissionArns": [ + "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly" + ], "principals": [ { "Fn::GetAtt": [ diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts index 643bb63ccc83a..5ca4113fcad18 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts @@ -243,6 +243,7 @@ describe('Application', () => { Name: 'RAMShareMyApplication', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], }); }); @@ -256,6 +257,7 @@ describe('Application', () => { Name: 'RAMShareMyApplication', Principals: ['123456789012'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], }); }); 
@@ -271,6 +273,7 @@ describe('Application', () => { Name: 'RAMShareMyApplication', Principals: ['arn:aws:iam::123456789012:role/myRole'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], }); }); @@ -286,6 +289,7 @@ describe('Application', () => { Name: 'RAMShareMyApplication', Principals: ['arn:aws:iam::123456789012:user/myUser'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], }); }); 
@@ -300,6 +304,36 @@ describe('Application', () => { Name: 'RAMShareMyApplication', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], + }); + }); + + test('share application with organization, give explicit read only access to an application', () => { + application.shareResource({ + organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + sharePermission: appreg.SharePermission.READ_ONLY, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + Name: 'RAMShareMyApplication', + Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], + }); + }); + + test('share application with organization, allow access to associate resources and attribute group with an application', () => { + application.shareResource({ + organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + sharePermission: appreg.SharePermission.ALLOW_ACCESS, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMShareMyApplication', + Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation'], }); }); }); 
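Review bot: The two new tests cover only the enum values, so the raw-string path of `sharePermission` (typed `SharePermission | string` in common.ts) that ends up in `PermissionArns` is not exercised anywhere, and a regression in the `default` branch would go unnoticed. A third test pinning that a caller-supplied permission ARN is forwarded unchanged would close the gap; the enclosing `describe('Application')` block starts outside the hunk.

```typescript
  test('share application with organization, pass a custom RAM permission ARN through unchanged', () => {
    application.shareResource({
      organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'],
      sharePermission: 'arn:aws:ram::aws:permission/MyCustomPermission',
    });

    Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
      Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'],
      PermissionArns: ['arn:aws:ram::aws:permission/MyCustomPermission'],
    });
  });
```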
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json index 4b97f7bb74c7b..1c512213b755a 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json @@ -1,7 +1,7 @@ { "version": "20.0.0", "files": { - "a5742457a84c96e01da273972948dc65084ec63566b7d35f1d8854a1794fb877": { + "c14fdef4b99386d4edec709b2079a9c3238da063b02a600f720a01e32b2561a7": { "source": { "path": "integ-servicecatalogappregistry-attribute-group.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "a5742457a84c96e01da273972948dc65084ec63566b7d35f1d8854a1794fb877.json", + "objectKey": "c14fdef4b99386d4edec709b2079a9c3238da063b02a600f720a01e32b2561a7.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json index 20239eefa2c70..4c4af5e21c8fa 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json 
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json @@ -24,6 +24,9 @@ "Properties": { "Name": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", "AllowExternalPrincipals": true, + "PermissionArns": [ + "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly" + ], "Principals": [ { "Fn::GetAtt": [ diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json index da4f4af9c92c7..bd731254b6155 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json @@ -9,7 +9,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.51" } }, "integ-servicecatalogappregistry-attribute-group": { @@ -55,6 +55,9 @@ "aws:cdk:cloudformation:props": { "name": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", "allowExternalPrincipals": true, + "permissionArns": [ + "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly" + ], "principals": [ { "Fn::GetAtt": [ diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts index 8141734ad3223..44918d4b104c3 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts 
@@ -202,6 +202,7 @@ describe('Attribute Group', () => { Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'], }); }); @@ -215,6 +216,7 @@ describe('Attribute Group', () => { Name: 'RAMShareMyAttributeGroup', Principals: ['123456789012'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'], }); }); @@ -230,6 +232,7 @@ describe('Attribute Group', () => { Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:iam::123456789012:role/myRole'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'], }); }); @@ -245,6 +248,7 @@ describe('Attribute Group', () => { Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:iam::123456789012:user/myUser'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'], }); }); 
@@ -259,6 +263,37 @@ describe('Attribute Group', () => { Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'], + }); + }); + + test('share attribute group with organization, give explicit read only access to the attribute group', () => { + attributeGroup.shareResource({ + organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + sharePermission: appreg.SharePermission.READ_ONLY, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMShareMyAttributeGroup', + Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'], + }); + }); + + test('share attribute group with organization, give access to mutate attribute groups', () => { + attributeGroup.shareResource({ + organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + sharePermission: appreg.SharePermission.ALLOW_ACCESS, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: true, + Name: 'RAMShareMyAttributeGroup', + Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], + PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupAllowAssociation'], }); }); }); From c4358c546055abd64f600da0e8341a6267f81b1f Mon Sep 17 00:00:00 2001 
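Review bot: The last test's name, "give access to mutate attribute groups", overstates what is asserted: the expected permission is `...AttributeGroupAllowAssociation`, and the enum doc for `ALLOW_ACCESS` describes association, not mutation of the attribute group itself. A name that matches the assertion keeps the test suite from documenting a broader grant than the share actually makes: `test('share attribute group with organization, allow access to associate the attribute group with applications', () => {`. The enclosing `describe('Attribute Group')` block starts outside the hunk.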
From: Alex Makoviecki
Date: Fri, 22 Jul 2022 18:06:42 -0700
Subject: [PATCH 12/20] Remove option to allow external principals, should always be false for AppReg

---
 .../lib/application.ts | 2 +-
 .../lib/attribute-group.ts | 2 +-
 .../lib/common.ts | 9 -------
 ...catalogappregistry-application.assets.json | 4 +--
 ...talogappregistry-application.template.json | 2 +-
 .../test/application.integ.snapshot/tree.json | 2 +-
 .../test/application.test.ts | 26 +++++-------------
 ...logappregistry-attribute-group.assets.json | 4 +--
 ...gappregistry-attribute-group.template.json | 2 +-
 .../attribute-group.integ.snapshot/tree.json | 2 +-
 .../test/attribute-group.test.ts | 27 +++++--------------
 11 files changed, 22 insertions(+), 60 deletions(-)

diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
index ae1e2b642bddd..ab8cdcca8c6ea 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
@@ -109,7 +109,7 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication {
     const shareName = `RAMShare${Names.uniqueResourceName(this, {})}`;
     new CfnResourceShare(this, shareName, {
       name: shareName,
-      allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true,
+      allowExternalPrincipals: false,
       principals: principals,
       resourceArns: [this.applicationArn],
       permissionArns: [this.getApplicationSharePermissionARN(shareOptions)],
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
index 50651fff79eb9..93d115dd44824 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
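Review bot: `allowExternalPrincipals: false` is now hard-coded in `shareResource`, but `ShareOptions` still accepts arbitrary `accounts`, `users` and `roles`, and nothing at synth time tells a caller that a principal outside the sharing account's organization will presumably be rejected by RAM only at deploy time. Stacks that previously deployed with the old default of `true` will also see this as an in-place update of the resource share, which the commit message does not call out. A why-comment on the changed line would spare the next reader a trip through the history: `// AppRegistry resources may only be shared within the owning AWS Organization, so external principals are never allowed.` The method's signature and doc comment sit outside the hunk and should state the same constraint.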
@@ -63,7 +63,7 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou
     const shareName = `RAMShare${Names.uniqueResourceName(this, {})}`;
     new CfnResourceShare(this, shareName, {
       name: shareName,
-      allowExternalPrincipals: shareOptions.allowExternalPrincipals ?? true,
+      allowExternalPrincipals: false,
       principals: principals,
       resourceArns: [this.attributeGroupArn],
       permissionArns: [this.getAttributeGroupSharePermissionARN(shareOptions)],
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
index 84ef43552b851..db16a78dca719 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
@@ -20,15 +20,6 @@ export enum SharePermission {
  * The options that are passed into a share of an Application or Attribute Group.
  */
 export interface ShareOptions {
-  /**
-   * When set to true, this allows sharing of applications and attribute groups
-   * with accounts outside of your AWS Organization. When set to false, sharing
-   * is restricted to only accounts and principals which belong to the organization.
-   *
-   * @default true
-   */
-  readonly allowExternalPrincipals?: boolean;
-
   /**
    * A list of AWS accounts that the application will be shared with.
    *
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json
index d55a0a5b78bfd..69f7ee9590e01 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json
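Review bot: With the `allowExternalPrincipals` option and its doc block deleted from `ShareOptions`, the remaining `accounts` comment (`A list of AWS accounts that the application will be shared with.`) no longer tells callers that those accounts must belong to the same AWS Organization as the sharing account — the only place that constraint was written down is the text this hunk removes. Suggested wording: `A list of AWS account IDs, within the sharing account's AWS Organization, that the application or attribute group will be shared with.` The `users` and `roles` docs further down the interface are outside this hunk and deserve the same caveat.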
@@ -1,7 +1,7 @@ { "version": "20.0.0", "files": { - "69e3e576c88849b1bcc29caef556a86a1005734a0a9c4dd835f629ef6f3a7b76": { + "8f9e7676e5f82cb21762cd42f8f01d049871f02d962ff19e2850735614ca3524": { "source": { "path": "integ-servicecatalogappregistry-application.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "69e3e576c88849b1bcc29caef556a86a1005734a0a9c4dd835f629ef6f3a7b76.json", + "objectKey": "8f9e7676e5f82cb21762cd42f8f01d049871f02d962ff19e2850735614ca3524.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json index 4b33afd35c897..c389273e5da77 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json @@ -43,7 +43,7 @@ "Type": "AWS::RAM::ResourceShare", "Properties": { "Name": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", - "AllowExternalPrincipals": true, + "AllowExternalPrincipals": false, "PermissionArns": [ "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly" ], diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json index 87d2a23f2cb90..cf7b75d1a2d5e 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json @@ -90,7 +90,7 @@ "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", "aws:cdk:cloudformation:props": { "name": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", - "allowExternalPrincipals": true, + "allowExternalPrincipals": false, "permissionArns": [ "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly" ], diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts index 5ca4113fcad18..30357eeb155d9 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts @@ -239,7 +239,7 @@ describe('Application', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyApplication', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], @@ -253,7 +253,7 @@ describe('Application', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyApplication', Principals: ['123456789012'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], @@ -269,7 +269,7 @@ describe('Application', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyApplication', Principals: ['arn:aws:iam::123456789012:role/myRole'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], 
@@ -284,25 +284,10 @@ describe('Application', () => { users: [myUser], }); - Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, - Name: 'RAMShareMyApplication', - Principals: ['arn:aws:iam::123456789012:user/myUser'], - ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], - PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], - }); - }); - - test('share application with organization, do not allow external principals', () => { - application.shareResource({ - allowExternalPrincipals: false, - organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], - }); - Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, Name: 'RAMShareMyApplication', - Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + Principals: ['arn:aws:iam::123456789012:user/myUser'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], }); @@ -315,6 +300,7 @@ describe('Application', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { + AllowExternalPrincipals: false, Name: 'RAMShareMyApplication', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], @@ -329,7 +315,7 @@ describe('Application', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyApplication', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json index 1c512213b755a..25d231fbf9cfe 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json @@ -1,7 +1,7 @@ { "version": "20.0.0", "files": { - "c14fdef4b99386d4edec709b2079a9c3238da063b02a600f720a01e32b2561a7": { + "3577534a308adb58ea13bd8ac00e1b70c4eaa2bf05099072110b9a30a791c554": { "source": { "path": "integ-servicecatalogappregistry-attribute-group.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c14fdef4b99386d4edec709b2079a9c3238da063b02a600f720a01e32b2561a7.json", + "objectKey": "3577534a308adb58ea13bd8ac00e1b70c4eaa2bf05099072110b9a30a791c554.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json index 4c4af5e21c8fa..7ce3fdb8fb377 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json 
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json @@ -23,7 +23,7 @@ "Type": "AWS::RAM::ResourceShare", "Properties": { "Name": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", - "AllowExternalPrincipals": true, + "AllowExternalPrincipals": false, "PermissionArns": [ "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly" ], diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json index bd731254b6155..2500e3285db3f 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json @@ -54,7 +54,7 @@ "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", "aws:cdk:cloudformation:props": { "name": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", - "allowExternalPrincipals": true, + "allowExternalPrincipals": false, "permissionArns": [ "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly" ], diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts index 44918d4b104c3..6a619030ee0c1 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts 
@@ -198,7 +198,7 @@ describe('Attribute Group', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], @@ -212,7 +212,7 @@ describe('Attribute Group', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyAttributeGroup', Principals: ['123456789012'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], @@ -228,7 +228,7 @@ describe('Attribute Group', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:iam::123456789012:role/myRole'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], 
@@ -243,25 +243,10 @@ describe('Attribute Group', () => { users: [myUser], }); - Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, - Name: 'RAMShareMyAttributeGroup', - Principals: ['arn:aws:iam::123456789012:user/myUser'], - ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], - PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'], - }); - }); - - test('share attribute group with organization, do not allow external principals', () => { - attributeGroup.shareResource({ - allowExternalPrincipals: false, - organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], - }); - Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, Name: 'RAMShareMyAttributeGroup', - Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + Principals: ['arn:aws:iam::123456789012:user/myUser'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'], }); @@ -274,7 +259,7 @@ describe('Attribute Group', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], @@ -289,7 +274,7 @@ describe('Attribute Group', () => { }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { - AllowExternalPrincipals: true, + AllowExternalPrincipals: false, Name: 'RAMShareMyAttributeGroup', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }], 
From db7e438c50f4fed82a88d2f42820ca72258b8e60 Mon Sep 17 00:00:00 2001 From: Alex Makoviecki Date: Wed, 27 Jul 2022 10:43:03 -0700 Subject: [PATCH 13/20] Rename organizations to organizationArns, update README --- .../aws-servicecatalogappregistry/README.md | 14 ++++++++------ .../aws-servicecatalogappregistry/lib/common.ts | 4 ++-- .../test/application.test.ts | 6 +++--- .../test/attribute-group.test.ts | 6 +++--- 4 files changed, 16 insertions(+), 14 deletions(-) diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md index f3d36e652aa50..8501eb76a98a4 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md @@ -138,19 +138,20 @@ declare const myRole: iam.IRole; declare const myUser: iam.IUser; application.shareResource({ accounts: ['123456789012'], - organizations: ['arn:aws:organizations::123456789012:organization/o-my-org-id'], + organizationArns: ['arn:aws:organizations::123456789012:organization/o-my-org-id'], roles: [myRole], - users: [myUser] + users: [myUser], }); ``` -E.g., sharing an application with multiple accounts: +E.g., sharing an application with multiple accounts and allowing the accounts to associate resources to the application. ```ts import * as iam from '@aws-cdk/aws-iam'; declare const application: appreg.Application; application.shareResource({ accounts: ['123456789012', '234567890123'], + sharePermission: appreg.SharePermission.ALLOW_ACCESS, }); ``` 
@@ -163,18 +164,19 @@ declare const myRole: iam.IRole; declare const myUser: iam.IUser; attributeGroup.shareResource({ accounts: ['123456789012'], - organizations: ['arn:aws:organizations::123456789012:organization/o-my-org-id'], + organizationArns: ['arn:aws:organizations::123456789012:organization/o-my-org-id'], roles: [myRole], - users: [myUser] + users: [myUser], }); ``` -E.g., sharing an attribute group with multiple accounts: +E.g., sharing an application with multiple accounts and allowing the accounts to associate applications to the attribute group. ```ts import * as iam from '@aws-cdk/aws-iam'; declare const attributeGroup: appreg.AttributeGroup; attributeGroup.shareResource({ accounts: ['123456789012', '234567890123'], + sharePermission: appreg.SharePermission.ALLOW_ACCESS, }); ``` diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts index db16a78dca719..9b5543179a25c 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts @@ -32,7 +32,7 @@ export interface ShareOptions { * * @default - No AWS Organizations or OUs specified for share */ - readonly organizations?: string[]; + readonly organizationArns?: string[]; /** * A list of AWS IAM roles that the application will be shared with. @@ -73,7 +73,7 @@ export function hashValues(...values: string[]): string { export function getPrincipalsforSharing(options: ShareOptions): string[] { const principals = [ ...options.accounts ?? [], - ...options.organizations ?? [], + ...options.organizationArns ?? [], ...options.users ? options.users.map(user => user.userArn) : [], ...options.roles ? options.roles.map(role => role.roleArn) : [], ]; diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts index 30357eeb155d9..4df02fd6c9567 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts @@ -235,7 +235,7 @@ describe('Application', () => { test('share application with an organization', () => { application.shareResource({ - organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { @@ -295,7 +295,7 @@ describe('Application', () => { test('share application with organization, give explicit read only access to an application', () => { application.shareResource({ - organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], sharePermission: appreg.SharePermission.READ_ONLY, }); @@ -310,7 +310,7 @@ describe('Application', () => { test('share application with organization, allow access to associate resources and attribute group with an application', () => { application.shareResource({ - organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], sharePermission: appreg.SharePermission.ALLOW_ACCESS, }); diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts index 6a619030ee0c1..eafe3ca8a454c 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts 
@@ -194,7 +194,7 @@ describe('Attribute Group', () => { test('share attribute group with an organization', () => { attributeGroup.shareResource({ - organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], }); Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { @@ -254,7 +254,7 @@ describe('Attribute Group', () => { test('share attribute group with organization, give explicit read only access to the attribute group', () => { attributeGroup.shareResource({ - organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], sharePermission: appreg.SharePermission.READ_ONLY, }); @@ -269,7 +269,7 @@ describe('Attribute Group', () => { test('share attribute group with organization, give access to mutate attribute groups', () => { attributeGroup.shareResource({ - organizations: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], + organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], sharePermission: appreg.SharePermission.ALLOW_ACCESS, }); From e3e4599eb2af9b2b2d654bd9ba0be7f7c1074a10 Mon Sep 17 00:00:00 2001 From: Alex Makoviecki Date: Thu, 28 Jul 2022 14:58:35 -0700 Subject: [PATCH 14/20] Change shareResource to shareApplication and shareAttributeGroup respectively --- .../aws-servicecatalogappregistry/README.md | 8 ++++---- .../lib/application.ts | 10 +++++----- .../lib/attribute-group.ts | 4 ++-- .../test/application.test.ts | 14 +++++++------- .../test/attribute-group.test.ts | 14 +++++++------- .../test/integ.application.ts | 2 +- .../test/integ.attribute-group.ts | 2 +- 7 files changed, 27 insertions(+), 27 deletions(-) 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md index 8501eb76a98a4..290ebb8007106 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md @@ -136,7 +136,7 @@ import * as iam from '@aws-cdk/aws-iam'; declare const application: appreg.Application; declare const myRole: iam.IRole; declare const myUser: iam.IUser; -application.shareResource({ +application.shareApplication({ accounts: ['123456789012'], organizationArns: ['arn:aws:organizations::123456789012:organization/o-my-org-id'], roles: [myRole], @@ -149,7 +149,7 @@ E.g., sharing an application with multiple accounts and allowing the accounts to ```ts import * as iam from '@aws-cdk/aws-iam'; declare const application: appreg.Application; -application.shareResource({ +application.shareApplication({ accounts: ['123456789012', '234567890123'], sharePermission: appreg.SharePermission.ALLOW_ACCESS, }); @@ -162,7 +162,7 @@ import * as iam from '@aws-cdk/aws-iam'; declare const attributeGroup: appreg.AttributeGroup; declare const myRole: iam.IRole; declare const myUser: iam.IUser; -attributeGroup.shareResource({ +attributeGroup.shareAttributeGroup({ accounts: ['123456789012'], organizationArns: ['arn:aws:organizations::123456789012:organization/o-my-org-id'], roles: [myRole], @@ -175,7 +175,7 @@ E.g., sharing an application with multiple accounts and allowing the accounts to ```ts import * as iam from '@aws-cdk/aws-iam'; declare const attributeGroup: appreg.AttributeGroup; -attributeGroup.shareResource({ +attributeGroup.shareAttributeGroup({ accounts: ['123456789012', '234567890123'], sharePermission: appreg.SharePermission.ALLOW_ACCESS, }); diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts index ab8cdcca8c6ea..86b1385333e42 100644 
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts @@ -39,10 +39,10 @@ export interface IApplication extends cdk.IResource { associateStack(stack: cdk.Stack): void; /** - * Share this resource with other IAM entities, accounts, or OUs. + * Share this application with other IAM entities, accounts, or OUs. * @param shareOptions The options for the share. */ - shareResource(shareOptions: ShareOptions): void; + shareApplication(shareOptions: ShareOptions): void; } /** @@ -100,11 +100,11 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication { } /** - * Share application resource with target accounts. - * The application will become available to end users within targets. + * Share an application with accounts, organizations and OUs, and IAM roles and users. + * The application will become available to end users within those principals. * @param shareOptions The options for the share. */ - public shareResource(shareOptions: ShareOptions): void { + public shareApplication(shareOptions: ShareOptions): void { const principals = getPrincipalsforSharing(shareOptions); const shareName = `RAMShare${Names.uniqueResourceName(this, {})}`; new CfnResourceShare(this, shareName, { diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts index 93d115dd44824..3d8648b8d19ca 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts @@ -29,7 +29,7 @@ export interface IAttributeGroup extends cdk.IResource { * Share the attribute group resource with other IAM entities, accounts, or OUs. * @param shareOptions The options for the share. */ - shareResource(shareOptions: ShareOptions): void; + shareAttributeGroup(shareOptions: ShareOptions): void; } /** 
@@ -58,7 +58,7 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou public abstract readonly attributeGroupArn: string; public abstract readonly attributeGroupId: string; - public shareResource(shareOptions: ShareOptions): void { + public shareAttributeGroup(shareOptions: ShareOptions): void { const principals = getPrincipalsforSharing(shareOptions); const shareName = `RAMShare${Names.uniqueResourceName(this, {})}`; new CfnResourceShare(this, shareName, { diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts index 4df02fd6c9567..b0518c70f2872 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts @@ -229,12 +229,12 @@ describe('Application', () => { test('fails for sharing application without principals', () => { expect(() => { - application.shareResource({}); + application.shareApplication({}); }).toThrow(/An entity must be provided for the share/); }); test('share application with an organization', () => { - application.shareResource({ + application.shareApplication({ organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], }); @@ -248,7 +248,7 @@ describe('Application', () => { }); test('share application with an account', () => { - application.shareResource({ + application.shareApplication({ accounts: ['123456789012'], }); @@ -264,7 +264,7 @@ describe('Application', () => { test('share application with an IAM role', () => { const myRole = iam.Role.fromRoleArn(stack, 'MyRole', 'arn:aws:iam::123456789012:role/myRole'); - application.shareResource({ + application.shareApplication({ roles: [myRole], }); 
@@ -280,7 +280,7 @@ describe('Application', () => { test('share application with an IAM user', () => { const myUser = iam.User.fromUserArn(stack, 'MyUser', 'arn:aws:iam::123456789012:user/myUser'); - application.shareResource({ + application.shareApplication({ users: [myUser], }); @@ -294,7 +294,7 @@ describe('Application', () => { }); test('share application with organization, give explicit read only access to an application', () => { - application.shareResource({ + application.shareApplication({ organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], sharePermission: appreg.SharePermission.READ_ONLY, }); @@ -309,7 +309,7 @@ describe('Application', () => { }); test('share application with organization, allow access to associate resources and attribute group with an application', () => { - application.shareResource({ + application.shareApplication({ organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], sharePermission: appreg.SharePermission.ALLOW_ACCESS, }); diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts index eafe3ca8a454c..d63070a75e17b 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts @@ -188,12 +188,12 @@ describe('Attribute Group', () => { test('fails for sharing attribute group without principals', () => { expect(() => { - attributeGroup.shareResource({}); + attributeGroup.shareAttributeGroup({}); }).toThrow(/An entity must be provided for the share/); }); test('share attribute group with an organization', () => { - attributeGroup.shareResource({ + attributeGroup.shareAttributeGroup({ organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], }); 
@@ -207,7 +207,7 @@ describe('Attribute Group', () => { }); test('share attribute group with an account', () => { - attributeGroup.shareResource({ + attributeGroup.shareAttributeGroup({ accounts: ['123456789012'], }); @@ -223,7 +223,7 @@ describe('Attribute Group', () => { test('share attribute group with an IAM role', () => { const myRole = iam.Role.fromRoleArn(stack, 'MyRole', 'arn:aws:iam::123456789012:role/myRole'); - attributeGroup.shareResource({ + attributeGroup.shareAttributeGroup({ roles: [myRole], }); @@ -239,7 +239,7 @@ describe('Attribute Group', () => { test('share attribute group with an IAM user', () => { const myUser = iam.User.fromUserArn(stack, 'MyUser', 'arn:aws:iam::123456789012:user/myUser'); - attributeGroup.shareResource({ + attributeGroup.shareAttributeGroup({ users: [myUser], }); @@ -253,7 +253,7 @@ describe('Attribute Group', () => { }); test('share attribute group with organization, give explicit read only access to the attribute group', () => { - attributeGroup.shareResource({ + attributeGroup.shareAttributeGroup({ organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], sharePermission: appreg.SharePermission.READ_ONLY, }); @@ -268,7 +268,7 @@ describe('Attribute Group', () => { }); test('share attribute group with organization, give access to mutate attribute groups', () => { - attributeGroup.shareResource({ + attributeGroup.shareAttributeGroup({ organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], sharePermission: appreg.SharePermission.ALLOW_ACCESS, }); diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts index 7ddd503cb99ee..d51cad051252c 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application.ts 
@@ -36,7 +36,7 @@ application.associateAttributeGroup(attributeGroup); const myRole = new iam.Role(stack, 'MyRole', { assumedBy: new iam.AccountPrincipal(stack.account), }); -application.shareResource({ +application.shareApplication({ roles: [myRole], }); diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts index b05fe462d74ed..6d5ccb59b8ef2 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.attribute-group.ts @@ -27,7 +27,7 @@ const myRole = new iam.Role(stack, 'MyRole', { const mySecondRole = new iam.Role(stack, 'MySecondRole', { assumedBy: new iam.AccountPrincipal(stack.account), }); -attributeGroup.shareResource({ +attributeGroup.shareAttributeGroup({ roles: [myRole, mySecondRole], }); From 5ce92cd1c944d74acaab4e40ad06c09b63088b36 Mon Sep 17 00:00:00 2001 From: Alex Makoviecki Date: Fri, 29 Jul 2022 19:34:38 -0700 Subject: [PATCH 15/20] Allow for multiple shares per Application or AttributeGroup --- .../lib/application.ts | 2 +- .../lib/attribute-group.ts | 4 ++-- ...ervicecatalogappregistry-application.assets.json | 4 ++-- ...vicecatalogappregistry-application.template.json | 4 ++-- .../test/application.integ.snapshot/manifest.json | 13 +++++++++++-- .../test/application.integ.snapshot/tree.json | 8 ++++---- .../test/application.test.ts | 12 ++++++------ ...cecatalogappregistry-attribute-group.assets.json | 4 ++-- ...catalogappregistry-attribute-group.template.json | 4 ++-- .../attribute-group.integ.snapshot/manifest.json | 4 ++-- .../test/attribute-group.integ.snapshot/tree.json | 8 ++++---- .../test/attribute-group.test.ts | 12 ++++++------ 12 files changed, 44 insertions(+), 35 deletions(-) 
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts index 86b1385333e42..3fc38569b8144 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts @@ -106,7 +106,7 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication { */ public shareApplication(shareOptions: ShareOptions): void { const principals = getPrincipalsforSharing(shareOptions); - const shareName = `RAMShare${Names.uniqueResourceName(this, {})}`; + const shareName = `RAMShare${hashValues(Names.nodeUniqueId(this.node), this.node.children.length.toString())}`; new CfnResourceShare(this, shareName, { name: shareName, allowExternalPrincipals: false, diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts index 3d8648b8d19ca..9a56b0ae746d0 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts @@ -1,6 +1,6 @@ import { CfnResourceShare } from '@aws-cdk/aws-ram'; import * as cdk from '@aws-cdk/core'; -import { getPrincipalsforSharing, ShareOptions, SharePermission } from './common'; +import { getPrincipalsforSharing, hashValues, ShareOptions, SharePermission } from './common'; import { Construct } from 'constructs'; import { InputValidator } from './private/validation'; import { CfnAttributeGroup } from './servicecatalogappregistry.generated'; 
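Review bot: Deriving the share's construct id from `this.node.children.length` makes the logical id — and the RAM share `name` — depend on how many children the application happens to have when `shareApplication` is called, so adding, removing or reordering an unrelated call such as an attribute-group or stack association changes the hash and CloudFormation replaces the share; the manifest snapshot in this same patch already records `!!DESTRUCTIVE_CHANGES: WILL_DESTROY` for the old logical id. A replacement revokes whatever was granted through the old share and produces a new share ARN, churn that a RAM audit then has to explain. Keying the hash on the share's own content is stable across refactors and still lets shares with different principals coexist, e.g. ``const shareName = `RAMShare${hashValues(Names.nodeUniqueId(this.node), ...[...principals].sort())}`;`` — if `hashValues` concatenates its inputs without a delimiter, join them with one first so `['a','bc']` and `['ab','c']` do not collide, and fold `sharePermission` in too if its values are strings, since the same principals may legitimately be granted both permissions. Since `name` is what an operator sees in the RAM console, keeping `Names.nodeUniqueId(this.node)` in clear text ahead of the hash would also keep shares attributable to their application. `shareApplication`'s body continues outside the hunk.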
@@ -60,7 +60,7 @@ abstract class AttributeGroupBase extends cdk.Resource implements IAttributeGrou public shareAttributeGroup(shareOptions: ShareOptions): void { const principals = getPrincipalsforSharing(shareOptions); - const shareName = `RAMShare${Names.uniqueResourceName(this, {})}`; + const shareName = `RAMShare${hashValues(Names.nodeUniqueId(this.node), this.node.children.length.toString())}`; new CfnResourceShare(this, shareName, { name: shareName, allowExternalPrincipals: false, diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json index 69f7ee9590e01..7f5db7d1e1328 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.assets.json @@ -1,7 +1,7 @@ { "version": "20.0.0", "files": { - "8f9e7676e5f82cb21762cd42f8f01d049871f02d962ff19e2850735614ca3524": { + "d03aa6239eb3b20f4b72fb3dd44a4082d06d7a5451d0ac3855bd1aa78aecfbe9": { "source": { "path": "integ-servicecatalogappregistry-application.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "8f9e7676e5f82cb21762cd42f8f01d049871f02d962ff19e2850735614ca3524.json", + "objectKey": "d03aa6239eb3b20f4b72fb3dd44a4082d06d7a5451d0ac3855bd1aa78aecfbe9.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
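Review bot: Keying the share's construct id on `this.node.children.length` ties both the logical id and the RAM share `name` to how many children the attribute group has when `shareAttributeGroup` runs, so an unrelated child added earlier in the same stack re-keys the hash and CloudFormation replaces the share; the attribute-group template snapshot in this patch already shows the logical id moving to `TestAttributeGroupRAMSharec67f7d80e5baA10EFB4E`. Replacement tears down the grant made through the old share and issues a new share ARN, which is exactly the kind of unexplained access churn a cross-account review has to chase. A content-derived key changes only when the grant itself changes and still allows several shares with different principals: ``const shareName = `RAMShare${hashValues(Names.nodeUniqueId(this.node), ...[...principals].sort())}`;`` — include `sharePermission` as well if it is a string, since one set of principals may receive both the read-only and the association permission. The method's body continues past the hunk.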
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json index c389273e5da77..a083f478debfd 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/integ-servicecatalogappregistry-application.template.json @@ -39,10 +39,10 @@ } } }, - "TestApplicationRAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB233482C38": { + "TestApplicationRAMSharead8ba81b8cdd40199FD1": { "Type": "AWS::RAM::ResourceShare", "Properties": { - "Name": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", + "Name": "RAMSharead8ba81b8cdd", "AllowExternalPrincipals": false, "PermissionArns": [ "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly" diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json index 490ef8a2ab665..e4ec7abf302a2 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/manifest.json 
@@ -33,10 +33,10 @@ "data": "TestApplicationAttributeGroupAssociation4ba7f5842818B8EE1C6F" } ], - "/integ-servicecatalogappregistry-application/TestApplication/RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2": [ + "/integ-servicecatalogappregistry-application/TestApplication/RAMSharead8ba81b8cdd": [ { "type": "aws:cdk:logicalId", - "data": "TestApplicationRAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB233482C38" + "data": "TestApplicationRAMSharead8ba81b8cdd40199FD1" } ], "/integ-servicecatalogappregistry-application/TestAttributeGroup/Resource": [ @@ -50,6 +50,15 @@ "type": "aws:cdk:logicalId", "data": "MyRoleF48FFE04" } + ], + "TestApplicationRAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB233482C38": [ + { + "type": "aws:cdk:logicalId", + "data": "TestApplicationRAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB233482C38", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "integ-servicecatalogappregistry-application" diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json index cf7b75d1a2d5e..7e7c3a99234d4 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.integ.snapshot/tree.json 
@@ -83,13 +83,13 @@ "version": "0.0.0" } }, - "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2": { - "id": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", - "path": "integ-servicecatalogappregistry-application/TestApplication/RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", + "RAMSharead8ba81b8cdd": { + "id": "RAMSharead8ba81b8cdd", + "path": "integ-servicecatalogappregistry-application/TestApplication/RAMSharead8ba81b8cdd", "attributes": { "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", "aws:cdk:cloudformation:props": { - "name": "RAMShareintegservicecatalogappregistryapplicationTestApplicationF7821DB2", + "name": "RAMSharead8ba81b8cdd", "allowExternalPrincipals": false, "permissionArns": [ "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly" diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts index b0518c70f2872..33f1ca2628cdb 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/application.test.ts @@ -240,7 +240,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, - Name: 'RAMShareMyApplication', + Name: 'RAMSharee6e0e560e6f8', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], 
@@ -254,7 +254,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, - Name: 'RAMShareMyApplication', + Name: 'RAMSharee6e0e560e6f8', Principals: ['123456789012'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], @@ -270,7 +270,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, - Name: 'RAMShareMyApplication', + Name: 'RAMSharee6e0e560e6f8', Principals: ['arn:aws:iam::123456789012:role/myRole'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], @@ -286,7 +286,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, - Name: 'RAMShareMyApplication', + Name: 'RAMSharee6e0e560e6f8', Principals: ['arn:aws:iam::123456789012:user/myUser'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], @@ -301,7 +301,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, - Name: 'RAMShareMyApplication', + Name: 'RAMSharee6e0e560e6f8', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly'], 
@@ -316,7 +316,7 @@ describe('Application', () => { Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', { AllowExternalPrincipals: false, - Name: 'RAMShareMyApplication', + Name: 'RAMSharee6e0e560e6f8', Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'], ResourceArns: [{ 'Fn::GetAtt': ['MyApplication5C63EC1D', 'Arn'] }], PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation'], diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json index 25d231fbf9cfe..f3f8d64d86ef0 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.assets.json @@ -1,7 +1,7 @@ { "version": "20.0.0", "files": { - "3577534a308adb58ea13bd8ac00e1b70c4eaa2bf05099072110b9a30a791c554": { + "3dece22dad73361a79cb380f2880362a20ffc5c0cc75ddc6707e26b5a88cf93f": { "source": { "path": "integ-servicecatalogappregistry-attribute-group.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "3577534a308adb58ea13bd8ac00e1b70c4eaa2bf05099072110b9a30a791c554.json", + "objectKey": "3dece22dad73361a79cb380f2880362a20ffc5c0cc75ddc6707e26b5a88cf93f.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
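Review bot: None of the updated tests exercises what this patch's subject claims — calling `shareApplication` twice on one application; every test still creates exactly one share and only the expected `Name` changed to the new hash. Add a test that issues two shares with different principals and counts the resulting resources, so a regression back to a colliding construct id is caught. Consider also matching `Name` loosely, `Match.stringLikeRegexp('^RAMShare[0-9a-f]{12}$')` if `Match` is available from `@aws-cdk/assertions`, rather than pinning `RAMSharee6e0e560e6f8`, which breaks whenever the child count or the `Names.nodeUniqueId` input shifts. The enclosing `describe('Application')` starts outside the hunk.
```typescript
test('share application twice creates two distinct resource shares', () => {
  application.shareApplication({ accounts: ['123456789012'] });
  application.shareApplication({ organizationArns: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'] });

  Template.fromStack(stack).resourceCountIs('AWS::RAM::ResourceShare', 2);
});
```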
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json index 7ce3fdb8fb377..5588a96737393 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/integ-servicecatalogappregistry-attribute-group.template.json @@ -19,10 +19,10 @@ "Description": "my attribute group description" } }, - "TestAttributeGroupRAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831AA2963D44": { + "TestAttributeGroupRAMSharec67f7d80e5baA10EFB4E": { "Type": "AWS::RAM::ResourceShare", "Properties": { - "Name": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", + "Name": "RAMSharec67f7d80e5ba", "AllowExternalPrincipals": false, "PermissionArns": [ "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly" diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json index 90209202dca67..f9c67b5df26ef 100644 --- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/manifest.json 
@@ -21,10 +21,10 @@ "data": "TestAttributeGroupB1CB284F" } ], - "/integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A": [ + "/integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMSharec67f7d80e5ba": [ { "type": "aws:cdk:logicalId", - "data": "TestAttributeGroupRAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831AA2963D44" + "data": "TestAttributeGroupRAMSharec67f7d80e5baA10EFB4E" } ], "/integ-servicecatalogappregistry-attribute-group/MyRole/Resource": [
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json
index 2500e3285db3f..13fb0f632832a 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.integ.snapshot/tree.json
@@ -47,13 +47,13 @@ "version": "0.0.0" } }, - "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A": { - "id": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", - "path": "integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", + "RAMSharec67f7d80e5ba": { + "id": "RAMSharec67f7d80e5ba", + "path": "integ-servicecatalogappregistry-attribute-group/TestAttributeGroup/RAMSharec67f7d80e5ba", "attributes": { "aws:cdk:cloudformation:type": "AWS::RAM::ResourceShare", "aws:cdk:cloudformation:props": { - "name": "RAMShareintegservicecatalogappregistryattributegroupTestAttributeGroup7BCD831A", + "name": "RAMSharec67f7d80e5ba", "allowExternalPrincipals": false, "permissionArns": [ "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly"
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts
index d63070a75e17b..5230071cd50f1 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/test/attribute-group.test.ts
@@ -199,7 +199,7 @@ describe('Attribute Group', () => {
 Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
 AllowExternalPrincipals: false,
- Name: 'RAMShareMyAttributeGroup',
+ Name: 'RAMShare76d2681489c0',
 Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'],
 ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
 PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'],
@@ -213,7 +213,7 @@ describe('Attribute Group', () => {
 Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
 AllowExternalPrincipals: false,
- Name: 'RAMShareMyAttributeGroup',
+ Name: 'RAMShare76d2681489c0',
 Principals: ['123456789012'],
 ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
 PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'],
@@ -229,7 +229,7 @@ describe('Attribute Group', () => {
 Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
 AllowExternalPrincipals: false,
- Name: 'RAMShareMyAttributeGroup',
+ Name: 'RAMShare76d2681489c0',
 Principals: ['arn:aws:iam::123456789012:role/myRole'],
 ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
 PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'],
@@ -245,7 +245,7 @@ describe('Attribute Group', () => {
 Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
 AllowExternalPrincipals: false,
- Name: 'RAMShareMyAttributeGroup',
+ Name: 'RAMShare76d2681489c0',
 Principals: ['arn:aws:iam::123456789012:user/myUser'],
 ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
 PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'],
@@ -260,7 +260,7 @@ describe('Attribute Group', () => {
 Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
 AllowExternalPrincipals: false,
- Name: 'RAMShareMyAttributeGroup',
+ Name: 'RAMShare76d2681489c0',
 Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'],
 ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
 PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly'],
@@ -275,7 +275,7 @@ describe('Attribute Group', () => {
 Template.fromStack(stack).hasResourceProperties('AWS::RAM::ResourceShare', {
 AllowExternalPrincipals: false,
- Name: 'RAMShareMyAttributeGroup',
+ Name: 'RAMShare76d2681489c0',
 Principals: ['arn:aws:organizations::123456789012:organization/o-70oi5564q1'],
 ResourceArns: [{ 'Fn::GetAtt': ['MyAttributeGroup99099500', 'Arn'] }],
 PermissionArns: ['arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupAllowAssociation'],
From 6a32574b9cf04ef8c2774aca1f7e6d85894a5d92 Mon Sep 17 00:00:00 2001
From: Alex Makoviecki
Date: Fri, 29 Jul 2022 19:45:35 -0700
Subject: [PATCH 16/20] Revert RAM constructs to experimental per (#21208)
---
 packages/@aws-cdk/aws-ram/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-ram/package.json b/packages/@aws-cdk/aws-ram/package.json
index f0fba5fd3df5d..d778818124a6b 100644
--- a/packages/@aws-cdk/aws-ram/package.json
+++ b/packages/@aws-cdk/aws-ram/package.json
@@ -99,7 +99,7 @@
 "engines": {
 "node": ">= 14.15.0"
 },
- "stability": "stable",
+ "stability": "experimental",
 "maturity": "cfn-only",
 "awscdkio": {
 "announce": false
From bebfc13b8deabb629dc604ce9139364614601f9c Mon Sep 17 00:00:00 2001
From: Alex Makoviecki
Date: Fri, 29 Jul 2022 19:51:42 -0700
Subject: [PATCH 17/20] Added extra blank line above each @param
---
 .../aws-servicecatalogappregistry/lib/application.ts | 6 ++++++
 .../aws-servicecatalogappregistry/lib/attribute-group.ts | 3 +++
 .../@aws-cdk/aws-servicecatalogappregistry/lib/common.ts | 1 +
 3 files changed, 10 insertions(+)
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
index 3fc38569b8144..59205e9b4be48 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
@@ -28,18 +28,21 @@ export interface IApplication extends cdk.IResource {
 /**
 * Associate thisapplication with an attribute group.
+ *
 * @param attributeGroup AppRegistry attribute group
 */
 associateAttributeGroup(attributeGroup: IAttributeGroup): void;
 /**
 * Associate this application with a CloudFormation stack.
+ *
 * @param stack a CFN stack
 */
 associateStack(stack: cdk.Stack): void;
 /**
 * Share this application with other IAM entities, accounts, or OUs.
+ *
 * @param shareOptions The options for the share.
 */
 shareApplication(shareOptions: ShareOptions): void;
@@ -102,6 +105,7 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication {
 /**
 * Share an application with accounts, organizations and OUs, and IAM roles and users.
 * The application will become available to end users within those principals.
+ *
 * @param shareOptions The options for the share.
 */
 public shareApplication(shareOptions: ShareOptions): void {
@@ -145,7 +149,9 @@ export class Application extends ApplicationBase {
 * Imports an Application construct that represents an external application.
 *
 * @param scope The parent creating construct (usually `this`).
+ *
 * @param id The construct's name.
+ *
 * @param applicationArn the Amazon Resource Name of the existing AppRegistry Application
 */
 public static fromApplicationArn(scope: Construct, id: string, applicationArn: string): IApplication {
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
index 9a56b0ae746d0..be63c2b8960ae 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
@@ -27,6 +27,7 @@ export interface IAttributeGroup extends cdk.IResource {
 /**
 * Share the attribute group resource with other IAM entities, accounts, or OUs.
+ *
 * @param shareOptions The options for the share.
 */
 shareAttributeGroup(shareOptions: ShareOptions): void;
@@ -94,7 +95,9 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou
 * Imports an attribute group construct that represents an external attribute group.
 *
 * @param scope The parent creating construct (usually `this`).
+ *
 * @param id The construct's name.
+ *
 * @param attributeGroupArn the Amazon Resource Name of the existing AppRegistry attribute group
 */
 public static fromAttributeGroupArn(scope: Construct, id: string, attributeGroupArn: string): IAttributeGroup {
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
index 9b5543179a25c..148ddb1637c03 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/common.ts
@@ -67,6 +67,7 @@ export function hashValues(...values: string[]): string {
 /**
 * Reformats share targets into a collapsed list necessary for handler.
+ *
 * @param options The share target options
 * @returns flat list of target ARNs
 */
From 6d0fcb2aacd2c2cfceacfcae87bd28f6a92a9155 Mon Sep 17 00:00:00 2001
From: Alex Makoviecki
Date: Wed, 3 Aug 2022 16:38:03 -0700
Subject: [PATCH 18/20] Update packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
Co-authored-by: Calvin Combs <66279577+comcalvi@users.noreply.github.com>
---
 .../aws-servicecatalogappregistry/lib/attribute-group.ts | 2 --
 1 file changed, 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
index be63c2b8960ae..ea5a893422aa5 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/attribute-group.ts
@@ -95,9 +95,7 @@ export class AttributeGroup extends AttributeGroupBase implements IAttributeGrou
 * Imports an attribute group construct that represents an external attribute group.
 *
 * @param scope The parent creating construct (usually `this`).
- *
 * @param id The construct's name.
- *
 * @param attributeGroupArn the Amazon Resource Name of the existing AppRegistry attribute group
 */
 public static fromAttributeGroupArn(scope: Construct, id: string, attributeGroupArn: string): IAttributeGroup {
From 2c8034c906c9d13097fa5c0d0e2bf58875fa2ac5 Mon Sep 17 00:00:00 2001
From: Alex Makoviecki
Date: Wed, 3 Aug 2022 16:38:14 -0700
Subject: [PATCH 19/20] Update packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
Co-authored-by: Calvin Combs <66279577+comcalvi@users.noreply.github.com>
---
 .../@aws-cdk/aws-servicecatalogappregistry/lib/application.ts | 2 --
 1 file changed, 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
index 59205e9b4be48..256de4099afd0 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts
@@ -149,9 +149,7 @@ export class Application extends ApplicationBase {
 * Imports an Application construct that represents an external application.
 *
 * @param scope The parent creating construct (usually `this`).
- *
 * @param id The construct's name.
- *
 * @param applicationArn the Amazon Resource Name of the existing AppRegistry Application
 */
 public static fromApplicationArn(scope: Construct, id: string, applicationArn: string): IApplication {
From 34bbfdbfed8e7cd38b2e0f2aaf21dc68c09e53b4 Mon Sep 17 00:00:00 2001
From: Alex Makoviecki
Date: Fri, 5 Aug 2022 17:06:20 -0700
Subject: [PATCH 20/20] Update table of contents in README
---
 packages/@aws-cdk/aws-servicecatalogappregistry/README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md
index 290ebb8007106..e96a13bc8b2db 100644
--- a/packages/@aws-cdk/aws-servicecatalogappregistry/README.md
+++ b/packages/@aws-cdk/aws-servicecatalogappregistry/README.md
@@ -31,6 +31,9 @@ enables organizations to create and manage repositores of applications and assoc
 - [Associations](#associations)
 - [Associating application with an attribute group](#attribute-group-association)
 - [Associating application with a stack](#resource-association)
+- [Sharing](#sharing)
+ - [Sharing an application](#sharing-an-application)
+ - [Sharing an attribute group](#sharing-an-attribute-group)
 The `@aws-cdk/aws-servicecatalogappregistry` package contains resources that enable users to automate governance and management of their AWS resources at scale.