import type { GuStack } from "../../core";
import { GuAllowPolicy } from "./base-policy";
import type { GuNoStatementsPolicyProps } from "./base-policy";
/** Properties shared by the DynamoDB policy constructs: the table the policy is scoped to. */
interface GuDynamoDBPolicyProps {
  // Interpolated verbatim into the table and index ARNs; a wildcard here would widen the grant.
  tableName: string;
}
/**
 * Props for the abstract base policy: the public props plus the DynamoDB actions to allow.
 * Actions are given without the `dynamodb:` prefix; the base class adds it.
 */
interface GuDynamoDBPolicyPropsWithActions extends GuNoStatementsPolicyProps, GuDynamoDBPolicyProps {
  actions: string[];
}
/**
 * Base for the DynamoDB allow policies in this file.
 *
 * Prefixes every action with `dynamodb:` and scopes the statement to the named
 * table and all of its indexes (`table/<name>/index/*`) in the stack's region and
 * account. The ARN partition is fixed to `aws`.
 */
abstract class GuDynamoDBPolicy extends GuAllowPolicy {
  /**
   * Resources the policy applies to: the table ARN followed by a wildcard over its indexes.
   *
   * Note: although the index resource is not supported for all attached actions
   * (e.g. BatchWriteItem), it will not cause issues to include it here as it is ignored.
   * See: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
   */
  private static resourcesFor(scope: GuStack, tableName: string): string[] {
    const tableArn = `arn:aws:dynamodb:${scope.region}:${scope.account}:table/${tableName}`;
    return [tableArn, `${tableArn}/index/*`];
  }

  /**
   * @param scope the stack whose region and account are used to build the ARNs
   * @param id construct id
   * @param props table name plus the unprefixed DynamoDB actions to allow
   */
  protected constructor(scope: GuStack, id: string, props: GuDynamoDBPolicyPropsWithActions) {
    super(scope, id, {
      ...props,
      actions: props.actions.map((name) => `dynamodb:${name}`),
      resources: GuDynamoDBPolicy.resourcesFor(scope, props.tableName),
    });
  }
}
/**
 * Allow policy granting read access to one DynamoDB table and its indexes:
 * BatchGetItem, GetItem, Scan, Query and GetRecords.
 */
export class GuDynamoDBReadPolicy extends GuDynamoDBPolicy {
  /**
   * @param scope the stack whose region and account scope the resource ARNs
   * @param id construct id
   * @param props the table to grant read access to
   */
  constructor(scope: GuStack, id: string, props: GuDynamoDBPolicyProps) {
    // NOTE(review): GetRecords is a DynamoDB Streams action, while the base class
    // scopes resources to table and index ARNs only — confirm it is effective here.
    const readActions = ["BatchGetItem", "GetItem", "Scan", "Query", "GetRecords"];
    super(scope, id, { ...props, actions: readActions });
  }
}
/**
 * Allow policy granting write access to one DynamoDB table and its indexes:
 * BatchWriteItem, PutItem, DeleteItem and UpdateItem.
 */
export class GuDynamoDBWritePolicy extends GuDynamoDBPolicy {
  /**
   * @param scope the stack whose region and account scope the resource ARNs
   * @param id construct id
   * @param props the table to grant write access to
   */
  constructor(scope: GuStack, id: string, props: GuDynamoDBPolicyProps) {
    const writeActions = ["BatchWriteItem", "PutItem", "DeleteItem", "UpdateItem"];
    super(scope, id, { ...props, actions: writeActions });
  }
}