Class: AWSCDK::CodeBuild::UntrustedCodeBoundaryPolicy

Inherits:
IAM::ManagedPolicy
  • Object
show all
Defined in:
code_build/untrusted_code_boundary_policy.rb

Overview

Permissions Boundary for a CodeBuild Project running untrusted code.

This class is a Policy, intended to be used as a Permissions Boundary for a CodeBuild project. It allows most of the actions necessary to run the CodeBuild project, but disallows reading from Parameter Store and Secrets Manager.

Use this when your CodeBuild project is running untrusted code (for example, if you are using one to automatically build Pull Requests that anyone can submit), and you want to prevent your future self from accidentally exposing Secrets to this build.

(The reason you might want to do this is because otherwise anyone who can submit a Pull Request to your project can write a script to email those secrets to themselves).

Examples:

project = nil # AWSCDK::CodeBuild::Project

AWSCDK::IAM::PermissionsBoundary.of(project).apply(AWSCDK::CodeBuild::UntrustedCodeBoundaryPolicy.new(self, "Boundary"))

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(scope, id, props = nil) ⇒ UntrustedCodeBoundaryPolicy

Returns a new instance of UntrustedCodeBoundaryPolicy.

Parameters:



30
31
32
33
34
35
36
# File 'code_build/untrusted_code_boundary_policy.rb', line 30

def initialize(scope, id, props = nil)
  props = props.is_a?(Hash) ? ::AWSCDK::CodeBuild::UntrustedCodeBoundaryPolicyProps.new(**props.transform_keys(&:to_sym)) : props
  Jsii::Type.check_type(scope, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLkNvbnN0cnVjdCJ9")), "scope")
  Jsii::Type.check_type(id, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "id")
  Jsii::Type.check_type(props, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfY29kZWJ1aWxkLlVudHJ1c3RlZENvZGVCb3VuZGFyeVBvbGljeVByb3BzIn0=")), "props") unless props.nil?
  Jsii::Object.instance_method(:initialize).bind(self).call(scope, id, props)
end

Class Method Details

.jsii_overridable_methodsObject



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# File 'code_build/untrusted_code_boundary_policy.rb', line 38

def self.jsii_overridable_methods
  {
    :node => { kind: :property, name: "node", is_optional: false },
    :env => { kind: :property, name: "env", is_optional: false },
    :physical_name => { kind: :property, name: "physicalName", is_optional: false },
    :stack => { kind: :property, name: "stack", is_optional: false },
    :description => { kind: :property, name: "description", is_optional: false },
    :document => { kind: :property, name: "document", is_optional: false },
    :grant_principal => { kind: :property, name: "grantPrincipal", is_optional: false },
    :managed_policy_arn => { kind: :property, name: "managedPolicyArn", is_optional: false },
    :managed_policy_name => { kind: :property, name: "managedPolicyName", is_optional: false },
    :managed_policy_ref => { kind: :property, name: "managedPolicyRef", is_optional: false },
    :path => { kind: :property, name: "path", is_optional: false },
    :to_string => { kind: :method, name: "toString", is_optional: false },
    :with => { kind: :method, name: "with", is_optional: false },
    :apply_cross_stack_reference_strength => { kind: :method, name: "applyCrossStackReferenceStrength", is_optional: false },
    :apply_removal_policy => { kind: :method, name: "applyRemovalPolicy", is_optional: false },
    :generate_physical_name => { kind: :method, name: "generatePhysicalName", is_optional: false },
    :get_resource_arn_attribute => { kind: :method, name: "getResourceArnAttribute", is_optional: false },
    :get_resource_name_attribute => { kind: :method, name: "getResourceNameAttribute", is_optional: false },
    :add_statements => { kind: :method, name: "addStatements", is_optional: false },
    :attach_to_group => { kind: :method, name: "attachToGroup", is_optional: false },
    :attach_to_role => { kind: :method, name: "attachToRole", is_optional: false },
    :attach_to_user => { kind: :method, name: "attachToUser", is_optional: false },
  }
end

.PROPERTY_INJECTION_IDString

Uniquely identifies this class.

Returns:

  • (String)


111
112
113
# File 'code_build/untrusted_code_boundary_policy.rb', line 111

def self.PROPERTY_INJECTION_ID()
  Jsii::Kernel.instance.get_static("aws-cdk-lib.aws_codebuild.UntrustedCodeBoundaryPolicy", "PROPERTY_INJECTION_ID")
end

Instance Method Details

#add_statements(*statement) ⇒ void

This method returns an undefined value.

Adds a statement to the policy document.

Parameters:



258
259
260
261
262
263
# File 'code_build/untrusted_code_boundary_policy.rb', line 258

def add_statements(*statement)
  statement.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlBvbGljeVN0YXRlbWVudCJ9")), "statement[#{index}]")
  end
  jsii_call_method("addStatements", [*statement])
end

#apply_cross_stack_reference_strength(strength) ⇒ void

This method returns an undefined value.

Override the cross-stack reference strength for this resource.

When set, any cross-stack reference to this resource will use the specified mechanism instead of the global default determined by the @aws-cdk/core:defaultCrossStackReferences context key. This is useful for selectively weakening specific references to avoid the "deadly embrace" problem without changing the app-wide default.

Parameters:



197
198
199
200
# File 'code_build/untrusted_code_boundary_policy.rb', line 197

def apply_cross_stack_reference_strength(strength)
  Jsii::Type.check_type(strength, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5SZWZlcmVuY2VTdHJlbmd0aCJ9")), "strength")
  jsii_call_method("applyCrossStackReferenceStrength", [strength])
end

#apply_removal_policy(policy) ⇒ void

This method returns an undefined value.

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:



214
215
216
217
# File 'code_build/untrusted_code_boundary_policy.rb', line 214

def apply_removal_policy(policy)
  Jsii::Type.check_type(policy, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5SZW1vdmFsUG9saWN5In0=")), "policy")
  jsii_call_method("applyRemovalPolicy", [policy])
end

#attach_to_group(group) ⇒ void

This method returns an undefined value.

Attaches this policy to a group.



269
270
271
272
# File 'code_build/untrusted_code_boundary_policy.rb', line 269

def attach_to_group(group)
  Jsii::Type.check_type(group, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5pbnRlcmZhY2VzLmF3c19pYW0uSUdyb3VwUmVmIn0=")), "group")
  jsii_call_method("attachToGroup", [group])
end

#attach_to_role(role) ⇒ void

This method returns an undefined value.

Attaches this policy to a role.

Parameters:



278
279
280
281
# File 'code_build/untrusted_code_boundary_policy.rb', line 278

def attach_to_role(role)
  Jsii::Type.check_type(role, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklSb2xlIn0=")), "role")
  jsii_call_method("attachToRole", [role])
end

#attach_to_user(user) ⇒ void

This method returns an undefined value.

Attaches this policy to a user.



287
288
289
290
# File 'code_build/untrusted_code_boundary_policy.rb', line 287

def attach_to_user(user)
  Jsii::Type.check_type(user, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5pbnRlcmZhY2VzLmF3c19pYW0uSVVzZXJSZWYifQ==")), "user")
  jsii_call_method("attachToUser", [user])
end

#descriptionString

The description of this policy.

Returns:

  • (String)


118
119
120
# File 'code_build/untrusted_code_boundary_policy.rb', line 118

def description()
  jsii_get_property("description")
end

#documentAWSCDK::IAM::PolicyDocument

The policy document.



125
126
127
# File 'code_build/untrusted_code_boundary_policy.rb', line 125

def document()
  jsii_get_property("document")
end

#envAWSCDK::Interfaces::ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed in a Stack (those created by creating new class instances like new Role(), new Bucket(), etc.), this is always the same as the environment of the stack they belong to.

For referenced resources (those obtained from referencing methods like Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be different than the stack they were imported into.



83
84
85
# File 'code_build/untrusted_code_boundary_policy.rb', line 83

def env()
  jsii_get_property("env")
end

#generate_physical_nameString

Returns:

  • (String)


220
221
222
# File 'code_build/untrusted_code_boundary_policy.rb', line 220

def generate_physical_name()
  jsii_call_method("generatePhysicalName", [])
end

#get_resource_arn_attribute(arn_attr, arn_components) ⇒ String

Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. bucket.bucketArn).

Normally, this token will resolve to arn_attr, but if the resource is referenced across environments, arn_components will be used to synthesize a concrete ARN with the resource's physical name. Make sure to reference this.physicalName in arn_components.

Parameters:

  • arn_attr (String)

    The CFN attribute which resolves to the ARN of the resource.

  • arn_components (AWSCDK::ARNComponents)

    The format of the ARN of this resource.

Returns:

  • (String)


234
235
236
237
238
239
# File 'code_build/untrusted_code_boundary_policy.rb', line 234

def get_resource_arn_attribute(arn_attr, arn_components)
  Jsii::Type.check_type(arn_attr, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "arnAttr")
  arn_components = arn_components.is_a?(Hash) ? ::AWSCDK::ARNComponents.new(**arn_components.transform_keys(&:to_sym)) : arn_components
  Jsii::Type.check_type(arn_components, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5Bcm5Db21wb25lbnRzIn0=")), "arnComponents")
  jsii_call_method("getResourceArnAttribute", [arn_attr, arn_components])
end

#get_resource_name_attribute(name_attr) ⇒ String

Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. bucket.bucketName).

Normally, this token will resolve to name_attr, but if the resource is referenced across environments, it will be resolved to this.physicalName, which will be a concrete name.

Parameters:

  • name_attr (String)

    The CFN attribute which resolves to the resource's name.

Returns:

  • (String)


249
250
251
252
# File 'code_build/untrusted_code_boundary_policy.rb', line 249

def get_resource_name_attribute(name_attr)
  Jsii::Type.check_type(name_attr, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "nameAttr")
  jsii_call_method("getResourceNameAttribute", [name_attr])
end

#grant_principalAWSCDK::IAM::IPrincipal

The principal to grant permissions to.



132
133
134
# File 'code_build/untrusted_code_boundary_policy.rb', line 132

def grant_principal()
  jsii_get_property("grantPrincipal")
end

#managed_policy_arnString

Returns the ARN of this managed policy.

Returns:

  • (String)


139
140
141
# File 'code_build/untrusted_code_boundary_policy.rb', line 139

def managed_policy_arn()
  jsii_get_property("managedPolicyArn")
end

#managed_policy_nameString

The name of this policy.

Returns:

  • (String)


146
147
148
# File 'code_build/untrusted_code_boundary_policy.rb', line 146

def managed_policy_name()
  jsii_get_property("managedPolicyName")
end

#managed_policy_refAWSCDK::Interfaces::AWSIAM::ManagedPolicyReference

A reference to a ManagedPolicy resource.



153
154
155
# File 'code_build/untrusted_code_boundary_policy.rb', line 153

def managed_policy_ref()
  jsii_get_property("managedPolicyRef")
end

#nodeConstructs::Node

The tree node.

Returns:

  • (Constructs::Node)


68
69
70
# File 'code_build/untrusted_code_boundary_policy.rb', line 68

def node()
  jsii_get_property("node")
end

#pathString

The path of this policy.

Returns:

  • (String)


160
161
162
# File 'code_build/untrusted_code_boundary_policy.rb', line 160

def path()
  jsii_get_property("path")
end

#physical_nameString

Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

This value will resolve to one of the following:

  • a concrete value (e.g. "my-awesome-bucket")
  • undefined, when a name should be generated by CloudFormation
  • a concrete name generated automatically during synthesis, in cross-environment scenarios.

Returns:

  • (String)


97
98
99
# File 'code_build/untrusted_code_boundary_policy.rb', line 97

def physical_name()
  jsii_get_property("physicalName")
end

#stackAWSCDK::Stack

The stack in which this resource is defined.

Returns:



104
105
106
# File 'code_build/untrusted_code_boundary_policy.rb', line 104

def stack()
  jsii_get_property("stack")
end

#to_stringString

Returns a string representation of this construct.

Returns:

  • (String)


167
168
169
# File 'code_build/untrusted_code_boundary_policy.rb', line 167

def to_string()
  jsii_call_method("toString", [])
end

#with(*mixins) ⇒ Constructs::IConstruct

Applies one or more mixins to this construct.

Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited. Use multiple with() calls if subsequent mixins should apply to added constructs.

Parameters:

  • mixins (Array<Constructs::IMixin>)

Returns:

  • (Constructs::IConstruct)


180
181
182
183
184
185
# File 'code_build/untrusted_code_boundary_policy.rb', line 180

def with(*mixins)
  mixins.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLklNaXhpbiJ9")), "mixins[#{index}]")
  end
  jsii_call_method("with", [*mixins])
end