iam-floyd
Version:
AWS IAM policy statement generator with fluent interface
1,224 lines • 128 kB
JavaScript
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.Eks = void 0;
const shared_1 = require("../../shared");
/**
* Statement provider for service [eks](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html).
*
* @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
*/
class Eks extends shared_1.PolicyStatement {
/**
* Statement provider for service [eks](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html).
*
* @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
*/
constructor(sid) {
super(sid);
this.servicePrefix = 'eks';
this.accessLevelList = {
Read: [
'AccessKubernetesApi',
'DescribeAccessEntry',
'DescribeAddon',
'DescribeAddonConfiguration',
'DescribeAddonVersions',
'DescribeCluster',
'DescribeClusterVersions',
'DescribeEksAnywhereSubscription',
'DescribeFargateProfile',
'DescribeIdentityProviderConfig',
'DescribeInsight',
'DescribeNodegroup',
'DescribePodIdentityAssociation',
'DescribeUpdate',
'ListTagsForResource'
],
Write: [
'AssociateAccessPolicy',
'AssociateEncryptionConfig',
'AssociateIdentityProviderConfig',
'CreateAccessEntry',
'CreateAddon',
'CreateCluster',
'CreateEksAnywhereSubscription',
'CreateFargateProfile',
'CreateNodegroup',
'CreatePodIdentityAssociation',
'DeleteAccessEntry',
'DeleteAddon',
'DeleteCluster',
'DeleteEksAnywhereSubscription',
'DeleteFargateProfile',
'DeleteNodegroup',
'DeletePodIdentityAssociation',
'DeregisterCluster',
'DisassociateAccessPolicy',
'DisassociateIdentityProviderConfig',
'RegisterCluster',
'UpdateAccessEntry',
'UpdateAddon',
'UpdateClusterConfig',
'UpdateClusterVersion',
'UpdateEksAnywhereSubscription',
'UpdateNodegroupConfig',
'UpdateNodegroupVersion',
'UpdatePodIdentityAssociation'
],
List: [
'ListAccessEntries',
'ListAccessPolicies',
'ListAddons',
'ListAssociatedAccessPolicies',
'ListClusters',
'ListEksAnywhereSubscriptions',
'ListFargateProfiles',
'ListIdentityProviderConfigs',
'ListInsights',
'ListNodegroups',
'ListPodIdentityAssociations',
'ListUpdates'
],
Tagging: [
'TagResource',
'UntagResource'
]
};
}
/**
* Grants permission to view Kubernetes objects via AWS EKS console
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html
*/
toAccessKubernetesApi() {
return this.to('AccessKubernetesApi');
}
/**
* Grants permission to associate an Amazon EKS access policy to an Amazon EKS access entry
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyArn()
* - .ifNamespaces()
* - .ifAccessScope()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateAccessPolicy.html
*/
toAssociateAccessPolicy() {
return this.to('AssociateAccessPolicy');
}
/**
* Grants permission to associate encryption configuration to a cluster
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateEncryptionConfig.html
*/
toAssociateEncryptionConfig() {
return this.to('AssociateEncryptionConfig');
}
/**
* Grants permission to associate an identity provider configuration to a cluster
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
* - .ifClientId()
* - .ifIssuerUrl()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateIdentityProviderConfig.html
*/
toAssociateIdentityProviderConfig() {
return this.to('AssociateIdentityProviderConfig');
}
/**
* Grants permission to create an Amazon EKS access entry
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
* - .ifPrincipalArn()
* - .ifKubernetesGroups()
* - .ifUsername()
* - .ifAccessEntryType()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAccessEntry.html
*/
toCreateAccessEntry() {
return this.to('CreateAccessEntry');
}
/**
* Grants permission to create an Amazon EKS add-on
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html
*/
toCreateAddon() {
return this.to('CreateAddon');
}
/**
* Grants permission to create an Amazon EKS cluster
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
* - .ifBootstrapClusterCreatorAdminPermissions()
* - .ifBootstrapSelfManagedAddons()
* - .ifAuthenticationMode()
* - .ifSupportType()
* - .ifComputeConfigEnabled()
* - .ifElasticLoadBalancingEnabled()
* - .ifBlockStorageEnabled()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateCluster.html
*/
toCreateCluster() {
return this.to('CreateCluster');
}
/**
* Grants permission to create an EKS Anywhere subscription
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateEksAnywhereSubscription.html
*/
toCreateEksAnywhereSubscription() {
return this.to('CreateEksAnywhereSubscription');
}
/**
* Grants permission to create an AWS Fargate profile
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateFargateProfile.html
*/
toCreateFargateProfile() {
return this.to('CreateFargateProfile');
}
/**
* Grants permission to create an Amazon EKS Nodegroup
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateNodegroup.html
*/
toCreateNodegroup() {
return this.to('CreateNodegroup');
}
/**
* Grants permission to create an EKS Pod Identity association
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_CreatePodIdentityAssociation.html
*/
toCreatePodIdentityAssociation() {
return this.to('CreatePodIdentityAssociation');
}
/**
* Grants permission to delete an Amazon EKS access entry
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DeleteAccessEntry.html
*/
toDeleteAccessEntry() {
return this.to('DeleteAccessEntry');
}
/**
* Grants permission to delete an Amazon EKS add-on
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DeleteAddon.html
*/
toDeleteAddon() {
return this.to('DeleteAddon');
}
/**
* Grants permission to delete an Amazon EKS cluster
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DeleteCluster.html
*/
toDeleteCluster() {
return this.to('DeleteCluster');
}
/**
* Grants permission to describe an EKS Anywhere subscription
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DeleteEksAnywhereSubscription.html
*/
toDeleteEksAnywhereSubscription() {
return this.to('DeleteEksAnywhereSubscription');
}
/**
* Grants permission to delete an AWS Fargate profile
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DeleteFargateProfile.html
*/
toDeleteFargateProfile() {
return this.to('DeleteFargateProfile');
}
/**
* Grants permission to delete an Amazon EKS Nodegroup
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DeleteNodegroup.html
*/
toDeleteNodegroup() {
return this.to('DeleteNodegroup');
}
/**
* Grants permission to delete an EKS Pod Identity association
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DeletePodIdentityAssociation.html
*/
toDeletePodIdentityAssociation() {
return this.to('DeletePodIdentityAssociation');
}
/**
* Grants permission to deregister an External cluster
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DeregisterCluster.html
*/
toDeregisterCluster() {
return this.to('DeregisterCluster');
}
/**
* Grants permission to describe an Amazon EKS access entry
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeAccessEntry.html
*/
toDescribeAccessEntry() {
return this.to('DescribeAccessEntry');
}
/**
* Grants permission to retrieve descriptive information about an Amazon EKS add-on
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeAddon.html
*/
toDescribeAddon() {
return this.to('DescribeAddon');
}
/**
* Grants permission to list configuration options about an Amazon EKS add-on
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeAddonConfiguration.html
*/
toDescribeAddonConfiguration() {
return this.to('DescribeAddonConfiguration');
}
/**
* Grants permission to retrieve descriptive version information about the add-ons that Amazon EKS Add-ons supports
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeAddonVersions.html
*/
toDescribeAddonVersions() {
return this.to('DescribeAddonVersions');
}
/**
* Grants permission to retrieve descriptive information about an Amazon EKS cluster
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeCluster.html
*/
toDescribeCluster() {
return this.to('DescribeCluster');
}
/**
* Grants permission to retrieve descriptive information about Kubernetes versions that Amazon EKS clusters support
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeClusterVersions.html
*/
toDescribeClusterVersions() {
return this.to('DescribeClusterVersions');
}
/**
* Grants permission to describe an EKS Anywhere subscription
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeEksAnywhereSubscription.html
*/
toDescribeEksAnywhereSubscription() {
return this.to('DescribeEksAnywhereSubscription');
}
/**
* Grants permission to retrieve descriptive information about an AWS Fargate profile associated with a cluster
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeFargateProfile.html
*/
toDescribeFargateProfile() {
return this.to('DescribeFargateProfile');
}
/**
* Grants permission to retrieve descriptive information about an Idp config associated with a cluster
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeIdentityProviderConfig.html
*/
toDescribeIdentityProviderConfig() {
return this.to('DescribeIdentityProviderConfig');
}
/**
* Grants permission to retrieve descriptive information of a detected insight for a specified cluster
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeInsight.html
*/
toDescribeInsight() {
return this.to('DescribeInsight');
}
/**
* Grants permission to retrieve descriptive information about an Amazon EKS nodegroup
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeNodegroup.html
*/
toDescribeNodegroup() {
return this.to('DescribeNodegroup');
}
/**
* Grants permission to describe an EKS Pod Identity association
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribePodIdentityAssociation.html
*/
toDescribePodIdentityAssociation() {
return this.to('DescribePodIdentityAssociation');
}
/**
* Grants permission to retrieve a given update for a given Amazon EKS cluster/nodegroup/add-on (in the specified or default region)
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeUpdate.html
*/
toDescribeUpdate() {
return this.to('DescribeUpdate');
}
/**
* Grants permission to disassociate an Amazon EKS access policy from an Amazon EKS acces entry
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyArn()
* - .ifNamespaces()
* - .ifAccessScope()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DisassociateAccessPolicy.html
*/
toDisassociateAccessPolicy() {
return this.to('DisassociateAccessPolicy');
}
/**
* Grants permission to delete an asssociated Idp config
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_DisassociateIdentityProviderConfig.html
*/
toDisassociateIdentityProviderConfig() {
return this.to('DisassociateIdentityProviderConfig');
}
/**
* Grants permission to list all Amazon EKS access entries
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListAccessEntries.html
*/
toListAccessEntries() {
return this.to('ListAccessEntries');
}
/**
* Grants permission to list Amazon EKS access policies
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListAccessPolicies.html
*/
toListAccessPolicies() {
return this.to('ListAccessPolicies');
}
/**
* Grants permission to list the Amazon EKS add-ons in your AWS account (in the specified or default region) for a given cluster
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListAddons.html
*/
toListAddons() {
return this.to('ListAddons');
}
/**
* Grants permission to list associated access policy on and Amazon EKS access entry
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListAssociatedAccessPolicies.html
*/
toListAssociatedAccessPolicies() {
return this.to('ListAssociatedAccessPolicies');
}
/**
* Grants permission to list the Amazon EKS clusters in your AWS account (in the specified or default region)
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListClusters.html
*/
toListClusters() {
return this.to('ListClusters');
}
/**
* Grants permission to list EKS Anywhere subscriptions
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListEksAnywhereSubscriptions.html
*/
toListEksAnywhereSubscriptions() {
return this.to('ListEksAnywhereSubscriptions');
}
/**
* Grants permission to list the AWS Fargate profiles in your AWS account (in the specified or default region) associated with a given cluster
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListFargateProfiles.html
*/
toListFargateProfiles() {
return this.to('ListFargateProfiles');
}
/**
* Grants permission to list the Idp configs in your AWS account (in the specified or default region) associated with a given cluster
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListIdentityProviderConfigs.html
*/
toListIdentityProviderConfigs() {
return this.to('ListIdentityProviderConfigs');
}
/**
* Grants permission to list all detected insights for a specified cluster
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListInsights.html
*/
toListInsights() {
return this.to('ListInsights');
}
/**
* Grants permission to list the Amazon EKS nodegroups in your AWS account (in the specified or default region) attached to given cluster
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListNodegroups.html
*/
toListNodegroups() {
return this.to('ListNodegroups');
}
/**
* Grants permission to list EKS Pod Identity associations
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListPodIdentityAssociations.html
*/
toListPodIdentityAssociations() {
return this.to('ListPodIdentityAssociations');
}
/**
* Grants permission to list tags for the specified resource
*
* Access Level: Read
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListTagsForResource.html
*/
toListTagsForResource() {
return this.to('ListTagsForResource');
}
/**
* Grants permission to list the updates for a given Amazon EKS cluster/nodegroup/add-on (in the specified or default region)
*
* Access Level: List
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_ListUpdates.html
*/
toListUpdates() {
return this.to('ListUpdates');
}
/**
* Grants permission to register an External cluster
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_RegisterCluster.html
*/
toRegisterCluster() {
return this.to('RegisterCluster');
}
/**
* Grants permission to tag the specified resource
*
* Access Level: Tagging
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_TagResource.html
*/
toTagResource() {
return this.to('TagResource');
}
/**
* Grants permission to untag the specified resource
*
* Access Level: Tagging
*
* Possible conditions:
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UntagResource.html
*/
toUntagResource() {
return this.to('UntagResource');
}
/**
* Grants permission to update an Amazon EKS access entry
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAccessEntry.html
*/
toUpdateAccessEntry() {
return this.to('UpdateAccessEntry');
}
/**
* Grants permission to update Amazon EKS add-on configurations, such as the VPC-CNI version
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html
*/
toUpdateAddon() {
return this.to('UpdateAddon');
}
/**
* Grants permission to update Amazon EKS cluster configurations (eg: API server endpoint access)
*
* Access Level: Write
*
* Possible conditions:
* - .ifAuthenticationMode()
* - .ifSupportType()
* - .ifComputeConfigEnabled()
* - .ifElasticLoadBalancingEnabled()
* - .ifBlockStorageEnabled()
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateClusterConfig.html
*/
toUpdateClusterConfig() {
return this.to('UpdateClusterConfig');
}
/**
* Grants permission to update the Kubernetes version of an Amazon EKS cluster
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateClusterVersion.html
*/
toUpdateClusterVersion() {
return this.to('UpdateClusterVersion');
}
/**
* Grants permission to update an EKS Anywhere subscription
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateEksAnywhereSubscription.html
*/
toUpdateEksAnywhereSubscription() {
return this.to('UpdateEksAnywhereSubscription');
}
/**
* Grants permission to update Amazon EKS nodegroup configurations (eg: min/max/desired capacity or labels)
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateNodegroupConfig.html
*/
toUpdateNodegroupConfig() {
return this.to('UpdateNodegroupConfig');
}
/**
* Grants permission to update the Kubernetes version of an Amazon EKS nodegroup
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateNodegroupVersion.html
*/
toUpdateNodegroupVersion() {
return this.to('UpdateNodegroupVersion');
}
/**
* Grants permission to update an EKS Pod Identity association
*
* Access Level: Write
*
* https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdatePodIdentityAssociation.html
*/
toUpdatePodIdentityAssociation() {
return this.to('UpdatePodIdentityAssociation');
}
/**
* Adds a resource of type cluster to the statement
*
* https://docs.aws.amazon.com/eks/latest/userguide/clusters.html
*
* @param clusterName - Identifier for the clusterName.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onCluster(clusterName, account, region, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks:${region ?? this.defaultRegion}:${account ?? this.defaultAccount}:cluster/${clusterName}`);
}
/**
* Adds a resource of type nodegroup to the statement
*
* https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html
*
* @param clusterName - Identifier for the clusterName.
* @param nodegroupName - Identifier for the nodegroupName.
* @param uUID - Identifier for the uUID.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onNodegroup(clusterName, nodegroupName, uUID, account, region, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks:${region ?? this.defaultRegion}:${account ?? this.defaultAccount}:nodegroup/${clusterName}/${nodegroupName}/${uUID}`);
}
/**
* Adds a resource of type addon to the statement
*
* https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html
*
* @param clusterName - Identifier for the clusterName.
* @param addonName - Identifier for the addonName.
* @param uUID - Identifier for the uUID.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onAddon(clusterName, addonName, uUID, account, region, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks:${region ?? this.defaultRegion}:${account ?? this.defaultAccount}:addon/${clusterName}/${addonName}/${uUID}`);
}
/**
* Adds a resource of type fargateprofile to the statement
*
* https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html
*
* @param clusterName - Identifier for the clusterName.
* @param fargateProfileName - Identifier for the fargateProfileName.
* @param uUID - Identifier for the uUID.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onFargateprofile(clusterName, fargateProfileName, uUID, account, region, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks:${region ?? this.defaultRegion}:${account ?? this.defaultAccount}:fargateprofile/${clusterName}/${fargateProfileName}/${uUID}`);
}
/**
* Adds a resource of type identityproviderconfig to the statement
*
* https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html
*
* @param clusterName - Identifier for the clusterName.
* @param identityProviderType - Identifier for the identityProviderType.
* @param identityProviderConfigName - Identifier for the identityProviderConfigName.
* @param uUID - Identifier for the uUID.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onIdentityproviderconfig(clusterName, identityProviderType, identityProviderConfigName, uUID, account, region, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks:${region ?? this.defaultRegion}:${account ?? this.defaultAccount}:identityproviderconfig/${clusterName}/${identityProviderType}/${identityProviderConfigName}/${uUID}`);
}
/**
* Adds a resource of type eks-anywhere-subscription to the statement
*
* https://anywhere.eks.amazonaws.com/docs/clustermgmt/support/cluster-license/
*
* @param uUID - Identifier for the uUID.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onEksAnywhereSubscription(uUID, account, region, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks:${region ?? this.defaultRegion}:${account ?? this.defaultAccount}:eks-anywhere-subscription/${uUID}`);
}
/**
* Adds a resource of type podidentityassociation to the statement
*
* https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html
*
* @param clusterName - Identifier for the clusterName.
* @param uUID - Identifier for the uUID.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onPodidentityassociation(clusterName, uUID, account, region, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks:${region ?? this.defaultRegion}:${account ?? this.defaultAccount}:podidentityassociation/${clusterName}/${uUID}`);
}
/**
* Adds a resource of type access-entry to the statement
*
* https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
*
* @param clusterName - Identifier for the clusterName.
* @param iamIdentityType - Identifier for the iamIdentityType.
* @param iamIdentityAccountID - Identifier for the iamIdentityAccountID.
* @param iamIdentityName - Identifier for the iamIdentityName.
* @param uUID - Identifier for the uUID.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
* - .ifAccessEntryType()
* - .ifClusterName()
* - .ifKubernetesGroups()
* - .ifPrincipalArn()
* - .ifUsername()
*/
onAccessEntry(clusterName, iamIdentityType, iamIdentityAccountID, iamIdentityName, uUID, account, region, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks:${region ?? this.defaultRegion}:${account ?? this.defaultAccount}:access-entry/${clusterName}/${iamIdentityType}/${iamIdentityAccountID}/${iamIdentityName}/${uUID}`);
}
/**
* Adds a resource of type access-policy to the statement
*
* https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html
*
* @param accessPolicyName - Identifier for the accessPolicyName.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*/
onAccessPolicy(accessPolicyName, partition) {
return this.on(`arn:${partition ?? this.defaultPartition}:eks::aws:cluster-access-policy/${accessPolicyName}`);
}
/**
* Filters access by a key that is present in the request the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags
*
* Applies to actions:
* - .toAssociateIdentityProviderConfig()
* - .toCreateAccessEntry()
* - .toCreateAddon()
* - .toCreateCluster()
* - .toCreateEksAnywhereSubscription()
* - .toCreateFargateProfile()
* - .toCreateNodegroup()
* - .toCreatePodIdentityAssociation()
* - .toRegisterCluster()
* - .toTagResource()
*
* @param tagKey The tag key to check
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsRequestTag(tagKey, value, operator) {
return this.if(`aws:RequestTag/${tagKey}`, value, operator ?? 'StringLike');
}
/**
* Filters access by a tag key and value pair
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags
*
* Applies to resource types:
* - cluster
* - nodegroup
* - addon
* - fargateprofile
* - identityproviderconfig
* - eks-anywhere-subscription
* - podidentityassociation
* - access-entry
*
* @param tagKey The tag key to check
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsResourceTag(tagKey, value, operator) {
return this.if(`aws:ResourceTag/${tagKey}`, value, operator ?? 'StringLike');
}
/**
* Filters access by the list of all the tag key names present in the request the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags
*
* Applies to actions:
* - .toAssociateIdentityProviderConfig()
* - .toCreateAccessEntry()
* - .toCreateAddon()
* - .toCreateCluster()
* - .toCreateEksAnywhereSubscription()
* - .toCreateFargateProfile()
* - .toCreateNodegroup()
* - .toCreatePodIdentityAssociation()
* - .toRegisterCluster()
* - .toTagResource()
* - .toUntagResource()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsTagKeys(value, operator) {
return this.if(`aws:TagKeys`, value, operator ?? 'StringLike');
}
/**
* Filters access by the access entry type present in the access entry requests the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateAccessEntry()
*
* Applies to resource types:
* - access-entry
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAccessEntryType(value, operator) {
return this.if(`accessEntryType`, value, operator ?? 'StringLike');
}
/**
* Filters access by the accessScope present in the associate / disassociate access policy requests the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toAssociateAccessPolicy()
* - .toDisassociateAccessPolicy()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAccessScope(value, operator) {
return this.if(`accessScope`, value, operator ?? 'StringLike');
}
/**
* Filters access by the authenticationMode present in the create / update cluster request
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateCluster()
* - .toUpdateClusterConfig()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAuthenticationMode(value, operator) {
return this.if(`authenticationMode`, value, operator ?? 'StringLike');
}
/**
* Filters access by the block storage enabled parameter in the create / update cluster request
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateCluster()
* - .toUpdateClusterConfig()
*
* @param value `true` or `false`. **Default:** `true`
*/
ifBlockStorageEnabled(value) {
return this.if(`blockStorageEnabled`, (typeof value !== 'undefined' ? value : true), 'Bool');
}
/**
* Filters access by the bootstrapClusterCreatorAdminPermissions present in the create cluster request
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateCluster()
*
* @param value `true` or `false`. **Default:** `true`
*/
ifBootstrapClusterCreatorAdminPermissions(value) {
return this.if(`bootstrapClusterCreatorAdminPermissions`, (typeof value !== 'undefined' ? value : true), 'Bool');
}
/**
* Filters access by the bootstrapSelfManagedAddons present in the create cluster request
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateCluster()
*
* @param value `true` or `false`. **Default:** `true`
*/
ifBootstrapSelfManagedAddons(value) {
return this.if(`bootstrapSelfManagedAddons`, (typeof value !== 'undefined' ? value : true), 'Bool');
}
/**
* Filters access by the clientId present in the associateIdentityProviderConfig request the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toAssociateIdentityProviderConfig()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifClientId(value, operator) {
return this.if(`clientId`, value, operator ?? 'StringLike');
}
/**
* Filters access by the clusterName present in the access entry requests the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to resource types:
* - access-entry
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifClusterName(value, operator) {
return this.if(`clusterName`, value, operator ?? 'StringLike');
}
/**
* Filters access by the compute config enabled parameter in the create / update cluster request
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateCluster()
* - .toUpdateClusterConfig()
*
* @param value `true` or `false`. **Default:** `true`
*/
ifComputeConfigEnabled(value) {
return this.if(`computeConfigEnabled`, (typeof value !== 'undefined' ? value : true), 'Bool');
}
/**
* Filters access by the elastic load balancing enabled parameter in the create / update cluster request
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateCluster()
* - .toUpdateClusterConfig()
*
* @param value `true` or `false`. **Default:** `true`
*/
ifElasticLoadBalancingEnabled(value) {
return this.if(`elasticLoadBalancingEnabled`, (typeof value !== 'undefined' ? value : true), 'Bool');
}
/**
* Filters access by the issuerUrl present in the associateIdentityProviderConfig request the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toAssociateIdentityProviderConfig()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifIssuerUrl(value, operator) {
return this.if(`issuerUrl`, value, operator ?? 'StringLike');
}
/**
* Filters access by the kubernetesGroups present in the access entry requests the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateAccessEntry()
*
* Applies to resource types:
* - access-entry
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifKubernetesGroups(value, operator) {
return this.if(`kubernetesGroups`, value, operator ?? 'StringLike');
}
/**
* Filters access by the namespaces present in the associate / disassociate access policy requests the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toAssociateAccessPolicy()
* - .toDisassociateAccessPolicy()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifNamespaces(value, operator) {
return this.if(`namespaces`, value, operator ?? 'StringLike');
}
/**
* Filters access by the policyArn present in the access entry requests the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toAssociateAccessPolicy()
* - .toDisassociateAccessPolicy()
*
* @param value The value(s) to check
* @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike`
*/
ifPolicyArn(value, operator) {
return this.if(`policyArn`, value, operator ?? 'ArnLike');
}
/**
* Filters access by the principalArn present in the access entry requests requests the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateAccessEntry()
*
* Applies to resource types:
* - access-entry
*
* @param value The value(s) to check
* @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike`
*/
ifPrincipalArn(value, operator) {
return this.if(`principalArn`, value, operator ?? 'ArnLike');
}
/**
* Filters access by the supportType present in the create / update cluster request
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateCluster()
* - .toUpdateClusterConfig()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifSupportType(value, operator) {
return this.if(`supportType`, value, operator ?? 'StringLike');
}
/**
* Filters access by the Kubernetes username present in the access entry requests the user makes to the EKS service
*
* https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies
*
* Applies to actions:
* - .toCreateAccessEntry()
*
* Applies to resource types:
* - access-entry
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifUsername(value, operator) {
return this.if(`username`, value, operator ?? 'StringLike');
}
}
exports.Eks = Eks;
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZWxhc3RpY2t1YmVybmV0ZXNzZXJ2aWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiZWxhc3RpY2t1YmVybmV0ZXNzZXJ2aWNlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUNBLHlDQUF5RDtBQUV6RDs7OztHQUlHO0FBQ0gsTUFBYSxHQUFJLFNBQVEsd0JBQWU7SUFHdEM7Ozs7T0FJRztJQUNILFlBQVksR0FBWTtRQUN0QixLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFSTixrQkFBYSxHQUFHLEtBQUssQ0FBQztRQWt0Qm5CLG9CQUFlLEdBQW9CO1lBQzNDLElBQUksRUFBRTtnQkFDSixxQkFBcUI7Z0JBQ3JCLHFCQUFxQjtnQkFDckIsZUFBZTtnQkFDZiw0QkFBNEI7Z0JBQzVCLHVCQUF1QjtnQkFDdkIsaUJBQWlCO2dCQUNqQix5QkFBeUI7Z0JBQ3pCLGlDQUFpQztnQkFDakMsd0JBQXdCO2dCQUN4QixnQ0FBZ0M7Z0JBQ2hDLGlCQUFpQjtnQkFDakIsbUJBQW1CO2dCQUNuQixnQ0FBZ0M7Z0JBQ2hDLGdCQUFnQjtnQkFDaEIscUJBQXFCO2FBQ3RCO1lBQ0QsS0FBSyxFQUFFO2dCQUNMLHVCQUF1QjtnQkFDdkIsMkJBQTJCO2dCQUMzQixpQ0FBaUM7Z0JBQ2pDLG1CQUFtQjtnQkFDbkIsYUFBYTtnQkFDYixlQUFlO2dCQUNmLCtCQUErQjtnQkFDL0Isc0JBQXNCO2dCQUN0QixpQkFBaUI7Z0JBQ2pCLDhCQUE4QjtnQkFDOUIsbUJBQW1CO2dCQUNuQixhQUFhO2dCQUNiLGVBQWU7Z0JBQ2YsK0JBQStCO2dCQUMvQixzQkFBc0I7Z0JBQ3RCLGlCQUFpQjtnQkFDakIsOEJBQThCO2dCQUM5QixtQkFBbUI7Z0JBQ25CLDBCQUEwQjtnQkFDMUIsb0NBQW9DO2dCQUNwQyxpQkFBaUI7Z0JBQ2pCLG1CQUFtQjtnQkFDbkIsYUFBYTtnQkFDYixxQkFBcUI7Z0JBQ3JCLHNCQUFzQjtnQkFDdEIsK0JBQStCO2dCQUMvQix1QkFBdUI7Z0JBQ3ZCLHdCQUF3QjtnQkFDeEIsOEJBQThCO2FBQy9CO1lBQ0QsSUFBSSxFQUFFO2dCQUNKLG1CQUFtQjtnQkFDbkIsb0JBQW9CO2dCQUNwQixZQUFZO2dCQUNaLDhCQUE4QjtnQkFDOUIsY0FBYztnQkFDZCw4QkFBOEI7Z0JBQzlCLHFCQUFxQjtnQkFDckIsNkJBQTZCO2dCQUM3QixjQUFjO2dCQUNkLGdCQUFnQjtnQkFDaEIsNkJBQTZCO2dCQUM3QixhQUFhO2FBQ2Q7WUFDRCxPQUFPLEVBQUU7Z0JBQ1AsYUFBYTtnQkFDYixlQUFlO2FBQ2hCO1NBQ0YsQ0FBQztJQTV3QkYsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNJLHFCQUFxQjtRQUMxQixPQUFPLElBQUksQ0FBQyxFQUFFLENBQUMscUJBQXFCLENBQUMsQ0FBQztJQUN4QyxDQUFDO0lBRUQ7Ozs7Ozs7Ozs7O09BV0c7SUFDSSx1QkFBdUI7UUFDNUIsT0FBTyxJQUFJLENBQUMsRUFBRSxDQUFDLHVCQUF1QixDQUFDLENBQUM7SUFDMUMsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNJLDJCQUEyQjtRQUNoQyxPQUFPLElBQUksQ0FBQyxFQUFFLENBQUMsMkJBQTJCLENBQUMsQ0FBQztJQUM5QyxDQUFDO0lBRUQ7Ozs7Ozs7Ozs7OztPQVlHO0lBQ0ksaUNBQWlDO1FBQ3RDLE9BQU8sSUFBSSxDQUFDLEVBQUUsQ0FBQyxpQ0FBaUMsQ0FBQyxDQUFDO0