fix(iam): adding organization id pattern verification

[IkeNefcy]

Issue

Closes #32756

Reason for this change

The original issue was related to over permissive s3 permissions. Which originally was being caused by what seems to be something related to an undefined iam.OrgranizationPrincipal being allowed. However when using 2.178.2, I'm not seeing this particular issue, but the policy that is generated could still be incorrectly created by leaving a blank string.
iam.OrgranizationPrincipal('')
This can be avoided with a simple check. Although this is not a golden solution since it's not able to check if that organization exists, but for the use case it's better than nothing.

Description of changes

Adding a regex check that matches the Organization ID regex pattern in the docs;
https://docs.aws.amazon.com/organizations/latest/APIReference/API_Organization.html

    if (!organizationId.match(/^o-[a-z0-9]{10,32}$/)) {
      throw new Error(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`);
    }

Description of how you validated changes

Added a test for bad names

test('throw error when Organization ID does not match regex pattern', () => {
  // GIVEN
  const shortOrgId = 'o-shortname';
  const noOOrgName = 'no-o-name';
  const longOrgName = 'o-thisnameistoooooooooooooooooolong';

  // THEN
  expect(() => new iam.OrganizationPrincipal(shortOrgId)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${shortOrgId}`);
  expect(() => new iam.OrganizationPrincipal(noOOrgName)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${noOOrgName}`);
  expect(() => new iam.OrganizationPrincipal(longOrgName)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${longOrgName}`);
});

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.21%. Comparing base (a6bfe3c) to head (3531d7c).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33555   +/-   ##
=======================================
  Coverage   82.21%   82.21%           
=======================================
  Files         119      119           
  Lines        6876     6876           
  Branches     1162     1162           
=======================================
  Hits         5653     5653           
  Misses       1120     1120           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.21% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.21% <ø> (ø)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 3531d7c
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.