fix(iam): fix managed policies for User (#3221)

Fix adding managed policies to a User upon creation. Rename the
property for `Group`s.

Fixes #2557.

BREAKING CHANGE: `aws-iam.User` and `Group`: `managedPolicyArns` =>
`managedPolicies`.

Author: rix0rrr

allowed-breaking-changes.txt

@@ -8,3 +8,5 @@ removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationLoadBalancer.metricIPv6Pr
 removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationLoadBalancer.metricIPv6RequestCount
 removed:@aws-cdk/aws-elasticloadbalancingv2.ApplicationTargetGroup.metricIPv6RequestCount
 removed:@aws-cdk/core.Fn.getAZs
+removed:@aws-cdk/aws-iam.UserProps.managedPolicyArns
+removed:@aws-cdk/aws-iam.GroupProps.managedPolicyArns

packages/@aws-cdk/aws-iam/lib/group.ts

@@ -40,11 +40,13 @@ export interface GroupProps {
   readonly groupName?: string;
 
   /**
-   * A list of ARNs for managed policies associated with group.
+   * A list managed policies associated with this role.
+   *
+   * You can add managed policies later using `attachManagedPolicy(policy)`.
    *
    * @default - No managed policies.
    */
-  readonly managedPolicyArns?: any[];
+  readonly managedPolicies?: IManagedPolicy[];
 
   /**
    * The path to the group. For more information about paths, see [IAM
@@ -130,7 +132,7 @@ export class Group extends GroupBase {
       physicalName: props.groupName,
     });
 
-    this.managedPolicies.push(...props.managedPolicyArns || []);
+    this.managedPolicies.push(...props.managedPolicies || []);
 
     const group = new CfnGroup(this, 'Resource', {
       groupName: this.physicalName,

packages/@aws-cdk/aws-iam/lib/role.ts

@@ -30,7 +30,8 @@ export interface RoleProps {
   readonly externalId?: string;
 
   /**
-   * A list of ARNs for managed policies associated with this role.
+   * A list of managed policies associated with this role.
+   *
    * You can add managed policies later using `attachManagedPolicy(arn)`.
    *
    * @default - No managed policies.

packages/@aws-cdk/aws-iam/lib/user.ts

@@ -24,12 +24,13 @@ export interface UserProps {
   readonly groups?: IGroup[];
 
   /**
-   * A list of ARNs for managed policies attacherd to this user.
-   * You can use `addManagedPolicy(arn)` to attach a managed policy to this user.
+   * A list managed policies associated with this role.
+   *
+   * You can add managed policies later using `attachManagedPolicy(policy)`.
    *
    * @default - No managed policies.
    */
-  readonly managedPolicyArns?: any[];
+  readonly managedPolicies?: IManagedPolicy[];
 
   /**
    * The path for the user name. For more information about paths, see IAM
@@ -108,6 +109,8 @@ export class User extends Resource implements IIdentity {
       physicalName: props.userName,
     });
 
+    this.managedPolicies.push(...props.managedPolicies || []);
+
     const user = new CfnUser(this, 'Resource', {
       userName: this.physicalName,
       groups: undefinedIfEmpty(() => this.groups),

packages/@aws-cdk/aws-iam/test/test.group.ts

@@ -1,7 +1,7 @@
-import { expect } from '@aws-cdk/assert';
+import { expect, haveResource } from '@aws-cdk/assert';
 import { App, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { Group, User } from '../lib';
+import { Group, ManagedPolicy, User } from '../lib';
 
 export = {
   'default group'(test: Test) {
@@ -35,4 +35,23 @@ export = {
          Properties: { Groups: [ { Ref: 'MyGroupCBA54B1B' } ] } } } });
     test.done();
   },
+
+  'create with managed policy'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new Group(stack, 'MyGroup', {
+      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')]
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::IAM::Group', {
+      ManagedPolicyArns: [
+        { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
+      ]
+    }));
+
+    test.done();
+  }
 };

packages/@aws-cdk/aws-iam/test/test.role.ts

@@ -288,5 +288,6 @@ export = {
       Roles: [ "MyRole" ]
     }));
     test.done();
-  }
+  },
+
 };

packages/@aws-cdk/aws-iam/test/test.user.ts

@@ -1,7 +1,7 @@
-import { expect } from '@aws-cdk/assert';
+import { expect, haveResource } from '@aws-cdk/assert';
 import { App, SecretValue, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { User } from '../lib';
+import { ManagedPolicy, User } from '../lib';
 
 export = {
   'default user'(test: Test) {
@@ -32,6 +32,26 @@ export = {
     const app = new App();
     const stack = new Stack(app, 'MyStack');
     test.throws(() => new User(stack, 'MyUser', { passwordResetRequired: true }));
+    test.done();
+  },
+
+  'create with managed policy'(test: Test) {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'MyStack');
+
+    // WHEN
+    new User(stack, 'MyUser', {
+      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('asdf')]
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::IAM::User', {
+      ManagedPolicyArns: [
+        { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
+      ]
+    }));
+
     test.done();
   }
 };