-
Notifications
You must be signed in to change notification settings - Fork 1k
Expand file tree
/
Copy pathlambda-verified-permissions-stack.ts
More file actions
71 lines (63 loc) · 2.75 KB
/
Copy pathlambda-verified-permissions-stack.ts
File metadata and controls
71 lines (63 loc) · 2.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
import * as cdk from 'aws-cdk-lib';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as verifiedpermissions from 'aws-cdk-lib/aws-verifiedpermissions';
import { Construct } from 'constructs';
export class LambdaVerifiedPermissionsStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// Create policy store with Cedar schema
const policyStore = new verifiedpermissions.CfnPolicyStore(this, 'PolicyStore', {
validationSettings: { mode: 'STRICT' },
schema: {
cedarJson: JSON.stringify({
'MyApp': {
entityTypes: {
User: { shape: { type: 'Record', attributes: { role: { type: 'String' } } } },
Document: { shape: { type: 'Record', attributes: { owner: { type: 'String' }, classification: { type: 'String' } } } }
},
actions: {
Read: { appliesTo: { principalTypes: ['User'], resourceTypes: ['Document'] } },
Write: { appliesTo: { principalTypes: ['User'], resourceTypes: ['Document'] } },
Delete: { appliesTo: { principalTypes: ['User'], resourceTypes: ['Document'] } }
}
}
})
}
});
// Create policies
new verifiedpermissions.CfnPolicy(this, 'AdminPolicy', {
policyStoreId: policyStore.attrPolicyStoreId,
definition: {
static: {
statement: 'permit(principal, action, resource) when { principal.role == "admin" };',
description: 'Admins can perform any action'
}
}
});
new verifiedpermissions.CfnPolicy(this, 'ReaderPolicy', {
policyStoreId: policyStore.attrPolicyStoreId,
definition: {
static: {
statement: 'permit(principal, action == MyApp::Action::"Read", resource) when { principal.role == "reader" };',
description: 'Readers can only read documents'
}
}
});
// Lambda authorizer function
const authFn = new lambda.Function(this, 'AuthorizerFn', {
runtime: lambda.Runtime.NODEJS_22_X,
handler: 'index.handler',
code: lambda.Code.fromAsset('src'),
environment: { POLICY_STORE_ID: policyStore.attrPolicyStoreId },
timeout: cdk.Duration.seconds(10)
});
authFn.addToRolePolicy(new iam.PolicyStatement({
actions: ['verifiedpermissions:IsAuthorized'],
resources: [`arn:aws:verifiedpermissions::${this.account}:policy-store/${policyStore.attrPolicyStoreId}`]
}));
const fnUrl = authFn.addFunctionUrl({ authType: lambda.FunctionUrlAuthType.AWS_IAM });
new cdk.CfnOutput(this, 'FunctionUrl', { value: fnUrl.url });
new cdk.CfnOutput(this, 'PolicyStoreId', { value: policyStore.attrPolicyStoreId });
}
}