Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(dynamodb): addtoresourcepolicy fix for table (v1) construct #31516

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

fix(dynamodb): addtoresourcepolicy fix for table (v1) construct #31516

wants to merge 6 commits into from

Conversation

LeeroyHannigan
Copy link
Contributor

Issue # (if applicable)

Closes #30793.

Reason for this change

addToResourcePolicy() was not correctly adding a policy statement to the table

Description of changes

Fixed the method to correctly add the policy to the table constructor.

Description of how you validated changes

Tests added

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team September 21, 2024 09:06
@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/small Small work item – less than a day of effort p2 labels Sep 21, 2024
@LeeroyHannigan LeeroyHannigan changed the title fix(dynamodb): addtoresourcepolicy fix for table (v1) fix(dynamodb): addtoresourcepolicy fix for table (v1) construct Sep 21, 2024
everilae
everilae reviewed Sep 23, 2024
View reviewed changes
packages/aws-cdk-lib/aws-dynamodb/lib/table.ts
@@ -564,7 +564,7 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
* @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...)
*/
public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
return iam.Grant.addToPrincipalOrResource({
return iam.Grant.addToPrincipal({
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does this need to become addToPrincipal? We are for example already using the resource policy to grant cross-account access to a table directly. We build the policy in CDK from external account ArnPrincipals.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because addToPrincipalOrResource never adds to the resource, as IAM is missing methods. So I'm putting it back to how it was before I changed it until I have time to implement the missing methods in IAM

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't fully understand what methods are missing. Looking at Grant, it seems to be handling this already, if given the resource in the call: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-iam/lib/grant.ts#L145-L157. It's just that Table.addToResourcePolicy is not functional, but instead adds statements to a policy instance not bound with the internal CfnTable.

everilae
everilae reviewed Sep 23, 2024
View reviewed changes
packages/aws-cdk-lib/aws-dynamodb/lib/table.ts
@@ -958,11 +941,11 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc
produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE,
})),
];
const ret = iam.Grant.addToPrincipalOrResource({
const ret = iam.Grant.addToPrincipal({
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, this would break Table v1 for us.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 99284b8
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@everilae everilae everilae left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/small Small work item – less than a day of effort p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

aws-dynamodb: addToResourcePolicy has no effect
3 participants
@LeeroyHannigan @aws-cdk-automation @everilae