aws · mergify · Oct 6, 2023 · Mar 30, 2023 · Mar 30, 2023 · Mar 31, 2023
diff --git a/packages/@aws-cdk/aws-redshift-alpha/lib/private/database-query-provider/privileges.ts b/packages/@aws-cdk/aws-redshift-alpha/lib/private/database-query-provider/privileges.ts
@@ -1,9 +1,9 @@
 /* eslint-disable-next-line import/no-unresolved */
 import * as AWSLambda from 'aws-lambda';
+import { TablePrivilege, UserTablePrivilegesHandlerProps } from '../handler-props';
 import { executeStatement } from './redshift-data';
 import { ClusterProps } from './types';
 import { makePhysicalId } from './util';
-import { TablePrivilege, UserTablePrivilegesHandlerProps } from '../handler-props';
 
 export async function handler(props: UserTablePrivilegesHandlerProps & ClusterProps, event: AWSLambda.CloudFormationCustomResourceEvent) {
   const username = props.username;
@@ -62,10 +62,26 @@ async function updatePrivileges(
   }
 
   const oldTablePrivileges = oldResourceProperties.tablePrivileges;
-  if (oldTablePrivileges !== tablePrivileges) {
-    await revokePrivileges(username, oldTablePrivileges, clusterProps);
-    await grantPrivileges(username, tablePrivileges, clusterProps);
-    return { replace: false };
+  const tablesToRevoke = oldTablePrivileges.filter(({ tableId, actions }) => (
+    tablePrivileges.find(({ tableId: otherTableId, actions: otherActions }) => (
+      tableId === otherTableId && actions.some(action => !otherActions.includes(action))
+    ))
+  ));
+  if (tablesToRevoke.length > 0) {
+    await revokePrivileges(username, tablesToRevoke, clusterProps);
+  }
+
+  const tablesToGrant = tablePrivileges.filter(({ tableId, tableName, actions }) => {
+    const tableAdded = !oldTablePrivileges.find(({ tableId: otherTableId, tableName: otherTableName }) => (
+      tableId === otherTableId && tableName === otherTableName
+    ));
+    const actionsAdded = oldTablePrivileges.find(({ tableId: otherTableId, actions: otherActions }) => (
+      tableId === otherTableId && otherActions.some(action => !actions.includes(action))
+    ));
+    return tableAdded || actionsAdded;
+  });
+  if (tablesToGrant.length > 0) {
+    await grantPrivileges(username, tablesToGrant, clusterProps);
   }
 
   return { replace: false };

diff --git a/packages/@aws-cdk/aws-redshift-alpha/lib/private/handler-props.ts b/packages/@aws-cdk/aws-redshift-alpha/lib/private/handler-props.ts
@@ -25,6 +25,7 @@ export interface TableHandlerProps {
 }
 
 export interface TablePrivilege {
+  readonly tableId: string;
   readonly tableName: string;
   readonly actions: string[];
 }

diff --git a/packages/@aws-cdk/aws-redshift-alpha/lib/private/privileges.ts b/packages/@aws-cdk/aws-redshift-alpha/lib/private/privileges.ts
@@ -1,11 +1,11 @@
 import * as cdk from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
-import { DatabaseQuery } from './database-query';
-import { HandlerName } from './database-query-provider/handler-name';
-import { TablePrivilege as SerializedTablePrivilege, UserTablePrivilegesHandlerProps } from './handler-props';
 import { DatabaseOptions } from '../database-options';
 import { ITable, TableAction } from '../table';
 import { IUser } from '../user';
+import { DatabaseQuery } from './database-query';
+import { HandlerName } from './database-query-provider/handler-name';
+import { TablePrivilege as SerializedTablePrivilege, UserTablePrivilegesHandlerProps } from './handler-props';
 
 /**
  * The Redshift table and action that make up a privilege that can be granted to a Redshift user.
@@ -63,23 +63,30 @@ export class UserTablePrivileges extends Construct {
         tablePrivileges: cdk.Lazy.any({
           produce: () => {
             const reducedPrivileges = this.privileges.reduce((privileges, { table, actions }) => {
-              const tableName = table.tableName;
-              if (!(tableName in privileges)) {
-                privileges[tableName] = [];
+              const tableId = table.node.id;
+              if (!(tableId in privileges)) {
+                privileges[tableId] = {
+                  tableName: table.tableName,
+                  actions: [],
+                };
               }
-              actions = actions.concat(privileges[tableName]);
+              actions = actions.concat(privileges[tableId].actions);
               if (actions.includes(TableAction.ALL)) {
                 actions = [TableAction.ALL];
               }
               if (actions.includes(TableAction.UPDATE) || actions.includes(TableAction.DELETE)) {
                 actions.push(TableAction.SELECT);
               }
-              privileges[tableName] = Array.from(new Set(actions));
+              privileges[tableId] = {
+                tableName: table.tableName,
+                actions: Array.from(new Set(actions)),
+              };
               return privileges;
-            }, {} as { [key: string]: TableAction[] });
-            const serializedPrivileges: SerializedTablePrivilege[] = Object.entries(reducedPrivileges).map(([tableName, actions]) => ({
-              tableName: tableName,
-              actions: actions.map(action => TableAction[action]),
+            }, {} as { [key: string]: { tableName: string, actions: TableAction[] } });
+            const serializedPrivileges: SerializedTablePrivilege[] = Object.entries(reducedPrivileges).map(([tableId, config]) => ({
+              tableId,
+              tableName: config.tableName,
+              actions: config.actions.map(action => TableAction[action]),
             }));
             return serializedPrivileges;
           },

diff --git a/packages/@aws-cdk/aws-redshift-alpha/test/database-query-provider/privileges.test.ts b/packages/@aws-cdk/aws-redshift-alpha/test/database-query-provider/privileges.test.ts
@@ -3,7 +3,9 @@ import type * as AWSLambda from 'aws-lambda';
 
 const username = 'username';
 const tableName = 'tableName';
-const tablePrivileges = [{ tableName, actions: ['INSERT', 'SELECT'] }];
+const tableId = 'tableId';
+const actions = ['INSERT', 'SELECT'];
+const tablePrivileges = [{ tableId, tableName, actions }];
 const clusterName = 'clusterName';
 const adminUserArn = 'adminUserArn';
 const databaseName = 'databaseName';
@@ -147,9 +149,27 @@ describe('update', () => {
     }));
   });
 
-  test('does not replace when privileges change', async () => {
+  test('does not replace when table name is changed', async () => {
     const newTableName = 'newTableName';
-    const newTablePrivileges = [{ tableName: newTableName, actions: ['DROP'] }];
+    const newTablePrivileges = [{ tableId, tableName: newTableName, actions }];
+    const newResourceProperties = {
+      ...resourceProperties,
+      tablePrivileges: newTablePrivileges,
+    };
+
+    await expect(managePrivileges(newResourceProperties, event)).resolves.toMatchObject({
+      PhysicalResourceId: physicalResourceId,
+    });
+    expect(mockExecuteStatement).not.toHaveBeenCalledWith(expect.objectContaining({
+      Sql: `REVOKE INSERT, SELECT ON ${newTableName} FROM ${username}`,
+    }));
+    expect(mockExecuteStatement).not.toHaveBeenCalledWith(expect.objectContaining({
+      Sql: expect.stringMatching(new RegExp(`.+ ON ${tableName} TO ${username}`)),
+    }));
+  });
+
+  test('does not replace when table actions are changed', async () => {
+    const newTablePrivileges = [{ tableId, tableName, actions: ['DROP'] }];
     const newResourceProperties = {
       ...resourceProperties,
       tablePrivileges: newTablePrivileges,
@@ -162,7 +182,49 @@ describe('update', () => {
       Sql: `REVOKE INSERT, SELECT ON ${tableName} FROM ${username}`,
     }));
     expect(mockExecuteStatement).toHaveBeenCalledWith(expect.objectContaining({
-      Sql: `GRANT DROP ON ${newTableName} TO ${username}`,
+      Sql: `GRANT DROP ON ${tableName} TO ${username}`,
     }));
   });
-});
+
+  test('does not replace when table id is changed', async () => {
+    const newTableId = 'newTableId';
+    const newTablePrivileges = [{ tableId: newTableId, tableName, actions }];
+    const newResourceProperties = {
+      ...resourceProperties,
+      tablePrivileges: newTablePrivileges,
+    };
+
+    await expect(managePrivileges(newResourceProperties, event)).resolves.toMatchObject({
+      PhysicalResourceId: physicalResourceId,
+    });
+    expect(mockExecuteStatement).not.toHaveBeenCalledWith(expect.objectContaining({
+      Sql: expect.stringMatching(new RegExp(`REVOKE .+ ON ${tableName} FROM ${username}`)),
+    }));
+    expect(mockExecuteStatement).toHaveBeenCalledWith(expect.objectContaining({
+      Sql: expect.stringMatching(new RegExp(`GRANT .+ ON ${tableName} TO ${username}`)),
+    }));
+  });
+
+  test('does not replace when table id is appended', async () => {
+    const newTablePrivileges = [{ tableId: 'newTableId', tableName, actions }];
+    const newResourceProperties = {
+      ...resourceProperties,
+      tablePrivileges: newTablePrivileges,
+    };
+
+    const newEvent = {
+      ...event,
+      OldResourceProperties: {
+        ...event.OldResourceProperties,
+        tablePrivileges: [{ tableName, actions }],
+      },
+    };
+
+    await expect(managePrivileges(newResourceProperties, newEvent)).resolves.toMatchObject({
+      PhysicalResourceId: physicalResourceId,
+    });
+    expect(mockExecuteStatement).not.toHaveBeenCalledWith(expect.objectContaining({
+      Sql: expect.stringMatching(new RegExp(`.+ ON ${tableName} FROM ${username}`)),
+    }));
+  });
+});
diff --git a/...shot/asset.135d36da5a9e712a2792be4734f4cf4b34b551d49646eef9dec0c185fc869c12/privileges.js b/...shot/asset.135d36da5a9e712a2792be4734f4cf4b34b551d49646eef9dec0c185fc869c12/privileges.js