feat(spec2cdk): add actions() method to Grants classes

[otaviomacedo]

Overview

We have a mechanism to generate specific grant methods (in <Resource>Grants) classes using a grants.json file as a source of truth. So, for instance, if we configure methods publish and subscribe in the file, we will get a publish() and a subscribe() method in the class.

But it's also important to have an open ended method, that allows users to assign arbitrary permissions to the resource in question. This is already being done in the manually written Grants classes, and the convention that arose was to call this methods actions(). This PR introduces the generation of such methods, alongside the specific ones declared in the file.

An example:

/**
 * Grant the given identity custom permissions
 */
public actions(grantee: iam.IGrantable, actions: Array<string>, options: cdk.EncryptedPermissionsOptions): iam.Grant {
  const result = (this.policyResource ? iam.Grant.addToPrincipalOrResource({
    actions: actions,
    grantee: grantee,
    resourceArns: (options.resourceArns ?? [sns.CfnTopic.arnForTopic(this.resource)]),
    resource: this.policyResource
  }) : iam.Grant.addToPrincipal({
    actions: actions,
    grantee: grantee,
    resourceArns: (options.resourceArns ?? [sns.CfnTopic.arnForTopic(this.resource)])
  }));
  if ((options.keyActions && (options.keyActions.length > 0))) this.encryptedResource?.grantOnKey(grantee, ...options.keyActions);
  return result;
}

Implementation notes

The method signature takes three parameter: grantee, actions and options. Let's focus on options because the other two are straightforward. The type of this parameter can be either PermissionsOptions or EncryptedPermissionsOptions, depending on whether the resource is an "encrypted resource". See definitions below.

/**
 * Options for configuring permissions in the `<Resource>.actions()` method.
 */
export interface PermissionsOptions {
  /**
   * The ARNs of the resources to grant permissions on.
   *
   * @default - The ARN of the resource associated with the grant is used.
   */
  readonly resourceArns?: Array<string>;
}

/**
 * Options for configuring permissions on encrypted resources.
 */
export interface EncryptedPermissionsOptions extends PermissionsOptions {
  /**
   * The KMS key actions to grant permissions for.
   *
   * @default - No permission is added to the KMS key, even if it exists
   */
  readonly keyActions?: Array<string>;
}

A resource is considered encrypted (a better name would have been "encryptable", but it's too late now), if at least one of the specific methods define a keyActions array, or if the attribute isEncrypted is set to true for the resource. This is a new attribute, being introduced in this PR.

The generated code of the specific methods was now changed to take advantage of this new common method. So, for example, the methods in TopicGrants are now:

public publish(grantee: iam.IGrantable): iam.Grant {
  const actions = ["sns:Publish"];
  return this.actions(grantee, actions, {
    keyActions: ["kms:Decrypt","kms:GenerateDataKey*"]
  });
}

public subscribe(grantee: iam.IGrantable): iam.Grant {
  const actions = ["sns:Subscribe"];
  return this.actions(grantee, actions, {});
}

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mrgrain]

Whatever needs changing to make this to import from core directly

Suggested change

	import * as cdk from "aws-cdk-lib";
	import * as cdk from "aws-cdk-lib/core";

[otaviomacedo]

Hmm this test is misleading, because in @aws-cdk/aws-elasticache-alpha, we already have:

import * as cdk from "aws-cdk-lib/core";

and in aws-sns we have:

import * as cdk from "../../core/lib";

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

Rule: default-squash

---

• ✅ Entered queue — 2026-02-17 10:46 UTC
• ✅ Checks started · in-place
• 🚫 Left the queue — 2026-02-17 11:15 UTC · at 46d39b485be25305be0482044e311f5b75b848db

This pull request spent 28 minutes 54 seconds in the queue, with no time running CI.

Required conditions to merge

• any of [🛡 GitHub branch protection]:
  • check-neutral = build
  • check-skipped = build
  • check-success = build
• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(spec2cdk): add actions() method to Grants classes #36987
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(spec2cdk): add actions() method to Grants classes #36987
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr

Reason

The merge conditions cannot be satisfied due to failing checks

Hint

You may have to fix your CI before adding the pull request to the queue again.
If you update this pull request, to fix the CI, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-02-17 10:46 UTC · Rule: default-squash
• ✅ Checks started · in-place
• 🚫 Left the queue — 2026-02-17 11:15 UTC · at 46d39b485be25305be0482044e311f5b75b848db

This pull request spent 28 minutes 54 seconds in the queue, with no time running CI.

Required conditions to merge

• any of [🛡 GitHub branch protection]:
  • check-neutral = build
  • check-skipped = build
  • check-success = build
• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(spec2cdk): add actions() method to Grants classes #36987
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(spec2cdk): add actions() method to Grants classes #36987
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr

Reason

The merge conditions cannot be satisfied due to failing checks

Hint

You may have to fix your CI before adding the pull request to the queue again.
If you update this pull request, to fix the CI, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-03-12 17:54 UTC · Rule: default-squash
• ✅ Checks passed · in-place
• ✅ Merged — 2026-03-12 17:54 UTC · at d4500e612bd62e008f27a3b355d968c1e8afc007

This pull request spent 7 seconds in the queue, with no time running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(spec2cdk): add actions() method to Grants classes #36987
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(spec2cdk): add actions() method to Grants classes #36987
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.