Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(dynamodb): add resource polices for table #30251

Merged
merged 20 commits into from
May 29, 2024
Merged

Conversation

LeeroyHannigan
Copy link
Contributor

Issue # (if applicable)

Closes #29600.

#29600
Reason for this change

Adding a new feature
Description of changes

Add resourcePolicy for DynamoDB Table component in aws-dynamodb
Description of how you validated changes

integration test integ.dynamodb.policy.ts
Checklist

[X ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels May 17, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team May 17, 2024 08:38
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label May 17, 2024
@scanlonp
Copy link
Contributor

@Mergifyio update

Copy link
Contributor

mergify bot commented May 20, 2024

update

✅ Branch has been successfully updated

@JavierLuna
Copy link

Really looking forward to this, resource based policies would simplify our architecture a lot

Copy link
Contributor

@scanlonp scanlonp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LeeroyHannigan, this looks amazing! Just a bit of clean up and some implementation questions. I said in the comments, but I think we can take all of the doc strings and code style from table-v2.ts and copy it to the corresponding places in table.ts.

I see that we are slightly changing the grant implementation; I assume it should not affect its current behavior. I wish we had some grant coverage in our integ tests, but it looks like we do not currently test it beyond a couple grantReadData/grantWriteData calls. However, I see it is thoroughly unit tested, and none were effected, so I feel good.

Lastly, you call out that adding a replica and adding a resource-based policy to that replica in the same deployment (update) is not possible. Is this an error that is thrown on the CloudFormation side? Can you detail how this affects a user creating a TableV2? It sounds to me like a user needs to define all their replicas, deploy, then add all the resource policies, the deploy again. Is that correct?
I do not believe we can validate this at synth time since we are stateless. Calling it out may be the only option.

Again, thanks for submitting this PR and excited for customers being able to use this soon!

Comment on lines 284 to 290
// /**
// * Resource policy to assign to DynamoDB Table.
// *
// * @default - No resource policy statements are added to the created table.
// */
// readonly resourcePolicy?: iam.PolicyDocument;

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's clean this up.

Comment on lines 420 to 424
/**
* @attribute
*/
public resourcePolicy?: PolicyDocument;

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's move this below encryptionKey.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noting that this should not be readonly as we can add policies to it. Checkout s3/bucket.ts for a similar pattern.

Comment on lines 510 to 513
/**
* Resource policy to assign to table.
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy
* @default - No resource policy statement
*/
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can cut down this doc string.

packages/aws-cdk-lib/aws-dynamodb/lib/table.ts Outdated Show resolved Hide resolved
name: 'id',
type: dynamodb.AttributeType.STRING,
},
removalPolicy: RemovalPolicy.DESTROY,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Appreciate these removal polices!

Comment on lines 49 to 51
new IntegTest(app, 'resource-policy-integ-test', {
testCases: [stack],
regions: ['us-east-1'],
cdkCommandOptions: {
deploy: {
args: {
rollback: true,
},
},
},
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
new IntegTest(app, 'resource-policy-integ-test', {
testCases: [stack],
regions: ['us-east-1'],
cdkCommandOptions: {
deploy: {
args: {
rollback: true,
},
},
},
});
new IntegTest(app, 'resource-policy-integ-test', {
testCases: [stack],
});

Let's simplify the integ test configuration. Unless there is a specific reason, this may be better for our automation.

Comment on lines 37 to 41
new IntegTest(app, 'table-v2-resource-policy-integ-test', {
testCases: [stack],
regions: ['us-east-1'],
cdkCommandOptions: {
deploy: {
args: {
rollback: true,
},
},
},
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
new IntegTest(app, 'table-v2-resource-policy-integ-test', {
testCases: [stack],
regions: ['us-east-1'],
cdkCommandOptions: {
deploy: {
args: {
rollback: true,
},
},
},
});
new IntegTest(app, 'table-v2-resource-policy-integ-test', {
testCases: [stack],
});

Same thing here. Paring down the config.

});
});

test('throws if trying to add a resource policy to a region other than local region', () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an odd test. It is not actually testing what is says its testing. There is no error added related to policy statements, so we cannot throw in a unit test for that scenario.

This error is already covered by a test in this section, so I suggest we delete this test unless it is testing something related to policy documents.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label May 23, 2024
@scanlonp
Copy link
Contributor

@Mergifyio update

Copy link
Contributor

mergify bot commented May 23, 2024

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/github-merit-badger.yml without workflows permission

@mergify mergify bot dismissed scanlonp’s stale review May 23, 2024 11:15

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label May 23, 2024
scanlonp
scanlonp previously approved these changes May 29, 2024
Copy link
Contributor

@scanlonp scanlonp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Thanks for your hard work on this @LeeroyHannigan

@scanlonp
Copy link
Contributor

@Mergifyio update

Copy link
Contributor

mergify bot commented May 29, 2024

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/github-merit-badger.yml without workflows permission

@mergify mergify bot dismissed scanlonp’s stale review May 29, 2024 21:51

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 5e3b3d1
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

mergify bot commented May 29, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 7dc6d27 into aws:main May 29, 2024
11 checks passed
atanaspam pushed a commit to atanaspam/aws-cdk that referenced this pull request Jun 3, 2024
Issue # (if applicable)

Closes aws#29600.

aws#29600
Reason for this change

Adding a new feature
Description of changes

Add resourcePolicy for DynamoDB Table component in aws-dynamodb
Description of how you validated changes

integration test integ.dynamodb.policy.ts
Checklist

    [X ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
vdahlberg pushed a commit to vdahlberg/aws-cdk that referenced this pull request Jun 10, 2024
Issue # (if applicable)

Closes aws#29600.

aws#29600
Reason for this change

Adding a new feature
Description of changes

Add resourcePolicy for DynamoDB Table component in aws-dynamodb
Description of how you validated changes

integration test integ.dynamodb.policy.ts
Checklist

    [X ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws-cdk-lib.aws_dynamodb: Resource Policy property
4 participants