77 lines
3.1 KiB
TypeScript
77 lines
3.1 KiB
TypeScript
import type { Construct } from 'constructs';
|
|
import type { IBucket } from './bucket';
|
|
import type { BucketPolicyReference, IBucketPolicyRef } from './s3.generated';
|
|
import { CfnBucketPolicy } from './s3.generated';
|
|
import { PolicyDocument } from '../../aws-iam';
|
|
import type { RemovalPolicy } from '../../core';
|
|
import { Resource } from '../../core';
|
|
export interface BucketPolicyProps {
|
|
/**
|
|
* The Amazon S3 bucket that the policy applies to.
|
|
*/
|
|
readonly bucket: IBucket;
|
|
/**
|
|
* Policy to apply when the policy is removed from this stack.
|
|
*
|
|
* @default - RemovalPolicy.DESTROY.
|
|
*/
|
|
readonly removalPolicy?: RemovalPolicy;
|
|
/**
|
|
* Policy document to apply to the bucket.
|
|
*
|
|
* @default - A new empty PolicyDocument will be created.
|
|
*/
|
|
readonly document?: PolicyDocument;
|
|
}
|
|
/**
|
|
* The bucket policy for an Amazon S3 bucket
|
|
*
|
|
* Policies define the operations that are allowed on this resource.
|
|
*
|
|
* You almost never need to define this construct directly.
|
|
*
|
|
* All AWS resources that support resource policies have a method called
|
|
* `addToResourcePolicy()`, which will automatically create a new resource
|
|
* policy if one doesn't exist yet, otherwise it will add to the existing
|
|
* policy.
|
|
*
|
|
* The bucket policy method is implemented differently than `addToResourcePolicy()`
|
|
* as `BucketPolicy()` creates a new policy without knowing one earlier existed.
|
|
* e.g. if during Bucket creation, if `autoDeleteObject:true`, these policies are
|
|
* added to the bucket policy:
|
|
* ["s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy"],
|
|
* and when you add a new BucketPolicy with ["s3:GetObject", "s3:ListBucket"] on
|
|
* this existing bucket, invoking `BucketPolicy()` will create a new Policy
|
|
* without knowing one earlier exists already, so it creates a new one.
|
|
* In this case, the custom resource handler will not have access to
|
|
* `s3:GetBucketTagging` action which will cause failure during deletion of stack.
|
|
*
|
|
* Hence its strongly recommended to use `addToResourcePolicy()` method to add
|
|
* new permissions to existing policy.
|
|
*
|
|
*/
|
|
export declare class BucketPolicy extends Resource implements IBucketPolicyRef {
|
|
/** Uniquely identifies this class. */
|
|
static readonly PROPERTY_INJECTION_ID: string;
|
|
/**
|
|
* Create a mutable `BucketPolicy` from a `CfnBucketPolicy`.
|
|
*/
|
|
static fromCfnBucketPolicy(cfnBucketPolicy: CfnBucketPolicy): BucketPolicy;
|
|
readonly bucketPolicyRef: BucketPolicyReference;
|
|
/**
|
|
* A policy document containing permissions to add to the specified bucket.
|
|
* For more information, see Access Policy Language Overview in the Amazon
|
|
* Simple Storage Service Developer Guide.
|
|
*/
|
|
readonly document: PolicyDocument;
|
|
/** The Bucket this Policy applies to. */
|
|
readonly bucket: IBucket;
|
|
private resource;
|
|
constructor(scope: Construct, id: string, props: BucketPolicyProps);
|
|
/**
|
|
* Sets the removal policy for the BucketPolicy.
|
|
* @param removalPolicy the RemovalPolicy to set.
|
|
*/
|
|
applyRemovalPolicy(removalPolicy: RemovalPolicy): void;
|
|
}
|