Merge branch 'main' into robertd/batch

aws · Jul 7, 2022 · b867e80 · b867e80
2 parents c84f4dd + e6015a9
commit b867e80
Show file tree

Hide file tree

Showing 17 changed files with 325 additions and 177 deletions.
diff --git a/packages/@aws-cdk/integ-tests/README.md b/packages/@aws-cdk/integ-tests/README.md
@@ -264,6 +264,34 @@ integ.assertions.awsApiCall('SQS', 'receiveMessage', {
 });
 ```
 
+By default, the `AwsApiCall` construct will automatically add the correct IAM policies
+to allow the Lambda function to make the API call. It does this based on the `service`
+and `api` that is provided. In the above example the service is `SQS` and the api is
+`receiveMessage` so it will create a policy with `Action: 'sqs:ReceiveMessage`.
+
+There are some cases where the permissions do not exactly match the service/api call, for
+example the S3 `listObjectsV2` api. In these cases it is possible to add the correct policy
+by accessing the `provider` object.
+
+```ts
+declare const app: App;
+declare const stack: Stack;
+declare const integ: IntegTest;
+
+const apiCall = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
+  Bucket: 'mybucket',
+});
+
+apiCall.provider.addToRolePolicy({
+  Effect: 'Allow',
+  Action: ['s3:GetObject', 's3:ListBucket'],
+  Resource: ['*'],
+});
+```
+
+Note that addToRolePolicy() uses direct IAM JSON policy blobs, not a iam.PolicyStatement
+object like you will see in the rest of the CDK.
+
 ### EqualsAssertion
 
 This library currently provides the ability to assert that two values are equal

diff --git a/packages/@aws-cdk/integ-tests/lib/assertions/providers/provider.ts b/packages/@aws-cdk/integ-tests/lib/assertions/providers/provider.ts
@@ -134,6 +134,24 @@ class SingletonFunction extends Construct {
     return new LambdaFunctionProvider(Stack.of(this), constructName);
   }
 
+  /**
+   * Add an IAM policy statement to the inline policy of the
+   * lambdas function's role
+   *
+   * **Please note**: this is a direct IAM JSON policy blob, *not* a `iam.PolicyStatement`
+   * object like you will see in the rest of the CDK.
+   *
+   *
+   * singleton.addToRolePolicy({
+   *   Effect: 'Allow',
+   *   Action: 's3:GetObject',
+   *   Resources: '*',
+   * });
+   */
+  public addToRolePolicy(statement: any): void {
+    this.policies.push(statement);
+  }
+
   /**
    * Create a policy statement from a specific api call
    */
@@ -216,6 +234,26 @@ export class AssertionsProvider extends Construct {
   public addPolicyStatementFromSdkCall(service: string, api: string, resources?: string[]): void {
     this.handler.addPolicyStatementFromSdkCall(service, api, resources);
   }
+
+  /**
+   * Add an IAM policy statement to the inline policy of the
+   * lambdas function's role
+   *
+   * **Please note**: this is a direct IAM JSON policy blob, *not* a `iam.PolicyStatement`
+   * object like you will see in the rest of the CDK.
+   *
+   *
+   * @example
+   * declare const provider: AssertionsProvider;
+   * provider.addToRolePolicy({
+   *   Effect: 'Allow',
+   *   Action: 's3:GetObject',
+   *   Resources: '*',
+   * });
+   */
+  public addToRolePolicy(statement: any): void {
+    this.handler.addToRolePolicy(statement);
+  }
 }
 
 function slugify(x: string): string {

diff --git a/packages/@aws-cdk/integ-tests/lib/assertions/sdk.ts b/packages/@aws-cdk/integ-tests/lib/assertions/sdk.ts
@@ -9,6 +9,20 @@ import { AssertionsProvider, SDK_RESOURCE_TYPE_PREFIX } from './providers';
  * an API call using the AWS SDK
  */
 export interface IAwsApiCall extends IConstruct {
+  /**
+   * access the AssertionsProvider. This can be used to add additional IAM policies
+   * the the provider role policy
+   *
+   * @example
+   * declare const apiCall: AwsApiCall;
+   * apiCall.provider.addToRolePolicy({
+   *   Effect: 'Allow',
+   *   Action: ['s3:GetObject'],
+   *   Resource: ['*'],
+   * });
+   */
+  readonly provider: AssertionsProvider;
+
   /**
    * Returns the value of an attribute of the custom resource of an arbitrary
    * type. Attributes are returned from the custom resource provider through the
@@ -110,7 +124,7 @@ export class AwsApiCall extends Construct implements IAwsApiCall {
   private flattenResponse: string = 'false';
   private readonly name: string;
 
-  protected provider: AssertionsProvider;
+  public readonly provider: AssertionsProvider;
 
   constructor(scope: Construct, id: string, props: AwsApiCallProps) {
     super(scope, id);

diff --git a/packages/@aws-cdk/integ-tests/rosetta/default.ts-fixture b/packages/@aws-cdk/integ-tests/rosetta/default.ts-fixture
@@ -11,6 +11,7 @@ import {
   AssertionType,
   LambdaInvokeFunction,
   Match,
+  AssertionsProvider,
 } from '@aws-cdk/integ-tests';
 import { Construct } from 'constructs';
 import {

diff --git a/packages/@aws-cdk/integ-tests/test/assertions/sdk.test.ts b/packages/@aws-cdk/integ-tests/test/assertions/sdk.test.ts
@@ -44,6 +44,55 @@ describe('AwsApiCall', () => {
         param2: 2,
       },
     });
+
+  });
+
+  test('add policy to provider', () => {
+    // GIVEN
+    const app = new App();
+    const deplossert = new DeployAssert(app);
+
+    // WHEN
+    const apiCall = deplossert.awsApiCall('MyService', 'MyApi', {
+      param1: 'val1',
+      param2: 2,
+    });
+    apiCall.provider.addToRolePolicy({
+      Effect: 'Allow',
+      Action: ['s3:GetObject'],
+      Resource: ['*'],
+    });
+
+    Template.fromStack(deplossert.scope).hasResourceProperties('AWS::IAM::Role', {
+      Policies: [
+        {
+          PolicyName: 'Inline',
+          PolicyDocument: {
+            Version: '2012-10-17',
+            Statement: [
+              {
+                Action: [
+                  'myservice:MyApi',
+                ],
+                Effect: 'Allow',
+                Resource: [
+                  '*',
+                ],
+              },
+              {
+                Action: [
+                  's3:GetObject',
+                ],
+                Effect: 'Allow',
+                Resource: [
+                  '*',
+                ],
+              },
+            ],
+          },
+        },
+      ],
+    });
   });
 
   describe('get attribute', () => {

diff --git a/packages/@aws-cdk/triggers/lib/trigger.ts b/packages/@aws-cdk/triggers/lib/trigger.ts
@@ -86,7 +86,7 @@ export class Trigger extends Construct implements ITrigger {
         {
           Effect: 'Allow',
           Action: ['lambda:InvokeFunction'],
-          Resource: [handlerArn],
+          Resource: [`${props.handler.functionArn}:*`],
         },
       ],
     });

diff --git a/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/MyStack.assets.json b/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/MyStack.assets.json
@@ -1,28 +1,28 @@
 {
   "version": "20.0.0",
   "files": {
-    "6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2": {
+    "f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a": {
       "source": {
-        "path": "asset.6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2",
+        "path": "asset.f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a",
         "packaging": "zip"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2.zip",
+          "objectKey": "f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "6bb39f8bdf6e500ea85c95a13e1f30987a51708e29cb763a3a5c88e37ce9b690": {
+    "7701977a8021a9eaa249c838112381b8da272518c33b9ff336e889c3ce55be79": {
       "source": {
         "path": "MyStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "6bb39f8bdf6e500ea85c95a13e1f30987a51708e29cb763a3a5c88e37ce9b690.json",
+          "objectKey": "7701977a8021a9eaa249c838112381b8da272518c33b9ff336e889c3ce55be79.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/MyStack.template.json b/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/MyStack.template.json
@@ -119,7 +119,18 @@
          ],
          "Resource": [
           {
-           "Ref": "MyFunctionCurrentVersion197490AF2cb2bc11080c1ef11d3b49c1f1603957"
+           "Fn::Join": [
+            "",
+            [
+             {
+              "Fn::GetAtt": [
+               "MyFunction3BAA72D1",
+               "Arn"
+              ]
+             },
+             ":*"
+            ]
+           ]
           }
          ]
         }
@@ -134,7 +145,7 @@
    "Properties": {
     "Code": {
      "S3Bucket": {
-      "Ref": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3Bucket2EB34879"
+      "Ref": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3Bucket93FB8681"
      },
      "S3Key": {
       "Fn::Join": [
@@ -147,7 +158,7 @@
            "Fn::Split": [
             "||",
             {
-             "Ref": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3VersionKey03A4DC8B"
+             "Ref": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3VersionKey64A4A72E"
             }
            ]
           }
@@ -160,7 +171,7 @@
            "Fn::Split": [
             "||",
             {
-             "Ref": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3VersionKey03A4DC8B"
+             "Ref": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3VersionKey64A4A72E"
             }
            ]
           }
@@ -187,17 +198,17 @@
   }
  },
  "Parameters": {
-  "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3Bucket2EB34879": {
+  "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3Bucket93FB8681": {
    "Type": "String",
-   "Description": "S3 bucket for asset \"6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2\""
+   "Description": "S3 bucket for asset \"f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a\""
   },
-  "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3VersionKey03A4DC8B": {
+  "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3VersionKey64A4A72E": {
    "Type": "String",
-   "Description": "S3 key for asset version \"6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2\""
+   "Description": "S3 key for asset version \"f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a\""
   },
-  "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2ArtifactHash29DBC1FA": {
+  "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aArtifactHashE7245343": {
    "Type": "String",
-   "Description": "Artifact hash for asset \"6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2\""
+   "Description": "Artifact hash for asset \"f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a\""
   }
  }
 }