feat(elasticache): add user support

Author: maramure

packages/aws-cdk-lib/aws-elasticache/lib/iam-user.ts

@@ -0,0 +1,128 @@
+import { Construct } from 'constructs';
+import { UserEngine } from './common';
+import { CfnUser } from './elasticache.generated';
+import { UserBase, UserBaseProps } from './user-base';
+import * as iam from '../../aws-iam';
+import { addConstructMetadata } from '../../core/lib/metadata-resource';
+import { propertyInjectable } from '../../core/lib/prop-injectable';
+
+const ELASTICACHE_IAMUSER_SYMBOL = Symbol.for('@aws-cdk/aws-elasticache.IamUser');
+
+/**
+ * Properties for defining an ElastiCache user with IAM authentication.
+ */
+export interface IamUserProps extends UserBaseProps {
+  /**
+   * The name of the user.
+   */
+  readonly userName: string;
+}
+
+/**
+ * Define an ElastiCache user with IAM authentication.
+ *
+ * @resource AWS::ElastiCache::User
+ */
+@propertyInjectable
+export class IamUser extends UserBase {
+  /**
+   * Uniquely identifies this class.
+   */
+  public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-elasticache.IamUser';
+
+  /**
+   * Return whether the given object is an `IamUser`.
+   */
+  public static isIamUser(x: any) : x is IamUser {
+    return x !== null && typeof(x) === 'object' && ELASTICACHE_IAMUSER_SYMBOL in x;
+  }
+
+  /**
+   * The engine for the user.
+   */
+  public readonly engine?: UserEngine;
+  /**
+   * The user's ID.
+   *
+   * @attribute
+   */
+  public readonly userId: string;
+  /**
+   * The user's name.
+   * For IAM authentication userName must be equal to userId.
+   *
+   * @attribute
+   */
+  public readonly userName?: string;
+  /**
+   * The access string that defines the user's permissions.
+   */
+  public readonly accessString: string;
+  /**
+   * The user's ARN.
+   *
+   * @attribute
+   */
+  public readonly userArn: string;
+  /**
+   * The user's status.
+   * Can be 'active', 'modifying', 'deleting'.
+   *
+   * @attribute
+   */
+  public readonly userStatus: string;
+
+  private readonly resource: CfnUser;
+
+  constructor(scope: Construct, id: string, props: IamUserProps) {
+    super(scope, id);
+
+    // Enhanced CDK Analytics Telemetry
+    addConstructMetadata(this, props);
+
+    this.engine = props.engine ?? UserEngine.VALKEY;
+    this.userId = props.userId;
+    this.userName = props.userName;
+    this.accessString = props.accessControl.accessString;
+
+    this.resource = new CfnUser(this, 'Resource', {
+      engine: this.engine,
+      userId: props.userId,
+      userName: this.userName,
+      accessString: this.accessString,
+      authenticationMode: {
+        Type: 'iam',
+      },
+      noPasswordRequired: false,
+      passwords: undefined,
+    });
+
+    this.userArn = this.resource.attrArn;
+    this.userStatus = this.resource.attrStatus;
+
+    Object.defineProperty(this, ELASTICACHE_IAMUSER_SYMBOL, { value: true });
+  }
+
+  /**
+   * Grant connect permissions to the given IAM identity.
+   *
+   * @param grantee The IAM identity to grant permissions to.
+   */
+  public grantConnect(grantee: iam.IGrantable): iam.Grant {
+    return this.grant(grantee, 'elasticache:Connect');
+  }
+
+  /**
+   * Grant the given identity custom permissions.
+   *
+   * @param grantee The IAM identity to grant permissions to.
+   * @param actions The actions to grant.
+   */
+  public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
+    return iam.Grant.addToPrincipal({
+      grantee,
+      actions,
+      resourceArns: [this.userArn],
+    });
+  }
+}

packages/aws-cdk-lib/aws-elasticache/lib/index.ts

@@ -1 +1,9 @@
 export * from './elasticache.generated';
+export * from './common';
+export * from './user-group';
+export * from './user-base';
+export * from './iam-user';
+export * from './password-user';
+export * from './no-password-user';
+export * from './serverless-cache-base';
+export * from './serverless-cache';

packages/aws-cdk-lib/aws-elasticache/lib/no-password-user.ts

@@ -0,0 +1,110 @@
+import { Construct } from 'constructs';
+import { UserEngine } from './common';
+import { CfnUser } from './elasticache.generated';
+import { UserBase, UserBaseProps } from './user-base';
+import { ValidationError } from '../../core/lib/errors';
+import { addConstructMetadata } from '../../core/lib/metadata-resource';
+import { propertyInjectable } from '../../core/lib/prop-injectable';
+
+const ELASTICACHE_NOPASSWORDUSER_SYMBOL = Symbol.for('@aws-cdk/aws-elasticache.NoPasswordUser');
+
+/**
+ * Properties for defining an ElastiCache user with no password authentication.
+ */
+export interface NoPasswordUserProps extends UserBaseProps {
+  /**
+   * The name of the user.
+   *
+   * @default - Same as userId.
+   */
+  readonly userName?: string;
+}
+
+/**
+ * Define an ElastiCache user with no password authentication.
+ *
+ * @resource AWS::ElastiCache::User
+ */
+@propertyInjectable
+export class NoPasswordUser extends UserBase {
+  /**
+   * Uniquely identifies this class.
+   */
+  public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-elasticache.NoPasswordUser';
+
+  /**
+   * Return whether the given object is a `NoPasswordUser`.
+   */
+  public static isNoPasswordUser(x: any) : x is NoPasswordUser {
+    return x !== null && typeof(x) === 'object' && ELASTICACHE_NOPASSWORDUSER_SYMBOL in x;
+  }
+
+  /**
+   * The engine for the user.
+   */
+  public readonly engine?: UserEngine;
+  /**
+   * The user's ID.
+   *
+   * @attribute
+   */
+  public readonly userId: string;
+  /**
+   * The user's name.
+   *
+   * @attribute
+   */
+  public readonly userName?: string;
+  /**
+   * The access string that defines the user's permissions.
+   */
+  public readonly accessString: string;
+  /**
+   * The user's ARN.
+   *
+   * @attribute
+   */
+  public readonly userArn: string;
+  /**
+   * The user's status.
+   * Can be 'active', 'modifying', 'deleting'.
+   *
+   * @attribute
+   */
+  public readonly userStatus: string;
+
+  private readonly resource: CfnUser;
+
+  constructor(scope: Construct, id: string, props: NoPasswordUserProps) {
+    super(scope, id);
+
+    // Enhanced CDK Analytics Telemetry
+    addConstructMetadata(this, props);
+
+    this.engine = props.engine ?? UserEngine.VALKEY;
+    this.userId = props.userId;
+    this.userName = props.userName ?? props.userId;
+    this.accessString = props.accessControl.accessString;
+
+    if (this.engine === UserEngine.VALKEY ) {
+      throw new ValidationError('Valkey engine does not support no-password authentication.', this);
+    }
+
+    this.resource = new CfnUser(this, 'Resource', {
+      engine: this.engine,
+      userId: props.userId,
+      userName: this.userName,
+      accessString: this.accessString,
+      authenticationMode: {
+        Type: 'no-password-required',
+      },
+      noPasswordRequired: true,
+      passwords: undefined,
+    });
+
+    this.userArn = this.resource.attrArn;
+    this.userStatus = this.resource.attrStatus;
+
+    Object.defineProperty(this, ELASTICACHE_NOPASSWORDUSER_SYMBOL, { value: true });
+  }
+}

packages/aws-cdk-lib/aws-elasticache/lib/password-user.ts

@@ -0,0 +1,117 @@
+import { Construct } from 'constructs';
+import { UserEngine } from './common';
+import { CfnUser } from './elasticache.generated';
+import { UserBase, UserBaseProps } from './user-base';
+import { SecretValue } from '../../core';
+import { ValidationError } from '../../core/lib/errors';
+import { addConstructMetadata } from '../../core/lib/metadata-resource';
+import { propertyInjectable } from '../../core/lib/prop-injectable';
+
+const ELASTICACHE_PASSWORDUSER_SYMBOL = Symbol.for('@aws-cdk/aws-elasticache.PasswordUser');
+
+/**
+ * Properties for defining an ElastiCache user with password authentication.
+ */
+export interface PasswordUserProps extends UserBaseProps {
+  /**
+   * The name of the user.
+   *
+   * @default - Same as userId.
+   */
+  readonly userName?: string;
+  /**
+   * The passwords for the user.
+   * Password authentication requires using 1-2 passwords.
+   */
+  readonly passwords: SecretValue[];
+}
+
+/**
+ * Define an ElastiCache user with password authentication.
+ *
+ * @resource AWS::ElastiCache::User
+ */
+@propertyInjectable
+export class PasswordUser extends UserBase {
+  /**
+   * Uniquely identifies this class.
+   */
+  public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-elasticache.PasswordUser';
+
+  /**
+   * Return whether the given object is a `PasswordUser`.
+   */
+  public static isPasswordUser(x: any) : x is PasswordUser {
+    return x !== null && typeof(x) === 'object' && ELASTICACHE_PASSWORDUSER_SYMBOL in x;
+  }
+
+  /**
+   * The engine for the user.
+   */
+  public readonly engine?: UserEngine;
+  /**
+   * The user's ID.
+   *
+   * @attribute
+   */
+  public readonly userId: string;
+  /**
+   * The user's name.
+   *
+   * @attribute
+   */
+  public readonly userName?: string;
+  /**
+   * The access string that defines the user's permissions.
+   */
+  public readonly accessString: string;
+  /**
+   * The user's ARN.
+   *
+   * @attribute
+   */
+  public readonly userArn: string;
+  /**
+   * The user's status.
+   * Can be 'active', 'modifying', 'deleting'.
+   *
+   * @attribute
+   */
+  public readonly userStatus: string;
+
+  private readonly resource: CfnUser;
+
+  constructor(scope: Construct, id: string, props: PasswordUserProps) {
+    super(scope, id);
+
+    // Enhanced CDK Analytics Telemetry
+    addConstructMetadata(this, props);
+
+    this.engine = props.engine ?? UserEngine.VALKEY;
+    this.userId = props.userId;
+    this.userName = props.userName ?? props.userId;
+    this.accessString = props.accessControl.accessString;
+
+    if (props.passwords.length > 2) {
+      throw new ValidationError('Password authentication requires 1-2 passwords.', this);
+    }
+
+    this.resource = new CfnUser(this, 'Resource', {
+      engine: this.engine,
+      userId: props.userId,
+      userName: this.userName,
+      accessString: this.accessString,
+      authenticationMode: {
+        Type: 'password',
+        Passwords: props.passwords.map(p => p.unsafeUnwrap()),
+      },
+      noPasswordRequired: false,
+      passwords: undefined,
+    });
+
+    this.userArn = this.resource.attrArn;
+    this.userStatus = this.resource.attrStatus;
+
+    Object.defineProperty(this, ELASTICACHE_PASSWORDUSER_SYMBOL, { value: true });
+  }
+}