ExamplesΒΆ

Attention

This is an early version of the package. The API might change when new features are implemented. Therefore make sure you use an exact version in your package.json/requirements.txt before it reaches 1.0.0.

const policy = {
  Version: '2012-10-17',
  Statement: [
    new statement.Ec2()
      .allow()
      .toStartInstances()
      .ifAwsRequestTag('Owner', '${aws:username}'),
    new statement.Ec2()
      .allow()
      .toStopInstances()
      .ifResourceTag('Owner', '${aws:username}'),
    new statement.Ec2() //
      .allow()
      .allListActions()
      .allReadActions(),
  ],
};
const policy = {
  Version: '2012-10-17',
  Statement: [
    new statement.Ec2()
      .allow()
      .toStartInstances()
      .ifAwsRequestTag('Owner', '${aws:username}'),
    new statement.Ec2()
      .allow()
      .toStopInstances()
      .ifResourceTag('Owner', '${aws:username}'),
    new statement.Ec2() //
      .allow()
      .allListActions()
      .allReadActions(),
  ],
};
policy = {
    'Version': '2012-10-17',
    'Statement': [
        statement.Ec2()
        .allow()
        .to_start_instances()
        .if_aws_request_tag('Owner', '${aws:username}')
        .to_json(),
        statement.Ec2()
        .allow()
        .to_stop_instances()
        .if_resource_tag('Owner', '${aws:username}')
        .to_json(),
        statement.Ec2()
        .allow()
        .all_list_actions()
        .all_read_actions()
        .to_json()
    ]
}
const policy = {
  Version: '2012-10-17',
  Statement: [
    new statement.Cloudformation() // allow all CFN actions
      .allow()
      .allActions(),
    new statement.All() // allow absolutely everything that is triggered via CFN
      .allow()
      .allActions()
      .ifAwsCalledVia('cloudformation.amazonaws.com'),
    new statement.S3() // allow access to the CDK staging bucket
      .allow()
      .allActions()
      .on('arn:aws:s3:::cdktoolkit-stagingbucket-*'),
    new statement.Account() // even when triggered via CFN, do not allow modifications of the account
      .deny()
      .allPermissionManagementActions()
      .allWriteActions(),
    new statement.Organizations() // even when triggered via CFN, do not allow modifications of the organization
      .deny()
      .allPermissionManagementActions()
      .allWriteActions(),
  ],
};
const policy = {
  Version: '2012-10-17',
  Statement: [
    new statement.Cloudformation() // allow all CFN actions
      .allow()
      .allActions(),
    new statement.All() // allow absolutely everything that is triggered via CFN
      .allow()
      .allActions()
      .ifAwsCalledVia('cloudformation.amazonaws.com'),
    new statement.S3() // allow access to the CDK staging bucket
      .allow()
      .allActions()
      .on('arn:aws:s3:::cdktoolkit-stagingbucket-*'),
    new statement.Account() // even when triggered via CFN, do not allow modifications of the account
      .deny()
      .allPermissionManagementActions()
      .allWriteActions(),
    new statement.Organizations() // even when triggered via CFN, do not allow modifications of the organization
      .deny()
      .allPermissionManagementActions()
      .allWriteActions(),
  ],
};
policy = {
    'Version': '2012-10-17',
    'Statement': [
        # allow all CFN actions
        statement.Cloudformation() \
        .allow() \
        .all_actions() \
        .to_json(),
        # allow access to the CDK staging bucket
        statement.All() \
        .allow() \
        .all_actions() \
        .if_aws_called_via('cloudformation.amazonaws.com') \
        .to_json(),
        # allow access to the CDK staging bucket
        statement.S3() \
        .allow() \
        .all_actions() \
        .on('arn:aws:s3:::cdktoolkit-stagingbucket-*') \
        .to_json(),
        # even when triggered via CFN, do not allow modifications of the
        #  account
        statement.Account() \
        .deny() \
        .all_permission_management_actions() \
        .all_write_actions() \
        .to_json(),
        # even when triggered via CFN, do not allow modifications of the
        #  organization
        statement.Organizations() \
        .deny() \
        .all_permission_management_actions() \
        .all_write_actions() \
        .to_json()
    ]
}