
Commit 6bae7c3

committed
add policyStatements prop
1 parent 44e9f84 commit 6bae7c3

4 files changed

Lines changed: 27 additions & 130 deletions


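--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
@@ -342,17 +342,19 @@ The `service` must be in lowercase and the `action` must be in camelCase.
 
 By default, an IAM policy for the Scheduler is extracted from the API call.
 
-You can provide additional IAM policy statements to the Scheduler when
-other permissions are required for the action.
+You can control the IAM policy for the Scheduler by specifying the `policyStatements` property.
 
 ```ts
 new Schedule(this, 'Schedule', {
 schedule: ScheduleExpression.rate(Duration.minutes(60)),
 target: new targets.Universal({
 service: 'sqs',
 action: 'sendMessage',
-iamResources: ['arn:aws:sqs:us-east-1:123456789012:my_queue'],
-additionalPolicyStatements: [
+policyStatements: [
+new iam.PolicyStatement({
+actions: ['sqs:SendMessage'],
+resources: ['arn:aws:sqs:us-east-1:123456789012:my_queue'],
+}),
 new iam.PolicyStatement({
 actions: ['kms:Decrypt', 'kms:GenerateDataKey*'],
 resources: ['arn:aws:kms:us-east-1:123456789012:key/0987dcba-09fe-87dc-65ba-ab0987654321'],
@@ -361,18 +363,3 @@ new Schedule(this, 'Schedule', {
 }),
 });
 ```
-
-In cases where IAM action name differs from the API action name, you can provide the `iamAction` property
-to specify the IAM action name.
-
-```ts
-new Schedule(this, 'Schedule', {
-schedule: ScheduleExpression.rate(Duration.minutes(60)),
-target: new targets.Universal({
-service: 'lambda',
-action: 'invoke',
-iamResources: ['arn:aws:lambda:us-east-1:123456789012:function:my-function'],
-iamAction: 'lambda:InvokeFunction',
-}),
-});
-```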

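--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts
@@ -58,36 +58,13 @@ export interface UniversalTargetProps extends ScheduleTargetBaseProps {
 readonly action: string;
 
 /**
-* The resources for the IAM policy statement that will be added to the scheduler role's policy
-* to allow the scheduler to make the API call.
-*/
-readonly iamResources: string[];
-
-/**
-* The action for the IAM policy statement that will be added to the scheduler role's policy
-* to allow the scheduler to make the API call.
-*
-* Use this in cases where the IAM action name does not match the
-* API service/action name, e.g., `lambda:invoke` requires `lambda:InvokeFunction` permission.
-*
-* @default - service:action
-*/
-readonly iamAction?: string;
-
-/**
-* The conditions for the IAM policy statement that will be added to the scheduler role's policy
-* to allow the scheduler to make the API call.
+* The IAM policy statements needed to invoke the target. These statements are attached to the Scheduler's role.
 *
-* @default - no conditions
-*/
-readonly iamConditions?: { [key: string]: any };
-
-/**
-* Additional IAM policy statements that will be added to the scheduler role's policy.
+* Note that the default may not be the correct actions as not all AWS services follows the same IAM action pattern, or there may be more actions needed to invoke the target.
 *
-* @default - no additional policy statements
+* @default - Policy with `service:action` action only.
 */
-readonly additionalPolicyStatements?: PolicyStatement[];
+readonly policyStatements?: PolicyStatement[];
 }
 
 /**
@@ -117,14 +94,16 @@ export class Universal extends ScheduleTargetBase implements IScheduleTarget {
 }
 
 protected addTargetActionToRole(role: IRole): void {
-role.addToPrincipalPolicy(new PolicyStatement({
-actions: [this.props.iamAction ?? awsSdkToIamAction(this.props.service, this.props.action)],
-resources: this.props.iamResources,
-conditions: this.props.iamConditions,
-}));
+if (!this.props.policyStatements?.length) {
+role.addToPrincipalPolicy(new PolicyStatement({
+actions: [awsSdkToIamAction(this.props.service, this.props.action)],
+resources: ['*'],
+}));
+return;
+}
 
-for (const policyStatement of this.props.additionalPolicyStatements ?? []) {
-role.addToPrincipalPolicy(policyStatement);
+for (const statement of this.props.policyStatements) {
+role.addToPrincipalPolicy(statement);
 }
 }
 }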

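--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.universal.ts
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.universal.ts
@@ -11,7 +11,6 @@ new schedule.Schedule(stack, 'Schedule', {
 target: new Universal({
 service: 'sqs',
 action: 'createQueue',
-iamResources: ['*'],
 input: schedule.ScheduleTargetInput.fromObject({
 QueueName: 'aws-scheduler-targets-create-queue',
 }),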

packages/@aws-cdk/aws-scheduler-targets-alpha/test/universal.test.ts

Lines changed: 8 additions & 76 deletions
@@ -21,7 +21,6 @@ describe('Universal schedule target', () => {
2121
const target = new Universal({
2222
service: 'sqs',
2323
action: 'createQueue',
24-
iamResources: ['*'],
2524
input: scheduler.ScheduleTargetInput.fromObject({
2625
QueueName: 'my-queue',
2726
}),
@@ -116,7 +115,6 @@ describe('Universal schedule target', () => {
116115
const target = new Universal({
117116
service: 'sqs',
118117
action: 'createQueue',
119-
iamResources: ['*'],
120118
input: scheduler.ScheduleTargetInput.fromObject({
121119
QueueName: 'my-queue',
122120
}),
@@ -176,7 +174,6 @@ describe('Universal schedule target', () => {
176174
const target = new Universal({
177175
service: 'sqs',
178176
action: 'createQueue',
179-
iamResources: ['*'],
180177
input: scheduler.ScheduleTargetInput.fromObject({
181178
QueueName: 'my-queue',
182179
}),
@@ -250,7 +247,6 @@ describe('Universal schedule target', () => {
250247
const target = new Universal({
251248
service: 'sqs',
252249
action: 'createQueue',
253-
iamResources: ['*'],
254250
input: scheduler.ScheduleTargetInput.fromObject({
255251
QueueName: 'my-queue',
256252
}),
@@ -348,7 +344,6 @@ describe('Universal schedule target', () => {
348344
const target = new Universal({
349345
service: 'sqs',
350346
action: 'createQueue',
351-
iamResources: ['*'],
352347
input: scheduler.ScheduleTargetInput.fromObject({
353348
QueueName: 'my-queue',
354349
}),
@@ -403,7 +398,6 @@ describe('Universal schedule target', () => {
403398
const target = new Universal({
404399
service: 'sqs',
405400
action: 'createQueue',
406-
iamResources: ['*'],
407401
input: scheduler.ScheduleTargetInput.fromObject({
408402
QueueName: 'my-queue',
409403
}),
@@ -444,7 +438,6 @@ describe('Universal schedule target', () => {
444438
const target = new Universal({
445439
service: 'sqs',
446440
action: 'createQueue',
447-
iamResources: ['*'],
448441
input: scheduler.ScheduleTargetInput.fromObject({
449442
QueueName: 'my-queue',
450443
}),
@@ -480,7 +473,6 @@ describe('Universal schedule target', () => {
480473
const target = new Universal({
481474
service: 'sqs',
482475
action: 'createQueue',
483-
iamResources: ['*'],
484476
input: scheduler.ScheduleTargetInput.fromObject({
485477
QueueName: 'my-queue',
486478
}),
@@ -526,7 +518,6 @@ describe('Universal schedule target', () => {
526518
const target = new Universal({
527519
service: 'sqs',
528520
action: 'createQueue',
529-
iamResources: ['*'],
530521
input: scheduler.ScheduleTargetInput.fromObject({
531522
QueueName: 'my-queue',
532523
}),
@@ -544,7 +535,6 @@ describe('Universal schedule target', () => {
544535
const target = new Universal({
545536
service: 'sqs',
546537
action: 'createQueue',
547-
iamResources: ['*'],
548538
input: scheduler.ScheduleTargetInput.fromObject({
549539
QueueName: 'my-queue',
550540
}),
@@ -562,7 +552,6 @@ describe('Universal schedule target', () => {
562552
const target = new Universal({
563553
service: 'sqs',
564554
action: 'createQueue',
565-
iamResources: ['*'],
566555
input: scheduler.ScheduleTargetInput.fromObject({
567556
QueueName: 'my-queue',
568557
}),
@@ -581,7 +570,6 @@ describe('Universal schedule target', () => {
581570
new Universal({
582571
service: 'SQS',
583572
action: 'createQueue',
584-
iamResources: ['*'],
585573
input: scheduler.ScheduleTargetInput.fromObject({
586574
QueueName: 'my-queue',
587575
}),
@@ -594,7 +582,6 @@ describe('Universal schedule target', () => {
594582
new Universal({
595583
service: 'sqs',
596584
action: 'CreateQueue',
597-
iamResources: ['*'],
598585
input: scheduler.ScheduleTargetInput.fromObject({
599586
QueueName: 'my-queue',
600587
}),
@@ -607,80 +594,25 @@ describe('Universal schedule target', () => {
607594
new Universal({
608595
service: 'sqs',
609596
action: 'getQueueUrl',
610-
iamResources: ['*'],
611597
input: scheduler.ScheduleTargetInput.fromObject({
612598
QueueName: 'my-queue',
613599
}),
614600
retryAttempts: 200,
615601
})).toThrow(/Read-only API action is not supported by EventBridge Scheduler: sqs:getQueueUrl/);
616602
});
617603

618-
test('specify iamAction and iamConditions', () => {
619-
const target = new Universal({
620-
service: 'lambda',
621-
action: 'invoke',
622-
iamResources: ['arn:aws:lambda:us-east-1:123456789012:function:my-function'],
623-
iamAction: 'lambda:InvokeFunction',
624-
iamConditions: {
625-
StringEquals: {
626-
'aws:Test': 'Test',
627-
},
628-
},
629-
});
630-
631-
new scheduler.Schedule(stack, 'Schedule', {
632-
schedule: scheduleExpression,
633-
target,
634-
});
635-
636-
const template = Template.fromStack(stack);
637-
638-
template.hasResource('AWS::Scheduler::Schedule', {
639-
Properties: {
640-
Target: {
641-
Arn: {
642-
'Fn::Join': [
643-
'',
644-
[
645-
'arn:',
646-
{
647-
Ref: 'AWS::Partition',
648-
},
649-
':scheduler:::aws-sdk:lambda:invoke',
650-
],
651-
],
652-
},
653-
},
654-
},
655-
});
656-
657-
template.hasResourceProperties('AWS::IAM::Policy', {
658-
PolicyDocument: {
659-
Statement: [
660-
{
661-
Action: 'lambda:InvokeFunction',
662-
Effect: 'Allow',
663-
Resource: 'arn:aws:lambda:us-east-1:123456789012:function:my-function',
664-
Condition: {
665-
StringEquals: {
666-
'aws:Test': 'Test',
667-
},
668-
},
669-
},
670-
],
671-
},
672-
});
673-
});
674-
675-
test('specify additionalPolicyStatements', () => {
604+
test('specify policyStatements', () => {
676605
const target = new Universal({
677606
service: 'sqs',
678607
action: 'sendMessage',
679-
iamResources: ['arn:aws:sqs:us-east-1:123456789012:my_queue'],
680-
additionalPolicyStatements: [
608+
policyStatements: [
609+
new iam.PolicyStatement({
610+
actions: ['sqs:SendMessage'],
611+
resources: ['arn:aws:sqs:us-east-1:123456789012:my_queue'],
612+
}),
681613
new iam.PolicyStatement({
682614
actions: ['kms:Decrypt', 'kms:GenerateDataKey*'],
683-
resources: ['arn:aws:kms:us-west-1:123456789012:key/0987dcba-09fe-87dc-65ba-ab0987654321'],
615+
resources: ['arn:aws:kms:us-east-1:123456789012:key/0987dcba-09fe-87dc-65ba-ab0987654321'],
684616
}),
685617
],
686618
});
@@ -722,7 +654,7 @@ describe('Universal schedule target', () => {
722654
{
723655
Action: ['kms:Decrypt', 'kms:GenerateDataKey*'],
724656
Effect: 'Allow',
725-
Resource: 'arn:aws:kms:us-west-1:123456789012:key/0987dcba-09fe-87dc-65ba-ab0987654321',
657+
Resource: 'arn:aws:kms:us-east-1:123456789012:key/0987dcba-09fe-87dc-65ba-ab0987654321',
726658
},
727659
],
728660
},
