From beca3d7bb07aeeda627e0088af0b1e57af7252b0 Mon Sep 17 00:00:00 2001 From: Samson Keung Date: Wed, 16 Oct 2024 21:08:11 -0700 Subject: [PATCH] Remove env check on Schedule and the target --- .../lib/codebuild-start-build.ts | 23 +++++----------- .../codepipeline-start-pipeline-execution.ts | 26 +++++-------------- .../lib/event-bridge-put-events.ts | 17 +----------- .../lib/inspector-start-assessment-run.ts | 20 +++----------- .../lib/kinesis-data-firehose-put-record.ts | 23 +++++----------- .../lib/kinesis-stream-put-record.ts | 20 +------------- .../lib/lambda-invoke.ts | 23 +++++----------- .../sage-maker-start-pipeline-execution.ts | 20 +------------- .../lib/sns-publish.ts | 26 +++++-------------- .../lib/sqs-send-message.ts | 17 ++---------- .../lib/stepfunctions-start-execution.ts | 24 +++++------------ 11 files changed, 44 insertions(+), 195 deletions(-) diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codebuild-start-build.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codebuild-start-build.ts index 49ec48fb533b1..f5b5384d49144 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codebuild-start-build.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codebuild-start-build.ts @@ -1,34 +1,23 @@ import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import { IProject } from 'aws-cdk-lib/aws-codebuild'; import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Use an AWS CodeBuild as a target for AWS EventBridge Scheduler. */ export class CodeBuildStartBuild extends ScheduleTargetBase implements IScheduleTarget { + private readonly project: IProject; + constructor( - private readonly project: IProject, - private readonly props: ScheduleTargetBaseProps = {}, + project: IProject, + props: ScheduleTargetBaseProps = {}, ) { super(props, project.projectArn); + this.project = project; } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - if (!sameEnvDimension(this.project.env.region, schedule.env.region)) { - throw new Error(`Cannot assign project in region ${this.project.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the project must be in the same region.`); - } - - if (!sameEnvDimension(this.project.env.account, schedule.env.account)) { - throw new Error(`Cannot assign project in account ${this.project.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the project must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, schedule.env.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { role.addToPrincipalPolicy(new PolicyStatement({ actions: ['codebuild:StartBuild'], resources: [this.project.projectArn], diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codepipeline-start-pipeline-execution.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codepipeline-start-pipeline-execution.ts index 7e75a584e04ef..e0638b3ad3aa2 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codepipeline-start-pipeline-execution.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/codepipeline-start-pipeline-execution.ts @@ -1,37 +1,23 @@ import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import { IPipeline } from 'aws-cdk-lib/aws-codepipeline'; import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Use an AWS CodePipeline pipeline as a target for AWS EventBridge Scheduler. */ export class CodePipelineStartPipelineExecution extends ScheduleTargetBase implements IScheduleTarget { + private readonly pipeline: IPipeline; + constructor( - private readonly pipeline: IPipeline, - private readonly props: ScheduleTargetBaseProps = {}, + pipeline: IPipeline, + props: ScheduleTargetBaseProps = {}, ) { super(props, pipeline.pipelineArn); + this.pipeline = pipeline; } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - const region = this.pipeline.env.region ?? ''; - const account = this.pipeline.env.account ?? ''; - - if (!sameEnvDimension(region, schedule.env.region)) { - throw new Error(`Cannot assign pipeline in region ${region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the pipeline must be in the same region.`); - } - - if (!sameEnvDimension(account, schedule.env.account)) { - throw new Error(`Cannot assign pipeline in account ${account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the pipeline must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.pipeline.node)} in account ${account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { role.addToPrincipalPolicy(new PolicyStatement({ actions: ['codepipeline:StartPipelineExecution'], resources: [this.pipeline.pipelineArn], diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/event-bridge-put-events.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/event-bridge-put-events.ts index 9f7697a968f7b..2575a2893a2f3 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/event-bridge-put-events.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/event-bridge-put-events.ts @@ -1,9 +1,7 @@ import { IScheduleTarget, ISchedule, ScheduleTargetInput, ScheduleTargetConfig } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import * as events from 'aws-cdk-lib/aws-events'; import { IRole } from 'aws-cdk-lib/aws-iam'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * An entry to be sent to EventBridge @@ -60,21 +58,8 @@ export class EventBridgePutEvents extends ScheduleTargetBase implements ISchedul } } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { const eventBus = this.entry.eventBus; - const eventBusEnv = eventBus.env; - if (!sameEnvDimension(eventBusEnv.region, schedule.env.region)) { - throw new Error(`Cannot assign eventBus in region ${eventBusEnv.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the eventBus must be in the same region.`); - } - - if (!sameEnvDimension(eventBusEnv.account, schedule.env.account)) { - throw new Error(`Cannot assign eventBus in account ${eventBusEnv.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the eventBus must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, eventBusEnv.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(eventBus.node)} in account ${eventBusEnv.account}. Both the target and the execution role must be in the same account.`); - } - eventBus.grantPutEventsTo(role); } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/inspector-start-assessment-run.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/inspector-start-assessment-run.ts index 2c0ee67f54dcf..fa3c20f5a77a0 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/inspector-start-assessment-run.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/inspector-start-assessment-run.ts @@ -1,34 +1,20 @@ import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam'; import { CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Use an Amazon Inspector as a target for AWS EventBridge Scheduler. */ export class InspectorStartAssessmentRun extends ScheduleTargetBase implements IScheduleTarget { constructor( - private readonly template: CfnAssessmentTemplate, - private readonly props: ScheduleTargetBaseProps = {}, + template: CfnAssessmentTemplate, + props: ScheduleTargetBaseProps = {}, ) { super(props, template.attrArn); } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - if (!sameEnvDimension(this.template.stack.region, schedule.env.region)) { - throw new Error(`Cannot assign assessment template in region ${this.template.stack.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the assessment template must be in the same region.`); - } - - if (!sameEnvDimension(this.template.stack.account, schedule.env.account)) { - throw new Error(`Cannot assign assessment template in account ${this.template.stack.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the assessment template must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.template.stack.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.template.node)} in account ${this.template.stack.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { role.addToPrincipalPolicy(new PolicyStatement({ actions: ['inspector:StartAssessmentRun'], resources: ['*'], diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-data-firehose-put-record.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-data-firehose-put-record.ts index 941d94f52c129..48e8a4467c57c 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-data-firehose-put-record.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-data-firehose-put-record.ts @@ -1,34 +1,23 @@ import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam'; import { CfnDeliveryStream } from 'aws-cdk-lib/aws-kinesisfirehose'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Use an Amazon Kinesis Data Firehose as a target for AWS EventBridge Scheduler. */ export class KinesisDataFirehosePutRecord extends ScheduleTargetBase implements IScheduleTarget { + private readonly deliveryStream: CfnDeliveryStream; + constructor( - private readonly deliveryStream: CfnDeliveryStream, - private readonly props: ScheduleTargetBaseProps = {}, + deliveryStream: CfnDeliveryStream, + props: ScheduleTargetBaseProps = {}, ) { super(props, deliveryStream.attrArn); + this.deliveryStream = deliveryStream; } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - if (!sameEnvDimension(this.deliveryStream.stack.region, schedule.env.region)) { - throw new Error(`Cannot assign the Firehose delivery stream in region ${this.deliveryStream.stack.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the Firehose delivery stream must be in the same region.`); - } - - if (!sameEnvDimension(this.deliveryStream.stack.account, schedule.env.account)) { - throw new Error(`Cannot assign the Firehose delivery stream in account ${this.deliveryStream.stack.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the Firehose delivery stream must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.deliveryStream.stack.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.deliveryStream.node)} in account ${this.deliveryStream.stack.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { role.addToPrincipalPolicy(new PolicyStatement({ actions: ['firehose:PutRecord'], resources: [this.deliveryStream.attrArn], diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts index 1e16d8726bad3..fb2108ba9e745 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts @@ -1,9 +1,7 @@ import { ISchedule, IScheduleTarget, ScheduleTargetConfig } from '@aws-cdk/aws-scheduler-alpha'; -import { Names, Token } from 'aws-cdk-lib'; import { IRole } from 'aws-cdk-lib/aws-iam'; import * as kinesis from 'aws-cdk-lib/aws-kinesis'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Properties for a Kinesis Data Streams Target @@ -28,25 +26,9 @@ export class KinesisStreamPutRecord extends ScheduleTargetBase implements ISched private readonly props: KinesisStreamPutRecordProps, ) { super(props, stream.streamArn); - - if (!Token.isUnresolved(props.partitionKey) && (props.partitionKey.length < 1 || props.partitionKey.length > 256)) { - throw new Error(`partitionKey length must be between 1 and 256, got ${props.partitionKey.length}`); - } } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - if (!sameEnvDimension(this.stream.env.region, schedule.env.region)) { - throw new Error(`Cannot assign stream in region ${this.stream.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the stream must be in the same region.`); - } - - if (!sameEnvDimension(this.stream.env.account, schedule.env.account)) { - throw new Error(`Cannot assign stream in account ${this.stream.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the stream must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.stream.env.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.stream.node)} in account ${this.stream.env.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { this.stream.grantWrite(role); } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts index 69c26048c701f..bbd986780b6bd 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts @@ -1,34 +1,23 @@ import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import { IRole } from 'aws-cdk-lib/aws-iam'; import * as lambda from 'aws-cdk-lib/aws-lambda'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Use an AWS Lambda function as a target for AWS EventBridge Scheduler. */ export class LambdaInvoke extends ScheduleTargetBase implements IScheduleTarget { + private readonly func: lambda.IFunction; + constructor( - private readonly func: lambda.IFunction, - private readonly props: ScheduleTargetBaseProps, + func: lambda.IFunction, + props: ScheduleTargetBaseProps, ) { super(props, func.functionArn); + this.func = func; } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - if (!sameEnvDimension(this.func.env.region, schedule.env.region)) { - throw new Error(`Cannot assign function in region ${this.func.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the function must be in the same region.`); - } - - if (!sameEnvDimension(this.func.env.account, schedule.env.account)) { - throw new Error(`Cannot assign function in account ${this.func.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the function must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.func.env.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.func.node)} in account ${this.func.env.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { this.func.grantInvoke(role); } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sage-maker-start-pipeline-execution.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sage-maker-start-pipeline-execution.ts index 94dc880ffd84e..040165a5fa9dc 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sage-maker-start-pipeline-execution.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sage-maker-start-pipeline-execution.ts @@ -1,9 +1,7 @@ import { ISchedule, IScheduleTarget, ScheduleTargetConfig } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import { IRole } from 'aws-cdk-lib/aws-iam'; import { IPipeline } from 'aws-cdk-lib/aws-sagemaker'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Properties for a pipeline parameter @@ -45,25 +43,9 @@ export class SageMakerStartPipelineExecution extends ScheduleTargetBase implemen private readonly props: SageMakerStartPipelineExecutionProps = {}, ) { super(props, pipeline.pipelineArn); - - if (props.pipelineParameterList !== undefined && props.pipelineParameterList.length > 200) { - throw new Error(`pipelineParameterList length must be between 0 and 200, got ${props.pipelineParameterList.length}`); - } } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - if (!sameEnvDimension(this.pipeline.stack.region, schedule.env.region)) { - throw new Error(`Cannot assign pipeline in region ${this.pipeline.stack.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the pipeline must be in the same region.`); - } - - if (!sameEnvDimension(this.pipeline.stack.account, schedule.env.account)) { - throw new Error(`Cannot assign pipeline in account ${this.pipeline.stack.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the pipeline must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.pipeline.stack.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.pipeline.node)} in account ${this.pipeline.stack.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { this.pipeline.grantStartPipelineExecution(role); } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sns-publish.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sns-publish.ts index 99ef54d2c0348..dd7c918d3e57b 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sns-publish.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sns-publish.ts @@ -1,37 +1,23 @@ import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import { IRole } from 'aws-cdk-lib/aws-iam'; import * as sns from 'aws-cdk-lib/aws-sns'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Use an Amazon SNS topic as a target for AWS EventBridge Scheduler. */ export class SnsPublish extends ScheduleTargetBase implements IScheduleTarget { + private readonly topic: sns.ITopic; + constructor( - private readonly topic: sns.ITopic, - private readonly props: ScheduleTargetBaseProps = {}, + topic: sns.ITopic, + props: ScheduleTargetBaseProps = {}, ) { super(props, topic.topicArn); + this.topic = topic; } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - // Check if target and schedule are in the region - if (!sameEnvDimension(this.topic.env.region, schedule.env.region)) { - throw new Error(`Cannot assign topic in region ${this.topic.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the topic must be in the same region.`); - } - - // Check if target and schedule are in the same account - if (!sameEnvDimension(this.topic.env.account, schedule.env.account)) { - throw new Error(`Cannot assign topic in account ${this.topic.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${role.env.account}. Both the schedule and the topic must be in the same account.`); - } - - // Check if target and role are in the same account - if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.topic.env.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to publish to target ${Names.nodeUniqueId(this.topic.node)} in account ${this.topic.env.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { this.topic.grantPublish(role); } } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts index a08eaf7e023b1..1d78d2350f0e7 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts @@ -1,9 +1,8 @@ import { ISchedule, IScheduleTarget, ScheduleTargetConfig } from '@aws-cdk/aws-scheduler-alpha'; -import { Names, Token } from 'aws-cdk-lib'; +import { Token } from 'aws-cdk-lib'; import { IRole } from 'aws-cdk-lib/aws-iam'; import * as sqs from 'aws-cdk-lib/aws-sqs'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Properties for a SQS Queue Target @@ -49,19 +48,7 @@ export class SqsSendMessage extends ScheduleTargetBase implements IScheduleTarge } } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - if (!sameEnvDimension(this.queue.env.region, schedule.env.region)) { - throw new Error(`Cannot assign queue in region ${this.queue.env.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the queue must be in the same region.`); - } - - if (!sameEnvDimension(this.queue.env.account, schedule.env.account)) { - throw new Error(`Cannot assign queue in account ${this.queue.env.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the queue must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.queue.env.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.queue.node)} in account ${this.queue.env.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { this.queue.grantSendMessages(role); } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/stepfunctions-start-execution.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/stepfunctions-start-execution.ts index f0ef37bf10b60..35ab67cd7d400 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/stepfunctions-start-execution.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/stepfunctions-start-execution.ts @@ -1,35 +1,23 @@ import { IScheduleTarget, ISchedule } from '@aws-cdk/aws-scheduler-alpha'; -import { Names } from 'aws-cdk-lib'; import { IRole } from 'aws-cdk-lib/aws-iam'; import { IStateMachine } from 'aws-cdk-lib/aws-stepfunctions'; import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target'; -import { sameEnvDimension } from './util'; /** * Use an AWS Step function as a target for AWS EventBridge Scheduler. */ export class StepFunctionsStartExecution extends ScheduleTargetBase implements IScheduleTarget { + private readonly stateMachine: IStateMachine; + constructor( - private readonly stateMachine: IStateMachine, - private readonly props: ScheduleTargetBaseProps, + stateMachine: IStateMachine, + props: ScheduleTargetBaseProps, ) { super(props, stateMachine.stateMachineArn); + this.stateMachine = stateMachine; } - protected addTargetActionToRole(schedule: ISchedule, role: IRole): void { - const stateMachineEnv = this.stateMachine.env; - if (!sameEnvDimension(stateMachineEnv.region, schedule.env.region)) { - throw new Error(`Cannot assign stateMachine in region ${stateMachineEnv.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the stateMachine must be in the same region.`); - } - - if (!sameEnvDimension(stateMachineEnv.account, schedule.env.account)) { - throw new Error(`Cannot assign stateMachine in account ${stateMachineEnv.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the stateMachine must be in the same account.`); - } - - if (this.props.role && !sameEnvDimension(this.props.role.env.account, stateMachineEnv.account)) { - throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.stateMachine.node)} in account ${stateMachineEnv.account}. Both the target and the execution role must be in the same account.`); - } - + protected addTargetActionToRole(_schedule: ISchedule, role: IRole): void { this.stateMachine.grantStartExecution(role); } }