Add CloudWatchFullAccessV2 managed policy (#2913) (#2978)

Signed-off-by: Justin CT Liu <[email protected]> Co-authored-by: Ian Wahbe <[email protected]>
pulumi · Nov 21, 2023 · 165cbee · 165cbee
1 parent 71af455
commit 165cbee
Show file tree

Hide file tree

Showing 10 changed files with 127 additions and 100 deletions.
diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json
@@ -64368,7 +64368,12 @@
                 },
                 {
                     "name": "CloudWatchFullAccess",
-                    "value": "arn:aws:iam::aws:policy/CloudWatchFullAccess"
+                    "value": "arn:aws:iam::aws:policy/CloudWatchFullAccess",
+                    "deprecationMessage": "This policy is deprecated and will no longer be supported by AWS after December 7, 2023. Use CloudWatchFullAccessV2 instead."
+                },
+                {
+                    "name": "CloudWatchFullAccessV2",
+                    "value": "arn:aws:iam::aws:policy/CloudWatchFullAccessV2"
                 },
                 {
                     "name": "CloudWatchInternetMonitorServiceRolePolicy",

diff --git a/provider/resources.go b/provider/resources.go
@@ -5672,7 +5672,12 @@ $ pulumi import aws:networkfirewall/resourcePolicy:ResourcePolicy example arn:aw
 					{Name: "CloudWatchEventsInvocationAccess", Value: "arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess"},
 					{Name: "CloudWatchEventsReadOnlyAccess", Value: "arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess"},
 					{Name: "CloudWatchEventsServiceRolePolicy", Value: "arn:aws:iam::aws:policy/aws-service-role/CloudWatchEventsServiceRolePolicy"},
-					{Name: "CloudWatchFullAccess", Value: "arn:aws:iam::aws:policy/CloudWatchFullAccess"},
+					{
+						Name:               "CloudWatchFullAccess",
+						Value:              "arn:aws:iam::aws:policy/CloudWatchFullAccess",
+						DeprecationMessage: "This policy is deprecated and will no longer be supported by AWS after December 7, 2023. Use CloudWatchFullAccessV2 instead.",
+					},
+					{Name: "CloudWatchFullAccessV2", Value: "arn:aws:iam::aws:policy/CloudWatchFullAccessV2"},
 					{Name: "CloudWatchInternetMonitorServiceRolePolicy", Value: "arn:aws:iam::aws:policy/aws-service-role/CloudWatchInternetMonitorServiceRolePolicy"},
 					{Name: "CloudWatchLambdaInsightsExecutionRolePolicy", Value: "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"},
 					{Name: "CloudWatchLogsCrossAccountSharingConfiguration", Value: "arn:aws:iam::aws:policy/CloudWatchLogsCrossAccountSharingConfiguration"},

diff --git a/sdk/dotnet/Iam/Enums.cs b/sdk/dotnet/Iam/Enums.cs
@@ -999,7 +999,9 @@ private ManagedPolicy(string value)
         public static ManagedPolicy CloudWatchEventsInvocationAccess { get; } = new ManagedPolicy("arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess");
         public static ManagedPolicy CloudWatchEventsReadOnlyAccess { get; } = new ManagedPolicy("arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess");
         public static ManagedPolicy CloudWatchEventsServiceRolePolicy { get; } = new ManagedPolicy("arn:aws:iam::aws:policy/aws-service-role/CloudWatchEventsServiceRolePolicy");
+        [Obsolete(@"This policy is deprecated and will no longer be supported by AWS after December 7, 2023. Use CloudWatchFullAccessV2 instead.")]
         public static ManagedPolicy CloudWatchFullAccess { get; } = new ManagedPolicy("arn:aws:iam::aws:policy/CloudWatchFullAccess");
+        public static ManagedPolicy CloudWatchFullAccessV2 { get; } = new ManagedPolicy("arn:aws:iam::aws:policy/CloudWatchFullAccessV2");
         public static ManagedPolicy CloudWatchInternetMonitorServiceRolePolicy { get; } = new ManagedPolicy("arn:aws:iam::aws:policy/aws-service-role/CloudWatchInternetMonitorServiceRolePolicy");
         public static ManagedPolicy CloudWatchLambdaInsightsExecutionRolePolicy { get; } = new ManagedPolicy("arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy");
         public static ManagedPolicy CloudWatchLogsCrossAccountSharingConfiguration { get; } = new ManagedPolicy("arn:aws:iam::aws:policy/CloudWatchLogsCrossAccountSharingConfiguration");

diff --git a/sdk/go/aws/iam/pulumiEnums.go b/sdk/go/aws/iam/pulumiEnums.go
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/enums/ManagedPolicy.java b/sdk/java/src/main/java/com/pulumi/aws/iam/enums/ManagedPolicy.java
@@ -1088,7 +1088,13 @@ public enum ManagedPolicy {
         CloudWatchEventsInvocationAccess("arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess"),
         CloudWatchEventsReadOnlyAccess("arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess"),
         CloudWatchEventsServiceRolePolicy("arn:aws:iam::aws:policy/aws-service-role/CloudWatchEventsServiceRolePolicy"),
+        /**
+         * @deprecated
+         * This policy is deprecated and will no longer be supported by AWS after December 7, 2023. Use CloudWatchFullAccessV2 instead.
+         */
+        @Deprecated /* This policy is deprecated and will no longer be supported by AWS after December 7, 2023. Use CloudWatchFullAccessV2 instead. */
         CloudWatchFullAccess("arn:aws:iam::aws:policy/CloudWatchFullAccess"),
+        CloudWatchFullAccessV2("arn:aws:iam::aws:policy/CloudWatchFullAccessV2"),
         CloudWatchInternetMonitorServiceRolePolicy("arn:aws:iam::aws:policy/aws-service-role/CloudWatchInternetMonitorServiceRolePolicy"),
         CloudWatchLambdaInsightsExecutionRolePolicy("arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"),
         CloudWatchLogsCrossAccountSharingConfiguration("arn:aws:iam::aws:policy/CloudWatchLogsCrossAccountSharingConfiguration"),

diff --git a/sdk/nodejs/iam/managedPolicies.ts b/sdk/nodejs/iam/managedPolicies.ts
@@ -487,8 +487,10 @@ export module ManagedPolicies {
     export const CloudWatchEventsInvocationAccess: ARN = "arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess";
     /** Use ManagedPolicy.CloudWatchEventsReadOnlyAccess instead. */
     export const CloudWatchEventsReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess";
-    /** Use ManagedPolicy.CloudWatchFullAccess instead. */
+    /** @deprecated This policy is deprecated and will no longer be supported after December 7, 2023. Use ManagedPolicy.CloudWatchFullAccessV2 instead. */
     export const CloudWatchFullAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchFullAccess";
+    /** Use ManagedPolicy.CloudWatchFullAccessV2 instead. */
+    export const CloudWatchFullAccessV2: ARN = "arn:aws:iam::aws:policy/CloudWatchFullAccessV2";
     /** Use ManagedPolicy.CloudWatchLogsFullAccess instead. */
     export const CloudWatchLogsFullAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess";
     /** Use ManagedPolicy.CloudWatchLogsReadOnlyAccess instead. */

diff --git a/sdk/nodejs/kinesis/kinesisMixins.ts b/sdk/nodejs/kinesis/kinesisMixins.ts
@@ -42,7 +42,7 @@ export interface StreamEventSubscriptionArgs {
      * * `ReportBatchItemFailures`
      */
     readonly functionResponseTypes?: string[];
-    
+
     /**
      * The maximum amount of time to gather records before invoking the function, in seconds. Records will continue to buffer
      * until either maximum_batching_window_in_seconds expires or batch_size has been met. Defaults to as soon as records
@@ -163,7 +163,7 @@ function createFunctionFromEventHandler(
             policies: [
                 iam.ManagedPolicy.AWSLambdaKinesisExecutionRole,
                 iam.ManagedPolicy.AmazonKinesisFullAccess,
-                iam.ManagedPolicy.CloudWatchFullAccess,
+                iam.ManagedPolicy.CloudWatchFullAccessV2,
                 iam.ManagedPolicy.CloudWatchEventsFullAccess,
                 iam.ManagedPolicy.LambdaFullAccess,
             ],

diff --git a/sdk/nodejs/lambda/lambdaMixins.ts b/sdk/nodejs/lambda/lambdaMixins.ts
@@ -271,7 +271,7 @@ export function createFunctionFromEventHandler<E, R>(
  * details on this process.
  * If no IAM Role is specified, CallbackFunction will automatically use the following managed policies:
  * `AWSLambda_FullAccess`
- * `CloudWatchFullAccess`
+ * `CloudWatchFullAccessV2`
  * `CloudWatchEventsFullAccess`
  * `AmazonS3FullAccess`
  * `AmazonDynamoDBFullAccess`
@@ -313,7 +313,7 @@ export class CallbackFunction<E, R> extends LambdaFunction {
 
             if (!args.policies) {
 
-                const policies = [iam.ManagedPolicy.LambdaFullAccess, iam.ManagedPolicy.CloudWatchFullAccess,
+                const policies = [iam.ManagedPolicy.LambdaFullAccess, iam.ManagedPolicy.CloudWatchFullAccessV2,
                     iam.ManagedPolicy.CloudWatchEventsFullAccess, iam.ManagedPolicy.AmazonS3FullAccess,
                     iam.ManagedPolicy.AmazonDynamoDBFullAccess, iam.ManagedPolicy.AmazonSQSFullAccess,
                     iam.ManagedPolicy.AmazonKinesisFullAccess, iam.ManagedPolicy.AmazonCognitoPowerUser,

diff --git a/sdk/nodejs/types/enums/iam/index.ts b/sdk/nodejs/types/enums/iam/index.ts
@@ -1033,7 +1033,11 @@ export const ManagedPolicy = {
     CloudWatchEventsInvocationAccess: "arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess",
     CloudWatchEventsReadOnlyAccess: "arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess",
     CloudWatchEventsServiceRolePolicy: "arn:aws:iam::aws:policy/aws-service-role/CloudWatchEventsServiceRolePolicy",
+    /**
+     * @deprecated This policy is deprecated and will no longer be supported by AWS after December 7, 2023. Use CloudWatchFullAccessV2 instead.
+     */
     CloudWatchFullAccess: "arn:aws:iam::aws:policy/CloudWatchFullAccess",
+    CloudWatchFullAccessV2: "arn:aws:iam::aws:policy/CloudWatchFullAccessV2",
     CloudWatchInternetMonitorServiceRolePolicy: "arn:aws:iam::aws:policy/aws-service-role/CloudWatchInternetMonitorServiceRolePolicy",
     CloudWatchLambdaInsightsExecutionRolePolicy: "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
     CloudWatchLogsCrossAccountSharingConfiguration: "arn:aws:iam::aws:policy/CloudWatchLogsCrossAccountSharingConfiguration",

diff --git a/sdk/python/pulumi_aws/iam/_enums.py b/sdk/python/pulumi_aws/iam/_enums.py
@@ -969,6 +969,7 @@ class ManagedPolicy(str, Enum):
     CLOUD_WATCH_EVENTS_READ_ONLY_ACCESS = "arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess"
     CLOUD_WATCH_EVENTS_SERVICE_ROLE_POLICY = "arn:aws:iam::aws:policy/aws-service-role/CloudWatchEventsServiceRolePolicy"
     CLOUD_WATCH_FULL_ACCESS = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
+    CLOUD_WATCH_FULL_ACCESS_V2 = "arn:aws:iam::aws:policy/CloudWatchFullAccessV2"
     CLOUD_WATCH_INTERNET_MONITOR_SERVICE_ROLE_POLICY = "arn:aws:iam::aws:policy/aws-service-role/CloudWatchInternetMonitorServiceRolePolicy"
     CLOUD_WATCH_LAMBDA_INSIGHTS_EXECUTION_ROLE_POLICY = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
     CLOUD_WATCH_LOGS_CROSS_ACCOUNT_SHARING_CONFIGURATION = "arn:aws:iam::aws:policy/CloudWatchLogsCrossAccountSharingConfiguration"