Class GuInstanceRole

Creates an IAM role with common policies that are needed by most Guardian applications.

More specifically:

  1. Allows for ssh access to an EC2 instance via ssm-scala (instead of standard ssh).
  2. Allows EC2 instances to communicate with Wazuh, for security monitoring.
  3. Allows EC2 instances to download an artifact from AWS S3, for application deployment.
  4. Allows EC2 instances to download private configuration from AWS Parameter Store. See [[GuParameterStoreReadPolicy]] for specific details.
  5. Allows EC2 instances to write logs into our central ELK stack via Kinesis.

If additional IAM permissions are required, create custom policies and pass them in via the additionalPolicies prop.

If log shipping is not required, opt out by setting the withoutLogShipping prop to true.

Hierarchy

Constructors

constructor

Properties

assumeRoleAction assumeRolePolicy? env grantPrincipal idWithApp node permissionsBoundary? physicalName policyFragment principalAccount roleArn roleName stack

Accessors

roleId

Methods

_enableCrossEnvironment addManagedPolicy addToPolicy addToPrincipalPolicy applyRemovalPolicy attachInlinePolicy generatePhysicalName getResourceArnAttribute getResourceNameAttribute grant grantAssumeRole grantPassRole toString withoutPolicyUpdates customizeRoles fromRoleArn fromRoleName isConstruct isOwnedResource isResource isRole

Constructors

constructor

Properties

Readonly assumeRoleAction

assumeRoleAction: string

Optional Readonly assumeRolePolicy

assumeRolePolicy?: PolicyDocument

The assume role policy document associated with this role.

Readonly env

env: ResourceEnvironment

Readonly grantPrincipal

grantPrincipal: IPrincipal

Readonly idWithApp

idWithApp: string

The ID of the construct with the App suffix. This should be used in place of id when trying to reference the construct.

Readonly node

node: Node

The tree node.

Optional Readonly permissionsBoundary

permissionsBoundary?: IManagedPolicy

Returns the permissions boundary attached to this role

Protected Readonly physicalName

physicalName: string

Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

This value will resolve to one of the following:

  • a concrete value (e.g. "my-awesome-bucket")
  • undefined, when a name should be generated by CloudFormation
  • a concrete name generated automatically during synthesis, in cross-environment scenarios.

Readonly policyFragment

policyFragment: PrincipalPolicyFragment

Returns the role.

Readonly principalAccount

principalAccount: undefined | string

Readonly roleArn

roleArn: string

Returns the ARN of this role.

Readonly roleName

roleName: string

Returns the name of the role.

Readonly stack

stack: Stack

Accessors

roleId

  • get roleId(): string

  • Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.

    Returns string

    Attribute

Methods

_enableCrossEnvironment

  • _enableCrossEnvironment(): void
  • Internal

    Called when this resource is referenced across environments (account/region) to order to request that a physical name will be generated for this resource during synthesis, so the resource can be referenced through its absolute name/arn.

    Returns void

addManagedPolicy

  • addManagedPolicy(policy): void

  • Attaches a managed policy to this role.

    Parameters

    • policy: IManagedPolicy

      The the managed policy to attach.

    Returns void

addToPolicy

  • addToPolicy(statement): boolean

  • Parameters

    • statement: PolicyStatement

    Returns boolean

addToPrincipalPolicy

  • addToPrincipalPolicy(statement): AddToPrincipalPolicyResult

  • Adds a permission to the role's default policy document. If there is no default policy attached to this role, it will be created.

    Parameters

    • statement: PolicyStatement

      The permission statement to add to the policy document

    Returns AddToPrincipalPolicyResult

applyRemovalPolicy

  • applyRemovalPolicy(policy): void

  • Apply the given removal policy to this resource

    The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

    The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

    Parameters

    • policy: RemovalPolicy

    Returns void

attachInlinePolicy

  • attachInlinePolicy(policy): void

  • Attaches a policy to this role.

    Parameters

    • policy: Policy

      The policy to attach

    Returns void

Protected generatePhysicalName

  • generatePhysicalName(): string

  • Returns string

Protected getResourceArnAttribute

  • getResourceArnAttribute(arnAttr, arnComponents): string

  • Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. bucket.bucketArn).

    Normally, this token will resolve to arnAttr, but if the resource is referenced across environments, arnComponents will be used to synthesize a concrete ARN with the resource's physical name. Make sure to reference this.physicalName in arnComponents.

    Parameters

    • arnAttr: string

      The CFN attribute which resolves to the ARN of the resource. Commonly it will be called "Arn" (e.g. resource.attrArn), but sometimes it's the CFN resource's ref.

    • arnComponents: ArnComponents

      The format of the ARN of this resource. You must reference this.physicalName somewhere within the ARN in order for cross-environment references to work.

    Returns string

Protected getResourceNameAttribute

  • getResourceNameAttribute(nameAttr): string

  • Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. bucket.bucketName).

    Normally, this token will resolve to nameAttr, but if the resource is referenced across environments, it will be resolved to this.physicalName, which will be a concrete name.

    Parameters

    • nameAttr: string

      The CFN attribute which resolves to the resource's name. Commonly this is the resource's ref.

    Returns string

grant

  • grant(grantee, ...actions): Grant

  • Grant the actions defined in actions to the identity Principal on this resource.

    Parameters

    • grantee: IPrincipal
    • Rest ...actions: string[]

    Returns Grant

grantAssumeRole

  • grantAssumeRole(identity): Grant

  • Grant permissions to the given principal to assume this role.

    Parameters

    • identity: IPrincipal

    Returns Grant

grantPassRole

  • grantPassRole(identity): Grant

  • Grant permissions to the given principal to pass this role.

    Parameters

    • identity: IPrincipal

    Returns Grant

toString

  • toString(): string

  • Returns a string representation of an object.

    Returns string

withoutPolicyUpdates

  • withoutPolicyUpdates(options?): IRole

  • Return a copy of this Role object whose Policies will not be updated

    Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.

    If you do, you are responsible for adding the correct statements to the Role's policies yourself.

    Parameters

    • Optional options: WithoutPolicyUpdatesOptions

    Returns IRole

Static customizeRoles

  • customizeRoles(scope, options?): void

  • Customize the creation of IAM roles within the given scope

    It is recommended that you do not use this method and instead allow CDK to manage role creation. This should only be used in environments where CDK applications are not allowed to created IAM roles.

    This can be used to prevent the CDK application from creating roles within the given scope and instead replace the references to the roles with precreated role names. A report will be synthesized in the cloud assembly (i.e. cdk.out) that will contain the list of IAM roles that would have been created along with the IAM policy statements that the role should contain. This report can then be used to create the IAM roles outside of CDK and then the created role names can be provided in usePrecreatedRoles.

    Parameters

    • scope: Construct

      construct scope to customize role creation

    • Optional options: CustomizeRolesOptions

      options for configuring role creation

    Returns void

    Example

    declare const app: App;
    iam.Role.customizeRoles(app, {
      usePrecreatedRoles: {
        'ConstructPath/To/Role': 'my-precreated-role-name',
      },
    });

Static fromRoleArn

  • fromRoleArn(scope, id, roleArn, options?): IRole

  • Import an external role by ARN.

    If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.

    Parameters

    • scope: Construct

      construct scope

    • id: string

      construct id

    • roleArn: string

      the ARN of the role to import

    • Optional options: FromRoleArnOptions

      allow customizing the behavior of the returned role

    Returns IRole

Static fromRoleName

  • fromRoleName(scope, id, roleName, options?): IRole

  • Import an external role by name.

    The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.

    Parameters

    • scope: Construct

      construct scope

    • id: string

      construct id

    • roleName: string

      the name of the role to import

    • Optional options: FromRoleNameOptions

      allow customizing the behavior of the returned role

    Returns IRole

Static isConstruct

  • isConstruct(x): x is Construct

  • Checks if x is a construct.

    Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

    Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

    Parameters

    • x: any

      Any object

    Returns x is Construct

    true if x is an object created from a class which extends Construct.

Static isOwnedResource

  • isOwnedResource(construct): boolean

  • Returns true if the construct was created by CDK, and false otherwise

    Parameters

    • construct: IConstruct

    Returns boolean

Static isResource

  • isResource(construct): construct is Resource

  • Check whether the given construct is a Resource

    Parameters

    • construct: IConstruct

    Returns construct is Resource

Static isRole

  • isRole(x): x is Role

  • Return whether the given object is a Role

    Parameters

    • x: any

    Returns x is Role

Settings

Member Visibility

Theme

On This Page

constructorassumeRoleActionassumeRolePolicyenvgrantPrincipalidWithAppnodepermissionsBoundaryphysicalNamepolicyFragmentprincipalAccountroleArnroleNamestackroleId_enableCrossEnvironmentaddManagedPolicyaddToPolicyaddToPrincipalPolicyapplyRemovalPolicyattachInlinePolicygeneratePhysicalNamegetResourceArnAttributegetResourceNameAttributegrantgrantAssumeRolegrantPassRoletoStringwithoutPolicyUpdatescustomizeRolesfromRoleArnfromRoleNameisConstructisOwnedResourceisResourceisRole