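/**
 * Which roles to include in the StackSet
 */
export declare enum StackSetRoleSelection {
  /** Include only the changeset role (CdkChangesetRole) */
  CHANGESET_ONLY = "CHANGESET_ONLY",
  /** Include only the drift role (CdkDriftRole) */
  DRIFT_ONLY = "DRIFT_ONLY",
  /** Include both roles (default) */
  BOTH = "BOTH"
}

/**
 * Configuration for StackSet auto-deployment
 */
export interface StackSetAutoDeployment {
  /** Enable auto-deployment to new accounts in target OUs (default: true) */
  readonly enabled?: boolean;
  /** Retain stacks when account leaves OU (default: false) */
  readonly retainStacksOnAccountRemoval?: boolean;
}

/**
 * GitHub repository restrictions for OIDC authentication.
 *
 * These fields decide which GitHub Actions workflow runs may assume the
 * generated OIDC role, so every wildcard here widens the role's trust
 * boundary. Prefer explicit repository and branch lists.
 */
export interface GitHubOidcConfig {
  /**
   * GitHub organization or username (e.g., 'my-org' or 'my-username')
   */
  readonly owner: string;
  /**
   * Repository names allowed to assume the role (e.g., ['repo1', 'repo2'])
   * Use ['*'] to allow all repos in the organization
   *
   * NOTE(review): ['*'] trusts every repository under `owner`; list
   * repositories explicitly unless org-wide access is intended.
   */
  readonly repositories: string[];
  /**
   * Branch patterns allowed (e.g., ['main', 'release/*'])
   * Default: ['*'] (all branches)
   *
   * NOTE(review): the default places no branch restriction on role
   * assumption. Set this explicitly (e.g., ['main']) when only selected
   * branches should be able to obtain credentials.
   */
  readonly branches?: string[];
  /**
   * Additional subject claims for fine-grained access
   * e.g., ['pull_request', 'environment:production']
   *
   * NOTE(review): how these entries are combined with `repositories` and
   * `branches` is decided by the private `buildSubjectClaims` helper and is
   * not visible in this declaration file. Confirm the resulting trust
   * policy before adding a claim such as 'pull_request'.
   */
  readonly additionalClaims?: string[];
}

/**
 * Props for generating StackSet templates (no Projen dependency)
 */
export interface CdkDiffIamTemplateStackSetGeneratorProps {
  /** GitHub OIDC configuration for repo/branch restrictions */
  readonly githubOidc: GitHubOidcConfig;
  /** Name of the GitHub OIDC role (default: 'GitHubOIDCRole') */
  readonly oidcRoleName?: string;
  /** Name of the CdkChangesetRole (default: 'CdkChangesetRole') */
  readonly changesetRoleName?: string;
  /** Name of the CdkDriftRole (default: 'CdkDriftRole') */
  readonly driftRoleName?: string;
  /** Which roles to include (default: BOTH) */
  readonly roleSelection?: StackSetRoleSelection;
  /** Description for the StackSet */
  readonly description?: string;
  /**
   * Skip creating the OIDC provider (use existing one).
   * Set to true if accounts already have a GitHub OIDC provider.
   * The template will reference the existing provider by ARN.
   * Default: false
   */
  readonly skipOidcProviderCreation?: boolean;
}

/**
 * Props for generating StackSet CLI commands (no Projen dependency)
 */
export interface CdkDiffIamTemplateStackSetCommandsProps {
  /** Name of the StackSet (default: 'cdk-diff-workflow-iam-stackset') */
  readonly stackSetName?: string;
  /** Path to the template file (default: 'cdk-diff-workflow-stackset-template.yaml') */
  readonly templatePath?: string;
  /** Target OUs for deployment (e.g., ['ou-xxxx-xxxxxxxx', 'r-xxxx']) */
  readonly targetOrganizationalUnitIds?: string[];
  /** Target regions for deployment (e.g., ['us-east-1', 'eu-west-1']) */
  readonly regions?: string[];
  /** Auto-deployment configuration */
  readonly autoDeployment?: StackSetAutoDeployment;
  /**
   * Whether to use delegated admin mode for StackSet operations.
   * If true, adds --call-as DELEGATED_ADMIN to commands.
   * Default: true
   */
  readonly delegatedAdmin?: boolean;
}

/**
 * Pure generator class for StackSet templates and commands.
 * No Projen dependency - can be used in any project.
 */
export declare class CdkDiffIamTemplateStackSetGenerator {
  /**
   * Generate the CloudFormation StackSet template as a YAML string.
   *
   * @param props - Role names, role selection and the GitHub OIDC
   *   restrictions that end up in the generated template.
   * @returns The template as a YAML string.
   */
  static generateTemplate(props: CdkDiffIamTemplateStackSetGeneratorProps): string;
  /**
   * Generate AWS CLI commands for StackSet operations.
   * Returns a map of command names to shell commands.
   *
   * NOTE(review): whether prop values (StackSet name, template path, OU
   * ids, regions) are quoted or escaped when placed into the command
   * strings is not visible in this declaration file. Pass only trusted
   * values, or review the generated commands before running them.
   *
   * @param props - Optional StackSet name, template path, targets and
   *   delegated-admin setting; documented defaults apply when omitted.
   * @returns Command name to shell command string.
   */
  static generateCommands(props?: CdkDiffIamTemplateStackSetCommandsProps): Record<string, string>;
  private static generateTemplateLines;
  private static generateOidcProviderLines;
  private static generateOidcRoleLines;
  private static buildSubjectClaims;
  private static generateChangesetRoleLines;
  private static generateDriftRoleLines;
  private static generateOidcOutputLines;
  private static generateOidcRoleOutputLines;
  private static generateChangesetOutputLines;
  private static generateDriftOutputLines;
}

/**
 * Props for the Projen-integrated StackSet construct
 */
export interface CdkDiffIamTemplateStackSetProps extends CdkDiffIamTemplateStackSetGeneratorProps {
  /**
   * Projen project instance
   *
   * Declared as `any`, so the compiler does not check the value passed here.
   */
  readonly project: any;
  /** Name of the StackSet (default: 'cdk-diff-workflow-iam-stackset') */
  readonly stackSetName?: string;
  /** Output path for the template file (default: 'cdk-diff-workflow-stackset-template.yaml') */
  readonly outputPath?: string;
  /** Target OUs for deployment (e.g., ['ou-xxxx-xxxxxxxx', 'r-xxxx']) */
  readonly targetOrganizationalUnitIds?: string[];
  /** Target regions for deployment (e.g., ['us-east-1', 'eu-west-1']) */
  readonly regions?: string[];
  /** Auto-deployment configuration */
  readonly autoDeployment?: StackSetAutoDeployment;
  /**
   * Whether to use delegated admin mode for StackSet operations.
   * If true, adds --call-as DELEGATED_ADMIN to commands.
   * If false, assumes running from the management account.
   * Default: true
   */
  readonly delegatedAdmin?: boolean;
}

/**
 * Projen construct that creates a CloudFormation StackSet template for org-wide deployment of
 * GitHub OIDC provider, OIDC role, and CDK Diff/Drift IAM roles.
 *
 * This provides a self-contained per-account deployment with no role chaining required.
 *
 * For non-Projen projects, use `CdkDiffIamTemplateStackSetGenerator` directly.
 */
export declare class CdkDiffIamTemplateStackSet {
  constructor(props: CdkDiffIamTemplateStackSetProps);
}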