Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(dynamodb): add resource polices for table #29818

Closed
wants to merge 13 commits into from

Conversation

LeeroyHannigan
Copy link
Contributor

Issue # (if applicable)

Closes #29600.

#29600

Reason for this change

Adding a new feature

Description of changes

Add resourcePolicy for DynamoDB Table component in aws-dynamodb

Description of how you validated changes

integration test integ.dynamodb.policy.ts

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team April 12, 2024 18:43
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Apr 12, 2024
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@@ -370,6 +370,13 @@ export interface TableOptions extends SchemaOptions {
* @default - no data import from the S3 bucket
*/
readonly importSource?: ImportSourceSpecification;

/**
* Resource policy to assign to DynamoDB Table.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Resource policy to assign to the table.


new TestStack(app, 'ResourcePolicyTest');

app.synth();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you run this with yarn integ-runner... ? It should produce a snapshot.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can. I was just running cdk synth. So yarn integ-runner filename.js is the way to run it?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes when you update any integ.*.ts under framework-integ, you should run yarn integ to update the snapshots.
https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md#integration-tests

@msambol
Copy link
Contributor

msambol commented Apr 14, 2024

Title: feat(dynamodb): add resource policy for table

@paulhcsun paulhcsun changed the title feat(aws-dynamodb) Add resource polices to DynamoDB Table feat(dynamodb) add resource polices for DynamoDB Table Apr 19, 2024
@toutou826
Copy link

toutou826 commented Apr 22, 2024

Hi @LeeroyHannigan ,

I am interested to use this functionality, thank you taking on this feature!

It would be great to change the grant functions in Table construct:

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts#L442

from using Grant.addToPrincipal to Grant.addToPrincipalOrResource so people could use TableV2.grant and related functions for resource based permission as well

*
* @default - No resource policy statements are added to the created table.
*/
readonly resourcePolicy?: iam.PolicyDocument;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't expose the resourcePolicy like this, integrate it with the L2's grant methods (try using addToPrincipalOrResource). You'll need to put this under a feature flag, because otherwise this will be modifying people's IAM permissions on a version bump, which is a breaking change.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the same suggestion that @toutou826 made here: #29818 (comment).

Copy link
Contributor

@GavinZZ GavinZZ May 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@comcalvi can you explain how it will work with the grant methods and why it would be backward incompatible?

My understanding of grant, specifically addToPrincipalOrResource will first add IAM policy to the principal of the grantee resource and fall back to adding resource-based policy addToResourcePolicy on fail. For all existing grant usage for dynamodb table, it calls addToPrincipal which tries to add IAM policy and throw an exception when fail.

Are you suggesting to make resourcePolicy field private and table construct will need to implement addToResourcePolicy function, then when failing to add IAM policy fall back to call addToResourcePolicy and update resourcePolicy field? I don't see why this would be backward incompatible though.

Copy link
Contributor Author

@LeeroyHannigan LeeroyHannigan May 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@comcalvi

Don't expose the resourcePolicy like this, integrate it with the L2's grant methods (try using addToPrincipalOrResource). You'll need to put this under a feature flag, because otherwise this will be modifying people's IAM permissions on a version bump, which is a breaking change.

According to the design guidelines we should expose this prop:

When a construct represents an AWS resource that supports a resource policy, it should expose an optional prop that will allow initializing resource with a specified policy [awslint:resource-policy-prop]:

resourcePolicy?: iam.PolicyStatement[]

Are you suggesting otherwise?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't realize this was in our design guidelines. We should follow the design guidelines here. As we discussed offline, this grant needs to support using addToPrincpalOrResource. TableBase needs to implement IResourceWithPolicy.

super(scope, id, props);

// table with resource policy
new dynamodb.Table(this, 'TableTest1', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need unit test changes as well as integ test changes.

@aws-cdk-automation
Copy link
Collaborator

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

Copy link
Contributor

@comcalvi comcalvi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add some unit tests for this change.

/**
* Resource policy to assign to DynamoDB Table.
*
* @default - No resource policy statements are added to the created table.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* @default - No resource policy statements are added to the created table.
* @default - No resource policy.

/**
* Resource policy to assign to DynamoDB Table.
*
* @default - No resource policy statements are added to the created table.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* @default - No resource policy statements are added to the created table.
* @default - No resource policy.

@@ -21,6 +21,7 @@ import {
Aws, CfnCondition, CfnCustomResource, CfnResource, Duration,
Fn, Lazy, Names, RemovalPolicy, Stack, Token, CustomResource,
} from '../../core';
import { Grant, IResourceWithPolicy } from '../../aws-iam';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we use the package import iam object instead of these directly?

@LeeroyHannigan LeeroyHannigan changed the title feat(dynamodb) add resource polices for DynamoDB Table feat(dynamodb): add resource polices for dynamoDB table May 13, 2024
@LeeroyHannigan LeeroyHannigan changed the title feat(dynamodb): add resource polices for dynamoDB table feat(dynamodb): add resource polices for table May 13, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review May 13, 2024 16:31

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@mergify mergify bot dismissed comcalvi’s stale review May 13, 2024 17:13

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: dc14bba
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

@aws-cdk-automation aws-cdk-automation added the closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. label May 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws-cdk-lib.aws_dynamodb: Resource Policy property
7 participants