Update docs add PR doc mod check (#179)

* Update docs add PR doc mod check * Set working-dir
pwrdrvr · Dec 5, 2021 · 45dfbee · 45dfbee
1 parent 572c298
commit 45dfbee
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 14 deletions.
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -101,3 +101,9 @@ jobs:
         run: |
           npm ci
           npm run build
+
+      - name: Confirm No Doc Changes
+        working-directory: packages/microapps-cdk/
+        run: |
+          npm run post-compile
+          git diff --ignore-space-at-eol --exit-code
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -146,7 +146,9 @@ jobs:
           path: dist
 
       - name: Apply Version to Everything
-        run: cat dist/version.txt && npm version v$(cat dist/version.txt) --no-git-tag-version --workspaces
+        run: |
+          cat dist/version.txt
+          npm version v$(cat dist/version.txt) --no-git-tag-version --workspaces
 
       - name: Install Node Modules
         run: npm ci

diff --git a/packages/microapps-cdk/API.md b/packages/microapps-cdk/API.md
@@ -142,41 +142,94 @@ AWS Region that the stack is being deployed to, this is required for importing t
 
 ---
 
-##### `s3PolicyBypassAROA`<sup>Required</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.s3PolicyBypassAROA"></a>
+##### `assetNameSuffix`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.assetNameSuffix"></a>
 
 - *Type:* `string`
+- *Default:* none
+
+Suffix to add to asset names, such as -[env]-pr-[prNum].
+
+---
+
+##### `autoDeleteEverything`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.autoDeleteEverything"></a>
+
+- *Type:* `boolean`
+- *Default:* false
 
-AROA of the IAM Role to exclude from the DENY rules on the S3 Bucket Policy.
+Automatically destroy all assets when stack is deleted.
+
+---
 
+##### `s3PolicyBypassAROAs`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.s3PolicyBypassAROAs"></a>
+
+- *Type:* `string`[]
+
+Applies when using s3StrictBucketPolicy = true.
+
+AROAs of the IAM Role to exclude from the DENY rules on the S3 Bucket Policy.
 This allows sessions that assume the IAM Role to be excluded from the
 DENY rules on the S3 Bucket Policy.
 
----
+Typically any admin roles / users that need to view or manage the S3 Bucket
+would be added to this list.
 
-##### `s3PolicyBypassRoleName`<sup>Required</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.s3PolicyBypassRoleName"></a>
+Roles / users that are used directly, not assumed, can be added to `s3PolicyBypassRoleNames` instead.
 
-- *Type:* `string`
-- *Default:* AdminAccess
+Note: This AROA must be specified to prevent this policy from locking
+out non-root sessions that have assumed the admin role.
+
+The notPrincipals will only match the role name exactly and will not match
+any session that has assumed the role since notPrincipals does not allow
+wildcard matches and does not do wildcard matches implicitly either.
+
+The AROA must be used because there are only 3 Principal variables available:
+  https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
+  aws:username, aws:userid, aws:PrincipalTag
+
+For an assumed role, aws:username is blank, aws:userid is:
+  [unique id AKA AROA for Role]:[session name]
+
+Table of unique ID prefixes such as AROA:
+  https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-prefixes
 
-IAM Role name to exclude from the DENY rules on the S3 Bucket Policy.
+The name of the role is simply not available for an assumed role and, if it was,
+a complicated comparison would be requierd to prevent exclusion
+of applying the Deny Rule to roles from other accounts.
+
+To get the AROA with the AWS CLI:
+   aws iam get-role --role-name ROLE-NAME
+   aws iam get-user -–user-name USER-NAME
+
+> s3StrictBucketPolicy
 
 ---
 
-##### `assetNameSuffix`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.assetNameSuffix"></a>
+##### `s3PolicyBypassPrincipalARNs`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.s3PolicyBypassPrincipalARNs"></a>
 
-- *Type:* `string`
-- *Default:* none
+- *Type:* `string`[]
 
-Suffix to add to asset names, such as -[env]-pr-[prNum].
+Applies when using s3StrictBucketPolicy = true.
+
+IAM Role or IAM User names to exclude from the DENY rules on the S3 Bucket Policy.
+
+Roles that are Assumed must instead have their AROA added to `s3PolicyBypassAROAs`.
+
+Typically any admin roles / users that need to view or manage the S3 Bucket
+would be added to this list.
+
+> s3PolicyBypassAROAs
 
 ---
 
-##### `autoDeleteEverything`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.autoDeleteEverything"></a>
+##### `s3StrictBucketPolicy`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsProps.s3StrictBucketPolicy"></a>
 
 - *Type:* `boolean`
 - *Default:* false
 
-Automatically destroy all assets when stack is deleted.
+Use a strict S3 Bucket Policy that prevents applications from reading/writing/modifying/deleting files in the S3 Bucket outside of the path that is specific to their app/version.
+
+This setting should be used when applications are less than
+fully trusted.
 
 ---