Fugue.AWS.IAM.Typed.Policy

Policy documents are described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html

Table of Contents

Module Members

allow

(Function)

Construct a Statement allowing Actions for given Resources.

Example:

allow {
  actions:    [ "s3:ListBucket" ],
  resources:  [ "arn:aws:s3:::example_bucket" ],
  conditions: [ numericLessThanEquals("s3:max-keys", 10.0) ]
  }

Type Signature

 fun { sid: Optional<SId>,
       principals: Optional<List<Wildcard<Entry>>>,
       notPrincipals: Optional<List<Wildcard<Entry>>>,
       actions: Optional<List<String>>,
       notActions: Optional<List<String>>,
       resources: Optional<List<String>>,
       notResources: Optional<List<String>>,
       conditions: Optional<List<Entry>> } -> Statement
Argument: sid

optional statement identifier

Type: Optional<SId>

Argument: principals

optional list of principals that this applies to (can’t set both principals and notPrincipals)

Type: Optional<List<Wildcard<Entry>>>

Argument: notPrincipals

optional list of principals this this doesn’t apply to

Type: Optional<List<Wildcard<Entry>>>

Argument: actions

actions this applies to (must set either actions/notActions but not both)

Type: Optional<List<String>>

Argument: notActions

actions this does not apply to

Type: Optional<List<String>>

Argument: resources

resources this applies to (must set either resources/notResources but not both)

Type: Optional<List<String>>

Argument: notResources

resources this does not apply to

Type: Optional<List<String>>

Argument: conditions

optional conditions under which this applies

Type: Optional<List<Entry>>

Returns:

new allow statement

Type: Statement

aws

(Function)

Construct an AWS entry from a Ludwig.List of Ids.

Example:

principals: [ aws ["123456789012"] ],

Type Signature

 fun (List<Id>) -> Wildcard<Entry>
Argument: ids

list of aws principals

Type: List<Id>

Returns:

specific(non-wildcard) list of aws principals

Type: Wildcard<Entry>

deny

(Function)

Construct a Statement denying Actions for given Resources.

Example:

deny {
  sid: "ExplicitDenyIfNotTheOwner",
  actions: [
    "datapipeline:ActivatePipeline",
    "datapipeline:AddTags",
    ],
  resources: [ "*" ],
  conditions: [ stringNotEquals("datapipeline:PipelineCreator", "${aws:userid}") ]
  }

Type Signature

 fun { sid: Optional<SId>,
       principals: Optional<List<Wildcard<Entry>>>,
       notPrincipals: Optional<List<Wildcard<Entry>>>,
       actions: Optional<List<String>>,
       notActions: Optional<List<String>>,
       resources: Optional<List<String>>,
       notResources: Optional<List<String>>,
       conditions: Optional<List<Entry>> } -> Statement
Argument: sid

optional statement identifier

Type: Optional<SId>

Argument: principals

optional list of principals that this applies to (can’t set both principals and notPrincipals)

Type: Optional<List<Wildcard<Entry>>>

Argument: notPrincipals

optional list of principals this this doesn’t apply to

Type: Optional<List<Wildcard<Entry>>>

Argument: actions

actions this applies to (must set either actions/notActions but not both)

Type: Optional<List<String>>

Argument: notActions

actions this does not apply to

Type: Optional<List<String>>

Argument: resources

resources this applies to (must set either resources/notResources but not both)

Type: Optional<List<String>>

Argument: notResources

resources this does not apply to

Type: Optional<List<String>>

Argument: conditions

optional conditions under which this applies

Type: Optional<List<Entry>>

Returns:

new deny statement

Type: Statement

docFromString

(Function)

Convert a Ludwig.String value to an Optional<Document>. None indicates failure.

Type Signature

 fun (String) -> Optional<Document>
Argument: x
Type: String
Returns:
Type: Optional<Document>

docIsValid

(Function)

ensure policy document is valid

Type Signature

 fun (Document) -> Validation
Argument: doc
Type: Document
Returns:
Type: Validation

docToString

(Function)

Convert a Document to a Ludwig.String value.

Type Signature

 fun (Document) -> String
Argument: x
Type: Document
Returns:
Type: String

federated

(Function)

Construct a Federated entry from a Ludwig.List of Ids.

Example:

principals: [ federated ["accounts.google.com"] ],

Type Signature

 fun (List<Id>) -> Wildcard<Entry>
Argument: ids

list of federated principals

Type: List<Id>

Returns:

specific(non-wildcard) list of federated principals

Type: Wildcard<Entry>

fromString

(Function)

Convert a Ludwig.String value to an Optional<Policy>. None indicates failure.

Type Signature

 fun (String) -> Optional<Policy>
Argument: x
Type: String
Returns:
Type: Optional<Policy>

new

(Function)

Construct a Policy from a list of Statements.

Example:

nullPolicy: Policy.new {
    version: V2012-10-17,
    statements: [
      allow {
        actions:    [ "ec2:*" ],
        resources:  [ "*" ],
        conditions: [ null("aws:TokenIssueTime") ]
        }
     ]
  }

Type Signature

 fun (Document) -> Policy
Argument: doc

document to construct

Type: Document

Returns:

a new Policy

Type: Policy

service

(Function)

Construct a Service entry from a Ludwig.List of Ids.

Example:

principals: [ service [
                "elasticmapreduce.amazonaws.com",
                "datapipeline.amazonaws.com"
                ]
            ],

Type Signature

 fun (List<Id>) -> Wildcard<Entry>
Argument: ids

list of service principals

Type: List<Id>

Returns:

specific(non-wildcard) list of service principals

Type: Wildcard<Entry>

specificActions

(Function)

return the list of specific Actions from a Statement

Type Signature

 fun (Statement) -> List<Action>
Argument: x
Type: Statement
Returns:
Type: List<Action>

specificConditions

(Function)

return the list of specific Entrys from a Statement

Type Signature

 fun (Statement) -> List<Entry>
Argument: x
Type: Statement
Returns:
Type: List<Entry>

specificPrincipals

(Function)

Query convenience functions

Type Signature

 fun (Statement) -> List<Entry>
Argument: x
Type: Statement
Returns:
Type: List<Entry>

specificResources

(Function)

return the list of specific Resources from a Statement

Type Signature

 fun (Statement) -> List<Resource>
Argument: x
Type: Statement
Returns:
Type: List<Resource>

toJSON

(Function)

Convert a Document to a JSON value.

Type Signature

 fun (Document) -> JSON
Argument: doc
Type: Document
Returns:
Type: JSON

toString

(Function)

Convert a Policy to a Ludwig.String value.

Type Signature

 fun (Policy) -> String
Argument: x
Type: Policy
Returns:
Type: String

Document

(Type)

type Document:
  version: Optional<Version>
  id: Optional<Id>
  statements: List<Statement>

IAM policy document record

Record {

Field: version
Type: Optional<Version>
Field: id
Type: Optional<Id>
Field: statements
Type: List<Statement>

}

Effect

(Type)

type Effect:
  | Allow
  | Deny

Allow

(Constructor)

Deny

(Constructor)

IAM policy Effect

Id

(Type)

type Id:
  String

IAM policy Id Ludwig.String

Policy

(Type)

type Policy:
  | Policy Document

Policy

(Constructor)

Argument:
Document

IAM policy document

SId

(Type)

type SId:
  String

IAM policy Sid Ludwig.String

Statement

(Type)

type Statement:
  sid: Optional<SId>
  principals: Optional<Block>
  effect: Effect
  action: Block
  resource: Optional<Block>
  condition: Optional<Block>

IAM policy statement

Record {

Field: sid
Type: Optional<SId>
Field: principals
Type: Optional<Block>
Field: effect
Type: Effect
Field: action
Type: Block
Field: resource
Type: Optional<Block>
Field: condition
Type: Optional<Block>

}

Version

(Type)

type Version:
  | V2008-10-17
  | V2012-10-17

V2008-10-17

(Constructor)

V2012-10-17

(Constructor)

IAM policy version

parse

(Value)

(Parser<Document>) parse:
  fun(x): =>(optionalField(name("Version"), fun(_): parseVersion)(x), fun(v): =>(optionalField(name("Id"), fun(_): parseString)(x), fun(i): =>(requiredField(name("Statement"), fun(_): parseList(parseStatement))(x), fun(stmts): result(version:
                                                                                                                                                                                                                                            v
                                                                                                                                                                                                                                          id:
                                                                                                                                                                                                                                            i
                                                                                                                                                                                                                                          statements:
                                                                                                                                                                                                                                            stmts))))

Convert a JSON value to a Document.

Type Signature

 Parser<Document>