fix(iam): IAM Policies are too large to deploy

packages/@aws-cdk/aws-iam/.npmignore

@@ -21,8 +21,10 @@ tsconfig.json
 .eslintrc.js
 jest.config.js
 
+docs/
+
 # exclude cdk artifacts
 **/cdk.out
 junit.xml
 test/
-!*.lit.ts
+!*.lit.ts

packages/@aws-cdk/aws-iam/docs/policy-merging.als

@@ -0,0 +1,116 @@
+/*
+Alloy model to confirm the logic behind merging IAM Statements.
+
+This proves that merging two statements based on the following conditions:
+
+- Effects are the same, and one of:
+  - Both have some Actions and the rest of the statements is the same
+  - Both have some Resources and the rest of the statements is the same
+  - Both have some Principals and the rest of the statements is the same
+
+Is sound, as the model doesn't find any examples of where the meaning
+of statements is changed by merging.
+
+Find Alloy at https://alloytools.org/.
+*/
+
+---------------------------------------------------------
+-- Base Statement definitions
+enum Effect { Allow, Deny }
+enum Resource { ResourceA, ResourceB }
+enum Action { ActionA, ActionB }
+enum Principal { PrincipalA, PrincipalB }
+
+sig Statement {
+  effect: Effect,
+  principal: set Principal,
+  notPrincipal: set Principal,
+  action: set Action,
+  notAction: set Action,
+  resource: set Resource,
+  notResource: set Resource,
+} {
+  // Exactly one of Xxx and notXxx is non-empty
+  (some principal) iff not (some notPrincipal)
+  (some action) iff not (some notAction)
+  (some resource) iff not (some notResource)
+}
+
+---------------------------------------------------------
+-- Requests and evaluations
+sig Request {
+  principal: Principal,
+  resource: Resource,
+  action: Action,
+}
+
+// Whether the statement applies to the given request
+pred applies[s: Statement, req: Request] {
+  req.principal in s.principal or req.principal not in s.notPrincipal
+  req.action in s.action or req.action not in s.notAction
+  req.resource in s.resource or req.resource not in s.notResource
+}
+
+// Whether or not to allow the given request according to the given statements
+//
+// A request is allowed if there's at least one statement allowing it and
+// no statements denying it.
+pred allow[req: Request, ss: some Statement] {
+  some s: ss | applies[s, req] and s.effect = Allow
+  no s: ss | applies[s, req] and s.effect = Deny
+}
+
+---------------------------------------------------------
+-- Statement merging
+
+// Helpers to assert that certain fields are the same
+let sameAction[a, b] = { a.action = b.action and a.notAction = b.notAction }
+let sameResource[a, b] = { a.resource = b.resource and a.notResource = b.notResource }
+let samePrincipal[a, b] = { a.principal = b.principal and a.notPrincipal = b.notPrincipal }
+
+// Assert that m is the merged version of a and b
+//
+// This encodes the important logic: the rules of merging.
+pred merged[a: Statement, b: Statement, m: Statement] {
+  m.effect = a.effect and m.effect = b.effect 
+  {
+    // Writing 'some a.action', 'some b.action' here is critical
+    // This asserts we are dealing with a POSITIVE action and not
+    // a notAction (that's excluded by the fact on Statement that only
+    // one of the two can be set.
+    //
+    // We can show that we have a bug if you uncomment the next line.
+    some a.action and some b.action // Excludes notAction
+
+    // The constraint on notAction here is not necessary, because
+    // in practice it must always the empty set, but it is necessary to
+    // correctly show the bug in action if the previous line is commented out.
+    m.action = a.action + b.action and m.notAction = a.notAction + b.notAction
+    sameResource[a, b] and sameResource[b, m]
+    samePrincipal[a, b] and samePrincipal[b, m]
+  } or {
+    some a.resource and some b.resource // Excludes notResource
+    m.resource = a.resource + b.resource and m.notResource = a.notResource + b.notResource
+    sameAction[a, b] and sameAction[b, m]
+    samePrincipal[a, b] and samePrincipal[b, m]
+  } or {
+    some a.principal and some b.principal // Excludes notPrincipal
+    m.principal = a.principal + b.principal and m.notPrincipal = a.notPrincipal + b.notPrincipal
+    sameAction[a, b] and sameAction[b, m]
+    sameResource[a, b] and sameResource[b, m]
+  }
+}
+
+// Maximum merging of all statements in orig
+pred maxMerged[orig: some Statement, merged: some Statement] {
+}
+
+// There are no statements so that if they are merged, 
+// the evaluation of the separate statements is different than the evaluation
+// of the merged statement
+check merging_does_not_change_evaluation {
+  no a: Statement, b: Statement, m: Statement, r: Request {
+    merged[a, b, m]
+    allow[r, a + b] iff not allow[r, m]
+  }
+} for 5

packages/@aws-cdk/aws-iam/lib/policy-document.ts

@@ -1,5 +1,7 @@
 import * as cdk from '@aws-cdk/core';
+import * as cxapi from '@aws-cdk/cx-api';
 import { PolicyStatement } from './policy-statement';
+import { PostProcessPolicyDocument } from './private/postprocess-policy-document';
 
 /**
  * Properties for a new PolicyDocument
@@ -18,6 +20,24 @@ export interface PolicyDocumentProps {
    * @default - No statements
    */
   readonly statements?: PolicyStatement[];
+
+  /**
+   * Try to minimize the policy by merging statements
+   *
+   * To avoid overrunning the maximum policy size, combine statements if they produce
+   * the same result. Merging happens according to the following rules:
+   *
+   * - The Effect of both statements is the same
+   * - Neither of the statements have a 'Sid'
+   * - Combine Principals if the rest of the statement is exactly the same.
+   * - Combine Resources if the rest of the statement is exactly the same.
+   * - Combine Actions if the rest of the statement is exactly the same.
+   * - We will never combine NotPrincipals, NotResources or NotActions, because doing
+   *   so would change the meaning of the policy document.
+   *
+   * @default - false, unless the feature flag `@aws-cdk/aws-iam:minimizePolicies` is set
+   */
+  readonly minimize?: boolean;
 }
 
 /**
@@ -43,16 +63,21 @@ export class PolicyDocument implements cdk.IResolvable {
   public readonly creationStack: string[];
   private readonly statements = new Array<PolicyStatement>();
   private readonly autoAssignSids: boolean;
+  private readonly minimize?: boolean;
 
   constructor(props: PolicyDocumentProps = {}) {
     this.creationStack = cdk.captureStackTrace();
     this.autoAssignSids = !!props.assignSids;
+    this.minimize = props.minimize;
 
     this.addStatements(...props.statements || []);
   }
 
   public resolve(context: cdk.IResolveContext): any {
-    context.registerPostProcessor(new RemoveDuplicateStatements(this.autoAssignSids));
+    context.registerPostProcessor(new PostProcessPolicyDocument(
+      this.autoAssignSids,
+      this.minimize ?? cdk.FeatureFlags.of(context.scope).isEnabled(cxapi.IAM_MINIMIZE_POLICIES) ?? false,
+    ));
     return this.render();
   }
 
@@ -153,42 +178,3 @@ export class PolicyDocument implements cdk.IResolvable {
     return doc;
   }
 }
-
-/**
- * Removes duplicate statements and assign Sids if necessary
- */
-class RemoveDuplicateStatements implements cdk.IPostProcessor {
-  constructor(private readonly autoAssignSids: boolean) {
-  }
-
-  public postProcess(input: any, _context: cdk.IResolveContext): any {
-    if (!input || !input.Statement) {
-      return input;
-    }
-
-    const jsonStatements = new Set<string>();
-    const uniqueStatements: any[] = [];
-
-    for (const statement of input.Statement) {
-      const jsonStatement = JSON.stringify(statement);
-      if (!jsonStatements.has(jsonStatement)) {
-        uniqueStatements.push(statement);
-        jsonStatements.add(jsonStatement);
-      }
-    }
-
-    // assign unique SIDs (the statement index) if `autoAssignSids` is enabled
-    const statements = uniqueStatements.map((s, i) => {
-      if (this.autoAssignSids && !s.Sid) {
-        s.Sid = i.toString();
-      }
-
-      return s;
-    });
-
-    return {
-      ...input,
-      Statement: statements,
-    };
-  }
-}