feat(dynamodb): grant permission to specific indexes when using fromTableAttributes to create a table construct #21451

2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-dynamodb/README.md
Expand Up @@ -36,7 +36,7 @@ If you intend to use the `tableStreamArn` (including indirectly, for example by
`@aws-cdk/aws-lambda-event-source.DynamoEventSource` on the imported table), you *must* use the
`Table.fromTableAttributes` method and the `tableStreamArn` property *must* be populated.

In order to grant permissions to indexes on imported tables you can either set `grantIndexPermissions` to `true`, or you can provide the indexes via the `globalIndexes` or `localIndexes` properties. This will enable `grant*` methods to also grant permissions to *all* table indexes.
In order to grant permissions to indexes on imported tables you can either set `grantIndexPermissions` to `true`, This will enable `grant*` methods to also grant permissions to *all* table indexes; or you can provide the indexes via the `globalIndexes` or `localIndexes` properties, this will enable `grant*` methods to also grant permissions to specific table indexes that you provide.

## Keys

35 changes: 25 additions & 10 deletions packages/@aws-cdk/aws-dynamodb/lib/table.ts
Expand Up @@ -635,6 +635,9 @@ abstract class TableBase extends Resource implements ITable {

protected readonly regionalArns = new Array<string>();

//the indexes that the user wants to grant permission to
protected readonly indexes= new Array<string>();

/**
* Adds an IAM policy statement associated with this table to an IAM
* principal's policy.
Expand All @@ -651,11 +654,15 @@ abstract class TableBase extends Resource implements ITable {
actions,
resourceArns: [
this.tableArn,
Lazy.string({ produce: () => this.hasIndex ? `${this.tableArn}/index/*` : Aws.NO_VALUE }),
...this.regionalArns,
...this.regionalArns.map(arn => Lazy.string({
produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE,
//for each index the user specify, generate an arn
...this.indexes.map(index => Lazy.string({
produce: () => this.indexes.length>0 ? `${this.tableArn}/index/${index}` : Aws.NO_VALUE,
})),
...(this.regionalArns.map(arn => this.indexes.length>0 ?
this.indexes.map((index)=>{
return Lazy.string({ produce: () => `${arn}/index/${index}` });
}).flat() : Aws.NO_VALUE)) as string[],
],
scope: this,
});
Expand Down Expand Up @@ -987,17 +994,21 @@ abstract class TableBase extends Resource implements ITable {
* @param grantee The principal (no-op if undefined)
* @param opts Options for keyActions, tableActions and streamActions
*/
//use the specific indexes to format Arn name of resources
private combinedGrant(
grantee: iam.IGrantable,
opts: { keyActions?: string[], tableActions?: string[], streamActions?: string[] },
): iam.Grant {
if (opts.tableActions) {
const resources = [this.tableArn,
Lazy.string({ produce: () => this.hasIndex ? `${this.tableArn}/index/*` : Aws.NO_VALUE }),
...this.indexes.map(index => Lazy.string({
produce: () => this.indexes.length>0 ? `${this.tableArn}/index/${index}` : Aws.NO_VALUE,
})),
...this.regionalArns,
...this.regionalArns.map(arn => Lazy.string({
produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE,
}))];
...(this.regionalArns.map(arn => this.indexes.length>0 ?
this.indexes.map((index)=>{
return Lazy.string({ produce: () => `${arn}/index/${index}` });
}).flat() : Aws.NO_VALUE)) as string[]];
const ret = iam.Grant.addToPrincipal({
grantee,
actions: opts.tableActions,
Expand Down Expand Up @@ -1089,9 +1100,13 @@ export class Table extends TableBase {
public readonly tableArn: string;
public readonly tableStreamArn?: string;
public readonly encryptionKey?: kms.IKey;
protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) ||
(attrs.globalIndexes ?? []).length > 0 ||
(attrs.localIndexes ?? []).length > 0;
//change hasIndex to a string array which contains specific indexes
// protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) ||
// (attrs.globalIndexes ?? []).length > 0 ||
// (attrs.localIndexes ?? []).length > 0;
protected readonly hasIndex = attrs.grantIndexPermissions ?? false;
// the indexes that the user want to grant permission to
protected readonly indexes = ([] as string[]).concat(attrs.globalIndexes ?? []).concat(attrs.localIndexes?? []);

constructor(_tableArn: string, tableName: string, tableStreamArn?: string) {
super(scope, id);
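Review bot: The rewritten resource lists in the grant call of the second hunk (its enclosing method begins above the hunk) and in `combinedGrant` in the third hunk drop the only producers of the `${tableArn}/index/*` wildcard, so `hasIndex` — still assigned on the imported-table class in the last hunk — no longer influences any grant, and `grantIndexPermissions: true` without explicit index names now covers the table ARN only, contrary to the README text in this PR. In the same lists, `this.regionalArns.map(arn => ... this.indexes.map(...).flat() : Aws.NO_VALUE)` evaluates to `(string[] | string)[]`, one nested array per replica ARN; the inner `.flat()` is a no-op on an array of strings and the `as string[]` cast only hides the shape mismatch from the compiler, so the policy's resource list for replicas would carry arrays rather than ARNs. The `this.indexes.length>0` test inside a `map` over `this.indexes` can never be false and can be removed, as can the commented-out `hasIndex` lines in the last hunk. Whether non-imported tables ever populate `this.indexes` (it is only initialised empty on `TableBase` here) lies outside the hunks and is worth checking, since otherwise index grants on created tables regress too. A shape that keeps the wildcard path and flattens the replica ARNs correctly, to be applied to both lists, follows.
```typescript
resourceArns: [
  this.tableArn,
  // wildcard keeps `grantIndexPermissions: true` (and any table whose hasIndex is true) working
  Lazy.string({ produce: () => this.hasIndex ? `${this.tableArn}/index/*` : Aws.NO_VALUE }),
  // one ARN per explicitly named index
  ...this.indexes.map(index => `${this.tableArn}/index/${index}`),
  ...this.regionalArns,
  ...this.regionalArns.flatMap(arn => [
    Lazy.string({ produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE }),
    ...this.indexes.map(index => `${arn}/index/${index}`),
  ]),
],
// … unchanged: scope: this, and the rest of the Grant call …
```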