feat(codeguruprofiler): setup L2 construct to create profiler group a…

…nd setup functions to add publish/read policies to IGrantable

packages/@aws-cdk/aws-codeguruprofiler/README.md

@@ -29,8 +29,6 @@ const publishAppRole = new Role(stack, 'PublishAppRole', {
   assumedBy: new AccountRootPrincipal(),
 });
 
-const profilingGroup = new ProfilingGroup(stack, 'MyProfilingGroup', {
-  profilingGroupName: 'MyAwesomeProfilingGroup',
-});
+const profilingGroup = new ProfilingGroup(stack, 'MyProfilingGroup');
 profilingGroup.grantPublish(publishAppRole);
 ```

packages/@aws-cdk/aws-codeguruprofiler/lib/index.ts

@@ -1,2 +1,3 @@
 // AWS::CodeGuruProfiler CloudFormation Resources:
 export * from './codeguruprofiler.generated';
+export * from './profiling-group';

packages/@aws-cdk/aws-codeguruprofiler/lib/profiling-group.ts

@@ -1,6 +1,90 @@
-import { Construct, Lazy, Stack } from '@aws-cdk/core';
+import { Grant, IGrantable } from '@aws-cdk/aws-iam';
+import { Construct, IResource, Lazy, Resource, Stack } from '@aws-cdk/core';
 import { CfnProfilingGroup } from './codeguruprofiler.generated';
-import { IProfilingGroup, ProfilingGroupBase } from './profiling-group-base';
+
+/**
+ * IResource represents a Profiling Group.
+ */
+export interface IProfilingGroup extends IResource {
+
+  /**
+   * A name for the profiling group.
+   *
+   * @attribute
+   */
+  readonly profilingGroupName: string;
+
+  /**
+   * Grant access to publish profiling information to the Profiling Group to the given identity.
+   *
+   * This will grant the following permissions:
+   *
+   *  - codeguru-profiler:ConfigureAgent
+   *  - codeguru-profiler:PostAgentProfile
+   *
+   * @param grantee Principal to grant publish rights to
+   */
+  grantPublish(grantee: IGrantable): Grant;
+
+  /**
+   * Grant access to read profiling information from the Profiling Group to the given identity.
+   *
+   * This will grant the following permissions:
+   *
+   *  - codeguru-profiler:GetProfile
+   *  - codeguru-profiler:DescribeProfilingGroup
+   *
+   * @param grantee Principal to grant read rights to
+   */
+  grantRead(grantee: IGrantable): Grant;
+
+}
+
+abstract class ProfilingGroupBase extends Resource implements IProfilingGroup {
+
+  public abstract readonly profilingGroupName: string;
+
+  public abstract readonly profilingGroupArn: string;
+
+  /**
+   * Grant access to publish profiling information to the Profiling Group to the given identity.
+   *
+   * This will grant the following permissions:
+   *
+   *  - codeguru-profiler:ConfigureAgent
+   *  - codeguru-profiler:PostAgentProfile
+   *
+   * @param grantee Principal to grant publish rights to
+   */
+  public grantPublish(grantee: IGrantable) {
+    // https://docs.aws.amazon.com/codeguru/latest/profiler-ug/security-iam.html#security-iam-access-control
+    return Grant.addToPrincipal({
+      grantee,
+      actions: ['codeguru-profiler:ConfigureAgent', 'codeguru-profiler:PostAgentProfile'],
+      resourceArns: [this.profilingGroupArn],
+    });
+  }
+
+  /**
+   * Grant access to read profiling information from the Profiling Group to the given identity.
+   *
+   * This will grant the following permissions:
+   *
+   *  - codeguru-profiler:GetProfile
+   *  - codeguru-profiler:DescribeProfilingGroup
+   *
+   * @param grantee Principal to grant read rights to
+   */
+  public grantRead(grantee: IGrantable) {
+    // https://docs.aws.amazon.com/codeguru/latest/profiler-ug/security-iam.html#security-iam-access-control
+    return Grant.addToPrincipal({
+      grantee,
+      actions: ['codeguru-profiler:GetProfile', 'codeguru-profiler:DescribeProfilingGroup'],
+      resourceArns: [this.profilingGroupArn],
+    });
+  }
+
+}
 
 /**
  * Properties for creating a new Profiling Group.
@@ -20,6 +104,13 @@ export interface ProfilingGroupProps {
  */
 export class ProfilingGroup extends ProfilingGroupBase {
 
+  /**
+   * Import an existing Profiling Group provided a Profiling Group Name.
+   *
+   * @param scope The parent creating construct
+   * @param id The construct's name
+   * @param profilingGroupName Profiling Group Name
+   */
   public static fromProfilingGroupName(scope: Construct, id: string, profilingGroupName: string): IProfilingGroup {
     const stack = Stack.of(scope);
 
@@ -30,6 +121,13 @@ export class ProfilingGroup extends ProfilingGroupBase {
     }));
   }
 
+  /**
+   * Import an existing Profiling Group provided an ARN.
+   *
+   * @param scope The parent creating construct
+   * @param id The construct's name
+   * @param profilingGroupArn Profiling Group ARN
+   */
   public static fromProfilingGroupArn(scope: Construct, id: string, profilingGroupArn: string): IProfilingGroup {
     class Import extends ProfilingGroupBase {
       public readonly profilingGroupName = Stack.of(scope).parseArn(profilingGroupArn).resource;
@@ -39,12 +137,23 @@ export class ProfilingGroup extends ProfilingGroupBase {
     return new Import(scope, id);
   }
 
+  /**
+   * The name of the Profiling Group.
+   *
+   * @attribute
+   */
   public readonly profilingGroupName: string;
+
+  /**
+   * The ARN of the Profiling Group.
+   *
+   * @attribute
+   */
   public readonly profilingGroupArn: string;
 
-  constructor(scope: Construct, id: string, props: ProfilingGroupProps) {
+  constructor(scope: Construct, id: string, props: ProfilingGroupProps = {}) {
     super(scope, id, {
-      physicalName: props.profilingGroupName || Lazy.stringValue({ produce: () => this.node.uniqueId }),
+      physicalName: props.profilingGroupName ?? Lazy.stringValue({ produce: () => this.generateUniqueId() }),
     });
 
     const profilingGroup = new CfnProfilingGroup(this, 'ProfilingGroup', {
@@ -60,4 +169,12 @@ export class ProfilingGroup extends ProfilingGroupBase {
     });
   }
 
+  private generateUniqueId(): string {
+    const name = this.node.uniqueId;
+    if (name.length > 240) {
+      return name.substring(0, 120) + name.substring(name.length - 120);
+    }
+    return name;
+  }
+
 }

packages/@aws-cdk/aws-codeguruprofiler/package.json

@@ -77,7 +77,8 @@
   },
   "peerDependencies": {
     "@aws-cdk/core": "0.0.0",
-    "@aws-cdk/aws-iam": "0.0.0"
+    "@aws-cdk/aws-iam": "0.0.0",
+    "constructs": "^3.0.2"
   },
   "engines": {
     "node": ">= 10.13.0 <13 || >=13.7.0"

packages/@aws-cdk/aws-codeguruprofiler/test/integ.profiler-group.expected.json

@@ -3,7 +3,7 @@
     "MyProfilingGroup829F0507": {
       "Type": "AWS::CodeGuruProfiler::ProfilingGroup",
       "Properties": {
-        "ProfilingGroupName": "MyAwesomeProfilingGroup"
+        "ProfilingGroupName": "ProfilerGroupIntegrationTestMyProfilingGroup81DA69A3"
       }
     },
     "PublishAppRole9FEBD682": {

packages/@aws-cdk/aws-codeguruprofiler/test/integ.profiler-group.ts

@@ -1,14 +1,12 @@
 import { AccountRootPrincipal, Role } from '@aws-cdk/aws-iam';
 import { App, Stack, StackProps } from '@aws-cdk/core';
-import { ProfilingGroup } from '../lib/profiling-group';
+import { ProfilingGroup } from '../lib';
 
 class ProfilerGroupIntegrationTest extends Stack {
   constructor(scope: App, id: string, props?: StackProps) {
     super(scope, id, props);
 
-    const profilingGroup = new ProfilingGroup(this, 'MyProfilingGroup', {
-      profilingGroupName: 'MyAwesomeProfilingGroup',
-    });
+    const profilingGroup = new ProfilingGroup(this, 'MyProfilingGroup');
 
     const publishAppRole = new Role(this, 'PublishAppRole', {
       assumedBy: new AccountRootPrincipal(),

packages/@aws-cdk/aws-codeguruprofiler/test/profiling-group.test.ts

@@ -1,7 +1,7 @@
 import { expect } from '@aws-cdk/assert';
 import { AccountRootPrincipal, Role } from '@aws-cdk/aws-iam';
 import { Stack } from '@aws-cdk/core';
-import { ProfilingGroup } from '../lib/profiling-group';
+import { ProfilingGroup } from '../lib';
 
 // tslint:disable:object-literal-key-quotes