feat(ec2): let Instance be IGrantable (#4190)

hoegertn · mergify[bot] · commit 87f096e7e035 · 2019-09-25T07:15:10.000Z
diff --git a/packages/@aws-cdk/aws-ec2/lib/bastion-host.ts b/packages/@aws-cdk/aws-ec2/lib/bastion-host.ts
@@ -1,4 +1,4 @@
-import { IRole, PolicyStatement } from "@aws-cdk/aws-iam";
+import { IPrincipal, IRole, PolicyStatement } from "@aws-cdk/aws-iam";
 import { CfnOutput, Construct, Stack } from "@aws-cdk/core";
 import { AmazonLinuxGeneration, AmazonLinuxImage, InstanceClass, InstanceSize, InstanceType } from ".";
 import { Connections } from "./connections";
@@ -81,6 +81,11 @@ export class BastionHostLinux extends Construct implements IInstance {
    */
   public readonly role: IRole;
 
+  /**
+   * The principal to grant permissions to
+   */
+  public readonly grantPrincipal: IPrincipal;
+
   /**
    * The underlying instance resource
    */
@@ -137,6 +142,7 @@ export class BastionHostLinux extends Construct implements IInstance {
 
     this.connections = this.instance.connections;
     this.role = this.instance.role;
+    this.grantPrincipal = this.instance.role;
     this.instanceId = this.instance.instanceId;
     this.instancePrivateIp = this.instance.instancePrivateIp;
     this.instanceAvailabilityZone = this.instance.instanceAvailabilityZone;
diff --git a/packages/@aws-cdk/aws-ec2/lib/instance.ts b/packages/@aws-cdk/aws-ec2/lib/instance.ts
@@ -1,5 +1,6 @@
 import iam = require('@aws-cdk/aws-iam');
 
+import { IGrantable, IPrincipal } from '@aws-cdk/aws-iam';
 import { Construct, Duration, Fn, IResource, Lazy, Resource, Tag } from '@aws-cdk/core';
 import { Connections, IConnectable } from './connections';
 import { CfnInstance } from './ec2.generated';
@@ -14,7 +15,7 @@ import { IVpc, SubnetSelection } from './vpc';
  */
 const NAME_TAG: string = 'Name';
 
-export interface IInstance extends IResource, IConnectable {
+export interface IInstance extends IResource, IConnectable, IGrantable {
   /**
    * The instance's ID
    *
@@ -179,6 +180,11 @@ export class Instance extends Resource implements IInstance {
    */
   public readonly role: iam.IRole;
 
+  /**
+   * The principal to grant permissions to
+   */
+  public readonly grantPrincipal: IPrincipal;
+
   /**
    * UserData for the instance
    */
@@ -234,6 +240,7 @@ export class Instance extends Resource implements IInstance {
     this.role = props.role || new iam.Role(this, 'InstanceRole', {
       assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
     });
+    this.grantPrincipal = this.role;
 
     const iamProfile = new iam.CfnInstanceProfile(this, 'InstanceProfile', {
       roles: [this.role.roleName]
@@ -320,4 +327,5 @@ export class Instance extends Resource implements IInstance {
       };
     }
   }
+
 }
