Merge pull request #1946 from udondan/iam-updates

Author: udondan

CHANGELOG/v0.758.0.md

@@ -0,0 +1,12 @@
+**New actions:**
+
+- cognito-idp:AddUserPoolClientSecret
+- cognito-idp:DeleteUserPoolClientSecret
+- cognito-idp:ListUserPoolClientSecrets
+- es:RollbackElasticsearchServiceSoftwareUpdate
+- es:RollbackServiceSoftwareUpdate
+- ram:ListSourceAssociations
+
+**New condition keys:**
+
+- ram:RetainSharingOnAccountLeaveOrganization

README.md

@@ -16,9 +16,9 @@
 Support for:
 
 - 444 Services
-- 20408 Actions
+- 20414 Actions
 - 2165 Resource Types
-- 2282 Condition keys
+- 2283 Condition keys
 <!-- /stats -->
 
 ![EXPERIMENTAL](https://img.shields.io/badge/stability-experimantal-orange?style=for-the-badge)**<br>This is an early version of the package. The API will change while I implement new features. Therefore make sure you use an exact version in your `package.json` before it reaches 1.0.0.**

VERSION

@@ -1 +1 @@
-0.757.0
+0.758.0

docs/source/conf.py

@@ -24,7 +24,7 @@
 author = 'Daniel Schroeder'
 
 # The full version, including alpha/beta/rc tags
-release = '0.757.0'
+release = '0.758.0'
 
 # -- General configuration ---------------------------------------------------
 

docs/source/index.rst

@@ -31,9 +31,9 @@ AWS IAM policy statement generator with fluent interface.
 Support for:
 
 - 444 Services
-- 20408 Actions
+- 20414 Actions
 - 2165 Resource Types
-- 2282 Condition keys
+- 2283 Condition keys
 
 ..
    /stats

lib/generated/policy-statements/chime.ts

@@ -4010,13 +4010,14 @@ export class Chime extends PolicyStatement {
    *
    * @param meetingId - Identifier for the meetingId.
    * @param accountId - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
+   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
    * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
    *
    * Possible conditions:
    * - .ifAwsResourceTag()
    */
-  public onMeeting(meetingId: string, accountId?: string, partition?: string) {
-    return this.on(`arn:${ partition ?? this.defaultPartition }:chime::${ accountId ?? this.defaultAccount }:meeting/${ meetingId }`);
+  public onMeeting(meetingId: string, accountId?: string, region?: string, partition?: string) {
+    return this.on(`arn:${ partition ?? this.defaultPartition }:chime:${ region ?? this.defaultRegion }:${ accountId ?? this.defaultAccount }:meeting/${ meetingId }`);
   }
 
   /**

lib/generated/policy-statements/cognitouserpools.ts

@@ -29,6 +29,17 @@ export class CognitoIdp extends PolicyStatement {
     return this.to('AddCustomAttributes');
   }
 
+  /**
+   * Grants permission to add a new secret to a confidential client
+   *
+   * Access Level: Write
+   *
+   * https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AddUserPoolClientSecret.html
+   */
+  public toAddUserPoolClientSecret() {
+    return this.to('AddUserPoolClientSecret');
+  }
+
   /**
    * Grants permission to add any user to any group
    *
@@ -582,6 +593,17 @@ export class CognitoIdp extends PolicyStatement {
     return this.to('DeleteUserPoolClient');
   }
 
+  /**
+   * Grants permission to delete a secret from a list of secrets associated with a client
+   *
+   * Access Level: Write
+   *
+   * https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DeleteUserPoolClientSecret.html
+   */
+  public toDeleteUserPoolClientSecret() {
+    return this.to('DeleteUserPoolClientSecret');
+  }
+
   /**
    * Grants permission to delete any user pool domain
    *
@@ -972,6 +994,17 @@ export class CognitoIdp extends PolicyStatement {
     return this.to('ListUserImportJobs');
   }
 
+  /**
+   * Grants permission to list all secrets associated with a client
+   *
+   * Access Level: List
+   *
+   * https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUserPoolClientSecrets.html
+   */
+  public toListUserPoolClientSecrets() {
+    return this.to('ListUserPoolClientSecrets');
+  }
+
   /**
    * Grants permission to list all app clients in user pools
    *
@@ -1327,6 +1360,7 @@ export class CognitoIdp extends PolicyStatement {
   protected accessLevelList: AccessLevelList = {
     Write: [
       'AddCustomAttributes',
+      'AddUserPoolClientSecret',
       'AdminAddUserToGroup',
       'AdminConfirmSignUp',
       'AdminCreateUser',
@@ -1372,6 +1406,7 @@ export class CognitoIdp extends PolicyStatement {
       'DeleteUserAttributes',
       'DeleteUserPool',
       'DeleteUserPoolClient',
+      'DeleteUserPoolClientSecret',
       'DeleteUserPoolDomain',
       'DisassociateWebACL',
       'ForgetDevice',
@@ -1442,6 +1477,7 @@ export class CognitoIdp extends PolicyStatement {
       'ListTagsForResource',
       'ListTerms',
       'ListUserImportJobs',
+      'ListUserPoolClientSecrets',
       'ListUserPoolClients',
       'ListUserPools',
       'ListUsers',

lib/generated/policy-statements/opensearchservice.ts

@@ -1130,6 +1130,28 @@ export class Es extends PolicyStatement {
     return this.to('RevokeVpcEndpointAccess');
   }
 
+  /**
+   * Grants permission to rollback a service software update of an elasticsearch domain to its previous version
+   *
+   * Access Level: Write
+   *
+   * https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_RollbackServiceSoftwareUpdate.html
+   */
+  public toRollbackElasticsearchServiceSoftwareUpdate() {
+    return this.to('RollbackElasticsearchServiceSoftwareUpdate');
+  }
+
+  /**
+   * Grants permission to rollback a service software update of an opensearch domain to its previous version
+   *
+   * Access Level: Write
+   *
+   * https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_RollbackServiceSoftwareUpdate.html
+   */
+  public toRollbackServiceSoftwareUpdate() {
+    return this.to('RollbackServiceSoftwareUpdate');
+  }
+
   /**
    * Grants permission to initiate the maintenance on the node
    *
@@ -1341,6 +1363,8 @@ export class Es extends PolicyStatement {
       'RejectInboundConnection',
       'RejectInboundCrossClusterSearchConnection',
       'RevokeVpcEndpointAccess',
+      'RollbackElasticsearchServiceSoftwareUpdate',
+      'RollbackServiceSoftwareUpdate',
       'StartDomainMaintenance',
       'StartElasticsearchServiceSoftwareUpdate',
       'StartServiceSoftwareUpdate',

lib/generated/policy-statements/resourceaccessmanagerram.ts

@@ -46,6 +46,7 @@ export class Ram extends PolicyStatement {
    * - .ifPrincipal()
    * - .ifRequestedResourceType()
    * - .ifResourceArn()
+   * - .ifRetainSharingOnAccountLeaveOrganization()
    *
    * https://docs.aws.amazon.com/ram/latest/APIReference/API_AssociateResourceShare.html
    */
@@ -113,6 +114,7 @@ export class Ram extends PolicyStatement {
    * - .ifRequestedAllowsExternalPrincipals()
    * - .ifPrincipal()
    * - .ifAllowsExternalPrincipals()
+   * - .ifRetainSharingOnAccountLeaveOrganization()
    *
    * https://docs.aws.amazon.com/ram/latest/APIReference/API_CreateResourceShare.html
    */
@@ -161,6 +163,7 @@ export class Ram extends PolicyStatement {
    * - .ifResourceTag()
    * - .ifResourceShareName()
    * - .ifAllowsExternalPrincipals()
+   * - .ifRetainSharingOnAccountLeaveOrganization()
    *
    * https://docs.aws.amazon.com/ram/latest/APIReference/API_DeleteResourceShare.html
    */
@@ -181,6 +184,7 @@ export class Ram extends PolicyStatement {
    * - .ifPrincipal()
    * - .ifRequestedResourceType()
    * - .ifResourceArn()
+   * - .ifRetainSharingOnAccountLeaveOrganization()
    *
    * https://docs.aws.amazon.com/ram/latest/APIReference/API_DisassociateResourceShare.html
    */
@@ -359,6 +363,7 @@ export class Ram extends PolicyStatement {
    * - .ifAwsResourceTag()
    * - .ifResourceShareName()
    * - .ifAllowsExternalPrincipals()
+   * - .ifRetainSharingOnAccountLeaveOrganization()
    *
    * https://docs.aws.amazon.com/ram/latest/APIReference/API_ListResourceSharePermissions.html
    */
@@ -388,6 +393,17 @@ export class Ram extends PolicyStatement {
     return this.to('ListResources');
   }
 
+  /**
+   * Grants permission to list source associations for resource shares
+   *
+   * Access Level: List
+   *
+   * https://docs.aws.amazon.com/ram/latest/APIReference/API_ListSourceAssociations.html
+   */
+  public toListSourceAssociations() {
+    return this.to('ListSourceAssociations');
+  }
+
   /**
    * Grants permission to create a separate, fully manageable customer managed permission
    *
@@ -499,6 +515,7 @@ export class Ram extends PolicyStatement {
    * - .ifResourceShareName()
    * - .ifAllowsExternalPrincipals()
    * - .ifRequestedAllowsExternalPrincipals()
+   * - .ifRetainSharingOnAccountLeaveOrganization()
    *
    * https://docs.aws.amazon.com/ram/latest/APIReference/API_UpdateResourceShare.html
    */
@@ -545,7 +562,8 @@ export class Ram extends PolicyStatement {
       'ListReplacePermissionAssociationsWork',
       'ListResourceSharePermissions',
       'ListResourceTypes',
-      'ListResources'
+      'ListResources',
+      'ListSourceAssociations'
     ],
     Tagging: [
       'TagResource',
@@ -874,6 +892,25 @@ export class Ram extends PolicyStatement {
     return this.if(`ResourceTag/${ tagKey }`, value, operator ?? 'StringLike');
   }
 
+  /**
+   * Filters access by RetainSharingOnAccountLeaveOrganization value within ResourceShareConfiguration that is set on resource share
+   *
+   * https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition
+   *
+   * Applies to actions:
+   * - .toAssociateResourceShare()
+   * - .toCreateResourceShare()
+   * - .toDeleteResourceShare()
+   * - .toDisassociateResourceShare()
+   * - .toListResourceSharePermissions()
+   * - .toUpdateResourceShare()
+   *
+   * @param value `true` or `false`. **Default:** `true`
+   */
+  public ifRetainSharingOnAccountLeaveOrganization(value?: boolean) {
+    return this.if(`RetainSharingOnAccountLeaveOrganization`, (typeof value !== 'undefined' ? value : true), 'Bool');
+  }
+
   /**
    * Filters access by resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner's account ID
    *

stats/actions/cognito-idp

@@ -1,4 +1,5 @@
 cognito-idp:AddCustomAttributes;Write
+cognito-idp:AddUserPoolClientSecret;Write
 cognito-idp:AdminAddUserToGroup;Write
 cognito-idp:AdminConfirmSignUp;Write
 cognito-idp:AdminCreateUser;Write
@@ -49,6 +50,7 @@ cognito-idp:DeleteUser;Write
 cognito-idp:DeleteUserAttributes;Write
 cognito-idp:DeleteUserPool;Write
 cognito-idp:DeleteUserPoolClient;Write
+cognito-idp:DeleteUserPoolClientSecret;Write
 cognito-idp:DeleteUserPoolDomain;Write
 cognito-idp:DescribeIdentityProvider;Read
 cognito-idp:DescribeManagedLoginBranding;Read
@@ -85,6 +87,7 @@ cognito-idp:ListResourcesForWebACL;List
 cognito-idp:ListTagsForResource;List
 cognito-idp:ListTerms;List
 cognito-idp:ListUserImportJobs;List
+cognito-idp:ListUserPoolClientSecrets;List
 cognito-idp:ListUserPoolClients;List
 cognito-idp:ListUserPools;List
 cognito-idp:ListUsers;List