Merge pull request #1870 from udondan/iam-updates

Author: udondan

CHANGELOG/v0.747.0.md

@@ -0,0 +1,7 @@
+**Updated action access level:**
+
+- deadline:ListTagsForResource: List -> Read
+- deadline:SearchJobs: List -> Read
+- deadline:SearchSteps: List -> Read
+- deadline:SearchTasks: List -> Read
+- deadline:SearchWorkers: List -> Read

VERSION

@@ -1 +1 @@
-0.746.0
+0.747.0

docs/source/conf.py

@@ -24,7 +24,7 @@
 author = 'Daniel Schroeder'
 
 # The full version, including alpha/beta/rc tags
-release = '0.746.0'
+release = '0.747.0'
 
 # -- General configuration ---------------------------------------------------
 

lib/generated/policy-statements/bedrockagentcore.ts

@@ -1998,14 +1998,15 @@ export class BedrockAgentcore extends PolicyStatement {
    * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/browserProfile.html
    *
    * @param browserProfileId - Identifier for the browserProfileId.
+   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
    * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
    * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
    *
    * Possible conditions:
    * - .ifAwsResourceTag()
    */
-  public onBrowserProfile(browserProfileId: string, region?: string, partition?: string) {
-    return this.on(`arn:${ partition ?? this.defaultPartition }:bedrock-agentcore:${ region ?? this.defaultRegion }:aws:browser-profile/${ browserProfileId }`);
+  public onBrowserProfile(browserProfileId: string, account?: string, region?: string, partition?: string) {
+    return this.on(`arn:${ partition ?? this.defaultPartition }:bedrock-agentcore:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:browser-profile/${ browserProfileId }`);
   }
 
   /**

lib/generated/policy-statements/deadlinecloud.ts

@@ -254,6 +254,10 @@ export class Deadline extends PolicyStatement {
    *
    * Access Level: Write
    *
+   * Possible conditions:
+   * - .ifAwsRequestTag()
+   * - .ifAwsTagKeys()
+   *
    * Dependent actions:
    * - deadline:GetJobTemplate
    * - identitystore:ListGroupMembershipsForMember
@@ -670,7 +674,7 @@ export class Deadline extends PolicyStatement {
    *
    * Access Level: Read
    *
-   * https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_GetApplicationVersion.html
+   * https://docs.aws.amazon.com/deadline-cloud/latest/userguide/deadline-cloud-jobs.html
    */
   public toGetApplicationVersion() {
     return this.to('GetApplicationVersion');
@@ -736,6 +740,8 @@ export class Deadline extends PolicyStatement {
    * Grants permission to read job template
    *
    * Access Level: Read
+   *
+   * https://docs.aws.amazon.com/deadline-cloud/latest/userguide/working-with-deadline-monitor.html
    */
   public toGetJobTemplate() {
     return this.to('GetJobTemplate');
@@ -1324,7 +1330,7 @@ export class Deadline extends PolicyStatement {
   /**
    * Grants permission to list all tags on specified Deadline Cloud resources
    *
-   * Access Level: List
+   * Access Level: Read
    *
    * Possible conditions:
    * - .ifCalledAction()
@@ -1377,7 +1383,7 @@ export class Deadline extends PolicyStatement {
   /**
    * Grants permission to search for jobs in multiple queues
    *
-   * Access Level: List
+   * Access Level: Read
    *
    * Dependent actions:
    * - identitystore:ListGroupMembershipsForMember
@@ -1391,7 +1397,7 @@ export class Deadline extends PolicyStatement {
   /**
    * Grants permission to search the steps within a single job or to search the steps for multiple queues
    *
-   * Access Level: List
+   * Access Level: Read
    *
    * Dependent actions:
    * - identitystore:ListGroupMembershipsForMember
@@ -1405,7 +1411,7 @@ export class Deadline extends PolicyStatement {
   /**
    * Grants permission to search the tasks within a single job or to search the tasks for multiple queues
    *
-   * Access Level: List
+   * Access Level: Read
    *
    * Dependent actions:
    * - identitystore:ListGroupMembershipsForMember
@@ -1419,7 +1425,7 @@ export class Deadline extends PolicyStatement {
   /**
    * Grants permission to search for workers in multiple fleets
    *
-   * Access Level: List
+   * Access Level: Read
    *
    * Dependent actions:
    * - identitystore:ListGroupMembershipsForMember
@@ -1790,6 +1796,11 @@ export class Deadline extends PolicyStatement {
       'GetStorageProfileForQueue',
       'GetTask',
       'GetWorker',
+      'ListTagsForResource',
+      'SearchJobs',
+      'SearchSteps',
+      'SearchTasks',
+      'SearchWorkers',
       'StartSessionsStatisticsAggregation'
     ],
     List: [
@@ -1819,13 +1830,8 @@ export class Deadline extends PolicyStatement {
       'ListSteps',
       'ListStorageProfiles',
       'ListStorageProfilesForQueue',
-      'ListTagsForResource',
       'ListTasks',
-      'ListWorkers',
-      'SearchJobs',
-      'SearchSteps',
-      'SearchTasks',
-      'SearchWorkers'
+      'ListWorkers'
     ],
     Tagging: [
       'TagResource',
@@ -1903,6 +1909,7 @@ export class Deadline extends PolicyStatement {
    * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
    *
    * Possible conditions:
+   * - .ifAwsResourceTag()
    * - .ifFarmMembershipLevels()
    * - .ifJobMembershipLevels()
    * - .ifQueueMembershipLevels()
@@ -1995,6 +2002,7 @@ export class Deadline extends PolicyStatement {
    * - .toCreateBudget()
    * - .toCreateFarm()
    * - .toCreateFleet()
+   * - .toCreateJob()
    * - .toCreateLicenseEndpoint()
    * - .toCreateMonitor()
    * - .toCreateQueue()
@@ -2018,6 +2026,7 @@ export class Deadline extends PolicyStatement {
    * - budget
    * - farm
    * - fleet
+   * - job
    * - license-endpoint
    * - monitor
    * - queue
@@ -2040,6 +2049,7 @@ export class Deadline extends PolicyStatement {
    * - .toCreateBudget()
    * - .toCreateFarm()
    * - .toCreateFleet()
+   * - .toCreateJob()
    * - .toCreateLicenseEndpoint()
    * - .toCreateMonitor()
    * - .toCreateQueue()

stats/actions/deadline

@@ -86,14 +86,14 @@ deadline:ListStepDependencies;List
 deadline:ListSteps;List
 deadline:ListStorageProfiles;List
 deadline:ListStorageProfilesForQueue;List
-deadline:ListTagsForResource;List
+deadline:ListTagsForResource;Read
 deadline:ListTasks;List
 deadline:ListWorkers;List
 deadline:PutMeteredProduct;Write
-deadline:SearchJobs;List
-deadline:SearchSteps;List
-deadline:SearchTasks;List
-deadline:SearchWorkers;List
+deadline:SearchJobs;Read
+deadline:SearchSteps;Read
+deadline:SearchTasks;Read
+deadline:SearchWorkers;Read
 deadline:StartSessionsStatisticsAggregation;Read
 deadline:TagResource;Tagging
 deadline:UntagResource;Tagging