Operators

Attention

This is an early version of the package. The API might change when new features are implemented. Therefore make sure you use an exact version in your package.json/requirements.txt before it reaches 1.0.0.

Condition operators are available though the Operator class. First import it along with the Statement:

// for use without AWS CDK use the iam-floyd package
import { Operator, Statement } from 'iam-floyd';

// for use with CDK use the cdk-iam-floyd package
import { Operator, Statement } from 'cdk-iam-floyd';

// for use without AWS CDK use the iam-floyd package
const { Operator, Statement } = require('iam-floyd');

// for use with CDK use the cdk-iam-floyd package
const { Operator, Statement } = require('cdk-iam-floyd');

Operators can be simple strings such as StringEquals or get complex with modifiers such as ForAnyValue or IfExists. For simple operators you can use the static properties of the Operator class:

new Statement.Ec2()
  .allow()
  .toStartInstances()
  .ifAwsRequestTag('TagWithSpecialChars', '*John*', Operator.stringEquals)

{
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/TagWithSpecialChars": "*John*"
        }
    },
    "Action": "ec2:StartInstances",
    "Resource": "*",
    "Effect": "Allow"
}

Complex operators can be generated by instantiating the Operator class and calling its methods:

new Statement.Dynamodb()
  .allow()
  .toGetItem()
  .onTable('Thread')
  .ifAttributes(
    ['ID', 'Message', 'Tags'],
    new Operator().stringEquals().forAllValues(),
  )

{
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:Attributes": [
                "ID",
                "Message",
                "Tags"
            ]
        }
    },
    "Action": "dynamodb:GetItem",
    "Resource": "arn:aws:dynamodb:*:*:table/Thread",
    "Effect": "Allow"
}

new Statement.Dynamodb()
  .deny()
  .toPutItem()
  .onTable('Thread')
  .ifAttributes(
    ['ID', 'PostDateTime'],
    new Operator().stringEquals().forAnyValue(),
  )

{
    "Condition": {
        "ForAnyValue:StringEquals": {
            "dynamodb:Attributes": [
                "ID",
                "PostDateTime"
            ]
        }
    },
    "Action": "dynamodb:PutItem",
    "Resource": "arn:aws:dynamodb:*:*:table/Thread",
    "Effect": "Deny"
}

new Statement.Ec2()
  .allow()
  .toStartInstances()
  .ifAwsRequestTag(
    'Environment',
    ['Production', 'Staging', 'Dev'],
    new Operator().stringEquals().ifExists(),
  )

{
    "Condition": {
        "StringEqualsIfExists": {
            "aws:RequestTag/Environment": [
                "Production",
                "Staging",
                "Dev"
            ]
        }
    },
    "Action": "ec2:StartInstances",
    "Resource": "*",
    "Effect": "Allow"
}