diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out index ae4b03c54e770..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"30.0.0"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json index 8fcd0e362a9dd..2dfb1c03164f9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json @@ -1,7 +1,7 @@ { - "version": "30.0.0", + "version": "39.0.0", "files": { - "514f5ee3a1aa7cfaa68a26e8992753c2a8dfaa4e62da39ff85fba52545f07a2a": { + "c2c6194246bf85091584a53bc8375b8bbf23344aa5024c626b51ca6e3ce4fec2": { "source": { "path": "integ-iam-role-1.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "514f5ee3a1aa7cfaa68a26e8992753c2a8dfaa4e62da39ff85fba52545f07a2a.json", + "objectKey": "c2c6194246bf85091584a53bc8375b8bbf23344aa5024c626b51ca6e3ce4fec2.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json index 2a6784d4f7504..8cbd61fab40c2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json @@ -105,7 +105,7 @@ "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "aws:PrincipalOrgID": "o-1234" + "aws:PrincipalOrgID": "o-12345abcde" } }, "Effect": "Allow", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json index fb19d898ca1a4..286e5da87896c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "39.0.0", "testCases": { "integ-iam-role/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json index bbcbe43c78388..d73f764b004a2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json 
@@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json index 1064dbf931db6..8888333fb488d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "39.0.0", "artifacts": { "integ-iam-role-1.assets": { "type": "cdk:asset-manifest", @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "integ-iam-role-1.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/514f5ee3a1aa7cfaa68a26e8992753c2a8dfaa4e62da39ff85fba52545f07a2a.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c2c6194246bf85091584a53bc8375b8bbf23344aa5024c626b51ca6e3ce4fec2.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -33,30 +34,198 @@ "integ-iam-role-1.assets" ], "metadata": { + "/integ-iam-role-1/TestRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], + "/integ-iam-role-1/TestRole/ImportTestRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-iam-role-1/TestRole/Resource": [ { "type": "aws:cdk:logicalId", "data": "TestRole6C9272DF" } ], + "/integ-iam-role-1/TestRole/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/integ-iam-role-1/TestRole/DefaultPolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "TestRoleDefaultPolicyD1C92014" } ], + "/integ-iam-role-1/HelloPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "policyName": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + } + ], 
"/integ-iam-role-1/HelloPolicy/Resource": [ { "type": "aws:cdk:logicalId", "data": "HelloPolicyD59007DF" } ], + "/integ-iam-role-1/TestImportedRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/integ-iam-role-1/TestRole2": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "externalIds": "*" + } + } + ], + "/integ-iam-role-1/TestRole2/ImportTestRole2": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-iam-role-1/TestRole2/Resource": [ { "type": "aws:cdk:logicalId", "data": "TestRole25D98AB21" } ], + "/integ-iam-role-1/TestRole3": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + } + ], + "/integ-iam-role-1/TestRole3/ImportTestRole3": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-iam-role-1/TestRole3/Resource": [ { "type": "aws:cdk:logicalId", @@ -91,6 +260,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "integiamroleDefaultTestDeployAssert48737E31.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/tree.json index 507038fa79bba..a2575aa5e44b1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/tree.json 
@@ -16,8 +16,11 @@ "id": "ImportTestRole", "path": "integ-iam-role-1/TestRole/ImportTestRole", "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -41,7 +44,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } }, @@ -74,20 +77,71 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0", + "metadata": [ + "*", + { + "attachToRole": [ + "*" + ] + }, + { + "attachToRole": [ + "*" + ] + }, + { + "addStatements": [ + {} + ] + } + ] } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + }, + { + "addToPolicy": [ + {} + ] + }, + { + "addToPrincipalPolicy": [ + {} + ] + }, + { + "attachInlinePolicy": [ + "*" + ] + }, + { + "attachInlinePolicy": [ + "*" + ] + }, + { + "attachInlinePolicy": [ + "*" + ] + } + ] } }, "HelloPolicy": { 
@@ -119,14 +173,50 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0", + "metadata": [ + { + "policyName": "*" + }, + { + "addStatements": [ + {} + ] + }, + { + "attachToRole": [ + "*" + ] + }, + { + "attachToRole": [ + "*" + ] + }, + { + "attachToRole": [ + "*" + ] + } + ] + } + }, + "TestImportedRole": { + "id": "TestImportedRole", + "path": "integ-iam-role-1/TestImportedRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "TestRole2": { @@ -137,8 +227,11 @@ "id": "ImportTestRole2", "path": "integ-iam-role-1/TestRole2/ImportTestRole2", "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -182,14 +275,23 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "externalIds": "*" + } + ] } }, "TestRole3": { @@ -200,8 +302,11 @@ "id": "ImportTestRole3", "path": "integ-iam-role-1/TestRole3/ImportTestRole3", "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -216,7 +321,7 @@ "Action": "sts:AssumeRole", "Condition": { "StringEquals": { - "aws:PrincipalOrgID": "o-1234" + "aws:PrincipalOrgID": "o-12345abcde" } }, "Effect": "Allow", 
@@ -230,21 +335,29 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + ] } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "integ-iam-role-1/BootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", + "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" } }, @@ -252,13 +365,13 @@ "id": "CheckBootstrapVersion", "path": "integ-iam-role-1/CheckBootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } }, @@ -275,7 +388,7 @@ "path": "integ-iam-role/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.249" + "version": "10.4.2" } }, "DeployAssert": { @@ -286,7 +399,7 @@ "id": "BootstrapVersion", "path": "integ-iam-role/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", + "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" } }, @@ -294,25 +407,25 @@ "id": "CheckBootstrapVersion", "path": "integ-iam-role/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTestCase", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTest", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", "version": "0.0.0" } }, 
@@ -321,12 +434,12 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.249" + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.App", + "fqn": "aws-cdk-lib.App", "version": "0.0.0" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.ts index ca3a161594ac5..28b54ac51d47b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.ts @@ -28,7 +28,7 @@ new Role(stack, 'TestRole2', { // Role with an org new Role(stack, 'TestRole3', { - assumedBy: new OrganizationPrincipal('o-1234'), + assumedBy: new OrganizationPrincipal('o-12345abcde'), }); new IntegTest(app, 'integ-iam-role', { diff --git a/packages/aws-cdk-lib/aws-iam/lib/principals.ts b/packages/aws-cdk-lib/aws-iam/lib/principals.ts index 498cc4273d5b4..746618be630cf 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/principals.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/principals.ts @@ -32,7 +32,7 @@ export interface IGrantable { * Notifications Service). * * A single logical Principal may also map to a set of physical principals. - * For example, `new OrganizationPrincipal('o-1234')` represents all + * For example, `new OrganizationPrincipal('o-12345abcde')` represents all * identities that are part of the given AWS Organization. */ export interface IPrincipal extends IGrantable { @@ -603,6 +603,9 @@ export class ServicePrincipal extends PrincipalBase { /** * A principal that represents an AWS Organization + * + * Property organizationId must match regex pattern ^o-[a-z0-9]{10,32}$ + * @see https://docs.aws.amazon.com/organizations/latest/APIReference/API_Organization.html */ export class OrganizationPrincipal extends PrincipalBase { /** 
@@ -611,6 +614,9 @@ export class OrganizationPrincipal extends PrincipalBase {
 */
 constructor(public readonly organizationId: string) {
 super();
+ if (!organizationId.match(/^o-[a-z0-9]{10,32}$/)) {
+ throw new Error(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`);
+ }
 }
 public get policyFragment(): PrincipalPolicyFragment {
diff --git a/packages/aws-cdk-lib/aws-iam/test/principals.test.ts b/packages/aws-cdk-lib/aws-iam/test/principals.test.ts
index 1b67bc843c64f..2f85ac153d9e6 100644
--- a/packages/aws-cdk-lib/aws-iam/test/principals.test.ts
+++ b/packages/aws-cdk-lib/aws-iam/test/principals.test.ts
@@ -518,3 +518,15 @@ test('ServicePrinciple construct by default reset the principle name to the defa
 },
 });
 });
+
+test('throw error when Organization ID does not match regex pattern', () => {
+ // GIVEN
+ const shortOrgId = 'o-shortname';
+ const noOOrgName = 'no-o-name';
+ const longOrgName = 'o-thisnameistoooooooooooooooooolong';
+
+ // THEN
+ expect(() => new iam.OrganizationPrincipal(shortOrgId)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${shortOrgId}`);
+ expect(() => new iam.OrganizationPrincipal(noOOrgName)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${noOOrgName}`);
+ expect(() => new iam.OrganizationPrincipal(longOrgName)).toThrow(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${longOrgName}`);
+});
diff --git a/packages/aws-cdk-lib/aws-kms/test/via-service-principal.test.ts b/packages/aws-cdk-lib/aws-kms/test/via-service-principal.test.ts
index 4c86986e8b4a6..86367e249eff3 100644
--- a/packages/aws-cdk-lib/aws-kms/test/via-service-principal.test.ts
+++ b/packages/aws-cdk-lib/aws-kms/test/via-service-principal.test.ts
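Review bot: The new check in the `OrganizationPrincipal` constructor runs the pattern against whatever string it receives, so an ID passed as an unresolved CDK token (a parameter, a lookup, a cross-stack reference) would be rejected at synth time even though it resolves to a valid ID at deploy time. Skip the pattern check for tokens, for example `if (!Token.isUnresolved(organizationId) && !/^o-[a-z0-9]{10,32}$/.test(organizationId)) {`; the import that brings `Token` into scope is not visible in this hunk, so use whatever name the file already has for core. Failing fast on literal IDs is worth keeping, since a mistyped value would otherwise end up in an `aws:PrincipalOrgID` condition that can never match a real organization. The constructor's JSDoc starts outside the hunk and would be the natural place for an `@throws` line describing the new error.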
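Review bot: The added test in principals.test.ts asserts only rejections, so a regression that made the pattern too strict would pass unnoticed; nothing here shows that a well-formed ID is accepted. Add an acceptance assertion such as `expect(() => new iam.OrganizationPrincipal('o-12345abcde')).not.toThrow();`, and a rejected uppercase value such as `'o-12345ABCDE'` (constructed sample) to pin the lowercase-only character class. If the constructor is changed to skip unresolved tokens, a token-valued ID belongs in this test as well.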
@@ -23,7 +23,7 @@ test('Via service, principal with conditions', () => {
 // WHEN
 const statement = new iam.PolicyStatement({
 actions: ['abc:call'],
- principals: [new kms.ViaServicePrincipal('bla.amazonaws.com', new iam.OrganizationPrincipal('o-1234'))],
+ principals: [new kms.ViaServicePrincipal('bla.amazonaws.com', new iam.OrganizationPrincipal('o-12345abcde'))],
 resources: ['*'],
 });
@@ -33,7 +33,7 @@ test('Via service, principal with conditions', () => {
 Condition: {
 StringEquals: {
 'kms:ViaService': 'bla.amazonaws.com',
- 'aws:PrincipalOrgID': 'o-1234',
+ 'aws:PrincipalOrgID': 'o-12345abcde',
 },
 },
 Effect: 'Allow',
diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
index 83569f1d20194..dfc55c29b7541 100644
--- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
+++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
@@ -191,7 +191,7 @@ describe('function', () => {
 test('can supply principalOrgID via permission property', () => {
 const stack = new cdk.Stack();
 const fn = newTestLambda(stack);
- const org = new iam.OrganizationPrincipal('o-xxxxxxxxxx');
+ const org = new iam.OrganizationPrincipal('o-12345abcde');
 const account = new iam.AccountPrincipal('123456789012');
 fn.addPermission('S3Permission', {
@@ -223,7 +223,7 @@ describe('function', () => {
 fn.addPermission('S1', { principal: new iam.ServicePrincipal('my-service') });
 fn.addPermission('S2', { principal: new iam.AccountPrincipal('account') });
 fn.addPermission('S3', { principal: new iam.ArnPrincipal('my:arn') });
- fn.addPermission('S4', { principal: new iam.OrganizationPrincipal('my:org') });
+ fn.addPermission('S4', { principal: new iam.OrganizationPrincipal('o-12345abcde') });
 });
 test('does not show warning if skipPermissions is set', () => {
@@ -1745,7 +1745,7 @@ describe('function', () => {
 handler: 'index.handler',
 runtime: lambda.Runtime.NODEJS_LATEST,
 });
- const org = new iam.OrganizationPrincipal('my-org-id');
+ const org = new iam.OrganizationPrincipal('o-12345abcde');
 // WHEN
 fn.grantInvoke(org);
@@ -1760,7 +1760,7 @@ describe('function', () => {
 ],
 },
 Principal: '*',
- PrincipalOrgID: 'my-org-id',
+ PrincipalOrgID: 'o-12345abcde',
 });
 });
@@ -1974,7 +1974,7 @@ describe('function', () => {
 new iam.AccountPrincipal('1234'),
 new iam.ServicePrincipal('apigateway.amazonaws.com'),
 new iam.ArnPrincipal('arn:aws:iam::123456789012:role/someRole'),
- new iam.OrganizationPrincipal('my-org-id'),
+ new iam.OrganizationPrincipal('o-12345abcde'),
 );
 const fn = new lambda.Function(stack, 'Function', {
@@ -2026,7 +2026,7 @@ describe('function', () => {
 ],
 },
 Principal: '*',
- PrincipalOrgID: 'my-org-id',
+ PrincipalOrgID: 'o-12345abcde',
 });
 });
 });
diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
index 352ba91750042..f7e7bfc893e5e 100644
--- a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
+++ b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
@@ -1776,7 +1776,7 @@ describe('bucket', () => {
 const bucket = new s3.Bucket(stack, 'MyBucket', { encryption: s3.BucketEncryption.KMS });
 // WHEN
- bucket.grantRead(new iam.OrganizationPrincipal('o-1234'));
+ bucket.grantRead(new iam.OrganizationPrincipal('o-12345abcde'));
 // THEN
 Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', {
@@ -1785,7 +1785,7 @@ describe('bucket', () => {
 'Statement': [
 {
 Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'],
- 'Condition': { 'StringEquals': { 'aws:PrincipalOrgID': 'o-1234' } },
+ 'Condition': { 'StringEquals': { 'aws:PrincipalOrgID': 'o-12345abcde' } },
 'Effect': 'Allow',
 'Principal': { AWS: '*' },
 'Resource': [
@@ -1806,7 +1806,7 @@ describe('bucket', () => {
 'Effect': 'Allow',
 'Resource': '*',
 'Principal': { AWS: '*' },
- 'Condition': { 'StringEquals': { 'aws:PrincipalOrgID': 'o-1234' } },
+ 'Condition': { 'StringEquals': { 'aws:PrincipalOrgID': 'o-12345abcde' } },
 },
 ]),
 'Version': '2012-10-17',