import * as cdk from '@aws-cdk/core';
import { ManagedPolicy, PolicyDocument } from '@aws-cdk/aws-iam';
import * as stmt from './policy-statements';
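/**
 * Stack that provisions the two IAM managed policies used by Amazon Genomics CLI:
 * an admin policy (carries the create/destroy statements) and a user policy
 * (read/write statements plus the service permissions a running workflow needs).
 *
 * The individual statements are not defined here; they come from
 * `stmt.AgcPermissions` in `./policy-statements`, so the exact actions and
 * resource scoping of each group have to be reviewed in that file.
 */
export class AgcPermissionsStack extends cdk.Stack {
  /** Managed policy attached to AGC admins (infrastructure create/destroy). */
  adminPolicy: ManagedPolicy;
  /** Managed policy attached to AGC users (everyday workflow use). */
  userPolicy: ManagedPolicy;

  /**
   * @param scope - parent construct
   * @param id - construct id of this stack
   * @param props - optional stack props, forwarded unchanged to `cdk.Stack`
   */
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Both policies are created empty and populated below; neither binding
    // is reassigned, so they are `const`.
    const agcAdminPolicy = new ManagedPolicy(this, 'agc-admin-policy', {
      description: "managed policy for amazon genomics cli admins",
    });
    const agcUserPolicy = new ManagedPolicy(this, 'agc-user-policy', {
      description: "managed policy for amazon genomics cli users",
    });

    // Single source of the statement groups; each method returns the
    // statements for one service/operation group.
    const perms = new stmt.AgcPermissions(this);

    // explicit permissions
    agcAdminPolicy.addStatements(
      ...perms.vpc(),
      ...perms.s3Create(),
      ...perms.s3Destroy(),
      ...perms.s3Read(),
      ...perms.s3Write(),
      ...perms.dynamodbCreate(),
      ...perms.dynamodbRead(),
      ...perms.dynamodbWrite(),
      ...perms.dynamodbDestroy(),
      ...perms.ssmCreate(),
      ...perms.ssmRead(),
      ...perms.ssmDestroy(),
      ...perms.cloudformationAdmin(),
      ...perms.ecr(),
      ...perms.deactivate(),
    );

    // poweruser + iam permissions is sufficient
    // NOTE(review): this is the policy handed to the wider user population and it
    // includes perms.iam(); the IAM statements live in policy-statements.ts, so
    // confirm there that they are resource-scoped (roles/PassRole) rather than "*".
    agcUserPolicy.addStatements(
      ...perms.iam(),
      ...perms.ec2(),
      ...perms.s3Read(),
      ...perms.s3Write(),
      ...perms.dynamodbRead(),
      ...perms.dynamodbWrite(),
      ...perms.ssmRead(),
      ...perms.cloudformationUser(),
      ...perms.batch(),
      ...perms.ecs(),
      ...perms.elb(),
      ...perms.apigw(),
      ...perms.efs(),
      ...perms.cloudmap(),
      ...perms.logs(),
      ...perms.route53(),
    );

    this.adminPolicy = agcAdminPolicy;
    this.userPolicy = agcUserPolicy;
  }
}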