aws-cloudformation / aws-cloudformation-resource-providers-codeartifact

The CloudFormation Resource Provider Package for the AWS CodeArtifact service
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodeArtifact.html
Apache License 2.0

Allow separate resource types for Domain/Repository PolicyDocuments #37

Open cprice404-aws opened 3 years ago

cprice404-aws commented 3 years ago

Is your feature request related to a problem? Please describe.

As soon as CodeArtifact CDK support is available, CodeArtifact Domains/Repos will become one of the very first building blocks in bootstrapping CFN-based applications. This is because users will want to publish artifacts containing re-usable CDK code into their CodeArtifact repos, and then use these artifacts as part of the build infrastructure for the rest of their application.

What this means is that a commonly desired use case for deploying an application to a new account/region might look like this:

1) Deploy a very basic CFN stack that sets up the CodeArtifact resources.
2) Manually deploy a few artifacts containing CDK library code to the CodeArtifact repos.
3) Deploy CDK pipelines that will handle the rest of the components of the app. These pipelines may have dependencies on those initial artifacts that were deployed to the CodeArtifact repo in step 2.

As part of step 3, it's extremely desirable that a CDK stack is able to use code pulled from the CodeArtifact repos to manage the policy documents of the CodeArtifact domains and repos that were defined in step 1. However, if the only way to manage those policy documents is as part of the original Domain/Repository resource definitions, then this will not be possible.

A concrete example: let's say I have a git repo that has some code in it that contains a list of developer IAM users/roles that will need access to the repo, including cross-account users. I can use this code all over the place in CDK to make sure that the developers have all of the permissions that they need for various resources. But if the artifact from that repo needs to be published to a CodeArtifact repo so that it can be shared, then the CodeArtifact repo has to exist first. And if the only place that I can define the policy for the CodeArtifact repo is in the Repository resource itself, then there is a chicken-and-egg problem, and I can't use the code to manage the policy for the Repository.

Describe the solution you'd like

Allow users to define the RepositoryPolicy and DomainPolicy resources independently from the Repository and Domain resources. This will allow the policies to be managed in separate CFN stacks, which means that they can be deployed at some time after the stack that defines the Domain and Repository, which means that they can use code that has been published to the CodeArtifact repos.

This is very analogous to S3 BucketPolicy, which is indeed a separate CFN resource type (not contained within the main S3 bucket resource):

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html

Describe alternatives you've considered

There is no alternative that I can think of; it's a chicken-and-egg problem. If you don't allow the policy to be defined as a separate CFN resource, then I cannot use code from a CodeArtifact repo to define the policy. I will be forced to copy/paste the relevant user/role info into two places: one in my library code so that it can be used in other parts of my CDK setup, and one in the definition of the CodeArtifact repo. This will be error-prone and make it easy to mistakenly let them get out of sync.

Additional context
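The contrast the request draws, written out as a constructed CloudFormation template (an added illustration, not code from the issue or from this resource provider): today the CodeArtifact permissions policy can only be expressed as a property of the Repository resource, while the S3 bucket policy it is compared with is its own resource that may be attached from a later stack. The domain, repository and bucket names and the DeveloperRoleArn parameter are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example contrasting embedded vs. standalone policies
Parameters:
  DeveloperRoleArn:
    Type: String
    Description: Placeholder principal, e.g. arn:aws:iam::111122223333:role/Developer
Resources:
  # Current CodeArtifact shape: the policy is a property of the Repository,
  # so it must be known when the Repository itself is created.
  Domain:
    Type: AWS::CodeArtifact::Domain
    Properties:
      DomainName: example-domain
  Repository:
    Type: AWS::CodeArtifact::Repository
    Properties:
      DomainName: !GetAtt Domain.Name
      RepositoryName: example-repo
      PermissionsPolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref DeveloperRoleArn
            Action:
              - codeartifact:ReadFromRepository
              - codeartifact:DescribeRepository
              - codeartifact:ListPackages
            Resource: "*"
  # S3 shape the issue points to: the policy is a separate resource that
  # only references the bucket, so it can live in a later stack.
  ArtifactBucket:
    Type: AWS::S3::Bucket
  ArtifactBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ArtifactBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref DeveloperRoleArn
            Action: s3:GetObject
            Resource: !Sub "${ArtifactBucket.Arn}/*"
Outputs:
  ArtifactBucketName:
    Value: !Ref ArtifactBucket
    Export:
      Name: ArtifactBucketName  # a later stack can Fn::ImportValue this and attach its own BucketPolicy
```

Moving ArtifactBucketPolicy into a second template that imports ArtifactBucketName is what the split-resource design makes possible for S3; the Repository block above has no equivalent seam, which is the gap the request describes.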