Skip to content

Commit

Permalink
Remove env check on Schedule and the target
Browse files Browse the repository at this point in the history
  • Loading branch information
@samson-keung
samson-keung committed Oct 17, 2024
1 parent 7815144 commit beca3d7
Show file tree
Hide file tree
Showing 11 changed files with 44 additions and 195 deletions.
23 changes: 6 additions & 17 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codebuild-start-build.ts
View file
Original file line number Diff line number Diff line change
@@ -1,34 +1,23 @@
import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import { IProject } from 'aws-cdk-lib/aws-codebuild';
import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Use an AWS CodeBuild as a target for AWS EventBridge Scheduler.
*/
export class CodeBuildStartBuild extends ScheduleTargetBase implements IScheduleTarget {
private readonly project: IProject;

constructor(
private readonly project: IProject,
private readonly props: ScheduleTargetBaseProps = {},
project: IProject,
props: ScheduleTargetBaseProps = {},
) {
super(props, project.projectArn);
this.project = project;
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
if (!sameEnvDimension(this.project.env.region, schedule.env.region)) {
throw new Error(`Cannot assign project in region ${this.project.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the project must be in the same region.`);
}

if (!sameEnvDimension(this.project.env.account, schedule.env.account)) {
throw new Error(`Cannot assign project in account ${this.project.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the project must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, schedule.env.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.account}. Both the target and the execution role must be in the same account.`);
}

protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
role.addToPrincipalPolicy(new PolicyStatement({
actions: ['codebuild:StartBuild'],
resources: [this.project.projectArn],
Expand Down
26 changes: 6 additions & 20 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codepipeline-start-pipeline-execution.ts
View file
Original file line number Diff line number Diff line change
@@ -1,37 +1,23 @@
import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import { IPipeline } from 'aws-cdk-lib/aws-codepipeline';
import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Use an AWS CodePipeline pipeline as a target for AWS EventBridge Scheduler.
*/
export class CodePipelineStartPipelineExecution extends ScheduleTargetBase implements IScheduleTarget {
private readonly pipeline: IPipeline;

constructor(
private readonly pipeline: IPipeline,
private readonly props: ScheduleTargetBaseProps = {},
pipeline: IPipeline,
props: ScheduleTargetBaseProps = {},
) {
super(props, pipeline.pipelineArn);
this.pipeline = pipeline;
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
const region = this.pipeline.env.region ?? '';
const account = this.pipeline.env.account ?? '';

if (!sameEnvDimension(region, schedule.env.region)) {
throw new Error(`Cannot assign pipeline in region ${region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the pipeline must be in the same region.`);
}

if (!sameEnvDimension(account, schedule.env.account)) {
throw new Error(`Cannot assign pipeline in account ${account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the pipeline must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.pipeline.node)} in account ${account}. Both the target and the execution role must be in the same account.`);
}

protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
role.addToPrincipalPolicy(new PolicyStatement({
actions: ['codepipeline:StartPipelineExecution'],
resources: [this.pipeline.pipelineArn],
Expand Down
17 changes: 1 addition & 16 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/event-bridge-put-events.ts
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
import { IScheduleTarget, ISchedule, ScheduleTargetInput, ScheduleTargetConfig } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import * as events from 'aws-cdk-lib/aws-events';
import { IRole } from 'aws-cdk-lib/aws-iam';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* An entry to be sent to EventBridge
Expand Down Expand Up @@ -60,21 +58,8 @@ export class EventBridgePutEvents extends ScheduleTargetBase implements ISchedul
}
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
const eventBus = this.entry.eventBus;
const eventBusEnv = eventBus.env;
if (!sameEnvDimension(eventBusEnv.region, schedule.env.region)) {
throw new Error(`Cannot assign eventBus in region ${eventBusEnv.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the eventBus must be in the same region.`);
}

if (!sameEnvDimension(eventBusEnv.account, schedule.env.account)) {
throw new Error(`Cannot assign eventBus in account ${eventBusEnv.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the eventBus must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, eventBusEnv.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(eventBus.node)} in account ${eventBusEnv.account}. Both the target and the execution role must be in the same account.`);
}

eventBus.grantPutEventsTo(role);
}

Expand Down
20 changes: 3 additions & 17 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/inspector-start-assessment-run.ts
View file
Original file line number Diff line number Diff line change
@@ -1,34 +1,20 @@
import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Use an Amazon Inspector as a target for AWS EventBridge Scheduler.
*/
export class InspectorStartAssessmentRun extends ScheduleTargetBase implements IScheduleTarget {
constructor(
private readonly template: CfnAssessmentTemplate,
private readonly props: ScheduleTargetBaseProps = {},
template: CfnAssessmentTemplate,
props: ScheduleTargetBaseProps = {},
) {
super(props, template.attrArn);
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
if (!sameEnvDimension(this.template.stack.region, schedule.env.region)) {
throw new Error(`Cannot assign assessment template in region ${this.template.stack.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the assessment template must be in the same region.`);
}

if (!sameEnvDimension(this.template.stack.account, schedule.env.account)) {
throw new Error(`Cannot assign assessment template in account ${this.template.stack.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the assessment template must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.template.stack.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.template.node)} in account ${this.template.stack.account}. Both the target and the execution role must be in the same account.`);
}

protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
role.addToPrincipalPolicy(new PolicyStatement({
actions: ['inspector:StartAssessmentRun'],
resources: ['*'],
Expand Down
23 changes: 6 additions & 17 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-data-firehose-put-record.ts
View file
Original file line number Diff line number Diff line change
@@ -1,34 +1,23 @@
import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { CfnDeliveryStream } from 'aws-cdk-lib/aws-kinesisfirehose';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Use an Amazon Kinesis Data Firehose as a target for AWS EventBridge Scheduler.
*/
export class KinesisDataFirehosePutRecord extends ScheduleTargetBase implements IScheduleTarget {
private readonly deliveryStream: CfnDeliveryStream;

constructor(
private readonly deliveryStream: CfnDeliveryStream,
private readonly props: ScheduleTargetBaseProps = {},
deliveryStream: CfnDeliveryStream,
props: ScheduleTargetBaseProps = {},
) {
super(props, deliveryStream.attrArn);
this.deliveryStream = deliveryStream;
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
if (!sameEnvDimension(this.deliveryStream.stack.region, schedule.env.region)) {
throw new Error(`Cannot assign the Firehose delivery stream in region ${this.deliveryStream.stack.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the Firehose delivery stream must be in the same region.`);
}

if (!sameEnvDimension(this.deliveryStream.stack.account, schedule.env.account)) {
throw new Error(`Cannot assign the Firehose delivery stream in account ${this.deliveryStream.stack.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the Firehose delivery stream must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.deliveryStream.stack.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.deliveryStream.node)} in account ${this.deliveryStream.stack.account}. Both the target and the execution role must be in the same account.`);
}

protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
role.addToPrincipalPolicy(new PolicyStatement({
actions: ['firehose:PutRecord'],
resources: [this.deliveryStream.attrArn],
Expand Down
20 changes: 1 addition & 19 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
import { ISchedule, IScheduleTarget, ScheduleTargetConfig } from '@aws-cdk/aws-scheduler-alpha';
import { Names, Token } from 'aws-cdk-lib';
import { IRole } from 'aws-cdk-lib/aws-iam';
import * as kinesis from 'aws-cdk-lib/aws-kinesis';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Properties for a Kinesis Data Streams Target
Expand All @@ -28,25 +26,9 @@ export class KinesisStreamPutRecord extends ScheduleTargetBase implements ISched
private readonly props: KinesisStreamPutRecordProps,
) {
super(props, stream.streamArn);

if (!Token.isUnresolved(props.partitionKey) && (props.partitionKey.length < 1 || props.partitionKey.length > 256)) {
throw new Error(`partitionKey length must be between 1 and 256, got ${props.partitionKey.length}`);
}
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
if (!sameEnvDimension(this.stream.env.region, schedule.env.region)) {
throw new Error(`Cannot assign stream in region ${this.stream.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the stream must be in the same region.`);
}

if (!sameEnvDimension(this.stream.env.account, schedule.env.account)) {
throw new Error(`Cannot assign stream in account ${this.stream.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the stream must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.stream.env.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.stream.node)} in account ${this.stream.env.account}. Both the target and the execution role must be in the same account.`);
}

protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
this.stream.grantWrite(role);
}

Expand Down
23 changes: 6 additions & 17 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts
View file
Original file line number Diff line number Diff line change
@@ -1,34 +1,23 @@
import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import { IRole } from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Use an AWS Lambda function as a target for AWS EventBridge Scheduler.
*/
export class LambdaInvoke extends ScheduleTargetBase implements IScheduleTarget {
private readonly func: lambda.IFunction;

constructor(
private readonly func: lambda.IFunction,
private readonly props: ScheduleTargetBaseProps,
func: lambda.IFunction,
props: ScheduleTargetBaseProps,
) {
super(props, func.functionArn);
this.func = func;
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
if (!sameEnvDimension(this.func.env.region, schedule.env.region)) {
throw new Error(`Cannot assign function in region ${this.func.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the function must be in the same region.`);
}

if (!sameEnvDimension(this.func.env.account, schedule.env.account)) {
throw new Error(`Cannot assign function in account ${this.func.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the function must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.func.env.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.func.node)} in account ${this.func.env.account}. Both the target and the execution role must be in the same account.`);
}

protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
this.func.grantInvoke(role);
}
}
20 changes: 1 addition & 19 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sage-maker-start-pipeline-execution.ts
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
import { ISchedule, IScheduleTarget, ScheduleTargetConfig } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import { IRole } from 'aws-cdk-lib/aws-iam';
import { IPipeline } from 'aws-cdk-lib/aws-sagemaker';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Properties for a pipeline parameter
Expand Down Expand Up @@ -45,25 +43,9 @@ export class SageMakerStartPipelineExecution extends ScheduleTargetBase implemen
private readonly props: SageMakerStartPipelineExecutionProps = {},
) {
super(props, pipeline.pipelineArn);

if (props.pipelineParameterList !== undefined && props.pipelineParameterList.length > 200) {
throw new Error(`pipelineParameterList length must be between 0 and 200, got ${props.pipelineParameterList.length}`);
}
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
if (!sameEnvDimension(this.pipeline.stack.region, schedule.env.region)) {
throw new Error(`Cannot assign pipeline in region ${this.pipeline.stack.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the pipeline must be in the same region.`);
}

if (!sameEnvDimension(this.pipeline.stack.account, schedule.env.account)) {
throw new Error(`Cannot assign pipeline in account ${this.pipeline.stack.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the pipeline must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.pipeline.stack.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.pipeline.node)} in account ${this.pipeline.stack.account}. Both the target and the execution role must be in the same account.`);
}

protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
this.pipeline.grantStartPipelineExecution(role);
}

Expand Down
26 changes: 6 additions & 20 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sns-publish.ts
View file
Original file line number Diff line number Diff line change
@@ -1,37 +1,23 @@
import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import { IRole } from 'aws-cdk-lib/aws-iam';
import * as sns from 'aws-cdk-lib/aws-sns';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Use an Amazon SNS topic as a target for AWS EventBridge Scheduler.
*/
export class SnsPublish extends ScheduleTargetBase implements IScheduleTarget {
private readonly topic: sns.ITopic;

constructor(
private readonly topic: sns.ITopic,
private readonly props: ScheduleTargetBaseProps = {},
topic: sns.ITopic,
props: ScheduleTargetBaseProps = {},
) {
super(props, topic.topicArn);
this.topic = topic;
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
// Check if target and schedule are in the region
if (!sameEnvDimension(this.topic.env.region, schedule.env.region)) {
throw new Error(`Cannot assign topic in region ${this.topic.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the topic must be in the same region.`);
}

// Check if target and schedule are in the same account
if (!sameEnvDimension(this.topic.env.account, schedule.env.account)) {
throw new Error(`Cannot assign topic in account ${this.topic.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${role.env.account}. Both the schedule and the topic must be in the same account.`);
}

// Check if target and role are in the same account
if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.topic.env.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to publish to target ${Names.nodeUniqueId(this.topic.node)} in account ${this.topic.env.account}. Both the target and the execution role must be in the same account.`);
}

protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void {
this.topic.grantPublish(role);
}
}
Loading

0 comments on commit beca3d7

Please sign in to comment.