
advanced-cdk-constructs



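import { Construct } from 'constructs';

/**
 * Modes for blocking public access to VPCs.
 *
 * Security note: OFF disables the control entirely; BLOCK_BIDIRECTIONAL is
 * the most restrictive setting and is the one to reach for unless a workload
 * has a documented need for outbound-only public connectivity.
 */
export declare enum VpcBlockPublicAccessMode {
  /** No blocking of public access (control disabled). */
  OFF = "off",
  /** Block only ingress (incoming) public access; egress to the internet is still permitted. */
  BLOCK_INGRESS = "block_ingress",
  /** Block both ingress and egress (bidirectional) public access. */
  BLOCK_BIDIRECTIONAL = "block_bidirectional"
}

/**
 * State for the allowed-images policy.
 *
 * Only ENABLED enforces the provider allow-list. AUDIT_MODE is for rolling the
 * control out: it surfaces non-compliant image usage but does not block it
 * (confirm the exact reporting behaviour against the AWS declarative-policy
 * documentation before relying on it).
 */
export declare enum AllowedImagesState {
  /** Only allow images from the specified providers (enforcing). */
  ENABLED = "enabled",
  /** Audit-only mode: reports rather than blocks image usage outside the allow-list. */
  AUDIT_MODE = "audit_mode"
}

/**
 * Predefined image providers for the allowed-images policy.
 *
 * These are the AWS-managed provider aliases; arbitrary AWS account IDs can
 * additionally be supplied as plain strings via {@link ImageProviderOrAccountId}.
 */
export declare enum ImageProvider {
  /** Amazon-provided images. */
  AMAZON = "amazon",
  /** AWS Marketplace images. */
  AWS_MARKETPLACE = "aws_marketplace",
  /** AWS Backup Vault images. */
  AWS_BACKUP_VAULT = "aws_backup_vault"
}

/**
 * Options for the IMDS HttpTokens requirement.
 *
 * Security note: REQUIRED forces IMDSv2 (session-token) requests, which is the
 * control that mitigates SSRF-style theft of instance-role credentials via
 * the metadata endpoint. OPTIONAL leaves token-less IMDSv1 requests accepted
 * and should be treated as a temporary compatibility setting, not a default.
 */
export declare enum HttpTokens {
  /** No preference: the policy does not set HttpTokens; account/instance defaults apply. */
  NO_PREFERENCE = "no_preference",
  /** Require a session token on every metadata request (IMDSv2 only). */
  REQUIRED = "required",
  /** Tokens are optional: IMDSv1 requests without a token are still answered. */
  OPTIONAL = "optional"
}

/**
 * Options for the IMDS HttpEndpoint.
 *
 * DISABLED turns the metadata endpoint off entirely; anything on the instance
 * that obtains instance-role credentials or instance identity via IMDS will
 * stop working, so ENABLED plus {@link HttpTokens.REQUIRED} is the usual
 * hardened combination.
 */
export declare enum HttpEndpoint {
  /** No preference: the policy does not set HttpEndpoint. */
  NO_PREFERENCE = "no_preference",
  /** Enable the metadata endpoint. */
  ENABLED = "enabled",
  /** Disable the metadata endpoint. */
  DISABLED = "disabled"
}

/**
 * Options for exposing EC2 instance tags through IMDS.
 *
 * Security note: when ENABLED, tag values are readable by any process on the
 * instance that can reach IMDS. Treat tag values as non-secret before turning
 * this on.
 */
export declare enum InstanceMetadataTags {
  /** No preference: the policy does not set the instance-metadata-tags option. */
  NO_PREFERENCE = "no_preference",
  /** Expose instance tags via IMDS. */
  ENABLED = "enabled",
  /** Do not expose instance tags via IMDS. */
  DISABLED = "disabled"
}

/**
 * State for blocking public access to EBS snapshots.
 *
 * BLOCK_NEW_SHARING stops snapshots from being made public going forward;
 * snapshots that are already shared publicly are expected to stay that way
 * until shared access is removed (verify against the AWS EBS
 * block-public-access docs). BLOCK_ALL_SHARING is the stricter option.
 */
export declare enum SnapshotBlockPublicAccessState {
  /** Block new public sharing of snapshots; existing public shares are not revoked. */
  BLOCK_NEW_SHARING = "block_new_sharing",
  /** Block all public sharing of snapshots. */
  BLOCK_ALL_SHARING = "block_all_sharing"
}

/**
 * An image provider: either a predefined {@link ImageProvider} alias or a
 * 12-digit AWS account ID supplied as a string.
 *
 * The `string & Record<never, never>` branch is the standard trick that keeps
 * the {@link ImageProvider} members visible to autocomplete without narrowing
 * what is accepted (a plain `ImageProvider | string` collapses to `string`).
 * It does not validate the account ID: a malformed or mistyped ID is only
 * caught (if at all) when the policy is applied, so callers should validate
 * IDs before passing them in.
 */
export type ImageProviderOrAccountId = ImageProvider | (string & Record<never, never>);

/**
 * Properties for configuring a DeclarativePolicy.
 *
 * Each `*` boolean switches a control on or off; the matching enum property
 * selects the control's mode. The boolean defaults below are those stated by
 * the upstream documentation; the mode used when a boolean is `true` but its
 * enum property is left unset is decided by the implementation, which is not
 * visible in this declaration file - set the enum explicitly when the exact
 * mode matters.
 */
export interface DeclarativePolicyProps {
  /**
   * The target AWS account or organizational unit IDs to which the policy will
   * be attached. Attaching to an OU is expected to apply the policy to every
   * account beneath it, so review membership of the OU before targeting it.
   */
  readonly targetIds: string[];
  /** The name of the policy. */
  readonly name?: string;
  /** The description of the policy. */
  readonly description?: string;
  /** Whether to block public access to VPCs. Defaults to true. */
  readonly vpcBlockPublicAccess?: boolean;
  /**
   * Whether to disable EC2 serial console access. Defaults to true.
   * The serial console bypasses network-level controls, so leave this enabled
   * unless break-glass console access is an explicit requirement.
   */
  readonly disableSerialConsoleAccess?: boolean;
  /** Whether to block public access to AMIs. Defaults to true. */
  readonly imageBlockPublicAccess?: boolean;
  /** Whether to restrict allowed image providers. Defaults to true. */
  readonly restrictImageProviders?: boolean;
  /** Whether to enforce instance metadata service defaults. Defaults to true. */
  readonly instanceMetadataDefaults?: boolean;
  /** Whether to block public sharing of EBS snapshots. Defaults to true. */
  readonly blockPublicSnapshots?: boolean;
  /** The mode for blocking public access to VPCs (used when `vpcBlockPublicAccess` is on). */
  readonly vpcBlockPublicAccessMode?: VpcBlockPublicAccessMode;
  /** The state for the allowed-images policy (used when `restrictImageProviders` is on). */
  readonly allowedImagesState?: AllowedImagesState;
  /**
   * The list of allowed image providers or AWS account IDs
   * (used when `restrictImageProviders` is on). Account IDs are not validated
   * at the type level.
   */
  readonly allowedImageProviders?: ImageProviderOrAccountId[];
  /** The HttpTokens setting for the instance metadata service; REQUIRED enforces IMDSv2. */
  readonly httpTokens?: HttpTokens;
  /**
   * The hop limit for HTTP PUT responses from the instance metadata service.
   * A limit of 1 keeps IMDSv2 responses from being forwarded beyond the
   * instance itself (e.g. to containers behind a bridge network); the value
   * range AWS accepts is not checked here - confirm against the EC2 docs.
   */
  readonly httpPutResponseHopLimit?: number;
  /** The HttpEndpoint setting for the instance metadata service. */
  readonly httpEndpoint?: HttpEndpoint;
  /** The instance metadata tags setting; ENABLED exposes tag values to the instance. */
  readonly instanceMetadataTags?: InstanceMetadataTags;
  /** The state for blocking public access to EBS snapshots (used when `blockPublicSnapshots` is on). */
  readonly snapshotBlockPublicAccessState?: SnapshotBlockPublicAccessState;
}

/**
 * A CDK construct that creates an AWS Organizations EC2 Declarative Policy.
 *
 * This construct allows you to declaratively define and apply EC2-related
 * policies such as blocking public access to VPCs, restricting AMI providers,
 * enforcing instance metadata service settings, and more.
 *
 * Example:
 * ```ts
 * new DeclarativePolicy(this, 'MyPolicy', {
 *   targetIds: ['ou-xxxx-xxxxxxxx'],
 *   vpcBlockPublicAccess: true,
 *   vpcBlockPublicAccessMode: VpcBlockPublicAccessMode.BLOCK_BIDIRECTIONAL,
 * });
 * ```
 */
export declare class DeclarativePolicy extends Construct {
  /**
   * The ARN of the created declarative policy.
   */
  readonly declarativePolicyArn: string;
  /**
   * Create a new DeclarativePolicy.
   * @param scope The parent construct.
   * @param id The construct ID.
   * @param props The policy properties.
   */
  constructor(scope: Construct, id: string, props: DeclarativePolicyProps);
}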