package awscodebuild

import (
	_init_ "github.com/aws/aws-cdk-go/awscdk/v2/jsii"
	_jsii_ "github.com/aws/jsii-runtime-go/runtime"
	"github.com/aws/aws-cdk-go/awscdk/v2"
	"github.com/aws/aws-cdk-go/awscdk/v2/awscodebuild/internal"
	"github.com/aws/aws-cdk-go/awscdk/v2/awsiam"
	"github.com/aws/constructs-go/constructs/v10"
)

// untrustedCodeBoundaryPolicyFQN is the jsii fully-qualified name of the
// TypeScript class that every constructor and static call in this file is
// proxied to.
const untrustedCodeBoundaryPolicyFQN = "aws-cdk-lib.aws_codebuild.UntrustedCodeBoundaryPolicy"

// UntrustedCodeBoundaryPolicy is an IAM managed policy meant to be attached as
// a permissions boundary to the role of a CodeBuild project that executes code
// you do not control (for example a project that builds every pull request,
// including ones opened by strangers).
//
// The boundary permits most of what a build needs in order to run, while
// denying reads from SSM Parameter Store and Secrets Manager. Without it,
// anyone who can get a build to run could write a build step that uses the
// project's role to fetch those secrets and send them somewhere else.
//
// Things a reviewer should keep in mind when relying on it:
//
//   - A permissions boundary is a ceiling, not a grant. It only narrows what
//     the role's own policies allow and adds no permissions by itself.
//   - It constrains API calls made with the project's role credentials. Secrets
//     that reach the build by another route (plaintext environment variables on
//     the project, values committed to the source, credentials baked into the
//     build image) are visible to the build regardless of this policy.
//   - Creating the policy does nothing on its own; it has to be applied to the
//     project's role, as the example below does.
//   - The exact statements live in the TypeScript construct this type proxies
//     to. Call Document() to inspect what is actually allowed and denied
//     before relying on it, and remember that AddStatements can widen it.
//   - NOTE(review): within the same account, resource-based policies that
//     grant to the build's principal directly may not be limited by a
//     permissions boundary; confirm against the IAM policy-evaluation rules if
//     you depend on this boundary for anything beyond the role's own policies.
//
// Example:
//   var project project
//
//   iam.PermissionsBoundary_Of(project).Apply(codebuild.NewUntrustedCodeBoundaryPolicy(this, jsii.String("Boundary")))
//
type UntrustedCodeBoundaryPolicy interface {
	awsiam.ManagedPolicy
	// Description returns the description of this policy.
	Description() *string
	// Document returns the policy document. Inspect it to audit exactly which
	// actions the boundary permits and denies.
	Document() awsiam.PolicyDocument
	// Env returns the environment this resource belongs to.
	//
	// For resources created and managed by the CDK this is always the
	// environment of the stack they belong to. For imported resources (those
	// obtained from static methods such as fromRoleArn or fromBucketName) it
	// can differ from the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// GrantPrincipal returns the principal to grant permissions to.
	GrantPrincipal() awsiam.IPrincipal
	// ManagedPolicyArn returns the ARN of this managed policy.
	ManagedPolicyArn() *string
	// ManagedPolicyName returns the name of this policy.
	ManagedPolicyName() *string
	// Node returns the construct tree node.
	Node() constructs.Node
	// Path returns the IAM path of this policy.
	Path() *string
	// PhysicalName returns a string-encoded token that resolves to the
	// physical name passed to the CloudFormation resource.
	//
	// The token resolves to one of:
	//   - a concrete value (e.g. `"my-awesome-bucket"`)
	//   - `undefined`, when CloudFormation should generate the name
	//   - a concrete name generated during synthesis, in cross-environment
	//     scenarios.
	PhysicalName() *string
	// Stack returns the stack in which this resource is defined.
	Stack() awscdk.Stack
	// AddStatements appends statements to the policy document.
	//
	// Because this policy is meant to be a permissions boundary, an Allow
	// statement added here raises the ceiling for untrusted build code; an
	// explicit Deny narrows it. Review additions accordingly.
	AddStatements(statement ...awsiam.PolicyStatement)
	// ApplyRemovalPolicy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because it was removed from the
	// CDK application or because a change forces replacement.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`) or left in the
	// account for later recovery and cleanup (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// AttachToGroup attaches this policy to a group.
	AttachToGroup(group awsiam.IGroup)
	// AttachToRole attaches this policy to a role.
	AttachToRole(role awsiam.IRole)
	// AttachToUser attaches this policy to a user.
	AttachToUser(user awsiam.IUser)
	// GeneratePhysicalName asks the underlying construct for a generated
	// physical name.
	GeneratePhysicalName() *string
	// GetResourceArnAttribute returns an environment-sensitive token for the
	// resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally the token resolves to `arnAttr`; when the resource is referenced
	// across environments, `arnComponents` is used to synthesize a concrete ARN
	// from the resource's physical name, so `arnComponents` must reference
	// `this.physicalName`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// GetResourceNameAttribute returns an environment-sensitive token for the
	// resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally the token resolves to `nameAttr`; when the resource is
	// referenced across environments it resolves to `this.physicalName`, which
	// is then a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// ToString returns a string representation of this construct.
	ToString() *string
}

// jsiiProxy_UntrustedCodeBoundaryPolicy forwards every UntrustedCodeBoundaryPolicy
// call to the JavaScript object of the same name through the jsii runtime.
type jsiiProxy_UntrustedCodeBoundaryPolicy struct {
	internal.Type__awsiamManagedPolicy
}

// Description reads the jsii "description" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) Description() *string {
	var out *string
	_jsii_.Get(p, "description", &out)
	return out
}

// Document reads the jsii "document" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) Document() awsiam.PolicyDocument {
	var out awsiam.PolicyDocument
	_jsii_.Get(p, "document", &out)
	return out
}

// Env reads the jsii "env" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) Env() *awscdk.ResourceEnvironment {
	var out *awscdk.ResourceEnvironment
	_jsii_.Get(p, "env", &out)
	return out
}

// GrantPrincipal reads the jsii "grantPrincipal" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) GrantPrincipal() awsiam.IPrincipal {
	var out awsiam.IPrincipal
	_jsii_.Get(p, "grantPrincipal", &out)
	return out
}

// ManagedPolicyArn reads the jsii "managedPolicyArn" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) ManagedPolicyArn() *string {
	var out *string
	_jsii_.Get(p, "managedPolicyArn", &out)
	return out
}

// ManagedPolicyName reads the jsii "managedPolicyName" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) ManagedPolicyName() *string {
	var out *string
	_jsii_.Get(p, "managedPolicyName", &out)
	return out
}

// Node reads the jsii "node" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) Node() constructs.Node {
	var out constructs.Node
	_jsii_.Get(p, "node", &out)
	return out
}

// Path reads the jsii "path" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) Path() *string {
	var out *string
	_jsii_.Get(p, "path", &out)
	return out
}

// PhysicalName reads the jsii "physicalName" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) PhysicalName() *string {
	var out *string
	_jsii_.Get(p, "physicalName", &out)
	return out
}

// Stack reads the jsii "stack" property.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) Stack() awscdk.Stack {
	var out awscdk.Stack
	_jsii_.Get(p, "stack", &out)
	return out
}

// NewUntrustedCodeBoundaryPolicy creates the boundary policy as a construct
// under scope with the given id and props.
//
// Parameters are validated before the jsii call; invalid arguments panic, as
// is the convention throughout the generated CDK bindings. The returned policy
// is not yet attached to anything; apply it as a permissions boundary to the
// project's role (see the type documentation).
func NewUntrustedCodeBoundaryPolicy(scope constructs.Construct, id *string, props *UntrustedCodeBoundaryPolicyProps) UntrustedCodeBoundaryPolicy {
	_init_.Initialize()
	if err := validateNewUntrustedCodeBoundaryPolicyParameters(scope, id, props); err != nil {
		panic(err)
	}
	var proxy jsiiProxy_UntrustedCodeBoundaryPolicy
	_jsii_.Create(untrustedCodeBoundaryPolicyFQN, []interface{}{scope, id, props}, &proxy)
	return &proxy
}

// NewUntrustedCodeBoundaryPolicy_Override initializes the jsii object behind a
// caller-supplied embedding struct u, for subclassing from Go.
//
// Unlike NewUntrustedCodeBoundaryPolicy, no parameter validation is performed
// here before the jsii call.
func NewUntrustedCodeBoundaryPolicy_Override(u UntrustedCodeBoundaryPolicy, scope constructs.Construct, id *string, props *UntrustedCodeBoundaryPolicyProps) {
	_init_.Initialize()
	_jsii_.Create(untrustedCodeBoundaryPolicyFQN, []interface{}{scope, id, props}, u)
}

// UntrustedCodeBoundaryPolicy_FromAwsManagedPolicyName imports one of the
// policies that AWS manages, identified by name only.
//
// Some managed policy names start with "service-role/", some with
// "job-function/", and some with nothing; include the prefix when calling
// this function.
//
// This is the generic ManagedPolicy importer surfaced on this type: the result
// is simply the referenced policy. Nothing checks that it restricts Parameter
// Store or Secrets Manager access the way a freshly constructed
// UntrustedCodeBoundaryPolicy does, so do not treat the result as an
// untrusted-code boundary unless you have audited that policy.
func UntrustedCodeBoundaryPolicy_FromAwsManagedPolicyName(managedPolicyName *string) awsiam.IManagedPolicy {
	_init_.Initialize()
	if err := validateUntrustedCodeBoundaryPolicy_FromAwsManagedPolicyNameParameters(managedPolicyName); err != nil {
		panic(err)
	}
	var out awsiam.IManagedPolicy
	_jsii_.StaticInvoke(untrustedCodeBoundaryPolicyFQN, "fromAwsManagedPolicyName", []interface{}{managedPolicyName}, &out)
	return out
}

// UntrustedCodeBoundaryPolicy_FromManagedPolicyArn imports an external managed
// policy by ARN, which is convenient when the ARN comes from a CloudFormation
// export.
//
// If the ARN is a Token (such as a `CfnParameter.valueAsString` or a
// `Fn.importValue()`) *and* the referenced policy has a `path` (like
// `arn:...:policy/AdminPolicy/AdminAllow`), the `managedPolicyName` property
// will not resolve correctly: it resolves to the first path component, because
// the full path name cannot be computed as a CloudFormation expression. Supply
// the ARN without the `path` in that scenario.
//
// As with the other importers, the result is whatever policy the ARN names and
// carries none of the guarantees of a newly constructed
// UntrustedCodeBoundaryPolicy.
func UntrustedCodeBoundaryPolicy_FromManagedPolicyArn(scope constructs.Construct, id *string, managedPolicyArn *string) awsiam.IManagedPolicy {
	_init_.Initialize()
	if err := validateUntrustedCodeBoundaryPolicy_FromManagedPolicyArnParameters(scope, id, managedPolicyArn); err != nil {
		panic(err)
	}
	var out awsiam.IManagedPolicy
	_jsii_.StaticInvoke(untrustedCodeBoundaryPolicyFQN, "fromManagedPolicyArn", []interface{}{scope, id, managedPolicyArn}, &out)
	return out
}

// UntrustedCodeBoundaryPolicy_FromManagedPolicyName imports a customer managed
// policy identified by name only.
//
// The result is the referenced policy as-is; it is not verified to behave like
// an untrusted-code boundary.
func UntrustedCodeBoundaryPolicy_FromManagedPolicyName(scope constructs.Construct, id *string, managedPolicyName *string) awsiam.IManagedPolicy {
	_init_.Initialize()
	if err := validateUntrustedCodeBoundaryPolicy_FromManagedPolicyNameParameters(scope, id, managedPolicyName); err != nil {
		panic(err)
	}
	var out awsiam.IManagedPolicy
	_jsii_.StaticInvoke(untrustedCodeBoundaryPolicyFQN, "fromManagedPolicyName", []interface{}{scope, id, managedPolicyName}, &out)
	return out
}

// UntrustedCodeBoundaryPolicy_IsConstruct reports whether x is a construct.
//
// Use this instead of `instanceof` on the JavaScript side: when several copies
// of the `constructs` library are present (symlinked libraries, monorepo
// tooling), each copy's `Construct` class is distinct and `instanceof` becomes
// unreliable. This check works across copies.
//
// Returns true if x is an object created from a class that extends
// `Construct`.
func UntrustedCodeBoundaryPolicy_IsConstruct(x interface{}) *bool {
	_init_.Initialize()
	if err := validateUntrustedCodeBoundaryPolicy_IsConstructParameters(x); err != nil {
		panic(err)
	}
	var out *bool
	_jsii_.StaticInvoke(untrustedCodeBoundaryPolicyFQN, "isConstruct", []interface{}{x}, &out)
	return out
}

// UntrustedCodeBoundaryPolicy_IsOwnedResource returns true if the construct
// was created by CDK, and false otherwise.
func UntrustedCodeBoundaryPolicy_IsOwnedResource(construct constructs.IConstruct) *bool {
	_init_.Initialize()
	if err := validateUntrustedCodeBoundaryPolicy_IsOwnedResourceParameters(construct); err != nil {
		panic(err)
	}
	var out *bool
	_jsii_.StaticInvoke(untrustedCodeBoundaryPolicyFQN, "isOwnedResource", []interface{}{construct}, &out)
	return out
}

// UntrustedCodeBoundaryPolicy_IsResource reports whether the given construct
// is a Resource.
func UntrustedCodeBoundaryPolicy_IsResource(construct constructs.IConstruct) *bool {
	_init_.Initialize()
	if err := validateUntrustedCodeBoundaryPolicy_IsResourceParameters(construct); err != nil {
		panic(err)
	}
	var out *bool
	_jsii_.StaticInvoke(untrustedCodeBoundaryPolicyFQN, "isResource", []interface{}{construct}, &out)
	return out
}

// AddStatements forwards the statements to the jsii "addStatements" method.
//
// Allow statements added to a permissions boundary raise the ceiling for the
// untrusted build; only Deny statements make it stricter.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) AddStatements(statement ...awsiam.PolicyStatement) {
	// jsii wants []interface{}; box each statement in order.
	args := make([]interface{}, len(statement))
	for i, s := range statement {
		args[i] = s
	}
	_jsii_.InvokeVoid(p, "addStatements", args)
}

// ApplyRemovalPolicy forwards to the jsii "applyRemovalPolicy" method after
// validating the argument.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) ApplyRemovalPolicy(policy awscdk.RemovalPolicy) {
	if err := p.validateApplyRemovalPolicyParameters(policy); err != nil {
		panic(err)
	}
	_jsii_.InvokeVoid(p, "applyRemovalPolicy", []interface{}{policy})
}

// AttachToGroup forwards to the jsii "attachToGroup" method after validating
// the argument.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) AttachToGroup(group awsiam.IGroup) {
	if err := p.validateAttachToGroupParameters(group); err != nil {
		panic(err)
	}
	_jsii_.InvokeVoid(p, "attachToGroup", []interface{}{group})
}

// AttachToRole forwards to the jsii "attachToRole" method after validating the
// argument.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) AttachToRole(role awsiam.IRole) {
	if err := p.validateAttachToRoleParameters(role); err != nil {
		panic(err)
	}
	_jsii_.InvokeVoid(p, "attachToRole", []interface{}{role})
}

// AttachToUser forwards to the jsii "attachToUser" method after validating the
// argument.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) AttachToUser(user awsiam.IUser) {
	if err := p.validateAttachToUserParameters(user); err != nil {
		panic(err)
	}
	_jsii_.InvokeVoid(p, "attachToUser", []interface{}{user})
}

// GeneratePhysicalName invokes the parameterless jsii "generatePhysicalName"
// method and returns its result.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) GeneratePhysicalName() *string {
	var out *string
	_jsii_.Invoke(p, "generatePhysicalName", nil, &out)
	return out
}

// GetResourceArnAttribute forwards to the jsii "getResourceArnAttribute"
// method after validating the arguments.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string {
	if err := p.validateGetResourceArnAttributeParameters(arnAttr, arnComponents); err != nil {
		panic(err)
	}
	var out *string
	_jsii_.Invoke(p, "getResourceArnAttribute", []interface{}{arnAttr, arnComponents}, &out)
	return out
}

// GetResourceNameAttribute forwards to the jsii "getResourceNameAttribute"
// method after validating the argument.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) GetResourceNameAttribute(nameAttr *string) *string {
	if err := p.validateGetResourceNameAttributeParameters(nameAttr); err != nil {
		panic(err)
	}
	var out *string
	_jsii_.Invoke(p, "getResourceNameAttribute", []interface{}{nameAttr}, &out)
	return out
}

// ToString invokes the parameterless jsii "toString" method.
func (p *jsiiProxy_UntrustedCodeBoundaryPolicy) ToString() *string {
	var out *string
	_jsii_.Invoke(p, "toString", nil, &out)
	return out
}