feat: Allow access on all indexes of a table in GuDynamoDBPolicy (#2024)
* feat: Allow access on all indexes of a table in GuDynamoDBPolicy

This change includes all table indexes in the blanket
GuDynamoDBReadPolicy and GuDynamoDBWritePolicy classes.

Without this, consumers will see failures when querying or updating items in
Global Secondary Indexes.

Adding read/write access to indexes of a table in these policies is
intended to make it easier to use these policies by allowing access to
indexes as might be expected.

* update snapshots and associated ddb tests

* prettier

* snapshot test updates

* add comment on unsupported actions with multiple resources
kenoir authored Sep 18, 2023
1 parent 954ea28 commit 63c5f7f
Showing 3 changed files with 106 additions and 46 deletions.
96 changes: 66 additions & 30 deletions src/constructs/iam/policies/dynamodb.test.ts
Expand Up @@ -21,22 +21,40 @@ describe("The GuDynamoDBReadPolicy construct", () => {
"dynamodb:GetRecords",
],
Effect: "Allow",
Resource: {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable",
Resource: [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable",
],
],
],
},
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable/index/*",
],
],
},
],
},
],
},
Expand All @@ -57,22 +75,40 @@ describe("The GuDynamoDBWritePolicy construct", () => {
{
Action: ["dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem"],
Effect: "Allow",
Resource: {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable",
Resource: [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable",
],
],
],
},
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable/index/*",
],
],
},
],
},
],
},
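--- a/src/constructs/iam/policies/dynamodb.ts
+++ b/src/constructs/iam/policies/dynamodb.ts
@@ -15,7 +15,13 @@ abstract class GuDynamoDBPolicy extends GuAllowPolicy {
     super(scope, id, {
       ...props,
       actions: props.actions.map((action) => `dynamodb:${action}`),
-      resources: [`arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}`],
+      // Note: although the index resource is not supported for all attached actions
+      // (e.g. BatchWriteItem), it will not cause issues to include it here as it is ignored.
+      // See: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
+      resources: [
+        `arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}`,
+        `arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}/index/*`,
+      ],
     });
   }
 }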
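Review bot: The new `resources` array grants every action of the policy on `table/${props.tableName}/index/*` unconditionally, so a consumer who only needs the table (or one named GSI) can no longer get the narrower grant from GuDynamoDBReadPolicy or GuDynamoDBWritePolicy; every index of the table is now in scope. Consider an optional prop — a list of index names, or a boolean that defaults to the new all-indexes behaviour so existing callers are unaffected — and state the widening in the class TSDoc, since the blanket read policy is the one most likely to be attached to many roles. The added comment says the index ARN "is ignored" for actions such as BatchWriteItem; as far as I recall IAM simply never matches that resource for actions whose resource type is table-only, while Query/Scan do match it, so a more precise wording would be `// The index ARN only takes effect for actions that accept the index resource type (e.g. Query, Scan); for table-only actions it never matches and is harmless.`. The constructor and the enclosing class begin above the hunk.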
48 changes: 33 additions & 15 deletions src/patterns/ec2-app/base.test.ts
Expand Up @@ -406,22 +406,40 @@ describe("the GuEC2App pattern", function () {
{
Action: ["dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem"],
Effect: "Allow",
Resource: {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/my-dynamo-table",
Resource: [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/my-dynamo-table",
],
],
],
},
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/my-dynamo-table/index/*",
],
],
},
],
},
],
},