From b754f1ffdc736e9738dd77b149c401f5070123d6 Mon Sep 17 00:00:00 2001
From: Jakob Berg
Date: Tue, 23 Apr 2024 22:15:25 -0400
Subject: [PATCH 1/2] in progress fix
---
 packages/@aws-cdk/aws-service-spec/build/scrutinies.ts | 5 +++++
 packages/@aws-cdk/service-spec-types/src/types/resource.ts | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts b/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts
index 7731512ad..7deccdb44 100644
--- a/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts
+++ b/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts
@@ -93,6 +93,11 @@ export class Scrutinies {
 this.setResourceScrutiny('AWS::EC2::SecurityGroupEgress', ResourceScrutinyType.EgressRuleResource);
 this.setPropertyScrutiny('AWS::EC2::SecurityGroup', 'SecurityGroupIngress', PropertyScrutinyType.IngressRules);
 this.setPropertyScrutiny('AWS::EC2::SecurityGroup', 'SecurityGroupEgress', PropertyScrutinyType.EgressRules);
+
+ // AWS IAM Identity Center (formerly AWS SSO)
+ this.setResourceScrutiny('AWS::SSO::Assignment', ResourceScrutinyType.SsoResource);
+ this.setResourceScrutiny('AWS::SSO::PermissionSet', ResourceScrutinyType.SsoResource);
+ this.setResourceScrutiny('AWS::SSO::InstanceAccessControlAttributeConfiguration', ResourceScrutinyType.SsoResource);
 }
 private setResourceScrutiny(cfnType: string, scrutiny: ResourceScrutinyType) {
diff --git a/packages/@aws-cdk/service-spec-types/src/types/resource.ts b/packages/@aws-cdk/service-spec-types/src/types/resource.ts
index 40a5b5f7c..eaeae9024 100644
--- a/packages/@aws-cdk/service-spec-types/src/types/resource.ts
+++ b/packages/@aws-cdk/service-spec-types/src/types/resource.ts
@@ -400,6 +400,11 @@ export enum ResourceScrutinyType {
 * A set of egress rules
 */
 EgressRuleResource = 'EgressRuleResource',
+
+ /**
+ * SsoResource
+ */
+ SsoResource = 'SsoResource',
 }
 /**
From e06496155b7a3af112507b8c8d43e62c006122a5 Mon Sep 17 00:00:00 2001
From: Jakob Berg
Date: Fri, 26 Apr 2024 11:21:53 -0400
Subject: [PATCH 2/2] in progress fix
---
 .../aws-service-spec/build/scrutinies.ts | 11 +++++-----
 .../service-spec-types/src/types/resource.ts | 20 +++++++++++++++++--
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts b/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts
index 7deccdb44..3a096f57f 100644
--- a/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts
+++ b/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts
@@ -57,8 +57,8 @@ export class Scrutinies {
 private autoPropertyScrutiny(propertyName: string, property: Property): PropertyScrutinyType | undefined {
 const richDb = new RichSpecDatabase(this.db);
- // Detect fields named like ManagedPolicyArns
- if (propertyName === 'ManagedPolicyArns') {
+ // Detect fields named like ManagedPolicyArns or ManagedPolicies (AWS::SSO::PermissionSet, for example)
+ if (propertyName === 'ManagedPolicyArns' || propertyName === 'ManagedPolicies') {
 return PropertyScrutinyType.ManagedPolicies;
 }
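Review bot: The added `|| propertyName === 'ManagedPolicies'` is an exact, resource-type-agnostic name match, so the `ManagedPolicies` scrutiny now applies to any resource that has a property of that name, not only `AWS::SSO::PermissionSet`; the comment's "named like" and "for example" understate that. Because this heuristic decides which property changes get singled out for review, the intent should be stated plainly, e.g. `// Any property named exactly ManagedPolicyArns or ManagedPolicies, on any resource type, is treated as a list of managed-policy references`. Collecting the names in one place, `if (['ManagedPolicyArns', 'ManagedPolicies'].includes(propertyName)) {`, keeps the next addition from growing the boolean chain. The body of autoPropertyScrutiny continues past the end of the hunk, so any other name-based checks there should be described the same way.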
@@ -95,9 +95,10 @@ export class Scrutinies {
 this.setPropertyScrutiny('AWS::EC2::SecurityGroup', 'SecurityGroupEgress', PropertyScrutinyType.EgressRules);
 // AWS IAM Identity Center (formerly AWS SSO)
- this.setResourceScrutiny('AWS::SSO::Assignment', ResourceScrutinyType.SsoResource);
- this.setResourceScrutiny('AWS::SSO::PermissionSet', ResourceScrutinyType.SsoResource);
- this.setResourceScrutiny('AWS::SSO::InstanceAccessControlAttributeConfiguration', ResourceScrutinyType.SsoResource);
+ // eslint-disable-next-line prettier/prettier
+ this.setResourceScrutiny('AWS::SSO::InstanceAccessControlAttributeConfiguration', ResourceScrutinyType.SsoInstanceACAConfigResource);
+ this.setResourceScrutiny('AWS::SSO::Assignment', ResourceScrutinyType.SsoAssignmentResource);
+ this.setResourceScrutiny('AWS::SSO::PermissionSet', ResourceScrutinyType.SsoPermissionSet);
 }
 private setResourceScrutiny(cfnType: string, scrutiny: ResourceScrutinyType) {
diff --git a/packages/@aws-cdk/service-spec-types/src/types/resource.ts b/packages/@aws-cdk/service-spec-types/src/types/resource.ts
index eaeae9024..1233f1847 100644
--- a/packages/@aws-cdk/service-spec-types/src/types/resource.ts
+++ b/packages/@aws-cdk/service-spec-types/src/types/resource.ts
@@ -402,9 +402,25 @@ export enum ResourceScrutinyType {
 EgressRuleResource = 'EgressRuleResource',
 /**
- * SsoResource
+ * AWS::SSO::Assignment
+ *
+ * IAM Identity Center (formerly known as SSO)
+ */
+ SsoAssignmentResource = 'SsoAssignmentResource',
+
+ /**
+ * AWS::SSO::InstanceAccessControlAttributeConfiguration
+ *
+ * IAM Identity Center (formerly known as SSO)
+ */
+ SsoInstanceACAConfigResource = 'SsoInstanceACAConfigResource',
+
+ /**
+ * AWS::SSO::PermissionSet
+ *
+ * IAM Identity Center (formerly known as SSO)
 */
- SsoResource = 'SsoResource',
+ SsoPermissionSet = 'SsoPermissionSet',
 }
 /**
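Review bot: The `// eslint-disable-next-line prettier/prettier` added above the `AWS::SSO::InstanceAccessControlAttributeConfiguration` registration silences the formatter rather than satisfying it; putting the two arguments of that `setResourceScrutiny` call on their own lines keeps the rule enabled and removes the reason for reordering the three registrations. Keeping the registrations in the same order as the enum members they reference also makes the type-to-scrutiny mapping easier to audit. Since these calls are presumably what marks the Identity Center resources as worth scrutiny when a template changes, a short comment on why each of the three types is listed, e.g. `// assignments and permission sets control who gets which access in member accounts`, would help a reader who does not know the SSO resource model.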
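Review bot: `SsoPermissionSet` breaks the suffix convention that its two new siblings and the surrounding enum follow (`SsoAssignmentResource`, `SsoInstanceACAConfigResource`, `EgressRuleResource`); renaming it `SsoPermissionSetResource = 'SsoPermissionSetResource',` keeps the enum self-consistent, with the matching `setResourceScrutiny('AWS::SSO::PermissionSet', …)` call in scrutinies.ts updated in the same commit. The three new doc comments only restate the CloudFormation type name and the Identity Center rename, whereas the existing member describes what the resource is (`A set of egress rules`); one sentence each on what the resource grants or controls would tell a reader why a change to it deserves scrutiny. Because the string values are the enum's serialized form, renaming is a visible change for anything consuming the published spec, so it is best settled now while the series is still marked in progress.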