feat(aws-iam): grants support non-identity principals

design/aws-guidelines.md

@@ -326,9 +326,9 @@ export interface IFoo extends cdk.IConstruct, ISomething {
   readonly connections: ec2.Connections;
 
   // permission grants (adds statements to the principal's policy)
-  grant(principal?: iam.IPrincipal, ...actions: string[]): void;
-  grantFoo(principal?: iam.IPrincipal): void;
-  grantBar(principal?: iam.IPrincipal): void;
+  grant(grantee?: iam.IGrantable, ...actions: string[]): void;
+  grantFoo(grantee?: iam.IGrantable): void;
+  grantBar(grantee?: iam.IGrantable): void;
 
   // resource policy (if applicable)
   addToResourcePolicy(statement: iam.PolicyStatement): void;
@@ -364,7 +364,7 @@ export abstract class FooBase extends cdk.Construct implements IFoo {
   public abstract export(): FooAttributes;
 
   // grants can usually be shared
-  public grantYyy(principal?: iam.IPrincipal) {
+  public grantYyy(grantee?: iam.IGrantable) {
     // ...
   }
 

packages/@aws-cdk/assets-docker/test/test.image-asset.ts

@@ -61,22 +61,13 @@ export = {
                   ":",
                   { "Ref": "AWS::AccountId" },
                   ":repository/",
-                  {
-                      "Fn::GetAtt": [
-                        "ImageAdoptRepositoryE1E84E35",
-                        "RepositoryName"
-                      ]
-                  }
+                  { "Fn::GetAtt": [ "ImageAdoptRepositoryE1E84E35", "RepositoryName" ] }
                 ]
               ]
             }
           },
           {
-            "Action": [
-              "ecr:GetAuthorizationToken",
-              "logs:CreateLogStream",
-              "logs:PutLogEvents"
-            ],
+            "Action": "ecr:GetAuthorizationToken",
             "Effect": "Allow",
             "Resource": "*"
           }

packages/@aws-cdk/assets/lib/asset.ts

@@ -36,7 +36,7 @@ export interface GenericAssetProps {
    * A list of principals that should be able to read this asset from S3.
    * You can use `asset.grantRead(principal)` to grant read permissions later.
    */
-  readonly readers?: iam.IPrincipal[];
+  readonly readers?: iam.IGrantable[];
 }
 
 /**
@@ -171,12 +171,12 @@ export class Asset extends cdk.Construct {
   /**
    * Grants read permissions to the principal on the asset's S3 object.
    */
-  public grantRead(principal?: iam.IPrincipal) {
+  public grantRead(grantee: iam.IGrantable) {
     // We give permissions on all files with the same prefix. Presumably
     // different versions of the same file will have the same prefix
     // and we don't want to accidentally revoke permission on old versions
     // when deploying a new version.
-    this.bucket.grantRead(principal, `${this.s3Prefix}*`);
+    this.bucket.grantRead(grantee, `${this.s3Prefix}*`);
   }
 }
 
@@ -190,7 +190,7 @@ export interface FileAssetProps {
    * A list of principals that should be able to read this file asset from S3.
    * You can use `asset.grantRead(principal)` to grant read permissions later.
    */
-  readonly readers?: iam.IPrincipal[];
+  readonly readers?: iam.IGrantable[];
 }
 
 /**
@@ -212,7 +212,7 @@ export interface ZipDirectoryAssetProps {
    * A list of principals that should be able to read this ZIP file from S3.
    * You can use `asset.grantRead(principal)` to grant read permissions later.
    */
-  readonly readers?: iam.IPrincipal[];
+  readonly readers?: iam.IGrantable[];
 }
 
 /**

packages/@aws-cdk/aws-cloudwatch/lib/metric.ts

@@ -85,14 +85,14 @@ export class Metric {
   /**
    * Grant permissions to the given identity to write metrics.
    *
-   * @param identity The IAM identity to give permissions to.
+   * @param grantee The IAM identity to give permissions to.
    */
-  public static grantPutMetricData(identity?: iam.IPrincipal) {
-    if (!identity) { return; }
-
-    identity.addToPolicy(new iam.PolicyStatement()
-      .addAllResources()
-      .addAction("cloudwatch:PutMetricData"));
+  public static grantPutMetricData(grantee: iam.IGrantable): iam.Grant {
+    return iam.Grant.onPrincipal({
+      grantee,
+      actions: ['cloudwatch:PutMetricData'],
+      resourceArns: ['*']
+    });
   }
 
   public readonly dimensions?: DimensionHash;

packages/@aws-cdk/aws-codebuild/lib/project.ts

@@ -24,7 +24,7 @@ export interface IProject extends cdk.IConstruct, events.IEventRuleTarget {
   readonly projectName: string;
 
   /** The IAM service Role of this Project. Undefined for imported Projects. */
-  readonly role?: iam.IRole;
+  readonly role: iam.IRole;
 
   /**
    * Defines a CloudWatch event rule triggered when the build project state
@@ -162,8 +162,8 @@ export abstract class ProjectBase extends cdk.Construct implements IProject {
   /** The human-visible name of this Project. */
   public abstract readonly projectName: string;
 
-  /** The IAM service Role of this Project. Undefined for imported Projects. */
-  public abstract readonly role?: iam.IRole;
+  /** The IAM service Role of this Project. */
+  public abstract readonly role: iam.IRole;
 
   /** A role used by CloudWatch events to trigger a build */
   private eventsRole?: iam.Role;
@@ -371,7 +371,7 @@ export abstract class ProjectBase extends cdk.Construct implements IProject {
 class ImportedProject extends ProjectBase {
   public readonly projectArn: string;
   public readonly projectName: string;
-  public readonly role?: iam.Role = undefined;
+  public readonly role: iam.Role = undefined;
 
   constructor(scope: cdk.Construct, id: string, private readonly props: ProjectImportProps) {
     super(scope, id);
@@ -575,7 +575,7 @@ export class Project extends ProjectBase {
   /**
    * The IAM role for this project.
    */
-  public readonly role?: iam.IRole;
+  public readonly role: iam.IRole;
 
   /**
    * The ARN of the project.

packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts

@@ -194,7 +194,7 @@ export class LambdaDeploymentGroup extends cdk.Construct implements ILambdaDeplo
       throw new Error('A pre-hook function is already defined for this deployment group');
     }
     this.preHook = preHook;
-    this.grantPutLifecycleEventHookExecutionStatus(this.preHook.role);
+    this.grantPutLifecycleEventHookExecutionStatus(this.preHook);
     this.preHook.grantInvoke(this.role);
   }
 
@@ -208,7 +208,7 @@ export class LambdaDeploymentGroup extends cdk.Construct implements ILambdaDeplo
       throw new Error('A post-hook function is already defined for this deployment group');
     }
     this.postHook = postHook;
-    this.grantPutLifecycleEventHookExecutionStatus(this.postHook.role);
+    this.grantPutLifecycleEventHookExecutionStatus(this.postHook);
     this.postHook.grantInvoke(this.role);
   }
 
@@ -217,12 +217,12 @@ export class LambdaDeploymentGroup extends cdk.Construct implements ILambdaDeplo
    * on this deployment group resource.
    * @param principal to grant permission to
    */
-  public grantPutLifecycleEventHookExecutionStatus(principal?: iam.IPrincipal): void {
-    if (principal) {
-      principal.addToPolicy(new iam.PolicyStatement()
-        .addResource(this.deploymentGroupArn)
-        .addAction('codedeploy:PutLifecycleEventHookExecutionStatus'));
-    }
+  public grantPutLifecycleEventHookExecutionStatus(grantee: iam.IGrantable): iam.Grant {
+    return iam.Grant.onPrincipal({
+      grantee,
+      resourceArns: [this.deploymentGroupArn],
+      actions: ['codedeploy:PutLifecycleEventHookExecutionStatus'],
+    });
   }
 
   public export(): LambdaDeploymentGroupImportProps {

packages/@aws-cdk/aws-codepipeline-actions/test/cloudformation/test.pipeline-actions.ts

@@ -317,11 +317,11 @@ class PipelineDouble extends cdk.Construct implements codepipeline.IPipeline {
     throw new Error('asEventRuleTarget() is unsupported in PipelineDouble');
   }
 
-  public grantBucketRead(_identity?: iam.IPrincipal): void {
+  public grantBucketRead(_identity?: iam.IGrantable): iam.Grant {
     throw new Error('grantBucketRead() is unsupported in PipelineDouble');
   }
 
-  public grantBucketReadWrite(_identity?: iam.IPrincipal): void {
+  public grantBucketReadWrite(_identity?: iam.IGrantable): iam.Grant {
     throw new Error('grantBucketReadWrite() is unsupported in PipelineDouble');
   }
 }
@@ -369,9 +369,10 @@ class RoleDouble extends iam.Role {
     super(scope, id, props);
   }
 
-  public addToPolicy(statement: iam.PolicyStatement) {
+  public addToPolicy(statement: iam.PolicyStatement): boolean {
     super.addToPolicy(statement);
     this.statements.push(statement);
+    return true;
   }
 }
 

packages/@aws-cdk/aws-codepipeline/lib/action.ts

@@ -83,14 +83,14 @@ export interface IPipeline extends cdk.IConstruct, events.IEventRuleTarget {
    *
    * @param identity the IAM Identity to grant the permissions to
    */
-  grantBucketRead(identity?: iam.IPrincipal): void;
+  grantBucketRead(identity: iam.IGrantable): iam.Grant;
 
   /**
    * Grants read & write permissions to the Pipeline's S3 Bucket to the given Identity.
    *
    * @param identity the IAM Identity to grant the permissions to
    */
-  grantBucketReadWrite(identity?: iam.IPrincipal): void;
+  grantBucketReadWrite(identity: iam.IGrantable): iam.Grant;
 }
 
 /**

packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts

@@ -293,12 +293,12 @@ export class Pipeline extends cdk.Construct implements IPipeline {
     return this.stages.length;
   }
 
-  public grantBucketRead(identity?: iam.IPrincipal): void {
-    this.artifactBucket.grantRead(identity);
+  public grantBucketRead(identity: iam.IGrantable): iam.Grant {
+    return this.artifactBucket.grantRead(identity);
   }
 
-  public grantBucketReadWrite(identity?: iam.IPrincipal): void {
-    this.artifactBucket.grantReadWrite(identity);
+  public grantBucketReadWrite(identity: iam.IGrantable): iam.Grant {
+    return this.artifactBucket.grantReadWrite(identity);
   }
 
   /**

packages/@aws-cdk/aws-dynamodb-global/.nycrc

@@ -0,0 +1 @@
+/Users/huijbers/Workspaces/PublicCDK/aws-cdk/tools/cdk-build-tools/config/nycrc

packages/@aws-cdk/aws-dynamodb-global/lib/aws-dynamodb-global.d.ts

@@ -0,0 +1,98 @@
+import dynamodb = require("@aws-cdk/aws-dynamodb");
+import cdk = require("@aws-cdk/cdk");
+import { LambdaGlobalDynamoDBMaker } from "./lambda-global-dynamodb";
+import { MultiDynamoDBStack } from "./multi-dynamodb-stack";
+/**
+ * NOTE: These props should match dynamodb.TableProps exactly
+ * EXCEPT for tableName is now required (for global tables to work, the
+ * table name must match across regions)
+ */
+export interface GlobalDynamoDBProps {
+    /**
+     * Partition key attribute definition.
+     */
+    partitionKey: dynamodb.Attribute;
+    /**
+     * Table sort key attribute definition.
+     *
+     * @default no sort key
+     */
+    sortKey?: dynamodb.Attribute;
+    /**
+     * The read capacity for the table. Careful if you add Global Secondary Indexes, as
+     * those will share the table's provisioned throughput.
+     *
+     * Can only be provided if billingMode is Provisioned.
+     *
+     * @default 5
+     */
+    readCapacity?: number;
+    /**
+     * The write capacity for the table. Careful if you add Global Secondary Indexes, as
+     * those will share the table's provisioned throughput.
+     *
+     * Can only be provided if billingMode is Provisioned.
+     *
+     * @default 5
+     */
+    writeCapacity?: number;
+    /**
+     * Specify how you are charged for read and write throughput and how you manage capacity.
+     * @default Provisioned
+     */
+    billingMode?: dynamodb.BillingMode;
+    /**
+     * Enforces a particular physical table name.
+     * @default <generated>
+     */
+    tableName: string;
+    /**
+     * Whether point-in-time recovery is enabled.
+     * @default undefined, point-in-time recovery is disabled
+     */
+    pitrEnabled?: boolean;
+    /**
+     * Whether server-side encryption with an AWS managed customer master key is enabled.
+     * @default undefined, server-side encryption is enabled with an AWS owned customer master key
+     */
+    sseEnabled?: boolean;
+    /**
+     * When an item in the table is modified, StreamViewType determines what information
+     * is written to the stream for this table. Valid values for StreamViewType are:
+     * @default dynamodb.StreamViewType.NewAndOldImages, streams must be enabled
+     */
+    streamSpecification?: dynamodb.StreamViewType;
+    /**
+     * The name of TTL attribute.
+     * @default undefined, TTL is disabled
+     */
+    ttlAttributeName?: string;
+}
+/**
+ * Properties for the mutliple DynamoDB tables to mash together into a
+ * global table
+ */
+export interface DynamoDBGlobalStackProps extends cdk.StackProps {
+    /**
+     * Properties for DynamoDB Tables
+     * All the properties must be exactly the same
+     * to make the tables mesh together as a global table
+     */
+    dynamoProps: GlobalDynamoDBProps;
+    /**
+     * Array of environments to create DynamoDB tables in
+     * Accounts should be omitted, or at least all identical
+     */
+    regions: string[];
+}
+export declare class GlobalTable extends cdk.Construct {
+    /**
+     * Creates dynamoDB tables across regions that will be able to be globbed together into a global table
+     */
+    tables: MultiDynamoDBStack[];
+    /**
+     * Creates the cloudformation custom resource that launches a lambda to tie it all together
+     */
+    lambdaGlobalDynamodbMaker: LambdaGlobalDynamoDBMaker;
+    constructor(scope: cdk.Construct, id: string, props: DynamoDBGlobalStackProps);
+}