@aws-cdk/core#Arn TypeScript Examples

The following examples show how to use @aws-cdk/core#Arn. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: efs-filesystem-policy.ts    From amazon-efs-integrations with MIT No Attribution 4 votes vote down vote up 
constructor(
    fileSystem: FileSystem,
    accessPoints: EfsAccessPoints,
    ecsOnEc2Service?: ApplicationLoadBalancedEc2Service,
    ecsOnFargateService?: ApplicationLoadBalancedFargateService,
  ) {
    // We'll be using this value several times throughout.
    const fileSystemArn = Arn.format(
      {service: 'elasticfilesystem', resource: 'file-system', resourceName: fileSystem.fileSystemId},
      fileSystem.stack,
    );

    /*
      Initialize statement list with equivalent of:
        * Disable root access by default
        * Enforce read-only access by default
        * Enforce in-transit encryption for all clients
     */
    const statements: object[] = [
      {
        Sid: 'DisableRootAccessAndEnforceReadOnlyByDefault',
        Effect: 'Allow',
        Action: 'elasticfilesystem:ClientMount',
        Principal: {
          AWS: '*',
        },
        Resource: fileSystemArn,
      },
      {
        Sid: 'EnforceInTransitEncryption',
        Effect: 'Deny',
        Action: ['*'],
        Principal: {
          AWS: '*',
        },
        Resource: fileSystemArn,
        Condition: {
          Bool: {'aws:SecureTransport': false},
        },
      },
    ];

    if (ecsOnEc2Service) {
      // Allow r/w for ECS on EC2 Service to Common, EcsPrivate, and EcsShared
      statements.push({
        Sid: 'EcsOnEc2CloudCmdTaskReadWriteAccess',
        Effect: 'Allow',
        Action: [
          'elasticfilesystem:ClientMount',
          'elasticfilesystem:ClientWrite',
        ],
        Principal: {
          AWS: ecsOnEc2Service.taskDefinition.taskRole.roleArn,
        },
        Resource: fileSystemArn,
        Condition: {
          StringEquals: {
            'elasticfilesystem:AccessPointArn': [
              accessPoints.get('Common')?.getResponseField('AccessPointArn'),
              accessPoints.get('EcsPrivate')?.getResponseField('AccessPointArn'),
              accessPoints.get('EcsShared')?.getResponseField('AccessPointArn'),
            ].filter((arn) => arn),
          },
        },
      });

      if (ecsOnFargateService) {
        // Allow readonly for ECS on EC2 Service to FargateShared, if exists.
        statements.push({
          Sid: 'EcsOnEc2CloudCmdTaskReadAccess',
          Effect: 'Allow',
          Action: [
            'elasticfilesystem:ClientMount',
          ],
          Principal: {
            AWS: ecsOnEc2Service.taskDefinition.taskRole.roleArn,
          },
          Resource: fileSystemArn,
          Condition: {
            StringEquals: {
              'elasticfilesystem:AccessPointArn': [
                accessPoints.get('FargateShared')?.getResponseField('AccessPointArn'),
              ].filter((arn) => arn),
            },
          },
        });
      }
    }

    if (ecsOnFargateService) {
      // Allow r/w for ECS on Fargate Service to Common, FargatePrivate, and FargateShared
      statements.push({
        Sid: 'EcsOnFargateCloudCmdTaskReadWriteAccess',
        Effect: 'Allow',
        Action: [
          'elasticfilesystem:ClientMount',
          'elasticfilesystem:ClientWrite',
        ],
        Principal: {
          AWS: ecsOnFargateService.taskDefinition.taskRole.roleArn,
        },
        Resource: fileSystemArn,
        Condition: {
          StringEquals: {
            'elasticfilesystem:AccessPointArn': [
              accessPoints.get('Common')?.getResponseField('AccessPointArn'),
              accessPoints.get('FargatePrivate')?.getResponseField('AccessPointArn'),
              accessPoints.get('FargateShared')?.getResponseField('AccessPointArn'),
            ].filter((arn) => arn),
          },
        },
      });

      if (ecsOnEc2Service) {
        // Allow readonly for ECS on Fargate Service to EcsShared, if exists.
        statements.push({
          Sid: 'EcsOnFargateCloudCmdTaskReadAccess',
          Effect: 'Allow',
          Action: [
            'elasticfilesystem:ClientMount',
          ],
          Principal: {
            AWS: ecsOnFargateService.taskDefinition.taskRole.roleArn,
          },
          Resource: fileSystemArn,
          Condition: {
            StringEquals: {
              'elasticfilesystem:AccessPointArn': [
                accessPoints.get('EcsShared')?.getResponseField('AccessPointArn'),
              ].filter((arn) => arn),
            },
          },
        });
      }
    }

    const createOrUpdateFileSystemPolicy = {
      action: 'putFileSystemPolicy',
      parameters: {
        FileSystemId: fileSystem.fileSystemId,
        Policy: fileSystem.stack.toJsonString({
          Version: '2012-10-17',
          Statement: statements,
        }),
      },
      physicalResourceId: PhysicalResourceId.fromResponse('FileSystemId'),
      service: 'EFS',
    };

    // Create the actual policy based on the statements assembled above.
    super(
      fileSystem.stack,
      'EfsFileSystemPolicy', {
        onCreate: createOrUpdateFileSystemPolicy,
        onUpdate: createOrUpdateFileSystemPolicy,
        policy: AwsCustomResourcePolicy.fromSdkCalls({
          resources: AwsCustomResourcePolicy.ANY_RESOURCE,
        }),
      },
    );
  }