refactor(aws-iam): move IAM classes cdk to aws-iam (#866)

Fixes #196

BREAKING CHANGE

This change moves the `PolicyDocument`, `PolicyStatement` and
all `PolicyPrincipal` classes from the @aws-cdk/cdk module
and into the @aws-cdk/aws-iam module.

Author: Elad Ben-Israel

Diff for: examples/cdk-examples-typescript/advanced-usage/index.ts

@@ -16,15 +16,15 @@ class PolicyExample extends cdk.Stack {
     // here's how to create an IAM Role with an assume policy for the Lambda
     // service principal.
     const role = new iam.Role(this, 'Role', {
-      assumedBy: new cdk.ServicePrincipal('lambda.amazon.aws.com')
+      assumedBy: new iam.ServicePrincipal('lambda.amazon.aws.com')
     });
 
     // when you call `addToPolicy`, a default policy is defined and attached
     // to the bucket.
     const bucket = new s3.Bucket(this, 'MyBucket');
 
     // the role also has a policy attached to it.
-    role.addToPolicy(new cdk.PolicyStatement()
+    role.addToPolicy(new iam.PolicyStatement()
       .addResource(bucket.arnForObjects('*'))
       .addResource(bucket.bucketArn)
       .addActions('s3:*'));

Diff for: examples/cdk-examples-typescript/bucket-import-export/index.ts

@@ -25,7 +25,7 @@ class ConsumerConstruct extends cdk.Construct {
   constructor(parent: cdk.Construct, name: string, props: ConsumerConstructProps) {
     super(parent, name);
 
-    props.bucket.addToResourcePolicy(new cdk.PolicyStatement().addAction('*'));
+    props.bucket.addToResourcePolicy(new iam.PolicyStatement().addAction('*'));
   }
 }
 

Diff for: examples/cdk-examples-typescript/sns-sqs/index.ts

@@ -1,3 +1,4 @@
+import iam = require('@aws-cdk/aws-iam');
 import sns = require('@aws-cdk/aws-sns');
 import sqs = require('@aws-cdk/aws-sqs');
 import cdk = require('@aws-cdk/cdk');
@@ -28,8 +29,8 @@ class CFN extends cdk.Stack {
       protocol: 'sqs'
     });
 
-    const policyDocument = new cdk.PolicyDocument();
-    policyDocument.addStatement(new cdk.PolicyStatement()
+    const policyDocument = new iam.PolicyDocument();
+    policyDocument.addStatement(new iam.PolicyStatement()
       .addResource(queue.queueArn)
       .addAction('sqs:SendMessage')
       .addServicePrincipal('sns.amazonaws.com')

Diff for: packages/@aws-cdk/aws-apigateway/lib/integrations/lambda.ts

@@ -1,5 +1,5 @@
+import iam = require('@aws-cdk/aws-iam');
 import lambda = require('@aws-cdk/aws-lambda');
-import cdk = require('@aws-cdk/cdk');
 import { IntegrationOptions } from '../integration';
 import { Method } from '../method';
 import { AwsIntegration } from './aws';
@@ -52,7 +52,7 @@ export class LambdaIntegration extends AwsIntegration {
   }
 
   public bind(method: Method) {
-    const principal = new cdk.ServicePrincipal('apigateway.amazonaws.com');
+    const principal = new iam.ServicePrincipal('apigateway.amazonaws.com');
 
     const desc = `${method.httpMethod}.${method.resource.resourcePath.replace(/\//g, '.')}`;
 

Diff for: packages/@aws-cdk/aws-apigateway/lib/restapi.ts

@@ -66,7 +66,7 @@ export interface RestApiProps extends ResourceOptions {
   /**
    * A policy document that contains the permissions for this RestApi
    */
-  policy?: cdk.PolicyDocument;
+  policy?: iam.PolicyDocument;
 
   /**
    * A description of the purpose of this API Gateway RestApi resource.
@@ -314,7 +314,7 @@ export class RestApi extends RestApiRef implements cdk.IDependable {
 
   private configureCloudWatchRole(apiResource: cloudformation.RestApiResource) {
     const role = new iam.Role(this, 'CloudWatchRole', {
-      assumedBy: new cdk.ServicePrincipal('apigateway.amazonaws.com'),
+      assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com'),
       managedPolicyArns: [ cdk.ArnUtils.fromComponents({
         service: 'iam',
         region: '',

Diff for: packages/@aws-cdk/aws-apigateway/test/test.method.ts

@@ -206,7 +206,7 @@ export = {
     // GIVEN
     const stack = new cdk.Stack();
     const api = new apigateway.RestApi(stack, 'test-api', { deploy: false });
-    const role = new iam.Role(stack, 'MyRole', { assumedBy: new cdk.ServicePrincipal('foo') });
+    const role = new iam.Role(stack, 'MyRole', { assumedBy: new iam.ServicePrincipal('foo') });
 
     // WHEN
     api.root.addMethod('GET', new apigateway.Integration({
@@ -251,7 +251,7 @@ export = {
     // GIVEN
     const stack = new cdk.Stack();
     const api = new apigateway.RestApi(stack, 'test-api', { deploy: false });
-    const role = new iam.Role(stack, 'MyRole', { assumedBy: new cdk.ServicePrincipal('foo') });
+    const role = new iam.Role(stack, 'MyRole', { assumedBy: new iam.ServicePrincipal('foo') });
 
     // WHEN
     const integration = new apigateway.Integration({

Diff for: packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts

@@ -190,7 +190,7 @@ export class AutoScalingGroup extends cdk.Construct implements cdk.ITaggable, el
     }
 
     this.role = new iam.Role(this, 'InstanceRole', {
-      assumedBy: new cdk.ServicePrincipal('ec2.amazonaws.com')
+      assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
     });
 
     const iamProfile = new iam.cloudformation.InstanceProfileResource(this, 'InstanceProfile', {
@@ -302,7 +302,7 @@ export class AutoScalingGroup extends cdk.Construct implements cdk.ITaggable, el
   /**
    * Adds a statement to the IAM role assumed by instances of this fleet.
    */
-  public addToRolePolicy(statement: cdk.PolicyStatement) {
+  public addToRolePolicy(statement: iam.PolicyStatement) {
     this.role.addToPolicy(statement);
   }
 

Diff for: packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts

@@ -1,5 +1,6 @@
 import { expect, haveResource, ResourcePart } from '@aws-cdk/assert';
 import ec2 = require('@aws-cdk/aws-ec2');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { Test } from 'nodeunit';
 import autoscaling = require('../lib');
@@ -137,7 +138,7 @@ export = {
       vpc
     });
 
-    fleet.addToRolePolicy(new cdk.PolicyStatement()
+    fleet.addToRolePolicy(new iam.PolicyStatement()
       .addAction('test:SpecialName')
       .addAllResources());
 

Diff for: packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts

@@ -89,7 +89,7 @@ export class PipelineExecuteChangeSetAction extends PipelineCloudFormationAction
       ChangeSetName: props.changeSetName,
     });
 
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addAction('cloudformation:ExecuteChangeSet')
       .addResource(stackArnFromName(props.stackName))
       .addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName }));
@@ -201,19 +201,19 @@ export abstract class PipelineCloudFormationDeployAction extends PipelineCloudFo
       this.role = props.role;
     } else {
       this.role = new iam.Role(this, 'Role', {
-        assumedBy: new cdk.ServicePrincipal('cloudformation.amazonaws.com')
+        assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com')
       });
 
       if (props.fullPermissions) {
-        this.role.addToPolicy(new cdk.PolicyStatement().addAction('*').addAllResources());
+        this.role.addToPolicy(new iam.PolicyStatement().addAction('*').addAllResources());
       }
     }
   }
 
   /**
    * Add statement to the service role assumed by CloudFormation while executing this action.
    */
-  public addToRolePolicy(statement: cdk.PolicyStatement) {
+  public addToRolePolicy(statement: iam.PolicyStatement) {
     return this.role.addToPolicy(statement);
   }
 }
@@ -254,16 +254,16 @@ export class PipelineCreateReplaceChangeSetAction extends PipelineCloudFormation
 
     const stackArn = stackArnFromName(props.stackName);
     // Allow the pipeline to check for Stack & ChangeSet existence
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addAction('cloudformation:DescribeStacks')
       .addResource(stackArn));
     // Allow the pipeline to create & delete the specified ChangeSet
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addActions('cloudformation:CreateChangeSet', 'cloudformation:DeleteChangeSet', 'cloudformation:DescribeChangeSet')
       .addResource(stackArn)
       .addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName }));
     // Allow the pipeline to pass this actions' role to CloudFormation
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addAction('iam:PassRole')
       .addResource(this.role.roleArn));
   }

Diff for: packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts

@@ -170,11 +170,11 @@ class StageDouble implements cpapi.IStage {
 class RoleDouble extends iam.Role {
   public readonly statements = new Array<PolicyStatementJson>();
 
-  constructor(parent: cdk.Construct, id: string, props: iam.RoleProps = { assumedBy: new cdk.ServicePrincipal('test') }) {
+  constructor(parent: cdk.Construct, id: string, props: iam.RoleProps = { assumedBy: new iam.ServicePrincipal('test') }) {
     super(parent, id, props);
   }
 
-  public addToPolicy(statement: cdk.PolicyStatement) {
+  public addToPolicy(statement: iam.PolicyStatement) {
     super.addToPolicy(statement);
     this.statements.push(statement.toJson());
   }

Diff for: packages/@aws-cdk/aws-cloudtrail/lib/index.ts

@@ -132,12 +132,12 @@ export class CloudTrail extends cdk.Construct {
     const s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.Unencrypted});
     const cloudTrailPrincipal = "cloudtrail.amazonaws.com";
 
-    s3bucket.addToResourcePolicy(new cdk.PolicyStatement()
+    s3bucket.addToResourcePolicy(new iam.PolicyStatement()
       .addResource(s3bucket.bucketArn)
       .addActions('s3:GetBucketAcl')
       .addServicePrincipal(cloudTrailPrincipal));
 
-    s3bucket.addToResourcePolicy(new cdk.PolicyStatement()
+    s3bucket.addToResourcePolicy(new iam.PolicyStatement()
       .addResource(s3bucket.arnForObjects(new cdk.FnConcat('/AWSLogs/', new cdk.AwsAccountId())))
       .addActions("s3:PutObject")
       .addServicePrincipal(cloudTrailPrincipal)
@@ -149,10 +149,10 @@ export class CloudTrail extends cdk.Construct {
       });
       this.cloudWatchLogsGroupArn = logGroup.logGroupArn;
 
-      const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new cdk.ServicePrincipal(cloudTrailPrincipal) });
+      const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
 
       const streamArn = `${this.cloudWatchLogsRoleArn}:log-stream:*`;
-      logsRole.addToPolicy(new cdk.PolicyStatement()
+      logsRole.addToPolicy(new iam.PolicyStatement()
         .addActions("logs:PutLogEvents", "logs:CreateLogStream")
         .addResource(streamArn));
       this.cloudWatchLogsRoleArn = logsRole.roleArn;

Diff for: packages/@aws-cdk/aws-cloudwatch/lib/metric.ts

@@ -90,7 +90,7 @@ export class Metric {
   public static grantPutMetricData(identity?: iam.IIdentityResource) {
     if (!identity) { return; }
 
-    identity.addToPolicy(new cdk.PolicyStatement()
+    identity.addToPolicy(new iam.PolicyStatement()
       .addAllResources()
       .addAction("cloudwatch:PutMetricData"));
   }

Diff for: packages/@aws-cdk/aws-cloudwatch/test/test.metrics.ts

@@ -9,7 +9,7 @@ export = {
     // GIVEN
     const stack = new cdk.Stack();
     const role = new iam.Role(stack, 'SomeRole', {
-      assumedBy: new cdk.Anyone()
+      assumedBy: new iam.Anyone()
     });
 
     // WHEN

Diff for: packages/@aws-cdk/aws-codebuild/lib/pipeline-actions.ts

@@ -1,4 +1,5 @@
 import codepipeline = require('@aws-cdk/aws-codepipeline-api');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { ProjectRef } from './project';
 
@@ -53,7 +54,7 @@ export class PipelineBuildAction extends codepipeline.BuildAction {
       'codebuild:StopBuild',
     ];
 
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addResource(props.project.projectArn)
       .addActions(...actions));
 

Diff for: packages/@aws-cdk/aws-codebuild/lib/project.ts

@@ -279,10 +279,10 @@ export abstract class ProjectRef extends cdk.Construct implements events.IEventR
   public asEventRuleTarget(_ruleArn: string, _ruleId: string): events.EventRuleTargetProps {
     if (!this.eventsRole) {
       this.eventsRole = new iam.Role(this, 'EventsRole', {
-        assumedBy: new cdk.ServicePrincipal('events.amazonaws.com')
+        assumedBy: new iam.ServicePrincipal('events.amazonaws.com')
       });
 
-      this.eventsRole.addToPolicy(new cdk.PolicyStatement()
+      this.eventsRole.addToPolicy(new iam.PolicyStatement()
         .addAction('codebuild:StartBuild')
         .addResource(this.projectArn));
     }
@@ -446,7 +446,7 @@ export class Project extends ProjectRef {
     }
 
     this.role = props.role || new iam.Role(this, 'Role', {
-      assumedBy: new cdk.ServicePrincipal('codebuild.amazonaws.com')
+      assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com')
     });
 
     let cache: cloudformation.ProjectResource.ProjectCacheProperty | undefined;
@@ -515,7 +515,7 @@ export class Project extends ProjectRef {
    * Add a permission only if there's a policy attached.
    * @param statement The permissions statement to add
    */
-  public addToRolePolicy(statement: cdk.PolicyStatement) {
+  public addToRolePolicy(statement: iam.PolicyStatement) {
     if (this.role) {
       this.role.addToPolicy(statement);
     }
@@ -531,7 +531,7 @@ export class Project extends ProjectRef {
 
     const logGroupStarArn = `${logGroupArn}:*`;
 
-    const p = new cdk.PolicyStatement();
+    const p = new iam.PolicyStatement();
     p.allow();
     p.addResource(logGroupArn);
     p.addResource(logGroupStarArn);

Diff for: packages/@aws-cdk/aws-codebuild/lib/source.ts

@@ -1,4 +1,5 @@
 import codecommit = require('@aws-cdk/aws-codecommit');
+import iam = require('@aws-cdk/aws-iam');
 import s3 = require('@aws-cdk/aws-s3');
 import cdk = require('@aws-cdk/cdk');
 import { cloudformation } from './codebuild.generated';
@@ -43,7 +44,7 @@ export class CodeCommitSource extends BuildSource {
 
   public bind(project: Project) {
     // https://docs.aws.amazon.com/codebuild/latest/userguide/setting-up.html
-    project.addToRolePolicy(new cdk.PolicyStatement()
+    project.addToRolePolicy(new iam.PolicyStatement()
       .addAction('codecommit:GitPull')
       .addResource(this.repo.repositoryArn));
   }

Diff for: packages/@aws-cdk/aws-codecommit/lib/pipeline-action.ts

@@ -1,4 +1,5 @@
 import codepipeline = require('@aws-cdk/aws-codepipeline-api');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 import { RepositoryRef } from './repository';
 
@@ -63,7 +64,7 @@ export class PipelineSourceAction extends codepipeline.SourceAction {
       'codecommit:CancelUploadArchive',
     ];
 
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addResource(props.repository.repositoryArn)
       .addActions(...actions));
   }

Diff for: packages/@aws-cdk/aws-codedeploy/lib/deployment-group.ts

@@ -1,9 +1,9 @@
 import autoscaling = require("@aws-cdk/aws-autoscaling");
 import codedeploylb = require("@aws-cdk/aws-codedeploy-api");
 import ec2 = require("@aws-cdk/aws-ec2");
+import iam = require('@aws-cdk/aws-iam');
 import s3 = require("@aws-cdk/aws-s3");
 import cdk = require("@aws-cdk/cdk");
-import iam = require("../../aws-iam/lib/role");
 import { ServerApplication, ServerApplicationRef } from "./application";
 import { cloudformation } from './codedeploy.generated';
 import { IServerDeploymentConfig, ServerDeploymentConfig } from "./deployment-config";
@@ -174,7 +174,7 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupRef {
     this.application = props.application || new ServerApplication(this, 'Application');
 
     this.role = props.role || new iam.Role(this, 'Role', {
-      assumedBy: new cdk.ServicePrincipal('codedeploy.amazonaws.com'),
+      assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),
       managedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole'],
     });
 

Diff for: packages/@aws-cdk/aws-codedeploy/lib/pipeline-action.ts

@@ -1,4 +1,5 @@
 import actions = require('@aws-cdk/aws-codepipeline-api');
+import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/cdk');
 
 /**
@@ -49,7 +50,7 @@ export class PipelineDeployAction extends actions.DeployAction {
       resourceName: props.applicationName,
       sep: ':',
     });
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addResource(applicationArn)
       .addActions(
         'codedeploy:GetApplicationRevision',
@@ -62,7 +63,7 @@ export class PipelineDeployAction extends actions.DeployAction {
       resourceName: `${props.applicationName}/${props.deploymentGroupName}`,
       sep: ':',
     });
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addResource(deploymentGroupArn)
       .addActions(
         'codedeploy:CreateDeployment',
@@ -75,7 +76,7 @@ export class PipelineDeployAction extends actions.DeployAction {
       resourceName: '*',
       sep: ':',
     });
-    props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
+    props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement()
       .addResource(deployConfigArn)
       .addActions(
         'codedeploy:GetDeploymentConfig',

Diff for: packages/@aws-cdk/aws-codedeploy/package.json

@@ -63,6 +63,7 @@
   },
   "dependencies": {
     "@aws-cdk/aws-autoscaling": "^0.10.0",
+    "@aws-cdk/aws-iam": "^0.10.0",
     "@aws-cdk/aws-codedeploy-api": "^0.10.0",
     "@aws-cdk/aws-codepipeline-api": "^0.10.0",
     "@aws-cdk/aws-s3": "^0.10.0",