fix(dynamodb): grant() is not available on ITable

Add missing methods in `ITable` interface. Closes aws#7473
jogold · Apr 27, 2020 · 461747b · 461747b
1 parent f33a266
commit 461747b
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 0 deletions.
diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
@@ -219,6 +219,22 @@ export interface ITable extends IResource {
    */
   readonly tableStreamArn?: string;
 
+  /**
+   * Adds an IAM policy statement associated with this table to an IAM
+   * principal's policy.
+   * @param grantee The principal (no-op if undefined)
+   * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...)
+   */
+  grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+
+  /**
+   * Adds an IAM policy statement associated with this table's stream to an
+   * IAM principal's policy.
+   * @param grantee The principal (no-op if undefined)
+   * @param actions The set of actions to allow (i.e. "dynamodb:DescribeStream", "dynamodb:GetRecords", ...)
+   */
+  grantStream(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+
   /**
    * Permits an IAM principal all data read operations from this table:
    * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan.
@@ -256,6 +272,12 @@ export interface ITable extends IResource {
    */
   grantReadWriteData(grantee: iam.IGrantable): iam.Grant;
 
+  /**
+   * Permits all DynamoDB operations ("dynamodb:*") to an IAM principal.
+   * @param grantee The principal to grant access to
+   */
+  grantFullAccess(grantee: iam.IGrantable): iam.Grant;
+
   /**
    * Metric for the number of Errors executing all Lambdas
    */

diff --git a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
@@ -1359,6 +1359,59 @@ describe('grants', () => {
       'Users': [{ 'Ref': 'user2C2B57AE' }],
     });
   });
+
+  test('grant for an imported table', () => {
+    // GIVEN
+    const stack = new Stack();
+    const table = Table.fromTableName(stack, 'MyTable', 'my-table');
+    const user = new iam.User(stack, 'user');
+
+    // WHEN
+    table.grant(user, 'dynamodb:*');
+
+    // THEN
+    expect(stack).toHaveResource('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: 'dynamodb:*',
+            Effect: 'Allow',
+            Resource: [
+              {
+                'Fn::Join': [
+                  '',
+                  [
+                    'arn:',
+                    {
+                      Ref: 'AWS::Partition',
+                    },
+                    ':dynamodb:',
+                    {
+                      Ref: 'AWS::Region',
+                    },
+                    ':',
+                    {
+                      Ref: 'AWS::AccountId',
+                    },
+                    ':table/my-table',
+                  ],
+                ],
+              },
+              {
+                Ref: 'AWS::NoValue',
+              },
+            ],
+          },
+        ],
+        Version: '2012-10-17',
+      },
+      Users: [
+        {
+          Ref: 'user2C2B57AE',
+        },
+      ],
+    });
+  });
 });
 
 describe('secondary indexes', () => {