;
// CommonJS module prelude emitted by the TypeScript/jsii build.
let _a; // receives the jsii runtime-type-info symbol once the class exists (assigned at the bottom of the file)
Object.defineProperty(exports, '__esModule', { value: true });
exports.ResourceControlPolicy = undefined;
// Well-known symbol under which jsii stores the class's fully-qualified name and package version.
const JSII_RTTI_SYMBOL_1 = Symbol.for('jsii.rtti');
const aws_cdk_lib_1 = require('aws-cdk-lib');
const constructs_1 = require('constructs');
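/**
 * A CDK construct that creates and attaches an AWS Organizations Resource Control Policy (RCP).
 *
 * The policy is assembled from up to two `Deny` statements, each enabled by a flag on `props`:
 *
 * - `enforceConfusedDeputyProtection`: denies requests made by AWS service principals
 *   (`aws:PrincipalIsAWSService` = true) that carry an `aws:SourceArn` but whose
 *   `aws:SourceOrgID` / `aws:SourceAccount` do not match the values given in `props`.
 * - `enforceSecureTransport`: denies requests where `aws:SecureTransport` is false.
 *
 * Both statements apply to the same hard-coded set of services (`s3`, `sqs`, `kms`,
 * `secretsmanager`, `sts`); confirm that list against the services that currently
 * support RCPs before relying on it for anything else.
 *
 * The resulting policy is attached to every target listed in `props.targetIds`.
 */
class ResourceControlPolicy extends constructs_1.Construct {
  /**
   * Creates a new {@link ResourceControlPolicy}.
   *
   * @param scope The parent construct.
   * @param id The construct ID; also used as the policy-name suffix when `props.name` is not set.
   * @param props The properties for the resource control policy.
   * @throws {Error} if `enforceConfusedDeputyProtection` is set but neither `sourceOrgID`
   *   nor `sourceAccount` is supplied (the condition block would otherwise be emitted with
   *   no keys and constrain nothing), or if no enforcement flag is set at all (a policy
   *   with an empty `Statement` list is rejected at deploy time; fail at synth time instead).
   */
  constructor(scope, id, props) {
    super(scope, id);
    const statements = [];

    if (props.enforceConfusedDeputyProtection) {
      if (!props.sourceOrgID && !props.sourceAccount) {
        throw new Error('ResourceControlPolicy: enforceConfusedDeputyProtection requires sourceOrgID or sourceAccount');
      }
      // Only emit the keys that were actually supplied; `StringNotEqualsIfExists` treats a
      // missing request key as a match, so an absent expected value must not become a key
      // with an undefined value.
      const expectedSource = {};
      if (props.sourceOrgID) {
        expectedSource['aws:SourceOrgID'] = props.sourceOrgID;
      }
      if (props.sourceAccount) {
        expectedSource['aws:SourceAccount'] = props.sourceAccount;
      }
      statements.push({
        Sid: 'EnforceConfusedDeputyProtection',
        Effect: 'Deny',
        Principal: '*',
        Action: [
          's3:*',
          'sqs:*',
          'kms:*',
          'secretsmanager:*',
          'sts:*',
        ],
        Resource: '*',
        Condition: {
          StringNotEqualsIfExists: expectedSource,
          // Restrict the deny to calls made by AWS service principals on someone's behalf ...
          Bool: {
            'aws:PrincipalIsAWSService': 'true',
          },
          // ... that name a source resource (`Null` = 'false' means the key is present).
          Null: {
            'aws:SourceArn': 'false',
          },
        },
      });
    }

    if (props.enforceSecureTransport) {
      statements.push({
        Sid: 'EnforceSecureTransport',
        Effect: 'Deny',
        Principal: '*',
        Action: [
          'sts:*',
          's3:*',
          'sqs:*',
          'secretsmanager:*',
          'kms:*',
        ],
        Resource: '*',
        Condition: {
          // `BoolIfExists` so requests without the key are not denied outright.
          BoolIfExists: {
            'aws:SecureTransport': 'false',
          },
        },
      });
    }

    if (statements.length === 0) {
      throw new Error('ResourceControlPolicy: enable enforceConfusedDeputyProtection and/or enforceSecureTransport; an RCP needs at least one statement');
    }

    const resourceControlPolicy = {
      Version: '2012-10-17',
      Statement: statements,
    };

    const applyResourceControlPolicy = new aws_cdk_lib_1.aws_organizations.CfnPolicy(this, 'ResourceControlPolicy', {
      content: resourceControlPolicy,
      name: props.name ?? `ResourceControlPolicy-${this.node.id}`,
      type: 'RESOURCE_CONTROL_POLICY',
      description: 'Resource Control Policy from Advanced CDK Constructs',
      targetIds: props.targetIds,
    });

    // ARN of the created policy, resolved at deploy time (CloudFormation attribute).
    this.resourceControlPolicyArn = applyResourceControlPolicy.attrArn;
  }
}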
// jsii runtime type information (fully-qualified name and package version), stored on the
// class under the shared `jsii.rtti` symbol, followed by the public CommonJS export.
const RTTI_INFO = { fqn: 'advanced-cdk-constructs.ResourceControlPolicy', version: '0.0.14' };
_a = JSII_RTTI_SYMBOL_1;
ResourceControlPolicy[_a] = RTTI_INFO;
exports.ResourceControlPolicy = ResourceControlPolicy;
//# sourceMappingURL=data:application/json;base64,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