Adds latest IAM updates from AWS

CHANGELOG/v0.661.0.md

@@ -0,0 +1,21 @@
+**New actions:**
+
+- apigateway:CreateAccessAssociation
+- apigateway:RejectAccessAssociation
+- apigateway:UpdateDomainNameManagementPolicy
+- apigateway:UpdateDomainNamePolicy
+- imagebuilder:ImportDiskImage
+- medialive:ListVersions
+
+**New resource types:**
+
+- apigateway:DomainNameAccessAssociation
+- apigateway:DomainNameAccessAssociations
+- apigateway:PrivateBasePathMapping
+- apigateway:PrivateBasePathMappings
+- apigateway:PrivateDomainName
+
+**New condition keys:**
+
+- apigateway:Request/AccessAssociationSource
+- apigateway:Request/DomainNameArn

README.md

@@ -17,9 +17,9 @@
 Support for:
 
 - 417 Services
-- 18178 Actions
-- 1948 Resource Types
-- 1897 Condition keys
+- 18184 Actions
+- 1953 Resource Types
+- 1899 Condition keys
 <!-- /stats -->
 
 ![EXPERIMENTAL](https://img.shields.io/badge/stability-experimantal-orange?style=for-the-badge)**<br>This is an early version of the package. The API will change while I implement new features. Therefore make sure you use an exact version in your `package.json` before it reaches 1.0.0.**

VERSION

@@ -1 +1 @@
-0.660.0
+0.661.0

docs/source/conf.py

@@ -24,7 +24,7 @@
 author = 'Daniel Schroeder'
 
 # The full version, including alpha/beta/rc tags
-release = '0.660.0'
+release = '0.661.0'
 
 # -- General configuration ---------------------------------------------------
 

docs/source/index.rst

@@ -31,9 +31,9 @@ AWS IAM policy statement generator with fluent interface.
 Support for:
 
 - 417 Services
-- 18178 Actions
-- 1948 Resource Types
-- 1897 Condition keys
+- 18184 Actions
+- 1953 Resource Types
+- 1899 Condition keys
 
 ..
    /stats

lib/generated/policy-statements/apigatewaymanagement.ts

@@ -29,6 +29,17 @@ export class Apigateway extends PolicyStatement {
     return this.to('AddCertificateToDomain');
   }
 
+  /**
+   * Grants permission to create an access association from an access association source to a custom domain name for private APIs
+   *
+   * Access Level: Permissions management
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html
+   */
+  public toCreateAccessAssociation() {
+    return this.to('CreateAccessAssociation');
+  }
+
   /**
    * Grants permission to delete a particular resource
    *
@@ -100,6 +111,17 @@ export class Apigateway extends PolicyStatement {
     return this.to('PUT');
   }
 
+  /**
+   * Grants permission to reject an existing access association owned by another account to a custom domain name for private APIs
+   *
+   * Access Level: Permissions management
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html
+   */
+  public toRejectAccessAssociation() {
+    return this.to('RejectAccessAssociation');
+  }
+
   /**
    * Grants permission to remove certificates for mutual TLS authentication from a domain name. This is an additional authorization control for managing the DomainName resource due to the sensitive nature of mTLS
    *
@@ -122,6 +144,28 @@ export class Apigateway extends PolicyStatement {
     return this.to('SetWebACL');
   }
 
+  /**
+   * Grants permission to update the management policy of a custom domain name for private APIs
+   *
+   * Access Level: Permissions management
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html
+   */
+  public toUpdateDomainNameManagementPolicy() {
+    return this.to('UpdateDomainNameManagementPolicy');
+  }
+
+  /**
+   * Grants permission to update the invoke policy of a custom domain name for private APIs
+   *
+   * Access Level: Permissions management
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html
+   */
+  public toUpdateDomainNamePolicy() {
+    return this.to('UpdateDomainNamePolicy');
+  }
+
   /**
    * Grants permission to manage the IAM resource policy for an API. This is an additional authorization control for managing an API due to the sensitive nature of the resource policy
    *
@@ -136,8 +180,12 @@ export class Apigateway extends PolicyStatement {
   protected accessLevelList: AccessLevelList = {
     'Permissions management': [
       'AddCertificateToDomain',
+      'CreateAccessAssociation',
+      'RejectAccessAssociation',
       'RemoveCertificateFromDomain',
       'SetWebACL',
+      'UpdateDomainNameManagementPolicy',
+      'UpdateDomainNamePolicy',
       'UpdateRestApiPolicy'
     ],
     Write: [
@@ -440,6 +488,40 @@ export class Apigateway extends PolicyStatement {
     return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/domainnames`);
   }
 
+  /**
+   * Adds a resource of type DomainNameAccessAssociation to the statement
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_DomainNameAccessAssociation.html
+   *
+   * @param domainName - Identifier for the domainName.
+   * @param sourceType - Identifier for the sourceType.
+   * @param sourceId - Identifier for the sourceId.
+   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
+   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
+   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+   */
+  public onDomainNameAccessAssociation(domainName: string, sourceType: string, sourceId: string, account?: string, region?: string, partition?: string) {
+    return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:/domainnameaccessassociations/domainname/${ domainName }/${ sourceType }/${ sourceId }`);
+  }
+
+  /**
+   * Adds a resource of type DomainNameAccessAssociations to the statement
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_DomainNameAccessAssociation.html
+   *
+   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
+   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
+   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+   *
+   * Possible conditions:
+   * - .ifRequestAccessAssociationSource()
+   * - .ifRequestDomainNameArn()
+   * - .ifAwsResourceTag()
+   */
+  public onDomainNameAccessAssociations(account?: string, region?: string, partition?: string) {
+    return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:/domainnameaccessassociations`);
+  }
+
   /**
    * Adds a resource of type GatewayResponse to the statement
    *
@@ -584,6 +666,61 @@ export class Apigateway extends PolicyStatement {
     return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/restapis/${ restApiId }/models`);
   }
 
+  /**
+   * Adds a resource of type PrivateBasePathMapping to the statement
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_BasePathMapping.html
+   *
+   * @param domainName - Identifier for the domainName.
+   * @param domainIdentifier - Identifier for the domainIdentifier.
+   * @param basePath - Identifier for the basePath.
+   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
+   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+   *
+   * Possible conditions:
+   * - .ifAwsResourceTag()
+   */
+  public onPrivateBasePathMapping(domainName: string, domainIdentifier: string, basePath: string, region?: string, partition?: string) {
+    return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/domainnames/${ domainName }+${ domainIdentifier }/basepathmappings/${ basePath }`);
+  }
+
+  /**
+   * Adds a resource of type PrivateBasePathMappings to the statement
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_BasePathMapping.html
+   *
+   * @param domainName - Identifier for the domainName.
+   * @param domainIdentifier - Identifier for the domainIdentifier.
+   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
+   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+   *
+   * Possible conditions:
+   * - .ifAwsResourceTag()
+   */
+  public onPrivateBasePathMappings(domainName: string, domainIdentifier: string, region?: string, partition?: string) {
+    return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/domainnames/${ domainName }+${ domainIdentifier }/basepathmappings`);
+  }
+
+  /**
+   * Adds a resource of type PrivateDomainName to the statement
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/api/API_DomainName.html
+   *
+   * @param domainName - Identifier for the domainName.
+   * @param domainIdentifier - Identifier for the domainIdentifier.
+   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
+   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
+   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+   *
+   * Possible conditions:
+   * - .ifRequestEndpointType()
+   * - .ifResourceEndpointType()
+   * - .ifAwsResourceTag()
+   */
+  public onPrivateDomainName(domainName: string, domainIdentifier: string, account?: string, region?: string, partition?: string) {
+    return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:/domainnames/${ domainName }+${ domainIdentifier }`);
+  }
+
   /**
    * Adds a resource of type RequestValidator to the statement
    *
@@ -883,6 +1020,21 @@ export class Apigateway extends PolicyStatement {
     return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/tags/${ urlEncodedResourceARN }`);
   }
 
+  /**
+   * Filters access by access association source. Available during the CreateDomainNameAccessAssociation operation
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html
+   *
+   * Applies to resource types:
+   * - DomainNameAccessAssociations
+   *
+   * @param value The value(s) to check
+   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
+   */
+  public ifRequestAccessAssociationSource(value: string | string[], operator?: Operator | string) {
+    return this.if(`Request/AccessAssociationSource`, value, operator ?? 'StringLike');
+  }
+
   /**
    * Filters access by access log destination. Available during the CreateStage and UpdateStage operations
    *
@@ -998,6 +1150,21 @@ export class Apigateway extends PolicyStatement {
     return this.if(`Request/DisableExecuteApiEndpoint`, (typeof value !== 'undefined' ? value : true), 'Bool');
   }
 
+  /**
+   * Filters access by domain name ARN. Available during the CreateDomainNameAccessAssociation operation
+   *
+   * https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html
+   *
+   * Applies to resource types:
+   * - DomainNameAccessAssociations
+   *
+   * @param value The value(s) to check
+   * @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike`
+   */
+  public ifRequestDomainNameArn(value: string | string[], operator?: Operator | string) {
+    return this.if(`Request/DomainNameArn`, value, operator ?? 'ArnLike');
+  }
+
   /**
    * Filters access by endpoint type. Available during the CreateDomainName, UpdateDomainName, CreateRestApi, and UpdateRestApi operations
    *
@@ -1006,6 +1173,7 @@ export class Apigateway extends PolicyStatement {
    * Applies to resource types:
    * - DomainName
    * - DomainNames
+   * - PrivateDomainName
    * - RestApi
    * - RestApis
    *
@@ -1209,6 +1377,7 @@ export class Apigateway extends PolicyStatement {
    *
    * Applies to resource types:
    * - DomainName
+   * - PrivateDomainName
    * - RestApi
    *
    * @param value The value(s) to check
@@ -1320,6 +1489,7 @@ export class Apigateway extends PolicyStatement {
    * - DocumentationVersions
    * - DomainName
    * - DomainNames
+   * - DomainNameAccessAssociations
    * - GatewayResponse
    * - GatewayResponses
    * - Integration
@@ -1328,6 +1498,9 @@ export class Apigateway extends PolicyStatement {
    * - MethodResponse
    * - Model
    * - Models
+   * - PrivateBasePathMapping
+   * - PrivateBasePathMappings
+   * - PrivateDomainName
    * - RequestValidator
    * - RequestValidators
    * - Resource

lib/generated/policy-statements/ec2imagebuilder.ts

@@ -516,6 +516,26 @@ export class Imagebuilder extends PolicyStatement {
     return this.to('ImportComponent');
   }
 
+  /**
+   * Grants permission to import a disk image
+   *
+   * Access Level: Write
+   *
+   * Dependent actions:
+   * - iam:CreateServiceLinkedRole
+   * - iam:PassRole
+   * - imagebuilder:GetInfrastructureConfiguration
+   * - imagebuilder:GetWorkflow
+   * - imagebuilder:TagResource
+   * - s3:GetObject
+   * - s3:ListBucket
+   *
+   * https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImportDiskImage.html
+   */
+  public toImportDiskImage() {
+    return this.to('ImportDiskImage');
+  }
+
   /**
    * Grants permission to import an image
    *
@@ -963,6 +983,7 @@ export class Imagebuilder extends PolicyStatement {
       'DeleteLifecyclePolicy',
       'DeleteWorkflow',
       'ImportComponent',
+      'ImportDiskImage',
       'ImportVmImage',
       'SendWorkflowStepAction',
       'StartImagePipelineExecution',
@@ -1316,6 +1337,7 @@ export class Imagebuilder extends PolicyStatement {
    * - .toCreateLifecyclePolicy()
    * - .toCreateWorkflow()
    * - .toImportComponent()
+   * - .toImportDiskImage()
    * - .toImportVmImage()
    * - .toTagResource()
    *
@@ -1378,6 +1400,7 @@ export class Imagebuilder extends PolicyStatement {
    * - .toCreateLifecyclePolicy()
    * - .toCreateWorkflow()
    * - .toImportComponent()
+   * - .toImportDiskImage()
    * - .toImportVmImage()
    * - .toTagResource()
    * - .toUntagResource()

lib/generated/policy-statements/elementalmedialive.ts

@@ -972,6 +972,17 @@ export class Medialive extends PolicyStatement {
     return this.to('ListTagsForResource');
   }
 
+  /**
+   * Grants permission to list available versions of MediaLive
+   *
+   * Access Level: List
+   *
+   * https://docs.aws.amazon.com/medialive/latest/ug/medialive-versions.html
+   */
+  public toListVersions() {
+    return this.to('ListVersions');
+  }
+
   /**
    * Grants permission to the node to poll the cluster
    *
@@ -1508,7 +1519,8 @@ export class Medialive extends PolicyStatement {
       'ListOfferings',
       'ListReservations',
       'ListSignalMaps',
-      'ListTagsForResource'
+      'ListTagsForResource',
+      'ListVersions'
     ]
   };