diff --git a/src/constructs/iam/policies/dynamodb.test.ts b/src/constructs/iam/policies/dynamodb.test.ts
index aa7b07a937..6be03aa321 100644
--- a/src/constructs/iam/policies/dynamodb.test.ts
+++ b/src/constructs/iam/policies/dynamodb.test.ts
@@ -21,22 +21,40 @@ describe("The GuDynamoDBReadPolicy construct", () => {
 "dynamodb:GetRecords",
 ],
 Effect: "Allow",
- Resource: {
- "Fn::Join": [
- "",
- [
- "arn:aws:dynamodb:",
- {
- Ref: "AWS::Region",
- },
- ":",
- {
- Ref: "AWS::AccountId",
- },
- ":table/MyTable",
+ Resource: [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:dynamodb:",
+ {
+ Ref: "AWS::Region",
+ },
+ ":",
+ {
+ Ref: "AWS::AccountId",
+ },
+ ":table/MyTable",
+ ],
 ],
- ],
- },
+ },
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:dynamodb:",
+ {
+ Ref: "AWS::Region",
+ },
+ ":",
+ {
+ Ref: "AWS::AccountId",
+ },
+ ":table/MyTable/index/*",
+ ],
+ ],
+ },
+ ],
 },
 ],
 },
@@ -57,22 +75,40 @@ describe("The GuDynamoDBWritePolicy construct", () => {
 {
 Action: ["dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem"],
 Effect: "Allow",
- Resource: {
- "Fn::Join": [
- "",
- [
- "arn:aws:dynamodb:",
- {
- Ref: "AWS::Region",
- },
- ":",
- {
- Ref: "AWS::AccountId",
- },
- ":table/MyTable",
+ Resource: [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:dynamodb:",
+ {
+ Ref: "AWS::Region",
+ },
+ ":",
+ {
+ Ref: "AWS::AccountId",
+ },
+ ":table/MyTable",
+ ],
 ],
- ],
- },
+ },
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:dynamodb:",
+ {
+ Ref: "AWS::Region",
+ },
+ ":",
+ {
+ Ref: "AWS::AccountId",
+ },
+ ":table/MyTable/index/*",
+ ],
+ ],
+ },
+ ],
 },
 ],
 },
diff --git a/src/constructs/iam/policies/dynamodb.ts b/src/constructs/iam/policies/dynamodb.ts
index b84b7e6b30..c607dbfad7 100644
--- a/src/constructs/iam/policies/dynamodb.ts
+++ b/src/constructs/iam/policies/dynamodb.ts
@@ -15,7 +15,10 @@ abstract class GuDynamoDBPolicy extends GuAllowPolicy {
 super(scope, id, {
 ...props,
 actions: props.actions.map((action) => `dynamodb:${action}`),
- resources: [`arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}`],
+ resources: [
+ `arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}`,
+ `arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}/index/*`,
+ ],
 });
 }
 }
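Review bot: The new `table/${props.tableName}/index/*` resource in the added `resources` array grants every consumer of the read and write policies access to all current and future secondary indexes unconditionally, so callers that only touch the base table now receive a wider grant than before; making index access opt-in through a constructor prop (a constructed name such as `includeIndexes`, defaulting to false) or at least stating in the class JSDoc that indexes are covered would keep the construct closer to least privilege. For the write variant this looks like an over-grant rather than a needed one: DynamoDB's item-write actions are evaluated against the table resource, and the index ARN is meaningful for read actions such as Query and Scan, so it is worth confirming against the IAM action/resource reference before keeping it in GuDynamoDBWritePolicy. The constructor whose `super` call is shown starts before this hunk, so whether the abstract base can distinguish read from write callers cannot be seen here. The matching test hunks in dynamodb.test.ts pin the two-element Resource list for both policies, so any narrowing of the write policy needs those expectations updated alongside.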