feat(cloud9): support setting environment owner (#23878)

pattasai · web-flow · commit 08a2f363093f · 2023-02-08T17:00:29.000Z
Closes #22474 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [x] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features 1. Setting environment owner . 2. The 'owner' now could be an IAMuser or Account root user(It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user) * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? * [x] Unit test for ownerarn *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-cloud9/README.md b/packages/@aws-cdk/aws-cloud9/README.md
@@ -23,19 +23,19 @@
 
 This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
 
-AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a 
-browser. It includes a code editor, debugger, and terminal. Cloud9 comes prepackaged with essential tools for popular 
-programming languages, including JavaScript, Python, PHP, and more, so you don’t need to install files or configure your 
-development machine to start new projects. Since your Cloud9 IDE is cloud-based, you can work on your projects from your 
-office, home, or anywhere using an internet-connected machine. Cloud9 also provides a seamless experience for developing 
-serverless applications enabling you to easily define resources, debug, and switch between local and remote execution of 
-serverless applications. With Cloud9, you can quickly share your development environment with your team, enabling you to pair 
+AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a
+browser. It includes a code editor, debugger, and terminal. Cloud9 comes prepackaged with essential tools for popular
+programming languages, including JavaScript, Python, PHP, and more, so you don’t need to install files or configure your
+development machine to start new projects. Since your Cloud9 IDE is cloud-based, you can work on your projects from your
+office, home, or anywhere using an internet-connected machine. Cloud9 also provides a seamless experience for developing
+serverless applications enabling you to easily define resources, debug, and switch between local and remote execution of
+serverless applications. With Cloud9, you can quickly share your development environment with your team, enabling you to pair
 program and track each other's inputs in real time.
 
 
 ## Creating EC2 Environment
 
-EC2 Environments are defined with `Ec2Environment`. To create an EC2 environment in the private subnet, specify 
+EC2 Environments are defined with `Ec2Environment`. To create an EC2 environment in the private subnet, specify
 `subnetSelection` with private `subnetType`.
 
 
@@ -52,7 +52,7 @@ new cloud9.Ec2Environment(this, 'Cloud9Env2', {
   imageId: cloud9.ImageId.AMAZON_LINUX_2,
 });
 
-// or specify in a different subnetSelection 
+// or specify in a different subnetSelection
 const c9env = new cloud9.Ec2Environment(this, 'Cloud9Env3', {
   vpc,
   subnetSelection: {
@@ -104,3 +104,39 @@ new cloud9.Ec2Environment(this, 'C9Env', {
   imageId: cloud9.ImageId.AMAZON_LINUX_2,
 });
 ```
+
+## Specifying Owners
+
+Every Cloud9 Environment has an **owner**. An owner has full control over the environment, and can invite additional members to the environment for collaboration purposes. For more information, see [Working with shared environments in AWS Cloud9](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html)).
+
+By default, the owner will be the identity that creates the Environment, which is most likely your CloudFormation Execution Role when the Environment is created using CloudFormation. Provider a value for the `owner` property to assign a different owner, either a specific IAM User or the AWS Account Root User.
+
+`Owner` is a user that owns a Cloud9 environment . `Owner` has their own access permissions, resources. And we can specify an `Owner`in an Ec2 environment which could be of two types, 1. AccountRoot and 2. Iam User. It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user (but using the account root user is not recommended, see [environment sharing best practices](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-best-practices)).
+
+To specify the AWS Account Root User as the environment owner, use `Owner.accountRoot()`
+
+```ts
+declare const vpc: ec2.Vpc;
+new cloud9.Ec2Environment(this, 'C9Env', {
+  vpc,
+  imageId: cloud9.ImageId.AMAZON_LINUX_2,
+
+  owner: cloud9.Owner.accountRoot('111111111')
+})
+```
+
+To specify a specific IAM User as the environment owner, use `Owner.user()`. The user should have the `AWSCloud9Administrator` managed policy
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+
+const user = new iam.User(this, 'user');
+user.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AWSCloud9Administrator'));
+declare const vpc: ec2.Vpc;
+new cloud9.Ec2Environment(this, 'C9Env', {
+  vpc,
+  imageId: cloud9.ImageId.AMAZON_LINUX_2,
+
+  owner: cloud9.Owner.user(user)
+})
+```
diff --git a/packages/@aws-cdk/aws-cloud9/lib/environment.ts b/packages/@aws-cdk/aws-cloud9/lib/environment.ts
@@ -1,5 +1,6 @@
 import * as codecommit from '@aws-cdk/aws-codecommit';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import { IUser } from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnEnvironmentEC2 } from '../lib/cloud9.generated';
@@ -53,11 +54,19 @@ export enum ImageId {
    */
   UBUNTU_18_04 = 'ubuntu-18.04-x86_64'
 }
-
 /**
  * Properties for Ec2Environment
  */
 export interface Ec2EnvironmentProps {
+  /**
+   * Owner of the environment.
+   *
+   * The owner has full control of the environment and can invite additional members.
+   *
+   * @default - The identity that CloudFormation executes under will be the owner
+   */
+  readonly owner?: Owner;
+
   /**
    * The type of instance to connect to the environment.
    *
@@ -182,6 +191,7 @@ export class Ec2Environment extends cdk.Resource implements IEc2Environment {
     const c9env = new CfnEnvironmentEC2(this, 'Resource', {
       name: props.ec2EnvironmentName,
       description: props.description,
+      ownerArn: props.owner?.ownerArn,
       instanceType: props.instanceType?.toString() ?? ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO).toString(),
       subnetId: this.vpc.selectSubnets(vpcSubnets).subnetIds[0],
       repositories: props.clonedRepositories ? props.clonedRepositories.map(r => ({
@@ -217,3 +227,38 @@ export class CloneRepository {
 
   private constructor(public readonly repositoryUrl: string, public readonly pathComponent: string) {}
 }
+
+/**
+ * An environment owner
+ *
+ *
+ */
+export class Owner {
+  /**
+   * Make an IAM user the environment owner
+   *
+   * User need to have AWSCloud9Administrator permissions
+   * @see https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-about
+   *
+   * @param user the User object to use as the environment owner
+   */
+  public static user(user: IUser): Owner {
+    return { ownerArn: user.userArn };
+  }
+
+
+  /**
+   * Make the Account Root User the environment owner (not recommended)
+   *
+   * @param accountId the AccountId to use as the environment owner.
+   */
+  public static accountRoot(accountId: string): Owner {
+    return { ownerArn: `arn:aws:iam::${accountId}:root` };
+  }
+
+  /**
+   *
+   * @param ownerArn of environment owner.
+   */
+  private constructor(public readonly ownerArn: string) {}
+}
diff --git a/packages/@aws-cdk/aws-cloud9/package.json b/packages/@aws-cdk/aws-cloud9/package.json
@@ -92,13 +92,15 @@
   "dependencies": {
     "@aws-cdk/aws-codecommit": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^10.0.0"
   },
   "homepage": "https://github.com/aws/aws-cdk",
   "peerDependencies": {
     "@aws-cdk/aws-codecommit": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^10.0.0"
   },
diff --git a/packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts b/packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts
@@ -1,9 +1,10 @@
 import { Match, Template } from '@aws-cdk/assertions';
 import * as codecommit from '@aws-cdk/aws-codecommit';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as iam from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import * as cloud9 from '../lib';
-import { ConnectionType, ImageId } from '../lib';
+import { ConnectionType, ImageId, Owner } from '../lib';
 
 let stack: cdk.Stack;
 let vpc: ec2.IVpc;
@@ -79,7 +80,6 @@ test('throw error when subnetSelection not specified and the provided VPC has no
 test('can use CodeCommit repositories', () => {
   // WHEN
   const repo = codecommit.Repository.fromRepositoryName(stack, 'Repo', 'foo');
-
   new cloud9.Ec2Environment(stack, 'C9Env', {
     vpc,
     clonedRepositories: [
@@ -114,6 +114,37 @@ test('can use CodeCommit repositories', () => {
   });
 });
 
+test('environment owner can be an IAM user', () => {
+  // WHEN
+  const user = new iam.User(stack, 'User', {
+    userName: 'testUser',
+  });
+  new cloud9.Ec2Environment(stack, 'C9Env', {
+    vpc,
+    imageId: cloud9.ImageId.AMAZON_LINUX_2,
+    owner: Owner.user(user),
+  });
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
+    OwnerArn: {
+      'Fn::GetAtt': ['User00B015A1', 'Arn'],
+    },
+  });
+});
+
+test('environment owner can be account root', () => {
+  // WHEN
+  new cloud9.Ec2Environment(stack, 'C9Env', {
+    vpc,
+    imageId: cloud9.ImageId.AMAZON_LINUX_2,
+    owner: Owner.accountRoot('12345678'),
+  });
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
+    OwnerArn: 'arn:aws:iam::12345678:root',
+  });
+});
+
 test.each([
   [ConnectionType.CONNECT_SSH, 'CONNECT_SSH'],
   [ConnectionType.CONNECT_SSM, 'CONNECT_SSM'],
