From 73eb6e20fc70dad1e6a8686b8e8981b4d3799652 Mon Sep 17 00:00:00 2001 From: Bryan Pan Date: Thu, 13 May 2021 08:48:46 -0700 Subject: [PATCH] chore(appsync): rds data source service integration with grantDataApi (#14671) Utilize the `grantDataApi` from RDS to complete service integration. Fixes: #13189 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../@aws-cdk/aws-appsync/lib/data-source.ts | 4 +++- .../aws-appsync/test/appsync-rds.test.ts | 20 ++++++++++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-appsync/lib/data-source.ts b/packages/@aws-cdk/aws-appsync/lib/data-source.ts
index 4c1280c2196d9..b7570be255fac 100644
--- a/packages/@aws-cdk/aws-appsync/lib/data-source.ts
+++ b/packages/@aws-cdk/aws-appsync/lib/data-source.ts
@@ -350,12 +350,14 @@ export class RdsDataSource extends BackedDataSource {
 props.secretStore.grantRead(this);
 // Change to grant with RDS grant becomes implemented
+
+ props.serverlessCluster.grantDataApiAccess(this);
+
 Grant.addToPrincipal({
 grantee: this,
 actions: [
 'rds-data:DeleteItems',
 'rds-data:ExecuteSql',
- 'rds-data:ExecuteStatement',
 'rds-data:GetItems',
 'rds-data:InsertItems',
 'rds-data:UpdateItems',
diff --git a/packages/@aws-cdk/aws-appsync/test/appsync-rds.test.ts b/packages/@aws-cdk/aws-appsync/test/appsync-rds.test.ts
index 1f7c942811791..9a328b0fe65a0 100644
--- a/packages/@aws-cdk/aws-appsync/test/appsync-rds.test.ts
+++ b/packages/@aws-cdk/aws-appsync/test/appsync-rds.test.ts
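Review bot: The comment `// Change to grant with RDS grant becomes implemented` directly above the added `props.serverlessCluster.grantDataApiAccess(this);` is now stale, because this call is exactly the change it anticipated; drop it, or replace it with one that explains why the hand-written `Grant.addToPrincipal` below is still kept next to `grantDataApiAccess`, e.g. `// grantDataApiAccess covers the Data API statements; the explicit grant below keeps the remaining rds-data:* actions granted before`. That remaining grant still lists `rds-data:ExecuteSql`, `DeleteItems`, `GetItems`, `InsertItems` and `UpdateItems`; if they are retained only so existing stacks keep the same permissions, a comment saying so would stop the next reader from re-adding `ExecuteStatement`. `props.secretStore.grantRead(this)` and `grantDataApiAccess` also appear to both grant secret reads (the test hunk in appsync-rds.test.ts expects two secretsmanager statements), which is harmless but worth noting in the same comment. The constructor continues outside this hunk.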
@@ -58,11 +58,29 @@ describe('Rds Data Source configuration', () => {
 Effect: 'Allow',
 Resource: { Ref: 'AuroraSecret41E6E877' },
 },
+ {
+ Action: [
+ 'rds-data:BatchExecuteStatement',
+ 'rds-data:BeginTransaction',
+ 'rds-data:CommitTransaction',
+ 'rds-data:ExecuteStatement',
+ 'rds-data:RollbackTransaction',
+ ],
+ Effect: 'Allow',
+ Resource: '*',
+ },
+ {
+ Action: [
+ 'secretsmanager:GetSecretValue',
+ 'secretsmanager:DescribeSecret',
+ ],
+ Effect: 'Allow',
+ Resource: { Ref: 'AuroraClusterSecretAttachmentDB8032DA' },
+ },
 {
 Action: [
 'rds-data:DeleteItems',
 'rds-data:ExecuteSql',
- 'rds-data:ExecuteStatement',
 'rds-data:GetItems',
 'rds-data:InsertItems',
 'rds-data:UpdateItems',
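Review bot: The expected statement with `Resource: '*'` for the five `rds-data:*` actions pins a wildcard resource that this package does not write itself; it is whatever `ServerlessCluster.grantDataApiAccess` in aws-rds emits, so a short comment beside it, e.g. `// Resource '*' and the second secretsmanager statement come from ServerlessCluster.grantDataApiAccess`, would tell a maintainer why this test breaks if aws-rds ever scopes that grant to the cluster ARN. The second secretsmanager statement (`AuroraClusterSecretAttachmentDB8032DA`) likewise comes from the cluster's own secret rather than from the `secretStore` passed to the data source, which the comment should say too. The `describe` block and the containing expectation start and end outside this hunk.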