feat(IAM): Optimize IAM policy statements for size (#916)
* feat(IAM): Optimize IAM policy statements for size

Attempts to reduce policy sizes by performing a number of optimizations:
- `FnConcat` pre-concatenates string literals that are not tokens, to reduce rendered size
- Redundant patterns in `Action` and `Resource` policy elements get de-duplicated (aka:
  `["iam:GetObject", "iam:Get*"]` becomes `["iam:Get*"]`, since this implies `"iam:GetObject"`)
- Redundant statements get de-duplicated (if a statement offers strictly broader permissions
  than another one, then the latter will be removed).
- Statements that differ only in `Resource` content get merged (adding entries to the `Resource` element).

IAM policy statements that have an `Sid` are not merged with anything (this could lead to the `Sid`
mis-representing the statement's intention). They are also not de-duplicated (unless the other statement
has the exact same `Sid`, which is likely a symptom of a programming error).

This causes widespread changes to the IAM policy documents (and some occurrences of the `Fn::Join` intrinsic
all over the place, so this commit is... massive). Generally speaking, this appears to make for smaller
templates, which at least is not a bad thing.

Fixes #924
RomainMuller authored Oct 16, 2018
1 parent 81b533c commit 5996442
Showing 83 changed files with 3,386 additions and 2,748 deletions.
Expand Up @@ -17,31 +17,25 @@
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn",
":",
"arn:",
{
"Ref": "AWS::Partition"
},
":",
"s3",
":",
"",
":",
"",
":",
":s3:::",
{
"Ref": "SampleAssetS3BucketE6B2908E"
}
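Review bot: the rewritten `Fn::Join` renders the same ARN as before, so this hunk is safe: `"arn:"` + `{"Ref": "AWS::Partition"}` + `":s3:::"` + `{"Ref": "SampleAssetS3BucketE6B2908E"}` is byte-for-byte what the former list (`"arn", ":", ..., "s3", ":", "", ":", "", ":"`) produced, and `["s3:GetBucket*", "s3:GetObject*", "s3:List*"]` is the same action set as before, now in sorted order. Two points for the PR description: the snapshot now encodes a specific action order, so the optimizer's sort must be deterministic or every fixture will churn on the next run; and the wildcard de-duplication described in the commit message never fires on this statement (none of the three patterns implies another), so a fixture in the spirit of the commit message's own `Get*` example would exercise that code path better than these do.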
Expand All @@ -56,18 +50,11 @@
"Fn::Join": [
"",
[
"arn",
":",
"arn:",
{
"Ref": "AWS::Partition"
},
":",
"s3",
":",
"",
":",
"",
":",
":s3:::",
{
"Ref": "SampleAssetS3BucketE6B2908E"
}
Expand Down Expand Up @@ -101,8 +88,7 @@
}
]
}
],
"Version": "2012-10-17"
]
},
"PolicyName": "MyUserDefaultPolicy7B897426",
"Users": [
Expand Down
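Review bot: `"Version": "2012-10-17"` has moved from the top of the `PolicyDocument` (removed in the first hunk of this file) to after the `Statement` array here. CloudFormation does not care about key order, so this is harmless, but it is a presentation change unrelated to size that touches every policy snapshot in the commit; emitting `Version` first, as before, would keep the fixture diffs limited to the parts the optimizer actually changed.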
30 changes: 8 additions & 22 deletions packages/@aws-cdk/assets/test/integ.assets.file.lit.expected.json
Expand Up @@ -17,31 +17,25 @@
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn",
":",
"arn:",
{
"Ref": "AWS::Partition"
},
":",
"s3",
":",
"",
":",
"",
":",
":s3:::",
{
"Ref": "SampleAssetS3BucketE6B2908E"
}
Expand All @@ -56,18 +50,11 @@
"Fn::Join": [
"",
[
"arn",
":",
"arn:",
{
"Ref": "AWS::Partition"
},
":",
"s3",
":",
"",
":",
"",
":",
":s3:::",
{
"Ref": "SampleAssetS3BucketE6B2908E"
}
Expand Down Expand Up @@ -101,8 +88,7 @@
}
]
}
],
"Version": "2012-10-17"
]
},
"PolicyName": "MyUserDefaultPolicy7B897426",
"Users": [
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,31 +17,25 @@
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn",
":",
"arn:",
{
"Ref": "AWS::Partition"
},
":",
"s3",
":",
"",
":",
"",
":",
":s3:::",
{
"Ref": "MyFileS3BucketACE13C36"
}
Expand All @@ -56,18 +50,11 @@
"Fn::Join": [
"",
[
"arn",
":",
"arn:",
{
"Ref": "AWS::Partition"
},
":",
"s3",
":",
"",
":",
"",
":",
":s3:::",
{
"Ref": "MyFileS3BucketACE13C36"
}
Expand Down Expand Up @@ -101,8 +88,7 @@
}
]
}
],
"Version": "2012-10-17"
]
},
"PolicyName": "MyUserGroupDefaultPolicy50C5D742",
"Groups": [
Expand Down
33 changes: 9 additions & 24 deletions packages/@aws-cdk/assets/test/integ.assets.refs.lit.expected.json
Expand Up @@ -61,8 +61,7 @@
"Fn::Join": [
"",
[
"https://",
"s3.",
"https://s3.",
{
"Ref": "AWS::Region"
},
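Review bot: folding `"https://"` and `"s3."` into `"https://s3."` is correct here because both are plain literals and the merge stops at the `{"Ref": "AWS::Region"}` token that follows. Since a fold that ran across a token would silently change the URL host, the `FnConcat` change deserves a unit test asserting that a literal adjacent to a token is never merged into it; the integ snapshots alone would not make such a bug obvious.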
Expand Down Expand Up @@ -124,31 +123,25 @@
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn",
":",
"arn:",
{
"Ref": "AWS::Partition"
},
":",
"s3",
":",
"",
":",
"",
":",
":s3:::",
{
"Ref": "SampleAssetS3BucketE6B2908E"
}
Expand All @@ -163,18 +156,11 @@
"Fn::Join": [
"",
[
"arn",
":",
"arn:",
{
"Ref": "AWS::Partition"
},
":",
"s3",
":",
"",
":",
"",
":",
":s3:::",
{
"Ref": "SampleAssetS3BucketE6B2908E"
}
Expand Down Expand Up @@ -208,8 +194,7 @@
}
]
}
],
"Version": "2012-10-17"
]
},
"PolicyName": "MyUserDefaultPolicy7B897426",
"Users": [
Expand Down
18 changes: 9 additions & 9 deletions packages/@aws-cdk/assets/test/test.asset.ts
Expand Up @@ -71,17 +71,17 @@ export = {
PolicyDocument: {
Statement: [
{
Action: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
Action: ["s3:GetBucket*", "s3:GetObject*", "s3:List*"],
Resource: [
{"Fn::Join": ["", ["arn", ":", {Ref: "AWS::Partition"}, ":", "s3", ":", "", ":", "", ":", {Ref: "MyAssetS3Bucket68C9B344"}]]},
{"Fn::Join": ["", ["arn:", {Ref: "AWS::Partition"}, ":s3:::", {Ref: "MyAssetS3Bucket68C9B344"}]]},
{"Fn::Join": [ "", [
{"Fn::Join": ["", [ "arn", ":", {Ref: "AWS::Partition"}, ":", "s3", ":", "", ":", "", ":", {Ref: "MyAssetS3Bucket68C9B344"}]]},
"/",
{"Fn::Join": ["", [
{"Fn::Select": [
0,
{"Fn::Split": [ "||", { Ref: "MyAssetS3VersionKey68E1A45D"}]}
]},
{"Fn::Join": ["", [ "arn:", {Ref: "AWS::Partition"}, ":s3:::", {Ref: "MyAssetS3Bucket68C9B344"}]]},
"/",
{"Fn::Join": ["", [
{"Fn::Select": [
0,
{"Fn::Split": [ "||", { Ref: "MyAssetS3VersionKey68E1A45D"}]}
]},
"*"
]]}
]]}
Expand Down
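Review bot: the outer `Fn::Join` still nests two inner `Fn::Join` calls with the same empty delimiter (the bucket ARN join and the `Fn::Select`/`"*"` join), so the size optimization stops one level short; inlining an inner `Fn::Join` whose delimiter equals the parent's directly into the parent list yields the same string and would drop those wrappers, which is a natural follow-up for `FnConcat`. Also, the expected `Action` array changed from declaration order to `["s3:GetBucket*", "s3:GetObject*", "s3:List*"]`, so this assertion now depends on the optimizer sorting actions; that ordering guarantee should be documented next to the de-duplication code so future contributors do not treat it as incidental.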