From dc43562ee5c61182d5ea42efb38481ecd638d417 Mon Sep 17 00:00:00 2001
From: Robert Kenny
Date: Fri, 15 Sep 2023 14:33:59 +0100
Subject: [PATCH] Allow access on all indexes of a table in GuDynamoDBPolicy
This change includes all table indexes in the blanket GuDynamoDBReadPolicy and GuDynamoDBWritePolicy classes. Without this consumers will see failures querying of updating items in Global Secondary Indexes. Adding read/write access to indexes of a table in these policies is intended to make it easier to use these policies by allowing access to indexes as might be expected.
---
 src/constructs/iam/policies/dynamodb.test.ts | 96 ++++++++++++++------
 src/constructs/iam/policies/dynamodb.ts | 5 +-
 2 files changed, 70 insertions(+), 31 deletions(-)
diff --git a/src/constructs/iam/policies/dynamodb.test.ts b/src/constructs/iam/policies/dynamodb.test.ts
index aa7b07a937..6be03aa321 100644
--- a/src/constructs/iam/policies/dynamodb.test.ts
+++ b/src/constructs/iam/policies/dynamodb.test.ts
@@ -21,22 +21,40 @@ describe("The GuDynamoDBReadPolicy construct", () => {
 "dynamodb:GetRecords",
 ],
 Effect: "Allow",
- Resource: {
- "Fn::Join": [
- "",
- [
- "arn:aws:dynamodb:",
- {
- Ref: "AWS::Region",
- },
- ":",
- {
- Ref: "AWS::AccountId",
- },
- ":table/MyTable",
+ Resource: [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:dynamodb:",
+ {
+ Ref: "AWS::Region",
+ },
+ ":",
+ {
+ Ref: "AWS::AccountId",
+ },
+ ":table/MyTable",
+ ],
 ],
- ],
- },
+ },
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:dynamodb:",
+ {
+ Ref: "AWS::Region",
+ },
+ ":",
+ {
+ Ref: "AWS::AccountId",
+ },
+ ":table/MyTable/index/*",
+ ],
+ ],
+ },
+ ],
 },
 ],
 },
@@ -57,22 +75,40 @@ describe("The GuDynamoDBWritePolicy construct", () => {
 {
 Action: ["dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem"],
 Effect: "Allow",
- Resource: {
- "Fn::Join": [
- "",
- [
- "arn:aws:dynamodb:",
- {
- Ref: "AWS::Region",
- },
- ":",
- {
- Ref: "AWS::AccountId",
- },
- ":table/MyTable",
+ Resource: [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:dynamodb:",
+ {
+ Ref: "AWS::Region",
+ },
+ ":",
+ {
+ Ref: "AWS::AccountId",
+ },
+ ":table/MyTable",
+ ],
 ],
- ],
- },
+ },
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:dynamodb:",
+ {
+ Ref: "AWS::Region",
+ },
+ ":",
+ {
+ Ref: "AWS::AccountId",
+ },
+ ":table/MyTable/index/*",
+ ],
+ ],
+ },
+ ],
 },
 ],
 },
diff --git a/src/constructs/iam/policies/dynamodb.ts b/src/constructs/iam/policies/dynamodb.ts
index b84b7e6b30..c607dbfad7 100644
--- a/src/constructs/iam/policies/dynamodb.ts
+++ b/src/constructs/iam/policies/dynamodb.ts
@@ -15,7 +15,10 @@ abstract class GuDynamoDBPolicy extends GuAllowPolicy {
 super(scope, id, {
 ...props,
 actions: props.actions.map((action) => `dynamodb:${action}`),
- resources: [`arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}`],
+ resources: [
+ `arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}`,
+ `arn:aws:dynamodb:${scope.region}:${scope.account}:table/${props.tableName}/index/*`,
+ ],
 });
 }
 }
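Review bot: The new `/index/*` ARN in the `resources` array lives in the shared base class GuDynamoDBPolicy, so GuDynamoDBWritePolicy inherits it too, yet as far as I know the DynamoDB write actions it grants (PutItem, UpdateItem, DeleteItem, BatchWriteItem) are only evaluated against the table ARN, so for the write policy the extra resource authorises nothing while still widening the statement; only Query and Scan need the index resource. Consider adding the index ARN in the read policy only (or only when the action list contains Query/Scan) rather than unconditionally in the base constructor, and record the reason with a comment above the array such as `// Query/Scan against a GSI/LSI are authorised on the index ARN, not the table ARN`. The class doc comment should also state that every index of the table is covered and that consumers cannot narrow this to a single named index. The constructor whose super() call this hunk edits begins outside the hunk.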