Allow access on all indexes of a table in GuDynamoDBPolicy
This change includes all table indexes in the blanket
GuDynamoDBReadPolicy and GuDynamoDBWritePolicy classes.

Without this consumers will see failures querying or updating items in
Global Secondary Indexes.

Adding read/write access to indexes of a table in these policies is
intended to make it easier to use these policies by allowing access to
indexes as might be expected.
kenoir committed Sep 15, 2023
1 parent 954ea28 commit dc43562
Showing 2 changed files with 70 additions and 31 deletions.
96 changes: 66 additions & 30 deletions src/constructs/iam/policies/dynamodb.test.ts
Expand Up @@ -21,22 +21,40 @@ describe("The GuDynamoDBReadPolicy construct", () => {
"dynamodb:GetRecords",
],
Effect: "Allow",
Resource: {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable",
Resource: [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable",
],
],
],
},
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable/index/*",
],
],
},
],
},
],
},
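Review bot: The two `Fn::Join` expectations in this hunk are identical except for the trailing `":table/MyTable"` versus `":table/MyTable/index/*"` segment, and the same 30 lines are repeated again for the write policy below. A small helper in the test file that builds the expected joined ARN for a given suffix (for example one taking `"/index/*"` as its argument) would let each test state only the thing this change adds, the extra index resource, instead of re-spelling the region and account `Ref` scaffolding twice per policy. It would also make it obvious at a glance that the index pattern is a wildcard over every index of the table, which is the security-relevant part of the expectation.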
Expand All @@ -57,22 +75,40 @@ describe("The GuDynamoDBWritePolicy construct", () => {
{
Action: ["dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem"],
Effect: "Allow",
Resource: {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable",
Resource: [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable",
],
],
],
},
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:",
{
Ref: "AWS::Region",
},
":",
{
Ref: "AWS::AccountId",
},
":table/MyTable/index/*",
],
],
},
],
},
],
},
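Review bot: This hunk now asserts that the write policy's `dynamodb:BatchWriteItem`, `dynamodb:PutItem`, `dynamodb:DeleteItem` and `dynamodb:UpdateItem` actions are granted on `table/MyTable/index/*` as well as the table. Those four actions are table-level operations: DynamoDB keeps Global Secondary Indexes in sync itself and exposes no write API that targets an index, so the index ARN is a resource these actions can never match. Locking that into the test means a future reviewer cannot tell whether the broadened resource list is intentional. Either drop the second `Fn::Join` from the write-policy expectation, or add a comment above it explaining which write call was observed to fail without the index resource, since the commit message mentions "updating items" in a GSI but the test does not show which action needed it.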
5 changes: 4 additions & 1 deletion src/constructs/iam/policies/dynamodb.ts
Expand Up @@ -15,7 +15,10 @@ abstract class GuDynamoDBPolicy extends GuAllowPolicy {
super(scope, id, {
...props,
actions: props.actions.map((action) => `dynamodb:${action}`),
resources: [`arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}`],
resources: [
`arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}`,
`arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}/index/*`,
],
});
}
}
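Review bot: The `/index/*` resource is appended in the shared `GuDynamoDBPolicy` constructor, so every subclass receives it unconditionally, including the write policy whose actions do not operate on indexes, and a consumer who only ever queries the base table still gets a wildcard over all current and future indexes. Two suggestions. First, make the index grant opt-in rather than blanket: either move the second ARN into the read subclass, or accept an optional list of index names in `props` (a hypothetical `indexNames` field, not something in the current API) and emit `table/${props.tableName}/index/${name}` per entry, with `index/*` only when the caller asks for it, so least-privilege callers can scope to a single GSI. Second, the doc comment on `GuDynamoDBPolicy` and the construct's README should say that these policies now cover indexes; the commit message is the only place that records the change, and callers auditing generated policies will otherwise be surprised by the extra resource.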
