fix(scheduler-targets-alpha): update inspector target to use IAssessmentTemplate instead of CfnAssessmentTemplate (#33682)

gracelu0 · web-flow · commit 50ba3efabca8 · 2025-03-05T00:47:43.000Z
### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change Adhere to AWS CDK best practice/design guidelines to not expose L1 resources/properties in L2 APIs. ### Description of changes Changed `InspectorStartAssessmentRun` target constructor to accept `IAssessmentTemplate` instead of `CfnAssessmentTemplate` ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Updated unit tests and integration test - no snapshot changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) BREAKING CHANGE: The `InspectorStartAssessmentRun` target's constructor now accepts `IAssessmentTemplate` instead of `CfnAssessmentTemplate` as its parameter type. To migrate existing code, use the `AssessmentTemplate.fromCfnAssessmentTemplate()` method to convert your `CfnAssessmentTemplate` instances to `IAssessmentTemplate`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md b/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
@@ -222,7 +222,9 @@ called every hour by EventBridge Scheduler.
 ```ts
 import * as inspector from 'aws-cdk-lib/aws-inspector';
 
-declare const assessmentTemplate: inspector.CfnAssessmentTemplate;
+declare const cfnAssessmentTemplate: inspector.CfnAssessmentTemplate;
+
+const assessmentTemplate = inspector.AssessmentTemplate.fromCfnAssessmentTemplate(this, 'MyAssessmentTemplate', cfnAssessmentTemplate);
 
 new Schedule(this, 'Schedule', {
   schedule: ScheduleExpression.rate(Duration.minutes(60)),
@@ -316,7 +318,7 @@ new Schedule(this, 'Schedule', {
 
 ## Invoke a wider set of AWS API
 
-Use the `Universal` target to invoke AWS API. See https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html
+Use the `Universal` target to invoke AWS API. See <https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html>
 
 The code snippet below creates an event rule with AWS API as the target which is
 called at midnight every day by EventBridge Scheduler.
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/inspector-start-assessment-run.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/inspector-start-assessment-run.ts
@@ -1,22 +1,24 @@
 import { IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
 import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
-import { CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
+import { IAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
 import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
 
 /**
  * Use an Amazon Inspector as a target for AWS EventBridge Scheduler.
  */
 export class InspectorStartAssessmentRun extends ScheduleTargetBase implements IScheduleTarget {
   constructor(
-    template: CfnAssessmentTemplate,
+    template: IAssessmentTemplate,
     props: ScheduleTargetBaseProps = {},
   ) {
-    super(props, template.attrArn);
+    super(props, template.assessmentTemplateArn);
   }
 
   protected addTargetActionToRole(role: IRole): void {
     role.addToPrincipalPolicy(new PolicyStatement({
       actions: ['inspector:StartAssessmentRun'],
+      // The wildcard is intentional here as Amazon Inspector does not support specifying a resource ARN in the Resource element of an IAM policy statement.
+      // See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector.html#amazoninspector-resources-for-iam-policies.
       resources: ['*'],
     }));
   }
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/inspector-start-assessment-run.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/inspector-start-assessment-run.test.ts
@@ -2,26 +2,27 @@ import { ScheduleExpression, Schedule, Group } from '@aws-cdk/aws-scheduler-alph
 import { App, Duration, Stack } from 'aws-cdk-lib';
 import { Template } from 'aws-cdk-lib/assertions';
 import { AccountRootPrincipal, Role } from 'aws-cdk-lib/aws-iam';
-import { CfnAssessmentTarget, CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
+import { AssessmentTemplate, CfnAssessmentTarget, CfnAssessmentTemplate, IAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import { InspectorStartAssessmentRun } from '../lib';
 
 describe('schedule target', () => {
   let app: App;
   let stack: Stack;
-  let template: CfnAssessmentTemplate;
+  let template: IAssessmentTemplate;
   const expr = ScheduleExpression.at(new Date(Date.UTC(1969, 10, 20, 0, 0, 0)));
   const roleId = 'SchedulerRoleForTarget78b2d848BF7444';
 
   beforeEach(() => {
     app = new App({ context: { '@aws-cdk/aws-iam:minimizePolicies': true } });
     stack = new Stack(app, 'Stack', { env: { region: 'us-east-1', account: '123456789012' } });
     const assessmentTarget = new CfnAssessmentTarget(stack, 'MyAssessmentTarget');
-    template = new CfnAssessmentTemplate(stack, 'MyTemplate', {
+    const cfnAssessmentTemplate = new CfnAssessmentTemplate(stack, 'MyTemplate', {
       assessmentTargetArn: assessmentTarget.attrArn,
       durationInSeconds: 3600,
       rulesPackageArns: ['arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'],
     });
+    template = AssessmentTemplate.fromCfnAssessmentTemplate(stack, 'AssessmentTemplate', cfnAssessmentTemplate);
   });
 
   test('creates IAM role and IAM policy for inspector assessment template in the same account', () => {
@@ -278,11 +279,12 @@ describe('schedule target', () => {
       },
     });
     const assessmentTarget = new CfnAssessmentTarget(stack2, 'AnotherTarget');
-    const anotherTemplate = new CfnAssessmentTemplate(stack2, 'AnotherTemplate', {
+    const cfnAssessmentTemplate = new CfnAssessmentTemplate(stack2, 'AnotherTemplate', {
       assessmentTargetArn: assessmentTarget.attrArn,
       durationInSeconds: 3600,
       rulesPackageArns: ['arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'],
     });
+    const anotherTemplate = AssessmentTemplate.fromCfnAssessmentTemplate(stack2, 'AnotherAssessmentTemplate', cfnAssessmentTemplate);
 
     const inspectorTarget = new InspectorStartAssessmentRun(anotherTemplate);
 
@@ -363,11 +365,12 @@ describe('schedule target', () => {
       },
     });
     const assessmentTarget = new CfnAssessmentTarget(stack2, 'AnotherTarget');
-    const anotherTemplate = new CfnAssessmentTemplate(stack2, 'AnotherTemplate', {
+    const cfnAssessmentTemplate = new CfnAssessmentTemplate(stack2, 'AnotherTemplate', {
       assessmentTargetArn: assessmentTarget.attrArn,
       durationInSeconds: 3600,
       rulesPackageArns: ['arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'],
     });
+    const anotherTemplate = AssessmentTemplate.fromCfnAssessmentTemplate(stack2, 'AnotherAssessmentTemplate', cfnAssessmentTemplate);
     const importedRole = Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/someRole');
 
     const inspectorTarget = new InspectorStartAssessmentRun(anotherTemplate, {
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts
@@ -1,7 +1,7 @@
 import * as scheduler from '@aws-cdk/aws-scheduler-alpha';
 import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
 import * as cdk from 'aws-cdk-lib';
-import { CfnAssessmentTarget, CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
+import { AssessmentTemplate, CfnAssessmentTarget, CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
 import { InspectorStartAssessmentRun } from '../lib';
 
 /*
@@ -17,12 +17,12 @@ const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-cdk-scheduler-targets-inspector-start-assessment-run');
 
 const assessmentTarget = new CfnAssessmentTarget(stack, 'MyAssessmentTarget');
-const assessmentTemplate = new CfnAssessmentTemplate(stack, 'MyAssessmentTemplate', {
+const cfnAssessmentTemplate = new CfnAssessmentTemplate(stack, 'MyAssessmentTemplate', {
   assessmentTargetArn: assessmentTarget.attrArn,
   durationInSeconds: 3600,
-  // https://docs.aws.amazon.com/inspector/v1/userguide/inspector_rules-arns.html#us-east-1
   rulesPackageArns: ['arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'],
 });
+const assessmentTemplate = AssessmentTemplate.fromCfnAssessmentTemplate(stack, 'AssessmentTemplate', cfnAssessmentTemplate);
 
 new scheduler.Schedule(stack, 'Schedule', {
   schedule: scheduler.ScheduleExpression.rate(cdk.Duration.minutes(10)),
@@ -36,10 +36,10 @@ const integrationTest = new IntegTest(app, 'integrationtest-inspector-start-asse
 
 // Verifies that the assessment run by the scheduler
 integrationTest.assertions.awsApiCall('Inspector', 'listAssessmentRuns', {
-  AssessmentTemplateArns: [assessmentTemplate.attrArn],
+  AssessmentTemplateArns: [assessmentTemplate.assessmentTemplateArn],
 }).assertAtPath(
   'assessmentRunArns.0',
-  ExpectedResult.stringLikeRegexp(assessmentTemplate.attrArn),
+  ExpectedResult.stringLikeRegexp(assessmentTemplate.assessmentTemplateArn),
 ).waitForAssertions({
   interval: cdk.Duration.seconds(30),
   totalTimeout: cdk.Duration.minutes(10),
