Operators
Attention
This is an early version of the package. The API might change when new features are implemented. Therefore pin an exact version in your package.json / requirements.txt until the package reaches 1.0.0.
Condition operators are available through the `Operator` class. First import it along with the `Statement` class:
// for use without AWS CDK use the iam-floyd package
import { Operator, Statement } from 'iam-floyd';
// for use with CDK use the cdk-iam-floyd package
import { Operator, Statement } from 'cdk-iam-floyd';
// for use without AWS CDK use the iam-floyd package
const { Operator, Statement } = require('iam-floyd');
// for use with CDK use the cdk-iam-floyd package
const { Operator, Statement } = require('cdk-iam-floyd');
Operators can be simple strings such as `StringEquals`, or get complex with modifiers such as `ForAnyValue` or `IfExists`. For simple operators you can use the static properties of the `Operator` class:
// Allow ec2:StartInstances only when the request carries the tag
// aws:RequestTag/TagWithSpecialChars with the exact value '*John*'.
// Operator.stringEquals renders as "StringEquals", which compares literally
// and case-sensitively: the '*' characters are plain characters here, not
// wildcards (StringLike is the operator that treats '*' as a wildcard).
new Statement.Ec2()
  .allow()
  .toStartInstances()
  .ifAwsRequestTag('TagWithSpecialChars', '*John*', Operator.stringEquals)
{
"Condition": {
"StringEquals": {
"aws:RequestTag/TagWithSpecialChars": "*John*"
}
},
"Action": "ec2:StartInstances",
"Resource": "*",
"Effect": "Allow"
}
Complex operators are built by instantiating the `Operator` class and chaining its methods:
// Allow dynamodb:GetItem on table 'Thread' only when every attribute named
// in the request is one of ID, Message or Tags. forAllValues() prefixes the
// operator, producing "ForAllValues:StringEquals".
// NOTE: ForAllValues evaluates to true when the condition key is absent from
// the request or the request supplies an empty set, so in an Allow statement
// it also grants the action to requests that name no attributes at all. AWS
// recommends pairing ForAllValues with a Null condition check on the same key
// when it is used in an Allow statement.
new Statement.Dynamodb()
  .allow()
  .toGetItem()
  .onTable('Thread')
  .ifAttributes(
    ['ID', 'Message', 'Tags'],
    new Operator().stringEquals().forAllValues(),
  )
{
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": [
"ID",
"Message",
"Tags"
]
}
},
"Action": "dynamodb:GetItem",
"Resource": "arn:aws:dynamodb:*:*:table/Thread",
"Effect": "Allow"
}
// Deny dynamodb:PutItem on table 'Thread' when at least one attribute named
// in the request is ID or PostDateTime. forAnyValue() prefixes the operator,
// producing "ForAnyValue:StringEquals".
// NOTE: ForAnyValue is false when the condition key is absent or the set is
// empty, so this Deny does not fire for requests that carry none of the
// listed attributes; that is the intended shape for a targeted deny.
new Statement.Dynamodb()
  .deny()
  .toPutItem()
  .onTable('Thread')
  .ifAttributes(
    ['ID', 'PostDateTime'],
    new Operator().stringEquals().forAnyValue(),
  )
{
"Condition": {
"ForAnyValue:StringEquals": {
"dynamodb:Attributes": [
"ID",
"PostDateTime"
]
}
},
"Action": "dynamodb:PutItem",
"Resource": "arn:aws:dynamodb:*:*:table/Thread",
"Effect": "Deny"
}
// Allow ec2:StartInstances when the aws:RequestTag/Environment tag, if it is
// present in the request, is one of Production, Staging or Dev. ifExists()
// suffixes the operator, producing "StringEqualsIfExists".
// NOTE: with IfExists the condition evaluates to true when the key is absent
// from the request context, so requests that carry no Environment tag at all
// are allowed by this statement. Drop ifExists() to require the tag.
new Statement.Ec2()
  .allow()
  .toStartInstances()
  .ifAwsRequestTag(
    'Environment',
    ['Production', 'Staging', 'Dev'],
    new Operator().stringEquals().ifExists(),
  )
{
"Condition": {
"StringEqualsIfExists": {
"aws:RequestTag/Environment": [
"Production",
"Staging",
"Dev"
]
}
},
"Action": "ec2:StartInstances",
"Resource": "*",
"Effect": "Allow"
}