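package com.aws.samples.cdk.helpers;

import com.aws.samples.cdk.constructs.iam.policies.*;
import io.vavr.collection.HashMap;
import io.vavr.collection.List;
import io.vavr.collection.Map;
import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.services.iam.*;

import java.util.Objects;

import static com.aws.samples.cdk.constructs.iam.policies.CloudWatchLogsPolicies.minimalCloudWatchEventsLoggingPolicy;
import static com.aws.samples.cdk.helpers.IotHelper.DESCRIBE_ENDPOINT_POLICY_STATEMENT;
import static com.aws.samples.cdk.helpers.IotHelper.getPublishToTopicPolicyStatement;

/**
 * Builders for IAM roles used by the CDK stacks in this project.
 *
 * <p>Every role produced here shares the same shape: it is assumable by exactly one
 * {@link IPrincipal} (the trust policy), it carries a single inline policy named
 * {@code "root"} whose first statement is always {@code minimalCloudWatchEventsLoggingPolicy},
 * and it optionally attaches a list of managed policies. Callers are responsible for the
 * scope of the statements they pass in; nothing here narrows or validates resource ARNs.
 */
public class RoleHelper {
    /** Suffix appended to {@code rolePrefix} to form the construct id of a publish-to-topic role. */
    private static final String ROLE_SUFFIX = "Role";

    /** Key under which the generated inline policy document is attached to the role. */
    private static final String INLINE_POLICY_NAME = "root";

    /**
     * Builds a role that may publish to a single IoT topic and describe the account's IoT endpoint.
     *
     * <p>The resulting inline policy contains, in order: the publish statement for {@code topic},
     * the caller-supplied {@code policyStatements}, and {@code DESCRIBE_ENDPOINT_POLICY_STATEMENT}
     * (the CloudWatch logging statement is prepended later by
     * {@link #buildRoleAssumedByPrincipal}).
     *
     * @param stack            stack the role is created in
     * @param rolePrefix       construct id prefix; the id becomes {@code rolePrefix + "Role"}
     * @param topic            IoT topic (or topic filter) the role may publish to
     * @param policyStatements additional statements to include in the inline policy
     * @param managedPolicies  managed policies to attach to the role
     * @param iPrincipal       principal allowed to assume the role
     * @return the created role
     * @throws NullPointerException if {@code stack}, {@code rolePrefix}, {@code topic},
     *                              {@code policyStatements} or {@code managedPolicies} is null
     */
    public static Role buildPublishToTopicRole(Stack stack,
                                              String rolePrefix,
                                              String topic,
                                              List<PolicyStatement> policyStatements,
                                              List<IManagedPolicy> managedPolicies,
                                              IPrincipal iPrincipal) {
        Objects.requireNonNull(stack, "stack");
        Objects.requireNonNull(rolePrefix, "rolePrefix");
        Objects.requireNonNull(topic, "topic");
        Objects.requireNonNull(policyStatements, "policyStatements");
        Objects.requireNonNull(managedPolicies, "managedPolicies");

        PolicyStatement publishStatement = getPublishToTopicPolicyStatement(stack, topic);

        List<PolicyStatement> statements = List.of(publishStatement)
                .appendAll(policyStatements)
                .append(DESCRIBE_ENDPOINT_POLICY_STATEMENT);

        return buildRoleAssumedByPrincipal(stack,
                rolePrefix + ROLE_SUFFIX,
                statements,
                managedPolicies,
                iPrincipal);
    }

    /**
     * Builds a role whose trust policy allows the Lambda service principal to assume it.
     *
     * @param construct        scope the role is created in
     * @param roleName         construct id of the role
     * @param policyStatements statements for the inline policy (logging statement is prepended)
     * @param managedPolicies  managed policies to attach
     * @return the created role
     */
    public static Role buildRoleAssumedByLambda(Construct construct,
                                                String roleName,
                                                List<PolicyStatement> policyStatements,
                                                List<IManagedPolicy> managedPolicies) {
        return buildRoleAssumedByPrincipal(construct, roleName, policyStatements, managedPolicies,
                LambdaPolicies.LAMBDA_SERVICE_PRINCIPAL);
    }

    /**
     * Builds a role whose trust policy allows the Kinesis Data Firehose service principal to assume it.
     *
     * @param construct        scope the role is created in
     * @param roleName         construct id of the role
     * @param policyStatements statements for the inline policy (logging statement is prepended)
     * @param managedPolicies  managed policies to attach
     * @return the created role
     */
    public static Role buildRoleAssumedByFirehose(Construct construct,
                                                  String roleName,
                                                  List<PolicyStatement> policyStatements,
                                                  List<IManagedPolicy> managedPolicies) {
        return buildRoleAssumedByPrincipal(construct, roleName, policyStatements, managedPolicies,
                KinesisFirehosePolicies.FIREHOSE_SERVICE_PRINCIPAL);
    }

    /**
     * Builds a role whose trust policy allows the Systems Manager service principal to assume it.
     *
     * @param construct        scope the role is created in
     * @param roleName         construct id of the role
     * @param policyStatements statements for the inline policy (logging statement is prepended)
     * @param managedPolicies  managed policies to attach
     * @return the created role
     */
    public static Role buildRoleAssumedBySystemsManager(Construct construct,
                                                        String roleName,
                                                        List<PolicyStatement> policyStatements,
                                                        List<IManagedPolicy> managedPolicies) {
        return buildRoleAssumedByPrincipal(construct, roleName, policyStatements, managedPolicies,
                SystemsManagerPolicies.SYSTEMS_MANAGER_SERVICE_PRINCIPAL);
    }

    /**
     * Builds a role whose trust policy allows the Kinesis service principal to assume it.
     *
     * @param construct        scope the role is created in
     * @param roleName         construct id of the role
     * @param policyStatements statements for the inline policy (logging statement is prepended)
     * @param managedPolicies  managed policies to attach
     * @return the created role
     */
    public static Role buildRoleAssumedByKinesis(Construct construct,
                                                 String roleName,
                                                 List<PolicyStatement> policyStatements,
                                                 List<IManagedPolicy> managedPolicies) {
        return buildRoleAssumedByPrincipal(construct, roleName, policyStatements, managedPolicies,
                KinesisPolicies.KINESIS_SERVICE_PRINCIPAL);
    }

    /**
     * Builds a role whose trust policy allows the IoT service principal to assume it.
     *
     * @param construct        scope the role is created in
     * @param roleName         construct id of the role
     * @param policyStatements statements for the inline policy (logging statement is prepended)
     * @param managedPolicies  managed policies to attach
     * @return the created role
     */
    public static Role buildRoleAssumedByIot(Construct construct,
                                             String roleName,
                                             List<PolicyStatement> policyStatements,
                                             List<IManagedPolicy> managedPolicies) {
        return buildRoleAssumedByPrincipal(construct, roleName, policyStatements, managedPolicies,
                IotPolicies.IOT_SERVICE_PRINCIPAL);
    }

    /**
     * Builds a role assumable by {@code iPrincipal} with one inline policy and the given managed policies.
     *
     * <p>The inline policy is attached under the name {@code "root"} and always starts with
     * {@code minimalCloudWatchEventsLoggingPolicy}, followed by {@code policyStatements} in the
     * order given. Statements are used as-is; callers must ensure each one is scoped to the
     * resources the role actually needs.
     *
     * @param construct        scope the role is created in
     * @param roleName         construct id of the role
     * @param policyStatements statements to append after the logging statement
     * @param managedPolicies  managed policies to attach
     * @param iPrincipal       principal allowed to assume the role (the role's trust policy)
     * @return the created role
     * @throws NullPointerException if {@code construct}, {@code roleName}, {@code policyStatements},
     *                              {@code managedPolicies} or {@code iPrincipal} is null
     */
    public static Role buildRoleAssumedByPrincipal(Construct construct,
                                                   String roleName,
                                                   List<PolicyStatement> policyStatements,
                                                   List<IManagedPolicy> managedPolicies,
                                                   IPrincipal iPrincipal) {
        Objects.requireNonNull(construct, "construct");
        Objects.requireNonNull(roleName, "roleName");
        Objects.requireNonNull(policyStatements, "policyStatements");
        Objects.requireNonNull(managedPolicies, "managedPolicies");
        Objects.requireNonNull(iPrincipal, "iPrincipal");

        // Logging permission is mandatory for every role produced here, so it goes first.
        List<PolicyStatement> allStatements = List.<PolicyStatement>of(minimalCloudWatchEventsLoggingPolicy)
                .appendAll(policyStatements);

        PolicyDocument policyDocument = new PolicyDocument(PolicyDocumentProps.builder()
                .statements(allStatements.asJava())
                .build());

        Map<String, PolicyDocument> inlinePolicies = HashMap.of(INLINE_POLICY_NAME, policyDocument);

        RoleProps roleProps = RoleProps.builder()
                .assumedBy(iPrincipal)
                .inlinePolicies(inlinePolicies.toJavaMap())
                .managedPolicies(managedPolicies.asJava())
                .build();

        return new Role(construct, roleName, roleProps);
    }

    /**
     * Builds a role that may publish to every IoT topic under {@code topicPrefix}.
     *
     * <p>The topic passed to {@link #buildPublishToTopicRole} is {@code topicPrefix + "/*"}, i.e. a
     * wildcard over the whole subtree. A blank prefix would collapse that to {@code "/*"}, which is
     * almost certainly broader than intended, so it is rejected.
     *
     * @param stack            stack the role is created in
     * @param rolePrefix       construct id prefix; the id becomes {@code rolePrefix + "Role"}
     * @param topicPrefix      topic subtree the role may publish under (without trailing slash)
     * @param policyStatements additional statements to include in the inline policy
     * @param managedPolicies  managed policies to attach
     * @param iPrincipal       principal allowed to assume the role
     * @return the created role
     * @throws IllegalArgumentException if {@code topicPrefix} is null or blank
     */
    public static Role buildPublishToTopicPrefixIotEventRole(Stack stack,
                                                            String rolePrefix,
                                                            String topicPrefix,
                                                            List<PolicyStatement> policyStatements,
                                                            List<IManagedPolicy> managedPolicies,
                                                            IPrincipal iPrincipal) {
        if (topicPrefix == null || topicPrefix.trim().isEmpty()) {
            throw new IllegalArgumentException("topicPrefix must not be blank; a blank prefix would grant publish on \"/*\"");
        }

        return buildPublishToTopicRole(stack,
                rolePrefix,
                topicPrefix + "/*",
                policyStatements,
                managedPolicies,
                iPrincipal);
    }
}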