diff --git a/packages/@aws-cdk/aws-cloud9/README.md b/packages/@aws-cdk/aws-cloud9/README.md
index 84b00eb03218e..f87860ae71b3d 100644
--- a/packages/@aws-cdk/aws-cloud9/README.md
+++ b/packages/@aws-cdk/aws-cloud9/README.md
@@ -23,19 +23,19 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
-AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a
-browser. It includes a code editor, debugger, and terminal. Cloud9 comes prepackaged with essential tools for popular
-programming languages, including JavaScript, Python, PHP, and more, so you don’t need to install files or configure your
-development machine to start new projects. Since your Cloud9 IDE is cloud-based, you can work on your projects from your
-office, home, or anywhere using an internet-connected machine. Cloud9 also provides a seamless experience for developing
-serverless applications enabling you to easily define resources, debug, and switch between local and remote execution of
-serverless applications. With Cloud9, you can quickly share your development environment with your team, enabling you to pair
+AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a
+browser. It includes a code editor, debugger, and terminal. Cloud9 comes prepackaged with essential tools for popular
+programming languages, including JavaScript, Python, PHP, and more, so you don’t need to install files or configure your
+development machine to start new projects. Since your Cloud9 IDE is cloud-based, you can work on your projects from your
+office, home, or anywhere using an internet-connected machine. Cloud9 also provides a seamless experience for developing
+serverless applications enabling you to easily define resources, debug, and switch between local and remote execution of
+serverless applications. With Cloud9, you can quickly share your development environment with your team, enabling you to pair
 program and track each other's inputs in real time.
 
 ## Creating EC2 Environment
 
-EC2 Environments are defined with `Ec2Environment`. To create an EC2 environment in the private subnet, specify
+EC2 Environments are defined with `Ec2Environment`. To create an EC2 environment in the private subnet, specify
 `subnetSelection` with private `subnetType`.
@@ -52,7 +52,7 @@ new cloud9.Ec2Environment(this, 'Cloud9Env2', {
   imageId: cloud9.ImageId.AMAZON_LINUX_2,
 });
 
-// or specify in a different subnetSelection
+// or specify in a different subnetSelection
 const c9env = new cloud9.Ec2Environment(this, 'Cloud9Env3', {
   vpc,
   subnetSelection: {
@@ -104,3 +104,39 @@ new cloud9.Ec2Environment(this, 'C9Env', {
   imageId: cloud9.ImageId.AMAZON_LINUX_2,
 });
 ```
+
+## Specifying Owners
+
+Every Cloud9 Environment has an **owner**. An owner has full control over the environment, and can invite additional members to the environment for collaboration purposes. For more information, see [Working with shared environments in AWS Cloud9](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html)).
+
+By default, the owner will be the identity that creates the Environment, which is most likely your CloudFormation Execution Role when the Environment is created using CloudFormation. Provider a value for the `owner` property to assign a different owner, either a specific IAM User or the AWS Account Root User.
+
+`Owner` is a user that owns a Cloud9 environment . `Owner` has their own access permissions, resources. And we can specify an `Owner`in an Ec2 environment which could be of two types, 1. AccountRoot and 2. Iam User. It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user (but using the account root user is not recommended, see [environment sharing best practices](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-best-practices)).
+
+To specify the AWS Account Root User as the environment owner, use `Owner.accountRoot()`
+
+```ts
+declare const vpc: ec2.Vpc;
+new cloud9.Ec2Environment(this, 'C9Env', {
+  vpc,
+  imageId: cloud9.ImageId.AMAZON_LINUX_2,
+
+  owner: cloud9.Owner.accountRoot('111111111')
+})
+```
+
+To specify a specific IAM User as the environment owner, use `Owner.user()`. The user should have the `AWSCloud9Administrator` managed policy
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+
+const user = new iam.User(this, 'user');
+user.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AWSCloud9Administrator'));
+declare const vpc: ec2.Vpc;
+new cloud9.Ec2Environment(this, 'C9Env', {
+  vpc,
+  imageId: cloud9.ImageId.AMAZON_LINUX_2,
+
+  owner: cloud9.Owner.user(user)
+})
+```
diff --git a/packages/@aws-cdk/aws-cloud9/lib/environment.ts b/packages/@aws-cdk/aws-cloud9/lib/environment.ts
index 15d7390dd6ee5..d1e4565f786ff 100644
--- a/packages/@aws-cdk/aws-cloud9/lib/environment.ts
+++ b/packages/@aws-cdk/aws-cloud9/lib/environment.ts
@@ -1,5 +1,6 @@
 import * as codecommit from '@aws-cdk/aws-codecommit';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import { IUser } from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnEnvironmentEC2 } from '../lib/cloud9.generated';
@@ -53,11 +54,19 @@ export enum ImageId {
    */
   UBUNTU_18_04 = 'ubuntu-18.04-x86_64'
 }
-
 /**
  * Properties for Ec2Environment
  */
 export interface Ec2EnvironmentProps {
+  /**
+   * Owner of the environment.
+   *
+   * The owner has full control of the environment and can invite additional members.
+   *
+   * @default - The identity that CloudFormation executes under will be the owner
+   */
+  readonly owner?: Owner;
+
   /**
    * The type of instance to connect to the environment.
    *
@@ -182,6 +191,7 @@ export class Ec2Environment extends cdk.Resource implements IEc2Environment {
     const c9env = new CfnEnvironmentEC2(this, 'Resource', {
       name: props.ec2EnvironmentName,
       description: props.description,
+      ownerArn: props.owner?.ownerArn,
       instanceType: props.instanceType?.toString() ?? ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO).toString(),
       subnetId: this.vpc.selectSubnets(vpcSubnets).subnetIds[0],
       repositories: props.clonedRepositories ? props.clonedRepositories.map(r => ({
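Review bot: The `@default` on the new `owner` property in `Ec2EnvironmentProps` says who becomes the owner but not what that implies for access, and that is the security-relevant part: the owner is the principal that manages membership, so when the default applies the owner is a CloudFormation execution role that no developer signs in as, and someone still has to add members before anyone can open the environment from the console (inferred from the README text in this change; worth confirming against the Cloud9 docs). I would extend the doc with `* When left unset the CloudFormation execution role owns the environment; set an explicit owner for environments people will actually use.` A style point on the first hunk: every other CDK module in this file is imported as a namespace (`import * as ec2 ...`), so `import * as iam from '@aws-cdk/aws-iam';` with `iam.IUser` would match the file's convention. The `Ec2Environment` constructor that receives the `ownerArn: props.owner?.ownerArn` line begins and ends outside the hunk.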
@@ -217,3 +227,38 @@ export class CloneRepository {
   private constructor(public readonly repositoryUrl: string, public readonly pathComponent: string) {}
 }
+
+/**
+ * An environment owner
+ *
+ *
+ */
+export class Owner {
+  /**
+   * Make an IAM user the environment owner
+   *
+   * User need to have AWSCloud9Administrator permissions
+   * @see https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-about
+   *
+   * @param user the User object to use as the environment owner
+   */
+  public static user(user: IUser): Owner {
+    return { ownerArn: user.userArn };
+  }
+
+
+  /**
+   * Make the Account Root User the environment owner (not recommended)
+   *
+   * @param accountId the AccountId to use as the environment owner.
+   */
+  public static accountRoot(accountId: string): Owner {
+    return { ownerArn: `arn:aws:iam::${accountId}:root` };
+  }
+
+  /**
+   *
+   * @param ownerArn of environment owner.
+   */
+  private constructor(public readonly ownerArn: string) {}
+}
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-cloud9/package.json b/packages/@aws-cdk/aws-cloud9/package.json
index c52e71087c1e2..b76154609d311 100644
--- a/packages/@aws-cdk/aws-cloud9/package.json
+++ b/packages/@aws-cdk/aws-cloud9/package.json
@@ -92,6 +92,7 @@
   "dependencies": {
     "@aws-cdk/aws-codecommit": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^10.0.0"
   },
@@ -99,6 +100,7 @@
   "peerDependencies": {
     "@aws-cdk/aws-codecommit": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^10.0.0"
   },
diff --git a/packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts b/packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts
index 948cfa5bee9ec..69210bf01a135 100644
--- a/packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts
+++ b/packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts
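Review bot: `Owner.accountRoot` hard-codes the `aws` partition in `arn:aws:iam::${accountId}:root`, so a stack deployed to `aws-cn` or `aws-us-gov` is handed a root ARN that does not exist in that partition; `cdk` is already imported in this file, so `cdk.Aws.PARTITION` can take its place. The same method accepts any string: the test added in this change passes the 8-digit `'12345678'`, which CloudFormation can only reject at deploy time, whereas a 12-digit check (skipped for unresolved tokens such as `Stack.of(this).account`) fails at synth. Both factories also return an object literal instead of calling the private constructor, so `instanceof Owner` is false for every value the class produces; `return new Owner(user.userArn)` in `user()` keeps the constructor meaningful. The rewritten `accountRoot` is below; the existing test fixture would then need a 12-digit id such as `'123456789012'`, and the file should end with a newline.
```typescript
  public static accountRoot(accountId: string): Owner {
    // Tokens (e.g. Stack.of(scope).account) resolve only at deploy time and cannot be checked here.
    if (!cdk.Token.isUnresolved(accountId) && !/^\d{12}$/.test(accountId)) {
      throw new Error(`accountId must be a 12-digit AWS account ID, got '${accountId}'`);
    }
    // Take the partition from the stack so the ARN is valid in aws-cn / aws-us-gov as well.
    return new Owner(`arn:${cdk.Aws.PARTITION}:iam::${accountId}:root`);
  }
```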
@@ -1,9 +1,10 @@
 import { Match, Template } from '@aws-cdk/assertions';
 import * as codecommit from '@aws-cdk/aws-codecommit';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as iam from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import * as cloud9 from '../lib';
-import { ConnectionType, ImageId } from '../lib';
+import { ConnectionType, ImageId, Owner } from '../lib';
 
 let stack: cdk.Stack;
 let vpc: ec2.IVpc;
@@ -79,7 +80,6 @@ test('throw error when subnetSelection not specified and the provided VPC has no
 test('can use CodeCommit repositories', () => {
   // WHEN
   const repo = codecommit.Repository.fromRepositoryName(stack, 'Repo', 'foo');
-
   new cloud9.Ec2Environment(stack, 'C9Env', {
     vpc,
     clonedRepositories: [
@@ -114,6 +114,37 @@ test('can use CodeCommit repositories', () => {
   });
 });
 
+test('environment owner can be an IAM user', () => {
+  // WHEN
+  const user = new iam.User(stack, 'User', {
+    userName: 'testUser',
+  });
+  new cloud9.Ec2Environment(stack, 'C9Env', {
+    vpc,
+    imageId: cloud9.ImageId.AMAZON_LINUX_2,
+    owner: Owner.user(user),
+  });
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
+    OwnerArn: {
+      'Fn::GetAtt': ['User00B015A1', 'Arn'],
+    },
+  });
+});
+
+test('environment owner can be account root', () => {
+  // WHEN
+  new cloud9.Ec2Environment(stack, 'C9Env', {
+    vpc,
+    imageId: cloud9.ImageId.AMAZON_LINUX_2,
+    owner: Owner.accountRoot('12345678'),
+  });
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
+    OwnerArn: 'arn:aws:iam::12345678:root',
+  });
+});
+
 test.each([
   [ConnectionType.CONNECT_SSH, 'CONNECT_SSH'],
   [ConnectionType.CONNECT_SSM, 'CONNECT_SSM'],
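Review bot: The account-root test pins `Owner.accountRoot('12345678')`, an 8-digit value that is not a well-formed AWS account ID, so the test documents a shape nobody should copy and would break the moment `accountRoot` validates its argument; use `Owner.accountRoot('123456789012')` and expect `OwnerArn: 'arn:aws:iam::123456789012:root'`. The default path, which every existing caller takes, has no test at all: a case that creates an environment without `owner` and asserts `OwnerArn: Match.absent()` would catch a regression that starts emitting an ARN (and therefore a different owner) for unchanged stacks. `Match` is already imported at the top of this file, so no new import is needed.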