diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json new file mode 100644 index 0000000000000..8193c8bf97527 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json @@ -0,0 +1,20 @@ +{ + "version": "36.0.0", + "files": { + "192dc5b63bb0eb2c99bc1ea8a8fe1237a00e5067ac672d4e4f0986700f476849": { + "source": { + "path": "ResourcePolicyTest-v2.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-eu-west-1": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1", + "objectKey": "192dc5b63bb0eb2c99bc1ea8a8fe1237a00e5067ac672d4e4f0986700f476849.json", + "region": "eu-west-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-eu-west-1" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json new file mode 100644 index 0000000000000..5932811ef4cf1 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json @@ -0,0 +1,89 @@ +{ + "Resources": { + "TableTestV215EEA02B7": { + "Type": "AWS::DynamoDB::GlobalTable", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "BillingMode": "PAY_PER_REQUEST", + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "Replicas": [ + { + "Region": "eu-west-1", + "ResourcePolicy": { + "PolicyDocument": { + "Statement": [ + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/integ.json new file mode 100644 index 0000000000000..32e11a1d2250a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/integ.json @@ -0,0 +1,22 @@ +{ + "version": "36.0.0", + "testCases": { + "table-v2-resource-policy-integ-test/DefaultTest": { + "stacks": [ + "ResourcePolicyTest-v2" + ], + "regions": [ + "us-east-1" + ], + "cdkCommandOptions": { + "deploy": { + "args": { + "rollback": true + } + } + }, + "assertionStack": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert", + "assertionStackName": "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json new file mode 100644 index 0000000000000..3c95c2ac52ac0 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json @@ -0,0 +1,113 @@ +{ + "version": "36.0.0", + "artifacts": { + "ResourcePolicyTest-v2.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "ResourcePolicyTest-v2.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "ResourcePolicyTest-v2": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/eu-west-1", + "properties": { + "templateFile": "ResourcePolicyTest-v2.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-eu-west-1", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-eu-west-1", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1/192dc5b63bb0eb2c99bc1ea8a8fe1237a00e5067ac672d4e4f0986700f476849.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "ResourcePolicyTest-v2.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-eu-west-1", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "ResourcePolicyTest-v2.assets" + ], + "metadata": { + "/ResourcePolicyTest-v2/TableTestV2-1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TableTestV215EEA02B7" + } + ], + "/ResourcePolicyTest-v2/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/ResourcePolicyTest-v2/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "ResourcePolicyTest-v2" + }, + "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets" + ], + "metadata": { + "/table-v2-resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/table-v2-resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json new file mode 100644 index 0000000000000..8b15846a49e27 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json new file mode 100644 index 0000000000000..3a0a1c50405d4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json @@ -0,0 +1,168 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "ResourcePolicyTest-v2": { + "id": "ResourcePolicyTest-v2", + "path": "ResourcePolicyTest-v2", + "children": { + "TableTestV2-1": { + "id": "TableTestV2-1", + "path": "ResourcePolicyTest-v2/TableTestV2-1", + "children": { + "Resource": { + "id": "Resource", + "path": "ResourcePolicyTest-v2/TableTestV2-1/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::DynamoDB::GlobalTable", + "aws:cdk:cloudformation:props": { + "attributeDefinitions": [ + { + "attributeName": "id", + "attributeType": "S" + } + ], + "billingMode": "PAY_PER_REQUEST", + "keySchema": [ + { + "attributeName": "id", + "keyType": "HASH" + } + ], + "replicas": [ + { + "region": "eu-west-1", + "resourcePolicy": { + "policyDocument": { + "Statement": [ + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.CfnGlobalTable", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.TableV2", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "ResourcePolicyTest-v2/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "ResourcePolicyTest-v2/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "table-v2-resource-policy-integ-test": { + "id": "table-v2-resource-policy-integ-test", + "path": "table-v2-resource-policy-integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "table-v2-resource-policy-integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "table-v2-resource-policy-integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts new file mode 100644 index 0000000000000..5a30de692de21 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts @@ -0,0 +1,41 @@ +import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib'; +import { Construct } from 'constructs'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +const app = new App(); + +class TestStack extends Stack { + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + const docu = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:*'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], + }); + + // table with resource policy + const table = new dynamodb.TableV2(this, 'TableTestV2-1', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + resourcePolicy: docu, + }); + + table.grantReadData(new iam.AccountPrincipal('123456789012')); + } +} + +const stack = new TestStack(app, 'ResourcePolicyTest-v2', { env: { region: 'eu-west-1' } }); + +new IntegTest(app, 'table-v2-resource-policy-integ-test', { + testCases: [stack], +}); \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/integ.json new file mode 100644 index 0000000000000..61d445eeb6f54 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/integ.json @@ -0,0 +1,22 @@ +{ + "version": "36.0.0", + "testCases": { + "resource-policy-integ-test/DefaultTest": { + "stacks": [ + "resource-policy-stack" + ], + "regions": [ + "us-east-1" + ], + "cdkCommandOptions": { + "deploy": { + "args": { + "rollback": true + } + } + }, + "assertionStack": "resource-policy-integ-test/DefaultTest/DeployAssert", + "assertionStackName": "resourcepolicyintegtestDefaultTestDeployAssert9778837B" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json new file mode 100644 index 0000000000000..ffa0d288174ae --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json @@ -0,0 +1,122 @@ +{ + "version": "36.0.0", + "artifacts": { + "resource-policy-stack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "resource-policy-stack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "resource-policy-stack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "resource-policy-stack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e3fcb6ddf5b25ca1df397996de10e74311360d17c1f51a46151edee98629d5d1.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "resource-policy-stack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "resource-policy-stack.assets" + ], + "metadata": { + "/resource-policy-stack/TableTest1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TableTest143E55AA2" + } + ], + "/resource-policy-stack/TableTest2/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TableTest21D137FC9", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" + ] + } + ], + "/resource-policy-stack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/resource-policy-stack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "resource-policy-stack" + }, + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "resourcepolicyintegtestDefaultTestDeployAssert9778837B": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets" + ], + "metadata": { + "/resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "resource-policy-integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json new file mode 100644 index 0000000000000..7c0077eab1646 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "e3fcb6ddf5b25ca1df397996de10e74311360d17c1f51a46151edee98629d5d1": { + "source": { + "path": "resource-policy-stack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "e3fcb6ddf5b25ca1df397996de10e74311360d17c1f51a46151edee98629d5d1.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json new file mode 100644 index 0000000000000..1d36ff78393a6 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json @@ -0,0 +1,114 @@ +{ + "Resources": { + "TableTest143E55AA2": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "ProvisionedThroughput": { + "ReadCapacityUnits": 5, + "WriteCapacityUnits": 5 + }, + "ResourcePolicy": { + "PolicyDocument": { + "Statement": [ + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "TableTest21D137FC9": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "PK", + "AttributeType": "S" + } + ], + "KeySchema": [ + { + "AttributeName": "PK", + "KeyType": "HASH" + } + ], + "ProvisionedThroughput": { + "ReadCapacityUnits": 5, + "WriteCapacityUnits": 5 + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json new file mode 100644 index 0000000000000..0861153b87513 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json new file mode 100644 index 0000000000000..72ee67ca075e2 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json @@ -0,0 +1,225 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "resource-policy-stack": { + "id": "resource-policy-stack", + "path": "resource-policy-stack", + "children": { + "TableTest1": { + "id": "TableTest1", + "path": "resource-policy-stack/TableTest1", + "children": { + "Resource": { + "id": "Resource", + "path": "resource-policy-stack/TableTest1/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::DynamoDB::Table", + "aws:cdk:cloudformation:props": { + "attributeDefinitions": [ + { + "attributeName": "id", + "attributeType": "S" + } + ], + "keySchema": [ + { + "attributeName": "id", + "keyType": "HASH" + } + ], + "provisionedThroughput": { + "readCapacityUnits": 5, + "writeCapacityUnits": 5 + }, + "resourcePolicy": { + "policyDocument": { + "Statement": [ + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.CfnTable", + "version": "0.0.0" + } + }, + "ScalingRole": { + "id": "ScalingRole", + "path": "resource-policy-stack/TableTest1/ScalingRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "TableTest2": { + "id": "TableTest2", + "path": "resource-policy-stack/TableTest2", + "children": { + "Resource": { + "id": "Resource", + "path": "resource-policy-stack/TableTest2/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::DynamoDB::Table", + "aws:cdk:cloudformation:props": { + "attributeDefinitions": [ + { + "attributeName": "PK", + "attributeType": "S" + } + ], + "keySchema": [ + { + "attributeName": "PK", + "keyType": "HASH" + } + ], + "provisionedThroughput": { + "readCapacityUnits": 5, + "writeCapacityUnits": 5 + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.CfnTable", + "version": "0.0.0" + } + }, + "ScalingRole": { + "id": "ScalingRole", + "path": "resource-policy-stack/TableTest2/ScalingRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "resource-policy-stack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "resource-policy-stack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "resource-policy-integ-test": { + "id": "resource-policy-integ-test", + "path": "resource-policy-integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "resource-policy-integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "resource-policy-integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts new file mode 100644 index 0000000000000..8b9ade678aec4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts @@ -0,0 +1,51 @@ +import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib'; +import { Construct } from 'constructs'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +export class TestStack extends Stack { + + readonly table: dynamodb.Table; + readonly tableTwo: dynamodb.Table; + + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + const doc = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:*'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], + }); + + this.table = new dynamodb.Table(this, 'TableTest1', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + resourcePolicy: doc, + }); + + this.tableTwo = new dynamodb.Table(this, 'TableTest2', { + partitionKey: { + name: 'PK', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + }); + + this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012')); + } +} + +const app = new App(); +const stack = new TestStack(app, 'resource-policy-stack', {}); + +new IntegTest(app, 'resource-policy-integ-test', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/aws-dynamodb/README.md b/packages/aws-cdk-lib/aws-dynamodb/README.md index d7a8eb1fcf16a..83d3e35c7d2f2 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/README.md +++ b/packages/aws-cdk-lib/aws-dynamodb/README.md @@ -644,6 +644,36 @@ If you intend to use the `tableStreamArn` (including indirectly, for example by To grant permissions to indexes for a referenced table you can either set `grantIndexPermissions` to `true`, or you can provide the indexes via the `globalIndexes` or `localIndexes` properties. This will enable `grant*` methods to also grant permissions to *all* table indexes. +## Resource Policy + +Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) to a table in the form of a `PolicyDocument`: + +``` + // resource policy document + const policy = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], + }); + + // table with resource policy + new dynamodb.TableV2(this, 'TableTestV2-1', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + resourcePolicy: policy, + }); +``` + +TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update. +To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy. + ## Grants Using any of the `grant*` methods on an instance of the `TableV2` construct will only apply to the primary table, its indexes, and any associated `encryptionKey`. As an example, `grantReadData` used below will only apply the table in `us-west-2`: diff --git a/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md b/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md index 730c73e5a6273..ae5049af56cd8 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md +++ b/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md @@ -237,3 +237,29 @@ const table = new dynamodb.Table(this, 'Table', { deletionProtection: true, }); ``` +## Resource Policy + +Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) to a table in the form of a `PolicyDocument`: + +```ts +const policy = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], +}); + +new dynamodb.Table(this, 'MyTable', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + resourcePolicy: policy, +}); +``` + +If you have a global table replica, note that it does not support the addition of a resource-based policy. \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts index 168302320077e..89276fae405f4 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts @@ -2,7 +2,7 @@ import { DynamoDBMetrics } from './dynamodb-canned-metrics.generated'; import * as perms from './perms'; import { Operation, SystemErrorsForOperationsMetricOptions, OperationsMetricOptions, ITable } from './shared'; import { IMetric, MathExpression, Metric, MetricOptions, MetricProps } from '../../aws-cloudwatch'; -import { Grant, IGrantable } from '../../aws-iam'; +import { AddToResourcePolicyResult, Grant, IGrantable, IResourceWithPolicy, PolicyDocument, PolicyStatement } from '../../aws-iam'; import { IKey } from '../../aws-kms'; import { Resource } from '../../core'; @@ -21,7 +21,7 @@ export interface ITableV2 extends ITable { /** * Base class for a DynamoDB table. */ -export abstract class TableBaseV2 extends Resource implements ITableV2 { +export abstract class TableBaseV2 extends Resource implements ITableV2, IResourceWithPolicy { /** * The ARN of the table. * @@ -55,6 +55,11 @@ export abstract class TableBaseV2 extends Resource implements ITableV2 { */ public abstract readonly encryptionKey?: IKey; + /** + * The resource policy for the table + */ + public abstract resourcePolicy?: PolicyDocument; + protected abstract readonly region: string; protected abstract get hasIndex(): boolean; @@ -71,11 +76,11 @@ export abstract class TableBaseV2 extends Resource implements ITableV2 { public grant(grantee: IGrantable, ...actions: string[]): Grant { const resourceArns = [this.tableArn]; this.hasIndex && resourceArns.push(`${this.tableArn}/index/*`); - return Grant.addToPrincipal({ + return Grant.addToPrincipalOrResource({ grantee, actions, resourceArns, - scope: this, + resource: this, }); } @@ -426,11 +431,11 @@ export abstract class TableBaseV2 extends Resource implements ITableV2 { if (options.tableActions) { const resourceArns = [this.tableArn]; this.hasIndex && resourceArns.push(`${this.tableArn}/index/*`); - return Grant.addToPrincipal({ + return Grant.addToPrincipalOrResource({ grantee, actions: options.tableActions, resourceArns, - scope: this, + resource: this, }); } @@ -457,4 +462,22 @@ export abstract class TableBaseV2 extends Resource implements ITableV2 { account: props?.account ?? this.stack.account, }); } + + /** + * Adds a statement to the resource policy associated with this file system. + * A resource policy will be automatically created upon the first call to `addToResourcePolicy`. + * + * Note that this does not work with imported file systems. + * + * @param statement The policy statement to add + */ + public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult { + + this.resourcePolicy = this.resourcePolicy ?? new PolicyDocument({ statements: [] }); + this.resourcePolicy.addStatements(statement); + return { + statementAdded: true, + policyDependable: this, + }; + } } diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts index 5fc1532d6b922..a309c994d33ad 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts @@ -9,6 +9,7 @@ import { SecondaryIndexProps, BillingMode, ProjectionType, } from './shared'; import { TableBaseV2, ITableV2 } from './table-v2-base'; +import { PolicyDocument } from '../../aws-iam'; import { IStream } from '../../aws-kinesis'; import { IKey, Key } from '../../aws-kms'; import { ArnFormat, CfnTag, Lazy, PhysicalName, RemovalPolicy, Stack, Token } from '../../core'; @@ -121,6 +122,13 @@ export interface TableOptionsV2 { * @default - no tags */ readonly tags?: CfnTag[]; + + /** + * Resource policy to assign to DynamoDB Table. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-globaltable-replicaspecification.html#cfn-dynamodb-globaltable-replicaspecification-resourcepolicy + * @default - No resource policy statements are added to the created table. + */ + readonly resourcePolicy?: PolicyDocument; } /** @@ -354,13 +362,14 @@ export class TableV2 extends TableBaseV2 { public readonly tableId?: string; public readonly tableStreamArn?: string; public readonly encryptionKey?: IKey; + public readonly resourcePolicy?: PolicyDocument; protected readonly region: string; protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) || (attrs.globalIndexes ?? []).length > 0 || (attrs.localIndexes ?? []).length > 0; - public constructor(tableArn: string, tableName: string, tableId?: string, tableStreamArn?: string) { + public constructor(tableArn: string, tableName: string, tableId?: string, tableStreamArn?: string, resourcePolicy?: PolicyDocument) { super(scope, id, { environmentFromArn: tableArn }); const resourceRegion = stack.splitArn(tableArn, ArnFormat.SLASH_RESOURCE_NAME).region; @@ -374,6 +383,7 @@ export class TableV2 extends TableBaseV2 { this.tableId = tableId; this.tableStreamArn = tableStreamArn; this.encryptionKey = attrs.encryptionKey; + this.resourcePolicy = resourcePolicy; } } @@ -429,6 +439,11 @@ export class TableV2 extends TableBaseV2 { public readonly encryptionKey?: IKey; + /** + * @attribute + */ + public resourcePolicy?: PolicyDocument; + protected readonly region: string; private readonly billingMode: string; @@ -600,6 +615,7 @@ export class TableV2 extends TableBaseV2 { private configureReplicaTable(props: ReplicaTableProps): CfnGlobalTable.ReplicaSpecificationProperty { const pointInTimeRecovery = props.pointInTimeRecovery ?? this.tableOptions.pointInTimeRecovery; const contributorInsights = props.contributorInsights ?? this.tableOptions.contributorInsights; + const resourcePolicy = props.resourcePolicy ?? this.tableOptions.resourcePolicy; return { region: props.region, @@ -620,6 +636,9 @@ export class TableV2 extends TableBaseV2 { ? props.readCapacity._renderReadCapacity() : this.readProvisioning, tags: props.tags, + resourcePolicy: resourcePolicy + ? { policyDocument: resourcePolicy } + : undefined, }; } diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index 270ab71b06cf0..5d38902414514 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -370,6 +370,13 @@ export interface TableOptions extends SchemaOptions { * @default - no data import from the S3 bucket */ readonly importSource?: ImportSourceSpecification; + + /** + * Resource policy to assign to table. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy + * @default - No resource policy statement + */ + readonly resourcePolicy?: iam.PolicyDocument; } /** @@ -479,7 +486,7 @@ export interface TableAttributes { readonly grantIndexPermissions?: boolean; } -export abstract class TableBase extends Resource implements ITable { +export abstract class TableBase extends Resource implements ITable, iam.IResourceWithPolicy { /** * @attribute */ @@ -500,6 +507,12 @@ export abstract class TableBase extends Resource implements ITable { */ public abstract readonly encryptionKey?: kms.IKey; + /** + * Resource policy to assign to table. + * @attribute + */ + public abstract resourcePolicy?: iam.PolicyDocument; + protected readonly regionalArns = new Array(); /** @@ -513,7 +526,7 @@ export abstract class TableBase extends Resource implements ITable { * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...) */ public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant { - return iam.Grant.addToPrincipal({ + return iam.Grant.addToPrincipalOrResource({ grantee, actions, resourceArns: [ @@ -524,10 +537,9 @@ export abstract class TableBase extends Resource implements ITable { produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE, })), ], - scope: this, + resource: this, }); } - /** * Adds an IAM policy statement associated with this table's stream to an * IAM principal's policy. @@ -641,6 +653,23 @@ export abstract class TableBase extends Resource implements ITable { return this.combinedGrant(grantee, { keyActions, tableActions: ['dynamodb:*'] }); } + /** + * Adds a statement to the resource policy associated with this file system. + * A resource policy will be automatically created upon the first call to `addToResourcePolicy`. + * + * Note that this does not work with imported file systems. + * + * @param statement The policy statement to add + */ + public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult { + this.resourcePolicy = this.resourcePolicy ?? new iam.PolicyDocument({ statements: [] }); + this.resourcePolicy.addStatements(statement); + return { + statementAdded: true, + policyDependable: this, + }; + } + /** * Return the given named metric for this Table * @@ -891,11 +920,11 @@ export abstract class TableBase extends Resource implements ITable { produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE, })), ]; - const ret = iam.Grant.addToPrincipal({ + const ret = iam.Grant.addToPrincipalOrResource({ grantee, actions: opts.tableActions, resourceArns: resources, - scope: this, + resource: this, }); return ret; } @@ -904,11 +933,11 @@ export abstract class TableBase extends Resource implements ITable { throw new Error(`DynamoDB Streams must be enabled on the table ${this.node.path}`); } const resources = [this.tableStreamArn]; - const ret = iam.Grant.addToPrincipal({ + const ret = iam.Grant.addToPrincipalOrResource({ grantee, actions: opts.streamActions, resourceArns: resources, - scope: this, + resource: this, }); return ret; } @@ -979,6 +1008,7 @@ export class Table extends TableBase { public readonly tableArn: string; public readonly tableStreamArn?: string; public readonly encryptionKey?: kms.IKey; + public resourcePolicy?: iam.PolicyDocument; protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) || (attrs.globalIndexes ?? []).length > 0 || (attrs.localIndexes ?? []).length > 0; @@ -1017,6 +1047,13 @@ export class Table extends TableBase { public readonly encryptionKey?: kms.IKey; + /** + * Resource policy to assign to DynamoDB Table. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-resourcepolicy.html + * @default - No resource policy statements are added to the created table. + */ + public resourcePolicy?: iam.PolicyDocument; + /** * @attribute */ @@ -1095,6 +1132,9 @@ export class Table extends TableBase { kinesisStreamSpecification: props.kinesisStream ? { streamArn: props.kinesisStream.streamArn } : undefined, deletionProtectionEnabled: props.deletionProtection, importSourceSpecification: this.renderImportSourceSpecification(props.importSource), + resourcePolicy: props.resourcePolicy + ? { policyDocument: props.resourcePolicy } + : undefined, }); this.table.applyRemovalPolicy(props.removalPolicy); diff --git a/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts b/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts index 9bbf19b59518e..51ff5d58a01eb 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts @@ -3482,3 +3482,53 @@ describe('import source', () => { }).toThrow(`Delimiter must be a single character and one of the following: comma (,), tab (\\t), colon (:), semicolon (;), pipe (|), space ( ), got '${delimiter}'`); }); }); + +test('Resource policy test', () => { + // GIVEN + const app = new App(); + const stack = new Stack(app, 'Stack'); + + const doc = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:user/foobar')], + resources: ['*'], + }), + ], + }); + + // WHEN + const table = new Table(stack, 'Table', { + partitionKey: { name: 'id', type: AttributeType.STRING }, + resourcePolicy: doc, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', { + KeySchema: [ + { AttributeName: 'id', KeyType: 'HASH' }, + ], + AttributeDefinitions: [ + { AttributeName: 'id', AttributeType: 'S' }, + ], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', { + 'ResourcePolicy': { + 'PolicyDocument': { + 'Version': '2012-10-17', + 'Statement': [ + { + 'Principal': { + 'AWS': 'arn:aws:iam::111122223333:user/foobar', + }, + 'Effect': 'Allow', + 'Action': 'dynamodb:GetItem', + 'Resource': '*', + }, + ], + }, + }, + }); +}); diff --git a/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts b/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts index fc8db61eebbc4..81e9205211a0b 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts @@ -1,4 +1,5 @@ import { Match, Template } from '../../assertions'; +import { ArnPrincipal, PolicyDocument, PolicyStatement } from '../../aws-iam'; import { Stream } from '../../aws-kinesis'; import { Key } from '../../aws-kms'; import { CfnDeletionPolicy, Lazy, RemovalPolicy, Stack } from '../../core'; @@ -2805,3 +2806,50 @@ describe('imports', () => { }).toThrow('Table ARN must be of the form: arn::dynamodb:::table/'); }); }); + +test('Resource policy test', () => { + // GIVEN + const stack = new Stack(undefined, 'Stack'); + + const doc = new PolicyDocument({ + statements: [ + new PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new ArnPrincipal('arn:aws:iam::111122223333:user/foobar')], + resources: ['*'], + }), + ], + }); + + // WHEN + const table = new TableV2(stack, 'Table', { + partitionKey: { name: 'metric', type: AttributeType.STRING }, + resourcePolicy: doc, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::GlobalTable', { + Replicas: [ + { + Region: { + Ref: 'AWS::Region', + }, + ResourcePolicy: { + PolicyDocument: { + Statement: [ + { + Action: 'dynamodb:GetItem', + Effect: 'Allow', + Principal: { + AWS: 'arn:aws:iam::111122223333:user/foobar', + }, + Resource: '*', + }, + ], + Version: '2012-10-17', + }, + }, + }, + ], + }); +}); \ No newline at end of file