From e11352439196caf0cc94dfc78ea9410cbfd2de6d Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Fri, 12 Apr 2024 19:38:02 +0100 Subject: [PATCH 01/18] Add reource polices to DynamoDB Table #29600 --- .../test/integ.dynamodb.policy.ts | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts new file mode 100644 index 0000000000000..4cba5ec7ffae6 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts @@ -0,0 +1,47 @@ +import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib'; +import { Construct } from 'constructs'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; +import * as iam from 'aws-cdk-lib/aws-iam'; + +const app = new App(); + +class TestStack extends Stack { + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + // table with resource policy + new dynamodb.Table(this, 'TableTest1', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + resourcePolicy: iam.PolicyDocument.fromJson({ + Statement: [ + { + Action: 'dynamodb:*', + Effect: 'Allow', + Principal: { + AWS: '123456789101', + }, + Resource: '*', + }, + ], + Version: '2012-10-17', + }), + }); + + // table without resource policy + new dynamodb.Table(this, 'TableTest2', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + }); + } +} + +new TestStack(app, 'ResourcePolicyTest'); + +app.synth(); \ No newline at end of file From 7915c7ee620ecdeae5fc91007f39824446f1e997 Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Sat, 13 Apr 2024 00:05:27 +0100 Subject: [PATCH 02/18] Add resource polices to DynamoDB Table #29600 --- packages/aws-cdk-lib/aws-dynamodb/lib/table.ts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index 270ab71b06cf0..fd805ee20f6cc 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -370,6 +370,13 @@ export interface TableOptions extends SchemaOptions { * @default - no data import from the S3 bucket */ readonly importSource?: ImportSourceSpecification; + + /** + * Resource policy to assign to DynamoDB Table. + * + * @default - No resource policy statements are added to the created table. + */ + readonly resourcePolicy?: iam.PolicyDocument; } /** @@ -1095,6 +1102,7 @@ export class Table extends TableBase { kinesisStreamSpecification: props.kinesisStream ? { streamArn: props.kinesisStream.streamArn } : undefined, deletionProtectionEnabled: props.deletionProtection, importSourceSpecification: this.renderImportSourceSpecification(props.importSource), + resourcePolicy: props.resourcePolicy? { policyDocument: props.resourcePolicy } : undefined, }); this.table.applyRemovalPolicy(props.removalPolicy); From 7ceb46f43a70a5a3d994ba354b30ed29f941400b Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Tue, 7 May 2024 11:45:06 +0100 Subject: [PATCH 03/18] add grants, not yet working --- .../test/integ.dynamodb-v2.policy.ts | 50 ++++ .../integ.dynamodb.policy.js.snapshot/cdk.out | 1 + .../integ.json | 22 ++ .../manifest.json | 119 +++++++++ .../resource-policy-stack.assets.json | 19 ++ .../resource-policy-stack.template.json | 114 +++++++++ ...efaultTestDeployAssert9778837B.assets.json | 19 ++ ...aultTestDeployAssert9778837B.template.json | 36 +++ .../tree.json | 225 ++++++++++++++++++ .../test/integ.dynamodb.policy.ts | 54 +++-- 10 files changed, 638 insertions(+), 21 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts new file mode 100644 index 0000000000000..899fff122af03 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts @@ -0,0 +1,50 @@ +import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib'; +import { Construct } from 'constructs'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; +import * as iam from 'aws-cdk-lib/aws-iam'; + +const app = new App(); + +class TestStack extends Stack { + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + // table with resource policy + new dynamodb.TableV2(this, 'TableTestV2-1', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + replicas: [{ + region: 'eu-west-2', + resourcePolicy: iam.PolicyDocument.fromJson({ + Statement: [ + { + Action: 'dynamodb:*', + Effect: 'Allow', + Principal: { + AWS: '123456789101', + }, + Resource: '*', + }, + ], + Version: '2012-10-17', + }), + }], + }); + + // table without resource policy + // new dynamodb.Table(this, 'TableTest2', { + // partitionKey: { + // name: 'id', + // type: dynamodb.AttributeType.STRING, + // }, + // removalPolicy: RemovalPolicy.DESTROY, + // }); + } +} + +new TestStack(app, 'ResourcePolicyTest', { env: { region: 'eu-west-1' } }); + +app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/integ.json new file mode 100644 index 0000000000000..61d445eeb6f54 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/integ.json @@ -0,0 +1,22 @@ +{ + "version": "36.0.0", + "testCases": { + "resource-policy-integ-test/DefaultTest": { + "stacks": [ + "resource-policy-stack" + ], + "regions": [ + "us-east-1" + ], + "cdkCommandOptions": { + "deploy": { + "args": { + "rollback": true + } + } + }, + "assertionStack": "resource-policy-integ-test/DefaultTest/DeployAssert", + "assertionStackName": "resourcepolicyintegtestDefaultTestDeployAssert9778837B" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json new file mode 100644 index 0000000000000..3bbf6c4373499 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json @@ -0,0 +1,119 @@ +{ + "version": "36.0.0", + "artifacts": { + "resource-policy-stack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "resource-policy-stack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "resource-policy-stack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "resource-policy-stack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/97f3cb49b4a5d87dae23c00326add5504a8b2269cb75c78ed04c196c9a605809.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "resource-policy-stack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "resource-policy-stack.assets" + ], + "metadata": { + "/resource-policy-stack/TableTest1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TableTest143E55AA2" + } + ], + "/resource-policy-stack/TableTest2/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TableTest21D137FC9" + } + ], + "/resource-policy-stack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/resource-policy-stack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "resource-policy-stack" + }, + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "resourcepolicyintegtestDefaultTestDeployAssert9778837B": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets" + ], + "metadata": { + "/resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "resource-policy-integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json new file mode 100644 index 0000000000000..41618f6afaf69 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "97f3cb49b4a5d87dae23c00326add5504a8b2269cb75c78ed04c196c9a605809": { + "source": { + "path": "resource-policy-stack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "97f3cb49b4a5d87dae23c00326add5504a8b2269cb75c78ed04c196c9a605809.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json new file mode 100644 index 0000000000000..67c7fbcc3ad20 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json @@ -0,0 +1,114 @@ +{ + "Resources": { + "TableTest143E55AA2": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "ProvisionedThroughput": { + "ReadCapacityUnits": 5, + "WriteCapacityUnits": 5 + }, + "ResourcePolicy": { + "PolicyDocument": { + "Statement": [ + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "TableTest21D137FC9": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "ProvisionedThroughput": { + "ReadCapacityUnits": 5, + "WriteCapacityUnits": 5 + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json new file mode 100644 index 0000000000000..0861153b87513 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json new file mode 100644 index 0000000000000..e1f736786033e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json @@ -0,0 +1,225 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "resource-policy-stack": { + "id": "resource-policy-stack", + "path": "resource-policy-stack", + "children": { + "TableTest1": { + "id": "TableTest1", + "path": "resource-policy-stack/TableTest1", + "children": { + "Resource": { + "id": "Resource", + "path": "resource-policy-stack/TableTest1/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::DynamoDB::Table", + "aws:cdk:cloudformation:props": { + "attributeDefinitions": [ + { + "attributeName": "id", + "attributeType": "S" + } + ], + "keySchema": [ + { + "attributeName": "id", + "keyType": "HASH" + } + ], + "provisionedThroughput": { + "readCapacityUnits": 5, + "writeCapacityUnits": 5 + }, + "resourcePolicy": { + "policyDocument": { + "Statement": [ + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.CfnTable", + "version": "0.0.0" + } + }, + "ScalingRole": { + "id": "ScalingRole", + "path": "resource-policy-stack/TableTest1/ScalingRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "TableTest2": { + "id": "TableTest2", + "path": "resource-policy-stack/TableTest2", + "children": { + "Resource": { + "id": "Resource", + "path": "resource-policy-stack/TableTest2/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::DynamoDB::Table", + "aws:cdk:cloudformation:props": { + "attributeDefinitions": [ + { + "attributeName": "id", + "attributeType": "S" + } + ], + "keySchema": [ + { + "attributeName": "id", + "keyType": "HASH" + } + ], + "provisionedThroughput": { + "readCapacityUnits": 5, + "writeCapacityUnits": 5 + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.CfnTable", + "version": "0.0.0" + } + }, + "ScalingRole": { + "id": "ScalingRole", + "path": "resource-policy-stack/TableTest2/ScalingRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "resource-policy-stack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "resource-policy-stack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "resource-policy-integ-test": { + "id": "resource-policy-integ-test", + "path": "resource-policy-integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "resource-policy-integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "resource-policy-integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts index 4cba5ec7ffae6..a303b41cf9727 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts @@ -2,46 +2,58 @@ import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib'; import { Construct } from 'constructs'; import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; import * as iam from 'aws-cdk-lib/aws-iam'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; -const app = new App(); +export class TestStack extends Stack { + + readonly table: dynamodb.Table; + readonly tableTwo: dynamodb.Table; -class TestStack extends Stack { constructor(scope: Construct, id: string, props?: StackProps) { super(scope, id, props); - // table with resource policy - new dynamodb.Table(this, 'TableTest1', { + const doc = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:*'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], + }); + + this.table = new dynamodb.Table(this, 'TableTest1', { partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING, }, removalPolicy: RemovalPolicy.DESTROY, - resourcePolicy: iam.PolicyDocument.fromJson({ - Statement: [ - { - Action: 'dynamodb:*', - Effect: 'Allow', - Principal: { - AWS: '123456789101', - }, - Resource: '*', - }, - ], - Version: '2012-10-17', - }), + resourcePolicy: doc, }); - // table without resource policy - new dynamodb.Table(this, 'TableTest2', { + this.tableTwo = new dynamodb.Table(this, 'TableTest2', { partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING, }, removalPolicy: RemovalPolicy.DESTROY, }); + + this.tableTwo.grant(new iam.AccountPrincipal('123456789012')); } } -new TestStack(app, 'ResourcePolicyTest'); +const app = new App(); +const stack = new TestStack(app, 'resource-policy-stack', {}); -app.synth(); \ No newline at end of file +new IntegTest(app, 'resource-policy-integ-test', { + testCases: [stack], + regions: ['us-east-1'], + cdkCommandOptions: { + deploy: { + args: { + rollback: true, + }, + }, + }, +}); From c0ff7ca698d9a278c2c85a5173a82ef9441bc5db Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Tue, 7 May 2024 11:47:11 +0100 Subject: [PATCH 04/18] add grants, not yet working --- .../aws-cdk-lib/aws-dynamodb/lib/shared.ts | 7 +++ .../aws-cdk-lib/aws-dynamodb/lib/table-v2.ts | 18 ++++++++ .../aws-cdk-lib/aws-dynamodb/lib/table.ts | 43 +++++++++++++++---- 3 files changed, 59 insertions(+), 9 deletions(-) diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts index 1955ef7fccd35..26ba101e700f5 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts @@ -281,6 +281,13 @@ export interface ITable extends IResource { */ readonly encryptionKey?: kms.IKey; + /** + * Resource policy to assign to DynamoDB Table. + * + * @default - No resource policy statements are added to the created table. + */ + readonly resourcePolicy?: iam.PolicyDocument; + /** * Adds an IAM policy statement associated with this table to an IAM * principal's policy. diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts index 5fc1532d6b922..fc4775366a343 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts @@ -9,6 +9,7 @@ import { SecondaryIndexProps, BillingMode, ProjectionType, } from './shared'; import { TableBaseV2, ITableV2 } from './table-v2-base'; +import { PolicyDocument } from '../../aws-iam'; import { IStream } from '../../aws-kinesis'; import { IKey, Key } from '../../aws-kms'; import { ArnFormat, CfnTag, Lazy, PhysicalName, RemovalPolicy, Stack, Token } from '../../core'; @@ -121,6 +122,13 @@ export interface TableOptionsV2 { * @default - no tags */ readonly tags?: CfnTag[]; + + /** + * Resource policy to assign to DynamoDB Table. + * + * @default - No resource policy statements are added to the created table. + */ + readonly resourcePolicy?: PolicyDocument; } /** @@ -147,6 +155,13 @@ export interface ReplicaTableProps extends TableOptionsV2 { * @default - inherited from the primary table */ readonly globalSecondaryIndexOptions?: { [indexName: string]: ReplicaGlobalSecondaryIndexOptions }; + + /** + * Resource policy to assign to DynamoDB Table. + * + * @default - No resource policy statements are added to the created table. + */ + readonly resourcePolicy?: PolicyDocument; } /** @@ -620,6 +635,9 @@ export class TableV2 extends TableBaseV2 { ? props.readCapacity._renderReadCapacity() : this.readProvisioning, tags: props.tags, + resourcePolicy: props.resourcePolicy + ? { policyDocument: props.resourcePolicy } + : undefined, }; } diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index fd805ee20f6cc..0bbe03c5c2461 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -21,6 +21,7 @@ import { Aws, CfnCondition, CfnCustomResource, CfnResource, Duration, Fn, Lazy, Names, RemovalPolicy, Stack, Token, CustomResource, } from '../../core'; +import { Grant, IResourceWithPolicy } from '../../aws-iam'; const HASH_KEY_TYPE = 'HASH'; const RANGE_KEY_TYPE = 'RANGE'; @@ -372,7 +373,7 @@ export interface TableOptions extends SchemaOptions { readonly importSource?: ImportSourceSpecification; /** - * Resource policy to assign to DynamoDB Table. + * Resource policy to assign to table. * * @default - No resource policy statements are added to the created table. */ @@ -486,7 +487,7 @@ export interface TableAttributes { readonly grantIndexPermissions?: boolean; } -export abstract class TableBase extends Resource implements ITable { +export abstract class TableBase extends Resource implements ITable, IResourceWithPolicy { /** * @attribute */ @@ -507,6 +508,11 @@ export abstract class TableBase extends Resource implements ITable { */ public abstract readonly encryptionKey?: kms.IKey; + /** + * @attribute + */ + public abstract resourcePolicy?: iam.PolicyDocument; + protected readonly regionalArns = new Array(); /** @@ -520,7 +526,7 @@ export abstract class TableBase extends Resource implements ITable { * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...) */ public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant { - return iam.Grant.addToPrincipal({ + return iam.Grant.addToPrincipalOrResource({ grantee, actions, resourceArns: [ @@ -531,10 +537,9 @@ export abstract class TableBase extends Resource implements ITable { produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE, })), ], - scope: this, + resource: this, }); } - /** * Adds an IAM policy statement associated with this table's stream to an * IAM principal's policy. @@ -648,6 +653,23 @@ export abstract class TableBase extends Resource implements ITable { return this.combinedGrant(grantee, { keyActions, tableActions: ['dynamodb:*'] }); } + /** + * Adds a statement to the resource policy associated with this file system. + * A resource policy will be automatically created upon the first call to `addToResourcePolicy`. + * + * Note that this does not work with imported file systems. + * + * @param statement The policy statement to add + */ + public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult { + this.resourcePolicy = this.resourcePolicy ?? new iam.PolicyDocument({ statements: [] }); + this.resourcePolicy.addStatements(statement); + return { + statementAdded: true, + policyDependable: this, + }; + } + /** * Return the given named metric for this Table * @@ -898,11 +920,11 @@ export abstract class TableBase extends Resource implements ITable { produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE, })), ]; - const ret = iam.Grant.addToPrincipal({ + const ret = Grant.addToPrincipalOrResource({ grantee, actions: opts.tableActions, resourceArns: resources, - scope: this, + resource: this, }); return ret; } @@ -911,11 +933,11 @@ export abstract class TableBase extends Resource implements ITable { throw new Error(`DynamoDB Streams must be enabled on the table ${this.node.path}`); } const resources = [this.tableStreamArn]; - const ret = iam.Grant.addToPrincipal({ + const ret = Grant.addToPrincipalOrResource({ grantee, actions: opts.streamActions, resourceArns: resources, - scope: this, + resource: this, }); return ret; } @@ -986,6 +1008,7 @@ export class Table extends TableBase { public readonly tableArn: string; public readonly tableStreamArn?: string; public readonly encryptionKey?: kms.IKey; + public resourcePolicy?: iam.PolicyDocument | undefined; protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) || (attrs.globalIndexes ?? []).length > 0 || (attrs.localIndexes ?? []).length > 0; @@ -1024,6 +1047,8 @@ export class Table extends TableBase { public readonly encryptionKey?: kms.IKey; + public resourcePolicy?: iam.PolicyDocument | undefined; + /** * @attribute */ From aaf694c857167c845669d50b5eba5de88b9d9b47 Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Tue, 7 May 2024 14:17:17 +0100 Subject: [PATCH 05/18] Fix to table-v2.policy integ test --- .../ResourcePolicyTest-v2.assets.json | 20 +++ .../ResourcePolicyTest-v2.template.json | 63 ++++++++ .../cdk.out | 1 + .../integ.json | 22 +++ .../manifest.json | 113 ++++++++++++++ ...efaultTestDeployAssertBE3353C7.assets.json | 19 +++ ...aultTestDeployAssertBE3353C7.template.json | 36 +++++ .../tree.json | 142 ++++++++++++++++++ .../test/integ.dynamodb-v2.policy.ts | 51 +++---- 9 files changed, 440 insertions(+), 27 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json new file mode 100644 index 0000000000000..998c1d6104ff9 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json @@ -0,0 +1,20 @@ +{ + "version": "36.0.0", + "files": { + "33530261a513e2b3828d626443f0275c4f33c8b82df7561f84639b039985db87": { + "source": { + "path": "ResourcePolicyTest-v2.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-eu-west-1": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1", + "objectKey": "33530261a513e2b3828d626443f0275c4f33c8b82df7561f84639b039985db87.json", + "region": "eu-west-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-eu-west-1" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json new file mode 100644 index 0000000000000..0405f9d8838b3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json @@ -0,0 +1,63 @@ +{ + "Resources": { + "TableTestV215EEA02B7": { + "Type": "AWS::DynamoDB::GlobalTable", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "BillingMode": "PAY_PER_REQUEST", + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "Replicas": [ + { + "Region": "eu-west-1" + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/integ.json new file mode 100644 index 0000000000000..32e11a1d2250a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/integ.json @@ -0,0 +1,22 @@ +{ + "version": "36.0.0", + "testCases": { + "table-v2-resource-policy-integ-test/DefaultTest": { + "stacks": [ + "ResourcePolicyTest-v2" + ], + "regions": [ + "us-east-1" + ], + "cdkCommandOptions": { + "deploy": { + "args": { + "rollback": true + } + } + }, + "assertionStack": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert", + "assertionStackName": "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json new file mode 100644 index 0000000000000..502ce6af9ccd8 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json @@ -0,0 +1,113 @@ +{ + "version": "36.0.0", + "artifacts": { + "ResourcePolicyTest-v2.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "ResourcePolicyTest-v2.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "ResourcePolicyTest-v2": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/eu-west-1", + "properties": { + "templateFile": "ResourcePolicyTest-v2.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-eu-west-1", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-eu-west-1", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1/33530261a513e2b3828d626443f0275c4f33c8b82df7561f84639b039985db87.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "ResourcePolicyTest-v2.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-eu-west-1", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "ResourcePolicyTest-v2.assets" + ], + "metadata": { + "/ResourcePolicyTest-v2/TableTestV2-1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TableTestV215EEA02B7" + } + ], + "/ResourcePolicyTest-v2/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/ResourcePolicyTest-v2/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "ResourcePolicyTest-v2" + }, + "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets" + ], + "metadata": { + "/table-v2-resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/table-v2-resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json new file mode 100644 index 0000000000000..8b15846a49e27 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tablev2resourcepolicyintegtestDefaultTestDeployAssertBE3353C7.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json new file mode 100644 index 0000000000000..dfeca2ee34db4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json @@ -0,0 +1,142 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "ResourcePolicyTest-v2": { + "id": "ResourcePolicyTest-v2", + "path": "ResourcePolicyTest-v2", + "children": { + "TableTestV2-1": { + "id": "TableTestV2-1", + "path": "ResourcePolicyTest-v2/TableTestV2-1", + "children": { + "Resource": { + "id": "Resource", + "path": "ResourcePolicyTest-v2/TableTestV2-1/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::DynamoDB::GlobalTable", + "aws:cdk:cloudformation:props": { + "attributeDefinitions": [ + { + "attributeName": "id", + "attributeType": "S" + } + ], + "billingMode": "PAY_PER_REQUEST", + "keySchema": [ + { + "attributeName": "id", + "keyType": "HASH" + } + ], + "replicas": [ + { + "region": "eu-west-1" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.CfnGlobalTable", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.TableV2", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "ResourcePolicyTest-v2/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "ResourcePolicyTest-v2/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "table-v2-resource-policy-integ-test": { + "id": "table-v2-resource-policy-integ-test", + "path": "table-v2-resource-policy-integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "table-v2-resource-policy-integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "table-v2-resource-policy-integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "table-v2-resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts index 899fff122af03..70f58baa4edf3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts @@ -2,6 +2,7 @@ import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib'; import { Construct } from 'constructs'; import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; import * as iam from 'aws-cdk-lib/aws-iam'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; const app = new App(); @@ -9,6 +10,16 @@ class TestStack extends Stack { constructor(scope: Construct, id: string, props?: StackProps) { super(scope, id, props); + const docu = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:*'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], + }); + // table with resource policy new dynamodb.TableV2(this, 'TableTestV2-1', { partitionKey: { @@ -16,35 +27,21 @@ class TestStack extends Stack { type: dynamodb.AttributeType.STRING, }, removalPolicy: RemovalPolicy.DESTROY, - replicas: [{ - region: 'eu-west-2', - resourcePolicy: iam.PolicyDocument.fromJson({ - Statement: [ - { - Action: 'dynamodb:*', - Effect: 'Allow', - Principal: { - AWS: '123456789101', - }, - Resource: '*', - }, - ], - Version: '2012-10-17', - }), - }], + resourcePolicy: docu, }); - - // table without resource policy - // new dynamodb.Table(this, 'TableTest2', { - // partitionKey: { - // name: 'id', - // type: dynamodb.AttributeType.STRING, - // }, - // removalPolicy: RemovalPolicy.DESTROY, - // }); } } -new TestStack(app, 'ResourcePolicyTest', { env: { region: 'eu-west-1' } }); +const stack = new TestStack(app, 'ResourcePolicyTest-v2', { env: { region: 'eu-west-1' } }); -app.synth(); \ No newline at end of file +new IntegTest(app, 'table-v2-resource-policy-integ-test', { + testCases: [stack], + regions: ['us-east-1'], + cdkCommandOptions: { + deploy: { + args: { + rollback: true, + }, + }, + }, +}); \ No newline at end of file From 7399e9f22228133ff7ffb5a13124ba6a62786569 Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Tue, 7 May 2024 21:44:51 +0100 Subject: [PATCH 06/18] grant() not working as expected --- .../test/aws-dynamodb/test/integ.dynamodb.policy.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts index a303b41cf9727..e103de80e95f1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts @@ -33,13 +33,14 @@ export class TestStack extends Stack { this.tableTwo = new dynamodb.Table(this, 'TableTest2', { partitionKey: { - name: 'id', + name: 'PK', type: dynamodb.AttributeType.STRING, }, removalPolicy: RemovalPolicy.DESTROY, }); - this.tableTwo.grant(new iam.AccountPrincipal('123456789012')); + // const permissions: string[] = ['dynamodb:GetItem', 'dynamodb:UpdateItem']; + this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012')); } } From ebf50ed9a278203cd37dde5dc5a52a56cbba9f49 Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Mon, 13 May 2024 15:58:19 +0100 Subject: [PATCH 07/18] Resource policy for TableV2 implemented --- .../aws-cdk-lib/aws-dynamodb/lib/shared.ts | 12 +++--- .../aws-dynamodb/lib/table-v2-base.ts | 31 ++++++++++++-- .../aws-cdk-lib/aws-dynamodb/lib/table-v2.ts | 23 ++++++----- .../aws-cdk-lib/aws-dynamodb/lib/table.ts | 11 +++-- .../aws-dynamodb/test/dynamodb.test.ts | 41 +++++++++++++++++++ 5 files changed, 91 insertions(+), 27 deletions(-) diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts index 26ba101e700f5..e0a337408b658 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts @@ -281,12 +281,12 @@ export interface ITable extends IResource { */ readonly encryptionKey?: kms.IKey; - /** - * Resource policy to assign to DynamoDB Table. - * - * @default - No resource policy statements are added to the created table. - */ - readonly resourcePolicy?: iam.PolicyDocument; + // /** + // * Resource policy to assign to DynamoDB Table. + // * + // * @default - No resource policy statements are added to the created table. + // */ + // readonly resourcePolicy?: iam.PolicyDocument; /** * Adds an IAM policy statement associated with this table to an IAM diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts index 168302320077e..e35ab431741f5 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts @@ -2,7 +2,7 @@ import { DynamoDBMetrics } from './dynamodb-canned-metrics.generated'; import * as perms from './perms'; import { Operation, SystemErrorsForOperationsMetricOptions, OperationsMetricOptions, ITable } from './shared'; import { IMetric, MathExpression, Metric, MetricOptions, MetricProps } from '../../aws-cloudwatch'; -import { Grant, IGrantable } from '../../aws-iam'; +import { AddToResourcePolicyResult, Grant, IGrantable, IResourceWithPolicy, PolicyDocument, PolicyStatement } from '../../aws-iam'; import { IKey } from '../../aws-kms'; import { Resource } from '../../core'; @@ -21,7 +21,7 @@ export interface ITableV2 extends ITable { /** * Base class for a DynamoDB table. */ -export abstract class TableBaseV2 extends Resource implements ITableV2 { +export abstract class TableBaseV2 extends Resource implements ITableV2, IResourceWithPolicy { /** * The ARN of the table. * @@ -55,6 +55,11 @@ export abstract class TableBaseV2 extends Resource implements ITableV2 { */ public abstract readonly encryptionKey?: IKey; + /** + * The resource policy for the table + */ + public abstract resourcePolicy?: PolicyDocument; + protected abstract readonly region: string; protected abstract get hasIndex(): boolean; @@ -426,11 +431,11 @@ export abstract class TableBaseV2 extends Resource implements ITableV2 { if (options.tableActions) { const resourceArns = [this.tableArn]; this.hasIndex && resourceArns.push(`${this.tableArn}/index/*`); - return Grant.addToPrincipal({ + return Grant.addToPrincipalOrResource({ grantee, actions: options.tableActions, resourceArns, - scope: this, + resource: this, }); } @@ -457,4 +462,22 @@ export abstract class TableBaseV2 extends Resource implements ITableV2 { account: props?.account ?? this.stack.account, }); } + + /** + * Adds a statement to the resource policy associated with this file system. + * A resource policy will be automatically created upon the first call to `addToResourcePolicy`. + * + * Note that this does not work with imported file systems. + * + * @param statement The policy statement to add + */ + public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult { + + this.resourcePolicy = this.resourcePolicy ?? new PolicyDocument({ statements: [] }); + this.resourcePolicy.addStatements(statement); + return { + statementAdded: true, + policyDependable: this, + }; + } } diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts index fc4775366a343..86f8fd581b740 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts @@ -125,7 +125,7 @@ export interface TableOptionsV2 { /** * Resource policy to assign to DynamoDB Table. - * + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-globaltable-replicaspecification.html#cfn-dynamodb-globaltable-replicaspecification-resourcepolicy * @default - No resource policy statements are added to the created table. */ readonly resourcePolicy?: PolicyDocument; @@ -155,13 +155,6 @@ export interface ReplicaTableProps extends TableOptionsV2 { * @default - inherited from the primary table */ readonly globalSecondaryIndexOptions?: { [indexName: string]: ReplicaGlobalSecondaryIndexOptions }; - - /** - * Resource policy to assign to DynamoDB Table. - * - * @default - No resource policy statements are added to the created table. - */ - readonly resourcePolicy?: PolicyDocument; } /** @@ -369,13 +362,14 @@ export class TableV2 extends TableBaseV2 { public readonly tableId?: string; public readonly tableStreamArn?: string; public readonly encryptionKey?: IKey; + public readonly resourcePolicy?: PolicyDocument; protected readonly region: string; protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) || (attrs.globalIndexes ?? []).length > 0 || (attrs.localIndexes ?? []).length > 0; - public constructor(tableArn: string, tableName: string, tableId?: string, tableStreamArn?: string) { + public constructor(tableArn: string, tableName: string, tableId?: string, tableStreamArn?: string, resourcePolicy?: PolicyDocument) { super(scope, id, { environmentFromArn: tableArn }); const resourceRegion = stack.splitArn(tableArn, ArnFormat.SLASH_RESOURCE_NAME).region; @@ -389,6 +383,7 @@ export class TableV2 extends TableBaseV2 { this.tableId = tableId; this.tableStreamArn = tableStreamArn; this.encryptionKey = attrs.encryptionKey; + this.resourcePolicy = resourcePolicy; } } @@ -422,6 +417,11 @@ export class TableV2 extends TableBaseV2 { return new Import(tableArn, tableName, attrs.tableId, attrs.tableStreamArn); } + /** + * @attribute + */ + public resourcePolicy?: PolicyDocument; + /** * @attribute */ @@ -615,6 +615,7 @@ export class TableV2 extends TableBaseV2 { private configureReplicaTable(props: ReplicaTableProps): CfnGlobalTable.ReplicaSpecificationProperty { const pointInTimeRecovery = props.pointInTimeRecovery ?? this.tableOptions.pointInTimeRecovery; const contributorInsights = props.contributorInsights ?? this.tableOptions.contributorInsights; + const resourcePolicy = props.resourcePolicy ?? this.tableOptions.resourcePolicy; return { region: props.region, @@ -635,8 +636,8 @@ export class TableV2 extends TableBaseV2 { ? props.readCapacity._renderReadCapacity() : this.readProvisioning, tags: props.tags, - resourcePolicy: props.resourcePolicy - ? { policyDocument: props.resourcePolicy } + resourcePolicy: resourcePolicy + ? { policyDocument: resourcePolicy } : undefined, }; } diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index 0bbe03c5c2461..ce692da01ad3e 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -21,7 +21,6 @@ import { Aws, CfnCondition, CfnCustomResource, CfnResource, Duration, Fn, Lazy, Names, RemovalPolicy, Stack, Token, CustomResource, } from '../../core'; -import { Grant, IResourceWithPolicy } from '../../aws-iam'; const HASH_KEY_TYPE = 'HASH'; const RANGE_KEY_TYPE = 'RANGE'; @@ -374,8 +373,8 @@ export interface TableOptions extends SchemaOptions { /** * Resource policy to assign to table. - * - * @default - No resource policy statements are added to the created table. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy + * @default - No resource policy statement */ readonly resourcePolicy?: iam.PolicyDocument; } @@ -487,7 +486,7 @@ export interface TableAttributes { readonly grantIndexPermissions?: boolean; } -export abstract class TableBase extends Resource implements ITable, IResourceWithPolicy { +export abstract class TableBase extends Resource implements ITable, iam.IResourceWithPolicy { /** * @attribute */ @@ -920,7 +919,7 @@ export abstract class TableBase extends Resource implements ITable, IResourceWit produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE, })), ]; - const ret = Grant.addToPrincipalOrResource({ + const ret = iam.Grant.addToPrincipalOrResource({ grantee, actions: opts.tableActions, resourceArns: resources, @@ -933,7 +932,7 @@ export abstract class TableBase extends Resource implements ITable, IResourceWit throw new Error(`DynamoDB Streams must be enabled on the table ${this.node.path}`); } const resources = [this.tableStreamArn]; - const ret = Grant.addToPrincipalOrResource({ + const ret = iam.Grant.addToPrincipalOrResource({ grantee, actions: opts.streamActions, resourceArns: resources, diff --git a/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts b/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts index 9bbf19b59518e..974eb4edac0d6 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts @@ -3482,3 +3482,44 @@ describe('import source', () => { }).toThrow(`Delimiter must be a single character and one of the following: comma (,), tab (\\t), colon (:), semicolon (;), pipe (|), space ( ), got '${delimiter}'`); }); }); + +test('Resource policy test', () => { + // GIVEN + const app = new App(); + const stack = new Stack(app, 'Stack'); + + const doc = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:user/foobar')], + resources: ['*'], + }), + ], + }); + + // WHEN + const table = new Table(stack, 'Table', { + partitionKey: { name: 'metric', type: AttributeType.STRING }, + resourcePolicy: doc, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', { + 'ResourcePolicy': { + 'PolicyDocument': { + 'Version': '2012-10-17', + 'Statement': [ + { + 'Principal': { + 'AWS': 'arn:aws:iam::111122223333:user/foobar', + }, + 'Effect': 'Allow', + 'Action': 'dynamodb:GetItem', + 'Resource': '*', + }, + ], + }, + }, + }); +}); From ffbe667368373f26df97b68271cfe22335c94ec0 Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Mon, 13 May 2024 17:24:18 +0100 Subject: [PATCH 08/18] Resource policy for TableV2 README updated --- .../test/integ.dynamodb.policy.ts | 1 - .../sdk-v2-to-v3-adapter/lib/api-call.d.ts | 68 ++ .../sdk-v2-to-v3-adapter/lib/api-call.js | 136 ++++ .../lib/coerce-api-parameters.d.ts | 24 + .../lib/coerce-api-parameters.js | 96 +++ .../lib/find-client-constructor.d.ts | 4 + .../lib/find-client-constructor.js | 12 + .../sdk-v2-to-v3-adapter/lib/index.d.ts | 4 + .../sdk-v2-to-v3-adapter/lib/index.js | 26 + .../lib/parameter-types.d.ts | 2 + .../lib/parameter-types.js | 14 + .../sdk-v2-to-v3-adapter/lib/sdk-info.d.ts | 20 + .../sdk-v2-to-v3-adapter/lib/sdk-info.js | 49 ++ .../test/api-call.test.d.ts | 1 + .../test/api-call.test.js | 111 ++++ .../test/coerce-api-parameters.test.d.ts | 1 + .../test/coerce-api-parameters.test.js | 622 ++++++++++++++++++ .../test/flatten.test.d.ts | 1 + .../sdk-v2-to-v3-adapter/test/flatten.test.js | 20 + packages/aws-cdk-lib/aws-dynamodb/README.md | 29 + .../aws-dynamodb/lib/table-v2-base.ts | 4 +- 21 files changed, 1242 insertions(+), 3 deletions(-) create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.js create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.js create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.js create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.js create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.js create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.js create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.js create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.js create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.d.ts create mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.js diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts index e103de80e95f1..86f9f95ad9421 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts @@ -39,7 +39,6 @@ export class TestStack extends Stack { removalPolicy: RemovalPolicy.DESTROY, }); - // const permissions: string[] = ['dynamodb:GetItem', 'dynamodb:UpdateItem']; this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012')); } } diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.d.ts new file mode 100644 index 0000000000000..d4186f70ff1ab --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.d.ts @@ -0,0 +1,68 @@ +import type { AwsCredentialIdentityProvider } from '@smithy/types'; +export interface InvokeOptions { + /** + * The SDKv3 package for the service. + * + * @default - Load the package automatically + */ + readonly sdkPackage?: any; + /** + * Override API version + * + * @default - Use default API version + */ + readonly apiVersion?: string; + /** + * Override region + * + * @default - Current region + */ + readonly region?: string; + /** + * Override credentials + * + * @default - Default credentials + */ + readonly credentials?: AwsCredentialIdentityProvider; + /** + * Parameters to the API call + * + * @default {} + */ + readonly parameters?: Record; + /** + * Flatten the response object + * + * Instead of a nested object structure, return a map of `{ string -> value }`, with the keys + * being the paths to each primitive value. + * + * @default false + */ + readonly flattenResponse?: boolean; +} +/** + * Wrapper to make an SDKv3 API call, with SDKv2 compatibility + */ +export declare class ApiCall { + readonly service: string; + readonly action: string; + readonly v3PackageName: string; + v3Package?: any; + client?: any; + constructor(service: string, action: string); + invoke(options: InvokeOptions): Promise>; + initializePackage(packageOverride?: any): any; + initializeClient(options: Pick): any; + findCommandClass(): new (input: any) => any; + private findConstructor; +} +/** + * Flattens a nested object + * + * @param object the object to be flattened + * @returns a flat object with path as keys + */ +export declare function flatten(root: unknown): { + [key: string]: any; +}; +export declare function coerceSdkv3Response(value: unknown): Promise; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.js new file mode 100644 index 0000000000000..32f051d963a07 --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.js @@ -0,0 +1,136 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.coerceSdkv3Response = exports.flatten = exports.ApiCall = void 0; +const coerce_api_parameters_1 = require("./coerce-api-parameters"); +const find_client_constructor_1 = require("./find-client-constructor"); +const sdk_info_1 = require("./sdk-info"); +/** + * Wrapper to make an SDKv3 API call, with SDKv2 compatibility + */ +class ApiCall { + constructor(service, action) { + this.service = (0, sdk_info_1.normalizeServiceName)(service); + this.action = (0, sdk_info_1.normalizeActionName)(this.service, action); + this.v3PackageName = `@aws-sdk/client-${this.service}`; + } + async invoke(options) { + this.initializePackage(options.sdkPackage); + this.initializeClient(options); + const Command = this.findCommandClass(); + // Command must pass input value https://github.com/aws/aws-sdk-js-v3/issues/424 + const response = await this.client.send(new Command((0, coerce_api_parameters_1.coerceApiParameters)(this.service, this.action, options.parameters ?? {}))); + delete response.$metadata; + const coerced = await coerceSdkv3Response(response); + return (options.flattenResponse ? flatten(coerced) : coerced); + } + initializePackage(packageOverride) { + if (this.v3Package) { + return; + } + if (packageOverride) { + this.v3Package = packageOverride; + return; + } + try { + /* eslint-disable-next-line @typescript-eslint/no-require-imports */ // esbuild-disable unsupported-require-call + this.v3Package = require(this.v3PackageName); + } + catch (e) { + throw Error(`Service ${this.service} client package with name '${this.v3PackageName}' does not exist.`); + } + } + initializeClient(options) { + if (!this.v3Package) { + this.initializePackage(); + } + const ServiceClient = this.findConstructor(this.v3Package); + this.client = new ServiceClient({ + apiVersion: options.apiVersion, + credentials: options.credentials, + region: options.region, + }); + return this.client; + } + findCommandClass() { + if (!this.v3Package) { + this.initializePackage(); + } + const commandName = `${this.action}Command`; + const Command = Object.entries(this.v3Package ?? {}).find(([name]) => name.toLowerCase() === commandName.toLowerCase())?.[1]; + if (!Command) { + throw new Error(`Unable to find command named: ${commandName} for action: ${this.action} in service package ${this.v3PackageName}`); + } + return Command; + } + findConstructor(pkg) { + try { + const ret = (0, find_client_constructor_1.findV3ClientConstructor)(pkg); + if (!ret) { + throw new Error('findV3ClientConstructor returned undefined'); + } + return ret; + } + catch (e) { + // eslint-disable-next-line no-console + console.error(e); + throw Error(`No client constructor found within package: ${this.v3PackageName}`); + } + } +} +exports.ApiCall = ApiCall; +/** + * Flattens a nested object + * + * @param object the object to be flattened + * @returns a flat object with path as keys + */ +function flatten(root) { + const ret = {}; + recurse(root); + return ret; + function recurse(x, path = []) { + if (x && typeof x === 'object') { + for (const [key, value] of Object.entries(x)) { + recurse(value, [...path, key]); + } + return; + } + ret[path.join('.')] = x; + } +} +exports.flatten = flatten; +/** + * Text decoder used for Uint8Array response parsing + */ +const decoder = new TextDecoder(); +async function coerceSdkv3Response(value) { + if (value && typeof (value) === 'object' && typeof (value.transformToString) === 'function') { + // in sdk v3 some return types are now adapters that we need to explicitly + // convert to strings. see example: https://github.com/aws/aws-sdk-js-v3/blob/main/UPGRADING.md?plain=1#L573-L576 + // note we don't use 'instanceof Unit8Array' because observations show this won't always return true, even though + // the `transformToString` function will be available. (for example S3::GetObject) + return value.transformToString(); + } + if (Buffer.isBuffer(value)) { + return value.toString('utf8'); + } + if (ArrayBuffer.isView(value)) { + return decoder.decode(value.buffer); + } + if (Array.isArray(value)) { + const ret = []; + for (const x of value) { + ret.push(await coerceSdkv3Response(x)); + } + return ret; + } + if (value && typeof value === 'object') { + for (const key of Object.keys(value)) { + value[key] = await coerceSdkv3Response(value[key]); + } + return value; + } + return value; +} +exports.coerceSdkv3Response = coerceSdkv3Response; +//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.d.ts new file mode 100644 index 0000000000000..4ed6e03dc8613 --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.d.ts @@ -0,0 +1,24 @@ +import { TypeCoercionStateMachine } from './parameter-types'; +type ApiParameters = { + [param: string]: any; +}; +/** + * Given a minimal AWS SDKv3 call definition (service, action, parameters), + * coerces nested parameter values into a Uint8Array if that's what the SDKv3 expects. + */ +export declare function coerceApiParameters(v3service: string, action: string, parameters?: ApiParameters): ApiParameters; +/** + * Make this a class in order to have multiple entry points for testing that can all share convenience functions + */ +export declare class Coercer { + private readonly typeMachine; + constructor(typeMachine: TypeCoercionStateMachine); + coerceApiParameters(v3service: string, action: string, parameters?: ApiParameters): ApiParameters; + testCoerce(value: unknown): any; + private recurse; + /** + * From a given state, return the state we would end up in if we followed this field + */ + private progress; +} +export {}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.js new file mode 100644 index 0000000000000..aed059bf684f2 --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.js @@ -0,0 +1,96 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.Coercer = exports.coerceApiParameters = void 0; +const parameter_types_1 = require("./parameter-types"); +/** + * Given a minimal AWS SDKv3 call definition (service, action, parameters), + * coerces nested parameter values into a Uint8Array if that's what the SDKv3 expects. + */ +function coerceApiParameters(v3service, action, parameters = {}) { + const typeMachine = (0, parameter_types_1.typeCoercionStateMachine)(); + return new Coercer(typeMachine).coerceApiParameters(v3service, action, parameters); +} +exports.coerceApiParameters = coerceApiParameters; +/** + * Make this a class in order to have multiple entry points for testing that can all share convenience functions + */ +class Coercer { + constructor(typeMachine) { + this.typeMachine = typeMachine; + } + coerceApiParameters(v3service, action, parameters = {}) { + // Get the initial state corresponding to the current service+action, then recurse through the parameters + const actionState = this.progress(action.toLowerCase(), this.progress(v3service.toLowerCase(), 0)); + return this.recurse(parameters, actionState); + } + testCoerce(value) { + return this.recurse(value, 0); + } + recurse(value, state) { + switch (state) { + case undefined: return value; + case 'b': return coerceValueToUint8Array(value); + case 'n': return coerceValueToNumber(value); + case 'd': return coerceValueToDate(value); + } + if (Array.isArray(value)) { + const elState = this.progress('*', state); + return elState !== undefined + ? value.map((e) => this.recurse(e, elState)) + : value; + } + if (value && typeof value === 'object') { + // Mutate the object in-place for efficiency + const mapState = this.progress('*', state); + for (const key of Object.keys(value)) { + const fieldState = this.progress(key, state) ?? mapState; + if (fieldState !== undefined) { + value[key] = this.recurse(value[key], fieldState); + } + } + return value; + } + return value; + } + /** + * From a given state, return the state we would end up in if we followed this field + */ + progress(field, s) { + if (s === undefined || typeof s !== 'number') { + return undefined; + } + return this.typeMachine[s][field]; + } +} +exports.Coercer = Coercer; +function coerceValueToUint8Array(x) { + if (x instanceof Uint8Array) { + return x; + } + if (typeof x === 'string' || typeof x === 'number') { + return new TextEncoder().encode(x.toString()); + } + return x; +} +function coerceValueToNumber(x) { + if (typeof x === 'number') { + return x; + } + if (typeof x === 'string') { + const n = Number(x); + return isNaN(n) ? x : n; + } + return x; +} +function coerceValueToDate(x) { + if (typeof x === 'string' || typeof x === 'number') { + const date = new Date(x); + // if x is not a valid date + if (isNaN(date.getTime())) { + return x; + } + return date; + } + return x; +} +//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.d.ts new file mode 100644 index 0000000000000..7cf6561a8245f --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.d.ts @@ -0,0 +1,4 @@ +export declare function findV3ClientConstructor(pkg: Object): new (config: any) => { + send: (command: any) => Promise; + config: any; +}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.js new file mode 100644 index 0000000000000..39adbabc81899 --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.js @@ -0,0 +1,12 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.findV3ClientConstructor = void 0; +function findV3ClientConstructor(pkg) { + const [_clientName, ServiceClient] = Object.entries(pkg).find(([name]) => { + // Services expose a base __Client class that we don't want ever + return name.endsWith('Client') && name !== '__Client'; + }); + return ServiceClient; +} +exports.findV3ClientConstructor = findV3ClientConstructor; +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZmluZC1jbGllbnQtY29uc3RydWN0b3IuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJmaW5kLWNsaWVudC1jb25zdHJ1Y3Rvci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSxTQUFnQix1QkFBdUIsQ0FBQyxHQUFXO0lBQ2pELE1BQU0sQ0FBQyxXQUFXLEVBQUUsYUFBYSxDQUFDLEdBQUcsTUFBTSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFJLENBQzNELENBQUMsQ0FBQyxJQUFJLENBQUMsRUFBRSxFQUFFO1FBQ1QsZ0VBQWdFO1FBQ2hFLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsSUFBSSxJQUFJLEtBQUssVUFBVSxDQUFDO0lBQ3hELENBQUMsQ0FNRCxDQUFDO0lBQ0gsT0FBTyxhQUFhLENBQUM7QUFDdkIsQ0FBQztBQWJELDBEQWFDIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0IGZ1bmN0aW9uIGZpbmRWM0NsaWVudENvbnN0cnVjdG9yKHBrZzogT2JqZWN0KSB7XG4gIGNvbnN0IFtfY2xpZW50TmFtZSwgU2VydmljZUNsaWVudF0gPSBPYmplY3QuZW50cmllcyhwa2cpLmZpbmQoXG4gICAgKFtuYW1lXSkgPT4ge1xuICAgICAgLy8gU2VydmljZXMgZXhwb3NlIGEgYmFzZSBfX0NsaWVudCBjbGFzcyB0aGF0IHdlIGRvbid0IHdhbnQgZXZlclxuICAgICAgcmV0dXJuIG5hbWUuZW5kc1dpdGgoJ0NsaWVudCcpICYmIG5hbWUgIT09ICdfX0NsaWVudCc7XG4gICAgfSxcbiAgKSBhcyBbc3RyaW5nLCB7XG4gICAgbmV3IChjb25maWc6IGFueSk6IHtcbiAgICAgIHNlbmQ6IChjb21tYW5kOiBhbnkpID0+IFByb21pc2U8YW55PjtcbiAgICAgIGNvbmZpZzogYW55O1xuICAgIH07XG4gIH1dO1xuICByZXR1cm4gU2VydmljZUNsaWVudDtcbn1cbiJdfQ== \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.d.ts new file mode 100644 index 0000000000000..cde4e15344628 --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.d.ts @@ -0,0 +1,4 @@ +export { coerceApiParameters } from './coerce-api-parameters'; +export { findV3ClientConstructor } from './find-client-constructor'; +export { normalizeServiceName, normalizeActionName } from './sdk-info'; +export * from './api-call'; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.js new file mode 100644 index 0000000000000..7456cb0073dfe --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.js @@ -0,0 +1,26 @@ +"use strict"; +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __exportStar = (this && this.__exportStar) || function(m, exports) { + for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p); +}; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.normalizeActionName = exports.normalizeServiceName = exports.findV3ClientConstructor = exports.coerceApiParameters = void 0; +var coerce_api_parameters_1 = require("./coerce-api-parameters"); +Object.defineProperty(exports, "coerceApiParameters", { enumerable: true, get: function () { return coerce_api_parameters_1.coerceApiParameters; } }); +var find_client_constructor_1 = require("./find-client-constructor"); +Object.defineProperty(exports, "findV3ClientConstructor", { enumerable: true, get: function () { return find_client_constructor_1.findV3ClientConstructor; } }); +var sdk_info_1 = require("./sdk-info"); +Object.defineProperty(exports, "normalizeServiceName", { enumerable: true, get: function () { return sdk_info_1.normalizeServiceName; } }); +Object.defineProperty(exports, "normalizeActionName", { enumerable: true, get: function () { return sdk_info_1.normalizeActionName; } }); +__exportStar(require("./api-call"), exports); +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJpbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGlFQUE4RDtBQUFyRCw0SEFBQSxtQkFBbUIsT0FBQTtBQUM1QixxRUFBb0U7QUFBM0Qsa0lBQUEsdUJBQXVCLE9BQUE7QUFDaEMsdUNBQXVFO0FBQTlELGdIQUFBLG9CQUFvQixPQUFBO0FBQUUsK0dBQUEsbUJBQW1CLE9BQUE7QUFDbEQsNkNBQTJCIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0IHsgY29lcmNlQXBpUGFyYW1ldGVycyB9IGZyb20gJy4vY29lcmNlLWFwaS1wYXJhbWV0ZXJzJztcbmV4cG9ydCB7IGZpbmRWM0NsaWVudENvbnN0cnVjdG9yIH0gZnJvbSAnLi9maW5kLWNsaWVudC1jb25zdHJ1Y3Rvcic7XG5leHBvcnQgeyBub3JtYWxpemVTZXJ2aWNlTmFtZSwgbm9ybWFsaXplQWN0aW9uTmFtZSB9IGZyb20gJy4vc2RrLWluZm8nO1xuZXhwb3J0ICogZnJvbSAnLi9hcGktY2FsbCc7XG4iXX0= \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.d.ts new file mode 100644 index 0000000000000..d3225637a587e --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.d.ts @@ -0,0 +1,2 @@ +export type TypeCoercionStateMachine = Array>; +export declare let typeCoercionStateMachine: () => TypeCoercionStateMachine; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.js new file mode 100644 index 0000000000000..3d466051e8947 --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.js @@ -0,0 +1,14 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.typeCoercionStateMachine = void 0; +// This file was generated from the aws-sdk-js-v3 at Tue Jan 30 2024 09:54:50 GMT+0000 (Coordinated Universal Time) +/* eslint-disable quote-props,comma-dangle,quotes */ +const zlib = require("zlib"); +let typeCoercionStateMachine = () => { + const encoded = ""; + const decoded = JSON.parse(zlib.brotliDecompressSync(Buffer.from(encoded, 'base64')).toString()); + exports.typeCoercionStateMachine = () => decoded; + return decoded; +}; +exports.typeCoercionStateMachine = typeCoercionStateMachine; +//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.d.ts new file mode 100644 index 0000000000000..5a2ce086ede4e --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.d.ts @@ -0,0 +1,20 @@ +/** + * Normalize a service name from: + * + * - A full SDKv3 package name + * - A partial SDKv3 package name + * - An SDKv2 constructor name + * + * To a partial SDKv3 package name. + */ +export declare function normalizeServiceName(service: string): string; +/** + * Normalize an action name from: + * + * - camelCase SDKv2 method name + * - PascalCase API name + * - SDKv3 command class name + * + * To a PascalCase API name. + */ +export declare function normalizeActionName(v3Service: string, action: string): string; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.js new file mode 100644 index 0000000000000..d104c83c6c3fd --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.js @@ -0,0 +1,49 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.normalizeActionName = exports.normalizeServiceName = void 0; +/** + * Normalize a service name from: + * + * - A full SDKv3 package name + * - A partial SDKv3 package name + * - An SDKv2 constructor name + * + * To a partial SDKv3 package name. + */ +function normalizeServiceName(service) { + service = service.toLowerCase(); // Lowercase + service = service.replace(/^@aws-sdk\/client-/, ''); // Strip the start of a V3 package name + service = v2ToV3Mapping()?.[service] ?? service; // Optionally map v2 name -> v3 name + return service; +} +exports.normalizeServiceName = normalizeServiceName; +/** + * Normalize an action name from: + * + * - camelCase SDKv2 method name + * - PascalCase API name + * - SDKv3 command class name + * + * To a PascalCase API name. + */ +function normalizeActionName(v3Service, action) { + if (action.charAt(0).toLowerCase() === action.charAt(0)) { + return action.charAt(0).toUpperCase() + action.slice(1); + } + // If the given word is in the APIs ending in 'Command' for this service, + // return as is. Otherwise, return with a potential 'Command' suffix stripped. + if (v3Metadata()[v3Service]?.commands?.includes(action)) { + return action; + } + return action.replace(/Command$/, ''); +} +exports.normalizeActionName = normalizeActionName; +function v2ToV3Mapping() { + // eslint-disable-next-line @typescript-eslint/no-require-imports + return require('./sdk-v2-to-v3.json'); +} +function v3Metadata() { + // eslint-disable-next-line @typescript-eslint/no-require-imports + return require('./sdk-v3-metadata.json'); +} +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2RrLWluZm8uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJzZGstaW5mby50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQTs7Ozs7Ozs7R0FRRztBQUNILFNBQWdCLG9CQUFvQixDQUFDLE9BQWU7SUFDbEQsT0FBTyxHQUFHLE9BQU8sQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLFlBQVk7SUFDN0MsT0FBTyxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUMsb0JBQW9CLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyx1Q0FBdUM7SUFDNUYsT0FBTyxHQUFHLGFBQWEsRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksT0FBTyxDQUFDLENBQUMsb0NBQW9DO0lBQ3JGLE9BQU8sT0FBTyxDQUFDO0FBQ2pCLENBQUM7QUFMRCxvREFLQztBQUVEOzs7Ozs7OztHQVFHO0FBQ0gsU0FBZ0IsbUJBQW1CLENBQUMsU0FBaUIsRUFBRSxNQUFjO0lBQ25FLElBQUksTUFBTSxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQyxXQUFXLEVBQUUsS0FBSyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDeEQsT0FBTyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLFdBQVcsRUFBRSxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDMUQsQ0FBQztJQUVELHlFQUF5RTtJQUN6RSw4RUFBOEU7SUFDOUUsSUFBSSxVQUFVLEVBQUUsQ0FBQyxTQUFTLENBQUMsRUFBRSxRQUFRLEVBQUUsUUFBUSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDeEQsT0FBTyxNQUFNLENBQUM7SUFDaEIsQ0FBQztJQUVELE9BQU8sTUFBTSxDQUFDLE9BQU8sQ0FBQyxVQUFVLEVBQUUsRUFBRSxDQUFDLENBQUM7QUFDeEMsQ0FBQztBQVpELGtEQVlDO0FBRUQsU0FBUyxhQUFhO0lBQ3BCLGlFQUFpRTtJQUNqRSxPQUFPLE9BQU8sQ0FBQyxxQkFBcUIsQ0FBQyxDQUFDO0FBQ3hDLENBQUM7QUFFRCxTQUFTLFVBQVU7SUFDakIsaUVBQWlFO0lBQ2pFLE9BQU8sT0FBTyxDQUFDLHdCQUF3QixDQUFDLENBQUM7QUFDM0MsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogTm9ybWFsaXplIGEgc2VydmljZSBuYW1lIGZyb206XG4gKlxuICogLSBBIGZ1bGwgU0RLdjMgcGFja2FnZSBuYW1lXG4gKiAtIEEgcGFydGlhbCBTREt2MyBwYWNrYWdlIG5hbWVcbiAqIC0gQW4gU0RLdjIgY29uc3RydWN0b3IgbmFtZVxuICpcbiAqIFRvIGEgcGFydGlhbCBTREt2MyBwYWNrYWdlIG5hbWUuXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBub3JtYWxpemVTZXJ2aWNlTmFtZShzZXJ2aWNlOiBzdHJpbmcpIHtcbiAgc2VydmljZSA9IHNlcnZpY2UudG9Mb3dlckNhc2UoKTsgLy8gTG93ZXJjYXNlXG4gIHNlcnZpY2UgPSBzZXJ2aWNlLnJlcGxhY2UoL15AYXdzLXNka1xcL2NsaWVudC0vLCAnJyk7IC8vIFN0cmlwIHRoZSBzdGFydCBvZiBhIFYzIHBhY2thZ2UgbmFtZVxuICBzZXJ2aWNlID0gdjJUb1YzTWFwcGluZygpPy5bc2VydmljZV0gPz8gc2VydmljZTsgLy8gT3B0aW9uYWxseSBtYXAgdjIgbmFtZSAtPiB2MyBuYW1lXG4gIHJldHVybiBzZXJ2aWNlO1xufVxuXG4vKipcbiAqIE5vcm1hbGl6ZSBhbiBhY3Rpb24gbmFtZSBmcm9tOlxuICpcbiAqIC0gY2FtZWxDYXNlIFNES3YyIG1ldGhvZCBuYW1lXG4gKiAtIFBhc2NhbENhc2UgQVBJIG5hbWVcbiAqIC0gU0RLdjMgY29tbWFuZCBjbGFzcyBuYW1lXG4gKlxuICogVG8gYSBQYXNjYWxDYXNlIEFQSSBuYW1lLlxuICovXG5leHBvcnQgZnVuY3Rpb24gbm9ybWFsaXplQWN0aW9uTmFtZSh2M1NlcnZpY2U6IHN0cmluZywgYWN0aW9uOiBzdHJpbmcpIHtcbiAgaWYgKGFjdGlvbi5jaGFyQXQoMCkudG9Mb3dlckNhc2UoKSA9PT0gYWN0aW9uLmNoYXJBdCgwKSkge1xuICAgIHJldHVybiBhY3Rpb24uY2hhckF0KDApLnRvVXBwZXJDYXNlKCkgKyBhY3Rpb24uc2xpY2UoMSk7XG4gIH1cblxuICAvLyBJZiB0aGUgZ2l2ZW4gd29yZCBpcyBpbiB0aGUgQVBJcyBlbmRpbmcgaW4gJ0NvbW1hbmQnIGZvciB0aGlzIHNlcnZpY2UsXG4gIC8vIHJldHVybiBhcyBpcy4gT3RoZXJ3aXNlLCByZXR1cm4gd2l0aCBhIHBvdGVudGlhbCAnQ29tbWFuZCcgc3VmZml4IHN0cmlwcGVkLlxuICBpZiAodjNNZXRhZGF0YSgpW3YzU2VydmljZV0/LmNvbW1hbmRzPy5pbmNsdWRlcyhhY3Rpb24pKSB7XG4gICAgcmV0dXJuIGFjdGlvbjtcbiAgfVxuXG4gIHJldHVybiBhY3Rpb24ucmVwbGFjZSgvQ29tbWFuZCQvLCAnJyk7XG59XG5cbmZ1bmN0aW9uIHYyVG9WM01hcHBpbmcoKTogUmVjb3JkPHN0cmluZywgc3RyaW5nPiB7XG4gIC8vIGVzbGludC1kaXNhYmxlLW5leHQtbGluZSBAdHlwZXNjcmlwdC1lc2xpbnQvbm8tcmVxdWlyZS1pbXBvcnRzXG4gIHJldHVybiByZXF1aXJlKCcuL3Nkay12Mi10by12My5qc29uJyk7XG59XG5cbmZ1bmN0aW9uIHYzTWV0YWRhdGEoKTogUmVjb3JkPHN0cmluZywgeyBpYW1QcmVmaXg/OiBzdHJpbmc7IGNvbW1hbmRzPzogc3RyaW5nW10gfT4ge1xuICAvLyBlc2xpbnQtZGlzYWJsZS1uZXh0LWxpbmUgQHR5cGVzY3JpcHQtZXNsaW50L25vLXJlcXVpcmUtaW1wb3J0c1xuICByZXR1cm4gcmVxdWlyZSgnLi9zZGstdjMtbWV0YWRhdGEuanNvbicpO1xufVxuIl19 \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.d.ts new file mode 100644 index 0000000000000..cb0ff5c3b541f --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.d.ts @@ -0,0 +1 @@ +export {}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.js new file mode 100644 index 0000000000000..70b197940eb0a --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.js @@ -0,0 +1,111 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +const lib_1 = require("../lib"); +test('can map service name to SDK v3 client name', () => { + expect(new lib_1.ApiCall('S3', 'Bla').v3PackageName).toBe('@aws-sdk/client-s3'); +}); +test.each([ + 'api-gateway', + '@aws-sdk/client-api-gateway', + 'APIGateway', + 'apigateway', +])('service %p is recognized', (service) => { + expect(new lib_1.ApiCall(service, 'Bla').v3PackageName).toEqual('@aws-sdk/client-api-gateway'); +}); +test.each([ + 'GetRestApi', + 'getRestApi', + 'GetRestApiCommand', +])('action %p is recognized', (action) => { + expect(new lib_1.ApiCall('api-gateway', action).action).toEqual('GetRestApi'); +}); +test.each([ + 'ExecuteCommand', + 'executeCommand', + 'ExecuteCommandCommand', +])('ECS action %p is recognized', (action) => { + expect(new lib_1.ApiCall('ecs', action).action).toEqual('ExecuteCommand'); +}); +describe('helpers for SDKv3', () => { + test('can load a SDK package by service name', () => { + const sdk = new lib_1.ApiCall('S3', 'Bla'); + expect(sdk.v3PackageName).toBe('@aws-sdk/client-s3'); + sdk.initializePackage(); + }); + test('can load a SDK package by package name', () => { + const sdk = new lib_1.ApiCall('@aws-sdk/client-s3', 'Bla'); + expect(sdk.v3PackageName).toBe('@aws-sdk/client-s3'); + sdk.initializePackage(); + }); + test('will throw when attempting to load unknown SDK package', () => { + expect(() => { + loadV3ClientPackage('@aws-sdk/client-foobar'); + }).toThrow("Service foobar client package with name '@aws-sdk/client-foobar' does not exist."); + }); + test('will throw when attempting to load unknown SDK package using V2 style name', () => { + expect(() => { + loadV3ClientPackage('FooBar'); + }).toThrow("Service foobar client package with name '@aws-sdk/client-foobar' does not exist."); + }); + describe('with a SDK package loaded', () => { + test('can get client', () => { + const client = getV3Client('s3'); + expect(client.config.serviceId).toBe('S3'); + }); + test('can get client with config', async () => { + const client = getV3Client('s3', { region: 'eu-west-1' }); + const region = await client.config.region(); + expect(region).toBe('eu-west-1'); + }); + test('can get command', () => { + const apiCall = new lib_1.ApiCall('s3', 'ListBuckets'); + const command = apiCall.findCommandClass(); + expect(command).toBeDefined(); + }); + test('will throw when attempting to get unknown command', () => { + expect(() => { + new lib_1.ApiCall('s3', 'FooBar').findCommandClass(); + }).toThrow('Unable to find command named: FooBarCommand'); + }); + }); +}); +test('flatten', () => { + expect((0, lib_1.flatten)({ + foo: 'foo', + bar: { + foo: 'foo', + bar: 'bar', + }, + baz: [ + { foo: 'foo' }, + { bar: 'bar' }, + ], + })).toEqual({ + 'foo': 'foo', + 'bar.foo': 'foo', + 'bar.bar': 'bar', + 'baz.0.foo': 'foo', + 'baz.1.bar': 'bar', + }); +}); +test.each([ + { transformToString: () => 'foo' }, + Buffer.from('foo'), + new TextEncoder().encode('foo'), +])('coerce %p', async (fooValue) => { + expect(await (0, lib_1.coerceSdkv3Response)({ + foo: fooValue, + })).toEqual({ foo: 'foo' }); +}); +function loadV3ClientPackage(service) { + const apiCall = new lib_1.ApiCall(service, 'Bla'); + apiCall.initializePackage(); + return apiCall.v3Package; +} +function getV3Client(service, options = {}) { + const apiCall = new lib_1.ApiCall(service, 'Bla'); + apiCall.initializePackage(); + apiCall.initializeClient(options); + return apiCall.client; +} +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBpLWNhbGwudGVzdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbImFwaS1jYWxsLnRlc3QudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFBQSxnQ0FBOEU7QUFFOUUsSUFBSSxDQUFDLDRDQUE0QyxFQUFFLEdBQUcsRUFBRTtJQUN0RCxNQUFNLENBQUMsSUFBSSxhQUFPLENBQUMsSUFBSSxFQUFFLEtBQUssQ0FBQyxDQUFDLGFBQWEsQ0FBQyxDQUFDLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO0FBQzVFLENBQUMsQ0FBQyxDQUFDO0FBRUgsSUFBSSxDQUFDLElBQUksQ0FBQztJQUNSLGFBQWE7SUFDYiw2QkFBNkI7SUFDN0IsWUFBWTtJQUNaLFlBQVk7Q0FDYixDQUFDLENBQUMsMEJBQTBCLEVBQUUsQ0FBQyxPQUFPLEVBQUUsRUFBRTtJQUN6QyxNQUFNLENBQUMsSUFBSSxhQUFPLENBQUMsT0FBTyxFQUFFLEtBQUssQ0FBQyxDQUFDLGFBQWEsQ0FBQyxDQUFDLE9BQU8sQ0FBQyw2QkFBNkIsQ0FBQyxDQUFDO0FBQzNGLENBQUMsQ0FBQyxDQUFDO0FBRUgsSUFBSSxDQUFDLElBQUksQ0FBQztJQUNSLFlBQVk7SUFDWixZQUFZO0lBQ1osbUJBQW1CO0NBQ3BCLENBQUMsQ0FBQyx5QkFBeUIsRUFBRSxDQUFDLE1BQU0sRUFBRSxFQUFFO0lBQ3ZDLE1BQU0sQ0FBQyxJQUFJLGFBQU8sQ0FBQyxhQUFhLEVBQUUsTUFBTSxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsT0FBTyxDQUFDLFlBQVksQ0FBQyxDQUFDO0FBQzFFLENBQUMsQ0FBQyxDQUFDO0FBRUgsSUFBSSxDQUFDLElBQUksQ0FBQztJQUNSLGdCQUFnQjtJQUNoQixnQkFBZ0I7SUFDaEIsdUJBQXVCO0NBQ3hCLENBQUMsQ0FBQyw2QkFBNkIsRUFBRSxDQUFDLE1BQU0sRUFBRSxFQUFFO0lBQzNDLE1BQU0sQ0FBQyxJQUFJLGFBQU8sQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsT0FBTyxDQUFDLGdCQUFnQixDQUFDLENBQUM7QUFDdEUsQ0FBQyxDQUFDLENBQUM7QUFFSCxRQUFRLENBQUMsbUJBQW1CLEVBQUUsR0FBRyxFQUFFO0lBQ2pDLElBQUksQ0FBQyx3Q0FBd0MsRUFBRSxHQUFHLEVBQUU7UUFDbEQsTUFBTSxHQUFHLEdBQUcsSUFBSSxhQUFPLENBQUMsSUFBSSxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3JDLE1BQU0sQ0FBQyxHQUFHLENBQUMsYUFBYSxDQUFDLENBQUMsSUFBSSxDQUFDLG9CQUFvQixDQUFDLENBQUM7UUFDckQsR0FBRyxDQUFDLGlCQUFpQixFQUFFLENBQUM7SUFDMUIsQ0FBQyxDQUFDLENBQUM7SUFFSCxJQUFJLENBQUMsd0NBQXdDLEVBQUUsR0FBRyxFQUFFO1FBQ2xELE1BQU0sR0FBRyxHQUFHLElBQUksYUFBTyxDQUFDLG9CQUFvQixFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3JELE1BQU0sQ0FBQyxHQUFHLENBQUMsYUFBYSxDQUFDLENBQUMsSUFBSSxDQUFDLG9CQUFvQixDQUFDLENBQUM7UUFDckQsR0FBRyxDQUFDLGlCQUFpQixFQUFFLENBQUM7SUFDMUIsQ0FBQyxDQUFDLENBQUM7SUFFSCxJQUFJLENBQUMsd0RBQXdELEVBQUUsR0FBRyxFQUFFO1FBQ2xFLE1BQU0sQ0FBQyxHQUFHLEVBQUU7WUFDVixtQkFBbUIsQ0FBQyx3QkFBd0IsQ0FBQyxDQUFDO1FBQ2hELENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxrRkFBa0YsQ0FBQyxDQUFDO0lBQ2pHLENBQUMsQ0FBQyxDQUFDO0lBRUgsSUFBSSxDQUFDLDRFQUE0RSxFQUFFLEdBQUcsRUFBRTtRQUN0RixNQUFNLENBQUMsR0FBRyxFQUFFO1lBQ1YsbUJBQW1CLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDaEMsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLGtGQUFrRixDQUFDLENBQUM7SUFDakcsQ0FBQyxDQUFDLENBQUM7SUFFSCxRQUFRLENBQUMsMkJBQTJCLEVBQUUsR0FBRyxFQUFFO1FBQ3pDLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxHQUFHLEVBQUU7WUFDMUIsTUFBTSxNQUFNLEdBQUcsV0FBVyxDQUFDLElBQUksQ0FBQyxDQUFDO1lBQ2pDLE1BQU0sQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUM3QyxDQUFDLENBQUMsQ0FBQztRQUVILElBQUksQ0FBQyw0QkFBNEIsRUFBRSxLQUFLLElBQUksRUFBRTtZQUM1QyxNQUFNLE1BQU0sR0FBRyxXQUFXLENBQUMsSUFBSSxFQUFFLEVBQUUsTUFBTSxFQUFFLFdBQVcsRUFBRSxDQUFDLENBQUM7WUFDMUQsTUFBTSxNQUFNLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQzVDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDbkMsQ0FBQyxDQUFDLENBQUM7UUFFSCxJQUFJLENBQUMsaUJBQWlCLEVBQUUsR0FBRyxFQUFFO1lBQzNCLE1BQU0sT0FBTyxHQUFHLElBQUksYUFBTyxDQUFDLElBQUksRUFBRSxhQUFhLENBQUMsQ0FBQztZQUNqRCxNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUMzQyxNQUFNLENBQUMsT0FBTyxDQUFDLENBQUMsV0FBVyxFQUFFLENBQUM7UUFDaEMsQ0FBQyxDQUFDLENBQUM7UUFDSCxJQUFJLENBQUMsbURBQW1ELEVBQUUsR0FBRyxFQUFFO1lBQzdELE1BQU0sQ0FBQyxHQUFHLEVBQUU7Z0JBQ1YsSUFBSSxhQUFPLENBQUMsSUFBSSxFQUFFLFFBQVEsQ0FBQyxDQUFDLGdCQUFnQixFQUFFLENBQUM7WUFDakQsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLDZDQUE2QyxDQUFDLENBQUM7UUFDNUQsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDLENBQUMsQ0FBQztBQUNMLENBQUMsQ0FBQyxDQUFDO0FBRUgsSUFBSSxDQUFDLFNBQVMsRUFBRSxHQUFHLEVBQUU7SUFDbkIsTUFBTSxDQUFDLElBQUEsYUFBTyxFQUFDO1FBQ2IsR0FBRyxFQUFFLEtBQUs7UUFDVixHQUFHLEVBQUU7WUFDSCxHQUFHLEVBQUUsS0FBSztZQUNWLEdBQUcsRUFBRSxLQUFLO1NBQ1g7UUFDRCxHQUFHLEVBQUU7WUFDSCxFQUFFLEdBQUcsRUFBRSxLQUFLLEVBQUU7WUFDZCxFQUFFLEdBQUcsRUFBRSxLQUFLLEVBQUU7U0FDZjtLQUNGLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQztRQUNWLEtBQUssRUFBRSxLQUFLO1FBQ1osU0FBUyxFQUFFLEtBQUs7UUFDaEIsU0FBUyxFQUFFLEtBQUs7UUFDaEIsV0FBVyxFQUFFLEtBQUs7UUFDbEIsV0FBVyxFQUFFLEtBQUs7S0FDbkIsQ0FBQyxDQUFDO0FBQ0wsQ0FBQyxDQUFDLENBQUM7QUFFSCxJQUFJLENBQUMsSUFBSSxDQUFDO0lBQ1IsRUFBRSxpQkFBaUIsRUFBRSxHQUFHLEVBQUUsQ0FBQyxLQUFLLEVBQUU7SUFDbEMsTUFBTSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUM7SUFDbEIsSUFBSSxXQUFXLEVBQUUsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDO0NBQ2hDLENBQUMsQ0FBQyxXQUFXLEVBQUUsS0FBSyxFQUFFLFFBQVEsRUFBRSxFQUFFO0lBQ2pDLE1BQU0sQ0FBQyxNQUFNLElBQUEseUJBQW1CLEVBQUM7UUFDL0IsR0FBRyxFQUFFLFFBQVE7S0FDZCxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxHQUFHLEVBQUUsS0FBSyxFQUFFLENBQUMsQ0FBQztBQUM5QixDQUFDLENBQUMsQ0FBQztBQUVILFNBQVMsbUJBQW1CLENBQUMsT0FBZTtJQUMxQyxNQUFNLE9BQU8sR0FBRyxJQUFJLGFBQU8sQ0FBQyxPQUFPLEVBQUUsS0FBSyxDQUFDLENBQUM7SUFDNUMsT0FBTyxDQUFDLGlCQUFpQixFQUFFLENBQUM7SUFDNUIsT0FBTyxPQUFPLENBQUMsU0FBUyxDQUFDO0FBQzNCLENBQUM7QUFFRCxTQUFTLFdBQVcsQ0FBQyxPQUFlLEVBQUUsVUFBNkMsRUFBRTtJQUNuRixNQUFNLE9BQU8sR0FBRyxJQUFJLGFBQU8sQ0FBQyxPQUFPLEVBQUUsS0FBSyxDQUFDLENBQUM7SUFDNUMsT0FBTyxDQUFDLGlCQUFpQixFQUFFLENBQUM7SUFDNUIsT0FBTyxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQ2xDLE9BQU8sT0FBTyxDQUFDLE1BQU0sQ0FBQztBQUN4QixDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgQXBpQ2FsbCwgSW52b2tlT3B0aW9ucywgY29lcmNlU2RrdjNSZXNwb25zZSwgZmxhdHRlbiB9IGZyb20gJy4uL2xpYic7XG5cbnRlc3QoJ2NhbiBtYXAgc2VydmljZSBuYW1lIHRvIFNESyB2MyBjbGllbnQgbmFtZScsICgpID0+IHtcbiAgZXhwZWN0KG5ldyBBcGlDYWxsKCdTMycsICdCbGEnKS52M1BhY2thZ2VOYW1lKS50b0JlKCdAYXdzLXNkay9jbGllbnQtczMnKTtcbn0pO1xuXG50ZXN0LmVhY2goW1xuICAnYXBpLWdhdGV3YXknLFxuICAnQGF3cy1zZGsvY2xpZW50LWFwaS1nYXRld2F5JyxcbiAgJ0FQSUdhdGV3YXknLFxuICAnYXBpZ2F0ZXdheScsXG5dKSgnc2VydmljZSAlcCBpcyByZWNvZ25pemVkJywgKHNlcnZpY2UpID0+IHtcbiAgZXhwZWN0KG5ldyBBcGlDYWxsKHNlcnZpY2UsICdCbGEnKS52M1BhY2thZ2VOYW1lKS50b0VxdWFsKCdAYXdzLXNkay9jbGllbnQtYXBpLWdhdGV3YXknKTtcbn0pO1xuXG50ZXN0LmVhY2goW1xuICAnR2V0UmVzdEFwaScsXG4gICdnZXRSZXN0QXBpJyxcbiAgJ0dldFJlc3RBcGlDb21tYW5kJyxcbl0pKCdhY3Rpb24gJXAgaXMgcmVjb2duaXplZCcsIChhY3Rpb24pID0+IHtcbiAgZXhwZWN0KG5ldyBBcGlDYWxsKCdhcGktZ2F0ZXdheScsIGFjdGlvbikuYWN0aW9uKS50b0VxdWFsKCdHZXRSZXN0QXBpJyk7XG59KTtcblxudGVzdC5lYWNoKFtcbiAgJ0V4ZWN1dGVDb21tYW5kJyxcbiAgJ2V4ZWN1dGVDb21tYW5kJyxcbiAgJ0V4ZWN1dGVDb21tYW5kQ29tbWFuZCcsXG5dKSgnRUNTIGFjdGlvbiAlcCBpcyByZWNvZ25pemVkJywgKGFjdGlvbikgPT4ge1xuICBleHBlY3QobmV3IEFwaUNhbGwoJ2VjcycsIGFjdGlvbikuYWN0aW9uKS50b0VxdWFsKCdFeGVjdXRlQ29tbWFuZCcpO1xufSk7XG5cbmRlc2NyaWJlKCdoZWxwZXJzIGZvciBTREt2MycsICgpID0+IHtcbiAgdGVzdCgnY2FuIGxvYWQgYSBTREsgcGFja2FnZSBieSBzZXJ2aWNlIG5hbWUnLCAoKSA9PiB7XG4gICAgY29uc3Qgc2RrID0gbmV3IEFwaUNhbGwoJ1MzJywgJ0JsYScpO1xuICAgIGV4cGVjdChzZGsudjNQYWNrYWdlTmFtZSkudG9CZSgnQGF3cy1zZGsvY2xpZW50LXMzJyk7XG4gICAgc2RrLmluaXRpYWxpemVQYWNrYWdlKCk7XG4gIH0pO1xuXG4gIHRlc3QoJ2NhbiBsb2FkIGEgU0RLIHBhY2thZ2UgYnkgcGFja2FnZSBuYW1lJywgKCkgPT4ge1xuICAgIGNvbnN0IHNkayA9IG5ldyBBcGlDYWxsKCdAYXdzLXNkay9jbGllbnQtczMnLCAnQmxhJyk7XG4gICAgZXhwZWN0KHNkay52M1BhY2thZ2VOYW1lKS50b0JlKCdAYXdzLXNkay9jbGllbnQtczMnKTtcbiAgICBzZGsuaW5pdGlhbGl6ZVBhY2thZ2UoKTtcbiAgfSk7XG5cbiAgdGVzdCgnd2lsbCB0aHJvdyB3aGVuIGF0dGVtcHRpbmcgdG8gbG9hZCB1bmtub3duIFNESyBwYWNrYWdlJywgKCkgPT4ge1xuICAgIGV4cGVjdCgoKSA9PiB7XG4gICAgICBsb2FkVjNDbGllbnRQYWNrYWdlKCdAYXdzLXNkay9jbGllbnQtZm9vYmFyJyk7XG4gICAgfSkudG9UaHJvdyhcIlNlcnZpY2UgZm9vYmFyIGNsaWVudCBwYWNrYWdlIHdpdGggbmFtZSAnQGF3cy1zZGsvY2xpZW50LWZvb2JhcicgZG9lcyBub3QgZXhpc3QuXCIpO1xuICB9KTtcblxuICB0ZXN0KCd3aWxsIHRocm93IHdoZW4gYXR0ZW1wdGluZyB0byBsb2FkIHVua25vd24gU0RLIHBhY2thZ2UgdXNpbmcgVjIgc3R5bGUgbmFtZScsICgpID0+IHtcbiAgICBleHBlY3QoKCkgPT4ge1xuICAgICAgbG9hZFYzQ2xpZW50UGFja2FnZSgnRm9vQmFyJyk7XG4gICAgfSkudG9UaHJvdyhcIlNlcnZpY2UgZm9vYmFyIGNsaWVudCBwYWNrYWdlIHdpdGggbmFtZSAnQGF3cy1zZGsvY2xpZW50LWZvb2JhcicgZG9lcyBub3QgZXhpc3QuXCIpO1xuICB9KTtcblxuICBkZXNjcmliZSgnd2l0aCBhIFNESyBwYWNrYWdlIGxvYWRlZCcsICgpID0+IHtcbiAgICB0ZXN0KCdjYW4gZ2V0IGNsaWVudCcsICgpID0+IHtcbiAgICAgIGNvbnN0IGNsaWVudCA9IGdldFYzQ2xpZW50KCdzMycpO1xuICAgICAgZXhwZWN0KGNsaWVudC5jb25maWcuc2VydmljZUlkKS50b0JlKCdTMycpO1xuICAgIH0pO1xuXG4gICAgdGVzdCgnY2FuIGdldCBjbGllbnQgd2l0aCBjb25maWcnLCBhc3luYyAoKSA9PiB7XG4gICAgICBjb25zdCBjbGllbnQgPSBnZXRWM0NsaWVudCgnczMnLCB7IHJlZ2lvbjogJ2V1LXdlc3QtMScgfSk7XG4gICAgICBjb25zdCByZWdpb24gPSBhd2FpdCBjbGllbnQuY29uZmlnLnJlZ2lvbigpO1xuICAgICAgZXhwZWN0KHJlZ2lvbikudG9CZSgnZXUtd2VzdC0xJyk7XG4gICAgfSk7XG5cbiAgICB0ZXN0KCdjYW4gZ2V0IGNvbW1hbmQnLCAoKSA9PiB7XG4gICAgICBjb25zdCBhcGlDYWxsID0gbmV3IEFwaUNhbGwoJ3MzJywgJ0xpc3RCdWNrZXRzJyk7XG4gICAgICBjb25zdCBjb21tYW5kID0gYXBpQ2FsbC5maW5kQ29tbWFuZENsYXNzKCk7XG4gICAgICBleHBlY3QoY29tbWFuZCkudG9CZURlZmluZWQoKTtcbiAgICB9KTtcbiAgICB0ZXN0KCd3aWxsIHRocm93IHdoZW4gYXR0ZW1wdGluZyB0byBnZXQgdW5rbm93biBjb21tYW5kJywgKCkgPT4ge1xuICAgICAgZXhwZWN0KCgpID0+IHtcbiAgICAgICAgbmV3IEFwaUNhbGwoJ3MzJywgJ0Zvb0JhcicpLmZpbmRDb21tYW5kQ2xhc3MoKTtcbiAgICAgIH0pLnRvVGhyb3coJ1VuYWJsZSB0byBmaW5kIGNvbW1hbmQgbmFtZWQ6IEZvb0JhckNvbW1hbmQnKTtcbiAgICB9KTtcbiAgfSk7XG59KTtcblxudGVzdCgnZmxhdHRlbicsICgpID0+IHtcbiAgZXhwZWN0KGZsYXR0ZW4oe1xuICAgIGZvbzogJ2ZvbycsXG4gICAgYmFyOiB7XG4gICAgICBmb286ICdmb28nLFxuICAgICAgYmFyOiAnYmFyJyxcbiAgICB9LFxuICAgIGJhejogW1xuICAgICAgeyBmb286ICdmb28nIH0sXG4gICAgICB7IGJhcjogJ2JhcicgfSxcbiAgICBdLFxuICB9KSkudG9FcXVhbCh7XG4gICAgJ2Zvbyc6ICdmb28nLFxuICAgICdiYXIuZm9vJzogJ2ZvbycsXG4gICAgJ2Jhci5iYXInOiAnYmFyJyxcbiAgICAnYmF6LjAuZm9vJzogJ2ZvbycsXG4gICAgJ2Jhei4xLmJhcic6ICdiYXInLFxuICB9KTtcbn0pO1xuXG50ZXN0LmVhY2goW1xuICB7IHRyYW5zZm9ybVRvU3RyaW5nOiAoKSA9PiAnZm9vJyB9LFxuICBCdWZmZXIuZnJvbSgnZm9vJyksXG4gIG5ldyBUZXh0RW5jb2RlcigpLmVuY29kZSgnZm9vJyksXG5dKSgnY29lcmNlICVwJywgYXN5bmMgKGZvb1ZhbHVlKSA9PiB7XG4gIGV4cGVjdChhd2FpdCBjb2VyY2VTZGt2M1Jlc3BvbnNlKHtcbiAgICBmb286IGZvb1ZhbHVlLFxuICB9KSkudG9FcXVhbCh7IGZvbzogJ2ZvbycgfSk7XG59KTtcblxuZnVuY3Rpb24gbG9hZFYzQ2xpZW50UGFja2FnZShzZXJ2aWNlOiBzdHJpbmcpIHtcbiAgY29uc3QgYXBpQ2FsbCA9IG5ldyBBcGlDYWxsKHNlcnZpY2UsICdCbGEnKTtcbiAgYXBpQ2FsbC5pbml0aWFsaXplUGFja2FnZSgpO1xuICByZXR1cm4gYXBpQ2FsbC52M1BhY2thZ2U7XG59XG5cbmZ1bmN0aW9uIGdldFYzQ2xpZW50KHNlcnZpY2U6IHN0cmluZywgb3B0aW9uczogT21pdDxJbnZva2VPcHRpb25zLCAncGFyYW1ldGVycyc+ID0ge30pIHtcbiAgY29uc3QgYXBpQ2FsbCA9IG5ldyBBcGlDYWxsKHNlcnZpY2UsICdCbGEnKTtcbiAgYXBpQ2FsbC5pbml0aWFsaXplUGFja2FnZSgpO1xuICBhcGlDYWxsLmluaXRpYWxpemVDbGllbnQob3B0aW9ucyk7XG4gIHJldHVybiBhcGlDYWxsLmNsaWVudDtcbn1cbiJdfQ== \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.d.ts new file mode 100644 index 0000000000000..cb0ff5c3b541f --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.d.ts @@ -0,0 +1 @@ +export {}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.js new file mode 100644 index 0000000000000..cb17c38ed59bb --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.js @@ -0,0 +1,622 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +const coerce_api_parameters_1 = require("../lib/coerce-api-parameters"); +const encode = (v) => new TextEncoder().encode(v); +describe('Uint8Array', () => { + describe('should coerce', () => { + test('a nested value', () => { + // GIVEN + const obj = { a: { b: { c: 'dummy-value' } } }; + // WHEN + new coerce_api_parameters_1.Coercer([ + { a: 1 }, + { b: 2 }, + { c: 'b' }, + ]).testCoerce(obj); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: encode('dummy-value') } } }); + }); + test('values nested in an array', () => { + // GIVEN + const obj = { + a: { + b: [ + { z: '1' }, + { z: '2' }, + { z: '3' }, + ], + }, + }; + // WHEN + new coerce_api_parameters_1.Coercer([ + { a: 1 }, + { b: 2 }, + { '*': 3 }, + { z: 'b' }, + ]).testCoerce(obj); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + { z: encode('1') }, + { z: encode('2') }, + { z: encode('3') }, + ], + }, + }); + }); + test('array elements', () => { + // GIVEN + const obj = { + a: { + b: ['1', '2', '3'], + }, + }; + // THEN + new coerce_api_parameters_1.Coercer([ + { a: 1 }, + { b: 2 }, + { '*': 'b' }, + ]).testCoerce(obj); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + encode('1'), + encode('2'), + encode('3'), + ], + }, + }); + }); + test('values nested in multiple arrays', () => { + // GIVEN + const obj = { + a: { + b: [ + { + z: [ + { y: '1' }, + { y: '2' }, + ], + }, + { + z: [ + { y: 'A' }, + { y: 'B' }, + ], + }, + ], + }, + }; + // THEN + coerce(obj, ['a', 'b', '*', 'z', '*', 'y'], 'Uint8Array'); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + { z: [{ y: encode('1') }, { y: encode('2') }] }, + { z: [{ y: encode('A') }, { y: encode('B') }] }, + ], + }, + }); + }); + test('empty string', () => { + // GIVEN + const obj = { a: { b: { c: '' } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'Uint8Array'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: encode('') } } }); + }); + test('a number', () => { + // GIVEN + const obj = { a: { b: { c: 0 } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'Uint8Array'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: encode('0') } } }); + }); + }); + describe('should NOT coerce', () => { + test('undefined', () => { + // GIVEN + const obj = { a: { b: { c: undefined } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'Uint8Array'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: undefined } } }); + }); + test('null', () => { + // GIVEN + const obj = { a: { b: { c: null } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'Uint8Array'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: null } } }); + }); + test('an path that does not exist in input', () => { + // GIVEN + const obj = { a: { b: { c: 'dummy-value' } } }; + // THEN + coerce(obj, ['a', 'b', 'foobar'], 'Uint8Array'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: 'dummy-value' } } }); + }); + test('a path that is not a leaf', () => { + // GIVEN + const obj = { a: { b: { c: 'dummy-value' } } }; + // THEN + coerce(obj, ['a', 'b'], 'Uint8Array'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: 'dummy-value' } } }); + }); + test('do not change anything for empty path', () => { + // GIVEN + const obj = { a: { b: { c: 'dummy-value' } } }; + // THEN + coerce(obj, [], 'Uint8Array'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: 'dummy-value' } } }); + }); + }); + describe('given an api call description', () => { + test('can convert string parameters to Uint8Array when needed', () => { + const params = (0, coerce_api_parameters_1.coerceApiParameters)('KMS', 'encrypt', { + KeyId: 'key-id', + Plaintext: 'dummy-data', + }); + expect(params).toMatchObject({ + KeyId: 'key-id', + Plaintext: new Uint8Array([ + 100, 117, 109, 109, + 121, 45, 100, 97, + 116, 97, + ]), + }); + }); + test('can convert string parameters to Uint8Array in arrays', () => { + const params = (0, coerce_api_parameters_1.coerceApiParameters)('Kinesis', 'putRecords', { + Records: [ + { + Data: 'aaa', + PartitionKey: 'key', + }, + { + Data: 'bbb', + PartitionKey: 'key', + }, + ], + }); + expect(params).toMatchObject({ + Records: [ + { + Data: new Uint8Array([97, 97, 97]), + PartitionKey: 'key', + }, + { + Data: new Uint8Array([98, 98, 98]), + PartitionKey: 'key', + }, + ], + }); + }); + test('can convert string parameters to Uint8Array in map & union', () => { + const params = (0, coerce_api_parameters_1.coerceApiParameters)('dynamodb', 'putItem', { + Item: { + Binary: { + B: 'abc', + }, + }, + }); + expect(params).toMatchObject({ + Item: { + Binary: { + B: new Uint8Array([97, 98, 99]), + }, + }, + }); + }); + test('can coerce parameters in recursive types', () => { + const params = (0, coerce_api_parameters_1.coerceApiParameters)('connect', 'CreateEvaluationForm', { + Items: [ + { + Section: { + Items: [ + { + Question: { + Weight: '9000', + }, + }, + ], + }, + }, + ], + }); + expect(params).toMatchObject({ + Items: [ + { + Section: { + Items: [ + { + Question: { + Weight: 9000, // <-- converted + }, + }, + ], + }, + }, + ], + }); + }); + }); +}); +describe('number', () => { + describe('should coerce', () => { + test('a nested value', () => { + // GIVEN + const obj = { a: { b: { c: '-123.45' } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'number'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: -123.45 } } }); + }); + test('values nested in an array', () => { + // GIVEN + const obj = { + a: { + b: [ + { z: '1' }, + { z: '2' }, + { z: '3' }, + ], + }, + }; + // THEN + coerce(obj, ['a', 'b', '*', 'z'], 'number'); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + { z: 1 }, + { z: 2 }, + { z: 3 }, + ], + }, + }); + }); + test('array elements', () => { + // GIVEN + const obj = { + a: { + b: ['1', '2', '3'], + }, + }; + // THEN + coerce(obj, ['a', 'b', '*'], 'number'); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + 1, + 2, + 3, + ], + }, + }); + }); + test('values nested in multiple arrays', () => { + // GIVEN + const obj = { + a: { + b: [ + { + z: [ + { y: '1' }, + { y: '2' }, + ], + }, + { + z: [ + { y: '3' }, + { y: '4' }, + ], + }, + ], + }, + }; + // THEN + coerce(obj, ['a', 'b', '*', 'z', '*', 'y'], 'number'); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + { z: [{ y: 1 }, { y: 2 }] }, + { z: [{ y: 3 }, { y: 4 }] }, + ], + }, + }); + }); + }); + describe('should NOT coerce', () => { + test('empty string', () => { + // GIVEN + const obj = { a: { b: { c: '' } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'number'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: encode('') } } }); + }); + test('a number', () => { + // GIVEN + const obj = { a: { b: { c: 0 } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'number'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: 0 } } }); + }); + test('undefined', () => { + // GIVEN + const obj = { a: { b: { c: undefined } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'number'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: undefined } } }); + }); + test('null', () => { + // GIVEN + const obj = { a: { b: { c: null } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'number'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: null } } }); + }); + test('an path that does not exist in input', () => { + // GIVEN + const obj = { a: { b: { c: 'dummy-value' } } }; + // THEN + coerce(obj, ['a', 'b', 'foobar'], 'number'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: 'dummy-value' } } }); + }); + test('a path that is not a leaf', () => { + // GIVEN + const obj = { a: { b: { c: '123' } } }; + // THEN + coerce(obj, ['a', 'b'], 'number'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: '123' } } }); + }); + test('do not change anything for empty path', () => { + // GIVEN + const obj = { a: { b: { c: '123' } } }; + // THEN + coerce(obj, [], 'number'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: '123' } } }); + }); + }); + describe('given an api call description', () => { + test('can convert string parameters to number when needed', () => { + const params = (0, coerce_api_parameters_1.coerceApiParameters)('Amplify', 'listApps', { + maxResults: '15', + }); + expect(params).toMatchObject({ + maxResults: 15, + }); + }); + test('can convert string parameters to number in arrays', () => { + const params = (0, coerce_api_parameters_1.coerceApiParameters)('ECS', 'createService', { + loadBalancers: [{ + containerPort: '8080', + }, { + containerPort: '9000', + }], + }); + expect(params).toMatchObject({ + loadBalancers: [{ + containerPort: 8080, + }, { + containerPort: 9000, + }], + }); + }); + test('can convert string parameters to number in map & union', () => { + const params = (0, coerce_api_parameters_1.coerceApiParameters)('apigatewayv2', 'createApi', { + CorsConfiguration: { + MaxAge: '300', + }, + }); + expect(params).toMatchObject({ + CorsConfiguration: { + MaxAge: 300, + }, + }); + }); + }); +}); +describe('date', () => { + describe('should coerce', () => { + test('a nested value', () => { + // GIVEN + const obj = { a: { b: { c: new Date('2023-01-01').toJSON() } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: new Date('2023-01-01') } } }); + }); + test('values nested in an array', () => { + // GIVEN + const obj = { + a: { + b: [ + { z: new Date('2023-01-01').toJSON() }, + { z: new Date('2023-01-02').toJSON() }, + { z: new Date('2023-01-03').toJSON() }, + ], + }, + }; + // THEN + coerce(obj, ['a', 'b', '*', 'z'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + { z: new Date('2023-01-01') }, + { z: new Date('2023-01-02') }, + { z: new Date('2023-01-03') }, + ], + }, + }); + }); + test('array elements', () => { + // GIVEN + const obj = { + a: { + b: [ + new Date('2023-01-01').toJSON(), + new Date('2023-01-02').toJSON(), + new Date('2023-01-03').toJSON(), + ], + }, + }; + // THEN + coerce(obj, ['a', 'b', '*'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + new Date('2023-01-01'), + new Date('2023-01-02'), + new Date('2023-01-03'), + ], + }, + }); + }); + test('values nested in multiple arrays', () => { + // GIVEN + const obj = { + a: { + b: [ + { + z: [ + { y: new Date('2023-01-01').toJSON() }, + { y: new Date('2023-01-02').toJSON() }, + ], + }, + { + z: [ + { y: new Date('2023-01-03').toJSON() }, + { y: new Date('2023-01-04').toJSON() }, + ], + }, + ], + }, + }; + // THEN + coerce(obj, ['a', 'b', '*', 'z', '*', 'y'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ + a: { + b: [ + { z: [{ y: new Date('2023-01-01') }, { y: new Date('2023-01-02') }] }, + { z: [{ y: new Date('2023-01-03') }, { y: new Date('2023-01-04') }] }, + ], + }, + }); + }); + }); + describe('should NOT coerce', () => { + test('empty string', () => { + // GIVEN + const obj = { a: { b: { c: '' } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: '' } } }); + }); + test('undefined', () => { + // GIVEN + const obj = { a: { b: { c: undefined } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: undefined } } }); + }); + test('null', () => { + // GIVEN + const obj = { a: { b: { c: null } } }; + // THEN + coerce(obj, ['a', 'b', 'c'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: null } } }); + }); + test('an path that does not exist in input', () => { + // GIVEN + const obj = { a: { b: { c: new Date('2023-01-01').toJSON() } } }; + // THEN + coerce(obj, ['a', 'b', 'foobar'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: new Date('2023-01-01').toJSON() } } }); + }); + test('a path that is not a leaf', () => { + // GIVEN + const obj = { a: { b: { c: new Date('2023-01-01').toJSON() } } }; + // THEN + coerce(obj, ['a', 'b'], 'Date'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: new Date('2023-01-01').toJSON() } } }); + }); + test('do not change anything for empty path', () => { + // GIVEN + const obj = { a: { b: { c: new Date('2023-01-01').toJSON() } } }; + // THEN + coerce(obj, [], 'Date'); + // EXPECT + expect(obj).toMatchObject({ a: { b: { c: new Date('2023-01-01').toJSON() } } }); + }); + }); + describe('given an api call description', () => { + test('can convert string parameters to Date when needed', () => { + const params = (0, coerce_api_parameters_1.coerceApiParameters)('CloudWatch', 'getMetricData', { + MetricDataQueries: [], + StartTime: new Date('2023-01-01').toJSON(), + EndTime: new Date('2023-01-02').toJSON(), + }); + expect(params).toMatchObject({ + MetricDataQueries: [], + StartTime: new Date('2023-01-01'), + EndTime: new Date('2023-01-02'), + }); + }); + }); +}); +/** + * A function to convert code testing the old API into code testing the new API + * + * Having this function saves manually updating 25 call sites. + */ +function coerce(value, path, type) { + const sm = [{}]; + let current = sm[0]; + for (const p of path.slice(0, -1)) { + current[p] = sm.length; + sm.push({}); + current = sm[sm.length - 1]; + } + switch (type) { + case 'Uint8Array': + current[path[path.length - 1]] = 'b'; + break; + case 'number': + current[path[path.length - 1]] = 'n'; + break; + case 'Date': + current[path[path.length - 1]] = 'd'; + break; + default: + throw new Error(`Unexpected type: ${type}`); + } + return new coerce_api_parameters_1.Coercer(sm).testCoerce(value); +} +//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.d.ts new file mode 100644 index 0000000000000..cb0ff5c3b541f --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.d.ts @@ -0,0 +1 @@ +export {}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.js new file mode 100644 index 0000000000000..5cb4186e515f2 --- /dev/null +++ b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.js @@ -0,0 +1,20 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +const api_call_1 = require("../lib/api-call"); +test('flatten correctly flattens a nested object', () => { + expect((0, api_call_1.flatten)({ + a: { b: 'c' }, + d: [ + { e: 'f' }, + { g: 'h', i: 1, j: null, k: { l: false } }, + ], + })).toEqual({ + 'a.b': 'c', + 'd.0.e': 'f', + 'd.1.g': 'h', + 'd.1.i': 1, + 'd.1.j': null, + 'd.1.k.l': false, + }); +}); +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZmxhdHRlbi50ZXN0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiZmxhdHRlbi50ZXN0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEsOENBQTBDO0FBRTFDLElBQUksQ0FBQyw0Q0FBNEMsRUFBRSxHQUFHLEVBQUU7SUFDdEQsTUFBTSxDQUFDLElBQUEsa0JBQU8sRUFBQztRQUNiLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxHQUFHLEVBQUU7UUFDYixDQUFDLEVBQUU7WUFDRCxFQUFFLENBQUMsRUFBRSxHQUFHLEVBQUU7WUFDVixFQUFFLENBQUMsRUFBRSxHQUFHLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDLEVBQUUsSUFBSSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxLQUFLLEVBQUUsRUFBRTtTQUMzQztLQUNGLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQztRQUNWLEtBQUssRUFBRSxHQUFHO1FBQ1YsT0FBTyxFQUFFLEdBQUc7UUFDWixPQUFPLEVBQUUsR0FBRztRQUNaLE9BQU8sRUFBRSxDQUFDO1FBQ1YsT0FBTyxFQUFFLElBQUk7UUFDYixTQUFTLEVBQUUsS0FBSztLQUNqQixDQUFDLENBQUM7QUFDTCxDQUFDLENBQUMsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IGZsYXR0ZW4gfSBmcm9tICcuLi9saWIvYXBpLWNhbGwnO1xuXG50ZXN0KCdmbGF0dGVuIGNvcnJlY3RseSBmbGF0dGVucyBhIG5lc3RlZCBvYmplY3QnLCAoKSA9PiB7XG4gIGV4cGVjdChmbGF0dGVuKHtcbiAgICBhOiB7IGI6ICdjJyB9LFxuICAgIGQ6IFtcbiAgICAgIHsgZTogJ2YnIH0sXG4gICAgICB7IGc6ICdoJywgaTogMSwgajogbnVsbCwgazogeyBsOiBmYWxzZSB9IH0sXG4gICAgXSxcbiAgfSkpLnRvRXF1YWwoe1xuICAgICdhLmInOiAnYycsXG4gICAgJ2QuMC5lJzogJ2YnLFxuICAgICdkLjEuZyc6ICdoJyxcbiAgICAnZC4xLmknOiAxLFxuICAgICdkLjEuaic6IG51bGwsXG4gICAgJ2QuMS5rLmwnOiBmYWxzZSxcbiAgfSk7XG59KTsiXX0= \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-dynamodb/README.md b/packages/aws-cdk-lib/aws-dynamodb/README.md index d7a8eb1fcf16a..46d8e7df6f09e 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/README.md +++ b/packages/aws-cdk-lib/aws-dynamodb/README.md @@ -644,6 +644,35 @@ If you intend to use the `tableStreamArn` (including indirectly, for example by To grant permissions to indexes for a referenced table you can either set `grantIndexPermissions` to `true`, or you can provide the indexes via the `globalIndexes` or `localIndexes` properties. This will enable `grant*` methods to also grant permissions to *all* table indexes. +## Resource Policy + +Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) to a table in the form of a `PolicyDocument`: + +``` + // resource policy document + const policy = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], + }); + + // table with resource policy + new dynamodb.TableV2(this, 'TableTestV2-1', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + resourcePolicy: policy, + }); +``` + +TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update. + ## Grants Using any of the `grant*` methods on an instance of the `TableV2` construct will only apply to the primary table, its indexes, and any associated `encryptionKey`. As an example, `grantReadData` used below will only apply the table in `us-west-2`: diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts index e35ab431741f5..89276fae405f4 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts @@ -76,11 +76,11 @@ export abstract class TableBaseV2 extends Resource implements ITableV2, IResourc public grant(grantee: IGrantable, ...actions: string[]): Grant { const resourceArns = [this.tableArn]; this.hasIndex && resourceArns.push(`${this.tableArn}/index/*`); - return Grant.addToPrincipal({ + return Grant.addToPrincipalOrResource({ grantee, actions, resourceArns, - scope: this, + resource: this, }); } From 4fbda8317448d8d55d8cd526e2518ce66ca1c79a Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Mon, 13 May 2024 18:12:30 +0100 Subject: [PATCH 09/18] Add docstring to resourcePolicy attribute --- packages/aws-cdk-lib/aws-dynamodb/lib/table.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index ce692da01ad3e..89c4565324798 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -1046,6 +1046,9 @@ export class Table extends TableBase { public readonly encryptionKey?: kms.IKey; + /** + * @attribute + */ public resourcePolicy?: iam.PolicyDocument | undefined; /** From 26f76eb0bc675cbeffbd5bdb6b0fa612a95db213 Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Thu, 16 May 2024 17:47:47 +0100 Subject: [PATCH 10/18] Adding docstring to resourcePolicy --- packages/aws-cdk-lib/aws-dynamodb/lib/table.ts | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index 89c4565324798..0178a92d44eb2 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -508,7 +508,9 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc public abstract readonly encryptionKey?: kms.IKey; /** - * @attribute + * Resource policy to assign to table. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy + * @default - No resource policy statement */ public abstract resourcePolicy?: iam.PolicyDocument; @@ -1047,6 +1049,10 @@ export class Table extends TableBase { public readonly encryptionKey?: kms.IKey; /** + * /** + * Resource policy to assign to table. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy + * @default - No resource policy statement * @attribute */ public resourcePolicy?: iam.PolicyDocument | undefined; From 1ee53fe493ea33fd73d1f210e0164ad4ada12ecb Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Thu, 16 May 2024 18:56:18 +0100 Subject: [PATCH 11/18] Including snapshots for integ tests --- .../ResourcePolicyTest-v2.assets.json | 4 +-- .../ResourcePolicyTest-v2.template.json | 28 ++++++++++++++++++- .../manifest.json | 2 +- .../tree.json | 28 ++++++++++++++++++- .../manifest.json | 7 +++-- .../resource-policy-stack.assets.json | 4 +-- .../resource-policy-stack.template.json | 4 +-- .../tree.json | 4 +-- 8 files changed, 68 insertions(+), 13 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json index 998c1d6104ff9..8193c8bf97527 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.assets.json @@ -1,7 +1,7 @@ { "version": "36.0.0", "files": { - "33530261a513e2b3828d626443f0275c4f33c8b82df7561f84639b039985db87": { + "192dc5b63bb0eb2c99bc1ea8a8fe1237a00e5067ac672d4e4f0986700f476849": { "source": { "path": "ResourcePolicyTest-v2.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-eu-west-1": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1", - "objectKey": "33530261a513e2b3828d626443f0275c4f33c8b82df7561f84639b039985db87.json", + "objectKey": "192dc5b63bb0eb2c99bc1ea8a8fe1237a00e5067ac672d4e4f0986700f476849.json", "region": "eu-west-1", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-eu-west-1" } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json index 0405f9d8838b3..5932811ef4cf1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/ResourcePolicyTest-v2.template.json @@ -18,7 +18,33 @@ ], "Replicas": [ { - "Region": "eu-west-1" + "Region": "eu-west-1", + "ResourcePolicy": { + "PolicyDocument": { + "Statement": [ + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } } ] }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json index 502ce6af9ccd8..3c95c2ac52ac0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-eu-west-1", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-eu-west-1", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1/33530261a513e2b3828d626443f0275c4f33c8b82df7561f84639b039985db87.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1/192dc5b63bb0eb2c99bc1ea8a8fe1237a00e5067ac672d4e4f0986700f476849.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json index dfeca2ee34db4..3a0a1c50405d4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.js.snapshot/tree.json @@ -33,7 +33,33 @@ ], "replicas": [ { - "region": "eu-west-1" + "region": "eu-west-1", + "resourcePolicy": { + "policyDocument": { + "Statement": [ + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } } ] } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json index 3bbf6c4373499..ffa0d288174ae 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/97f3cb49b4a5d87dae23c00326add5504a8b2269cb75c78ed04c196c9a605809.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e3fcb6ddf5b25ca1df397996de10e74311360d17c1f51a46151edee98629d5d1.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -43,7 +43,10 @@ "/resource-policy-stack/TableTest2/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TableTest21D137FC9" + "data": "TableTest21D137FC9", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" + ] } ], "/resource-policy-stack/BootstrapVersion": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json index 41618f6afaf69..7c0077eab1646 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.assets.json @@ -1,7 +1,7 @@ { "version": "36.0.0", "files": { - "97f3cb49b4a5d87dae23c00326add5504a8b2269cb75c78ed04c196c9a605809": { + "e3fcb6ddf5b25ca1df397996de10e74311360d17c1f51a46151edee98629d5d1": { "source": { "path": "resource-policy-stack.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "97f3cb49b4a5d87dae23c00326add5504a8b2269cb75c78ed04c196c9a605809.json", + "objectKey": "e3fcb6ddf5b25ca1df397996de10e74311360d17c1f51a46151edee98629d5d1.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json index 67c7fbcc3ad20..1d36ff78393a6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/resource-policy-stack.template.json @@ -58,13 +58,13 @@ "Properties": { "AttributeDefinitions": [ { - "AttributeName": "id", + "AttributeName": "PK", "AttributeType": "S" } ], "KeySchema": [ { - "AttributeName": "id", + "AttributeName": "PK", "KeyType": "HASH" } ], diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json index e1f736786033e..72ee67ca075e2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.js.snapshot/tree.json @@ -97,13 +97,13 @@ "aws:cdk:cloudformation:props": { "attributeDefinitions": [ { - "attributeName": "id", + "attributeName": "PK", "attributeType": "S" } ], "keySchema": [ { - "attributeName": "id", + "attributeName": "PK", "keyType": "HASH" } ], From 254828982eca6b3a6e6960b3506bd11aab165768 Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Fri, 17 May 2024 12:23:50 +0100 Subject: [PATCH 12/18] Increase test coverage --- .../aws-dynamodb/test/dynamodb.test.ts | 11 ++- .../aws-dynamodb/test/table-v2.test.ts | 79 +++++++++++++++++++ 2 files changed, 89 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts b/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts index 974eb4edac0d6..51ff5d58a01eb 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts @@ -3500,11 +3500,20 @@ test('Resource policy test', () => { // WHEN const table = new Table(stack, 'Table', { - partitionKey: { name: 'metric', type: AttributeType.STRING }, + partitionKey: { name: 'id', type: AttributeType.STRING }, resourcePolicy: doc, }); // THEN + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', { + KeySchema: [ + { AttributeName: 'id', KeyType: 'HASH' }, + ], + AttributeDefinitions: [ + { AttributeName: 'id', AttributeType: 'S' }, + ], + }); + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', { 'ResourcePolicy': { 'PolicyDocument': { diff --git a/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts b/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts index fc8db61eebbc4..1599dad837e16 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts @@ -1,4 +1,5 @@ import { Match, Template } from '../../assertions'; +import { ArnPrincipal, PolicyDocument, PolicyStatement } from '../../aws-iam'; import { Stream } from '../../aws-kinesis'; import { Key } from '../../aws-kms'; import { CfnDeletionPolicy, Lazy, RemovalPolicy, Stack } from '../../core'; @@ -2805,3 +2806,81 @@ describe('imports', () => { }).toThrow('Table ARN must be of the form: arn::dynamodb:::table/'); }); }); + +test('Resource policy test', () => { + // GIVEN + const stack = new Stack(undefined, 'Stack'); + + const doc = new PolicyDocument({ + statements: [ + new PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new ArnPrincipal('arn:aws:iam::111122223333:user/foobar')], + resources: ['*'], + }), + ], + }); + + // WHEN + const table = new TableV2(stack, 'Table', { + partitionKey: { name: 'metric', type: AttributeType.STRING }, + resourcePolicy: doc, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::GlobalTable', { + Replicas: [ + { + Region: { + Ref: 'AWS::Region', + }, + ResourcePolicy: { + PolicyDocument: { + Statement: [ + { + Action: 'dynamodb:GetItem', + Effect: 'Allow', + Principal: { + AWS: 'arn:aws:iam::111122223333:user/foobar', + }, + Resource: '*', + }, + ], + Version: '2012-10-17', + }, + }, + }, + ], + }); +}); + +test('throws if trying to add a resource policy to a region other than local region', () => { + // GIVEN + const stack = new Stack(undefined, 'Stack', { + env: { + region: 'eu-west-1', + }, + }); + const doc = new PolicyDocument({ + statements: [ + new PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new ArnPrincipal('arn:aws:iam::111122223333:user/foobar')], + resources: ['*'], + }), + ], + }); + + // WHEN / THEN + expect(() => { + new TableV2(stack, 'Table', { + partitionKey: { name: 'pk', type: AttributeType.STRING }, + sortKey: { name: 'sk', type: AttributeType.STRING }, + resourcePolicy: doc, + replicas: [{ + region: 'eu-west-1', + resourcePolicy: doc, + }], + }); + }).toThrow('You cannot add a replica table in the same region as the primary table - the primary table region is eu-west-1'); +}); \ No newline at end of file From 5f2a8ba01374311b1c7459be3c5c03b834b177be Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Sun, 19 May 2024 10:30:20 -0700 Subject: [PATCH 13/18] Revert changes to sdk package --- .../sdk-v2-to-v3-adapter/lib/api-call.d.ts | 68 -- .../sdk-v2-to-v3-adapter/lib/api-call.js | 136 ---- .../lib/coerce-api-parameters.d.ts | 24 - .../lib/coerce-api-parameters.js | 96 --- .../lib/find-client-constructor.d.ts | 4 - .../lib/find-client-constructor.js | 12 - .../sdk-v2-to-v3-adapter/lib/index.d.ts | 4 - .../sdk-v2-to-v3-adapter/lib/index.js | 26 - .../lib/parameter-types.d.ts | 2 - .../lib/parameter-types.js | 14 - .../sdk-v2-to-v3-adapter/lib/sdk-info.d.ts | 20 - .../sdk-v2-to-v3-adapter/lib/sdk-info.js | 49 -- .../test/api-call.test.d.ts | 1 - .../test/api-call.test.js | 111 ---- .../test/coerce-api-parameters.test.d.ts | 1 - .../test/coerce-api-parameters.test.js | 622 ------------------ .../test/flatten.test.d.ts | 1 - .../sdk-v2-to-v3-adapter/test/flatten.test.js | 20 - 18 files changed, 1211 deletions(-) delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.js delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.js delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.js delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.js delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.js delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.js delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.js delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.js delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.d.ts delete mode 100644 packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.js diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.d.ts deleted file mode 100644 index d4186f70ff1ab..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.d.ts +++ /dev/null @@ -1,68 +0,0 @@ -import type { AwsCredentialIdentityProvider } from '@smithy/types'; -export interface InvokeOptions { - /** - * The SDKv3 package for the service. - * - * @default - Load the package automatically - */ - readonly sdkPackage?: any; - /** - * Override API version - * - * @default - Use default API version - */ - readonly apiVersion?: string; - /** - * Override region - * - * @default - Current region - */ - readonly region?: string; - /** - * Override credentials - * - * @default - Default credentials - */ - readonly credentials?: AwsCredentialIdentityProvider; - /** - * Parameters to the API call - * - * @default {} - */ - readonly parameters?: Record; - /** - * Flatten the response object - * - * Instead of a nested object structure, return a map of `{ string -> value }`, with the keys - * being the paths to each primitive value. - * - * @default false - */ - readonly flattenResponse?: boolean; -} -/** - * Wrapper to make an SDKv3 API call, with SDKv2 compatibility - */ -export declare class ApiCall { - readonly service: string; - readonly action: string; - readonly v3PackageName: string; - v3Package?: any; - client?: any; - constructor(service: string, action: string); - invoke(options: InvokeOptions): Promise>; - initializePackage(packageOverride?: any): any; - initializeClient(options: Pick): any; - findCommandClass(): new (input: any) => any; - private findConstructor; -} -/** - * Flattens a nested object - * - * @param object the object to be flattened - * @returns a flat object with path as keys - */ -export declare function flatten(root: unknown): { - [key: string]: any; -}; -export declare function coerceSdkv3Response(value: unknown): Promise; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.js deleted file mode 100644 index 32f051d963a07..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/api-call.js +++ /dev/null @@ -1,136 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.coerceSdkv3Response = exports.flatten = exports.ApiCall = void 0; -const coerce_api_parameters_1 = require("./coerce-api-parameters"); -const find_client_constructor_1 = require("./find-client-constructor"); -const sdk_info_1 = require("./sdk-info"); -/** - * Wrapper to make an SDKv3 API call, with SDKv2 compatibility - */ -class ApiCall { - constructor(service, action) { - this.service = (0, sdk_info_1.normalizeServiceName)(service); - this.action = (0, sdk_info_1.normalizeActionName)(this.service, action); - this.v3PackageName = `@aws-sdk/client-${this.service}`; - } - async invoke(options) { - this.initializePackage(options.sdkPackage); - this.initializeClient(options); - const Command = this.findCommandClass(); - // Command must pass input value https://github.com/aws/aws-sdk-js-v3/issues/424 - const response = await this.client.send(new Command((0, coerce_api_parameters_1.coerceApiParameters)(this.service, this.action, options.parameters ?? {}))); - delete response.$metadata; - const coerced = await coerceSdkv3Response(response); - return (options.flattenResponse ? flatten(coerced) : coerced); - } - initializePackage(packageOverride) { - if (this.v3Package) { - return; - } - if (packageOverride) { - this.v3Package = packageOverride; - return; - } - try { - /* eslint-disable-next-line @typescript-eslint/no-require-imports */ // esbuild-disable unsupported-require-call - this.v3Package = require(this.v3PackageName); - } - catch (e) { - throw Error(`Service ${this.service} client package with name '${this.v3PackageName}' does not exist.`); - } - } - initializeClient(options) { - if (!this.v3Package) { - this.initializePackage(); - } - const ServiceClient = this.findConstructor(this.v3Package); - this.client = new ServiceClient({ - apiVersion: options.apiVersion, - credentials: options.credentials, - region: options.region, - }); - return this.client; - } - findCommandClass() { - if (!this.v3Package) { - this.initializePackage(); - } - const commandName = `${this.action}Command`; - const Command = Object.entries(this.v3Package ?? {}).find(([name]) => name.toLowerCase() === commandName.toLowerCase())?.[1]; - if (!Command) { - throw new Error(`Unable to find command named: ${commandName} for action: ${this.action} in service package ${this.v3PackageName}`); - } - return Command; - } - findConstructor(pkg) { - try { - const ret = (0, find_client_constructor_1.findV3ClientConstructor)(pkg); - if (!ret) { - throw new Error('findV3ClientConstructor returned undefined'); - } - return ret; - } - catch (e) { - // eslint-disable-next-line no-console - console.error(e); - throw Error(`No client constructor found within package: ${this.v3PackageName}`); - } - } -} -exports.ApiCall = ApiCall; -/** - * Flattens a nested object - * - * @param object the object to be flattened - * @returns a flat object with path as keys - */ -function flatten(root) { - const ret = {}; - recurse(root); - return ret; - function recurse(x, path = []) { - if (x && typeof x === 'object') { - for (const [key, value] of Object.entries(x)) { - recurse(value, [...path, key]); - } - return; - } - ret[path.join('.')] = x; - } -} -exports.flatten = flatten; -/** - * Text decoder used for Uint8Array response parsing - */ -const decoder = new TextDecoder(); -async function coerceSdkv3Response(value) { - if (value && typeof (value) === 'object' && typeof (value.transformToString) === 'function') { - // in sdk v3 some return types are now adapters that we need to explicitly - // convert to strings. see example: https://github.com/aws/aws-sdk-js-v3/blob/main/UPGRADING.md?plain=1#L573-L576 - // note we don't use 'instanceof Unit8Array' because observations show this won't always return true, even though - // the `transformToString` function will be available. (for example S3::GetObject) - return value.transformToString(); - } - if (Buffer.isBuffer(value)) { - return value.toString('utf8'); - } - if (ArrayBuffer.isView(value)) { - return decoder.decode(value.buffer); - } - if (Array.isArray(value)) { - const ret = []; - for (const x of value) { - ret.push(await coerceSdkv3Response(x)); - } - return ret; - } - if (value && typeof value === 'object') { - for (const key of Object.keys(value)) { - value[key] = await coerceSdkv3Response(value[key]); - } - return value; - } - return value; -} -exports.coerceSdkv3Response = coerceSdkv3Response; -//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.d.ts deleted file mode 100644 index 4ed6e03dc8613..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.d.ts +++ /dev/null @@ -1,24 +0,0 @@ -import { TypeCoercionStateMachine } from './parameter-types'; -type ApiParameters = { - [param: string]: any; -}; -/** - * Given a minimal AWS SDKv3 call definition (service, action, parameters), - * coerces nested parameter values into a Uint8Array if that's what the SDKv3 expects. - */ -export declare function coerceApiParameters(v3service: string, action: string, parameters?: ApiParameters): ApiParameters; -/** - * Make this a class in order to have multiple entry points for testing that can all share convenience functions - */ -export declare class Coercer { - private readonly typeMachine; - constructor(typeMachine: TypeCoercionStateMachine); - coerceApiParameters(v3service: string, action: string, parameters?: ApiParameters): ApiParameters; - testCoerce(value: unknown): any; - private recurse; - /** - * From a given state, return the state we would end up in if we followed this field - */ - private progress; -} -export {}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.js deleted file mode 100644 index aed059bf684f2..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/coerce-api-parameters.js +++ /dev/null @@ -1,96 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.Coercer = exports.coerceApiParameters = void 0; -const parameter_types_1 = require("./parameter-types"); -/** - * Given a minimal AWS SDKv3 call definition (service, action, parameters), - * coerces nested parameter values into a Uint8Array if that's what the SDKv3 expects. - */ -function coerceApiParameters(v3service, action, parameters = {}) { - const typeMachine = (0, parameter_types_1.typeCoercionStateMachine)(); - return new Coercer(typeMachine).coerceApiParameters(v3service, action, parameters); -} -exports.coerceApiParameters = coerceApiParameters; -/** - * Make this a class in order to have multiple entry points for testing that can all share convenience functions - */ -class Coercer { - constructor(typeMachine) { - this.typeMachine = typeMachine; - } - coerceApiParameters(v3service, action, parameters = {}) { - // Get the initial state corresponding to the current service+action, then recurse through the parameters - const actionState = this.progress(action.toLowerCase(), this.progress(v3service.toLowerCase(), 0)); - return this.recurse(parameters, actionState); - } - testCoerce(value) { - return this.recurse(value, 0); - } - recurse(value, state) { - switch (state) { - case undefined: return value; - case 'b': return coerceValueToUint8Array(value); - case 'n': return coerceValueToNumber(value); - case 'd': return coerceValueToDate(value); - } - if (Array.isArray(value)) { - const elState = this.progress('*', state); - return elState !== undefined - ? value.map((e) => this.recurse(e, elState)) - : value; - } - if (value && typeof value === 'object') { - // Mutate the object in-place for efficiency - const mapState = this.progress('*', state); - for (const key of Object.keys(value)) { - const fieldState = this.progress(key, state) ?? mapState; - if (fieldState !== undefined) { - value[key] = this.recurse(value[key], fieldState); - } - } - return value; - } - return value; - } - /** - * From a given state, return the state we would end up in if we followed this field - */ - progress(field, s) { - if (s === undefined || typeof s !== 'number') { - return undefined; - } - return this.typeMachine[s][field]; - } -} -exports.Coercer = Coercer; -function coerceValueToUint8Array(x) { - if (x instanceof Uint8Array) { - return x; - } - if (typeof x === 'string' || typeof x === 'number') { - return new TextEncoder().encode(x.toString()); - } - return x; -} -function coerceValueToNumber(x) { - if (typeof x === 'number') { - return x; - } - if (typeof x === 'string') { - const n = Number(x); - return isNaN(n) ? x : n; - } - return x; -} -function coerceValueToDate(x) { - if (typeof x === 'string' || typeof x === 'number') { - const date = new Date(x); - // if x is not a valid date - if (isNaN(date.getTime())) { - return x; - } - return date; - } - return x; -} -//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.d.ts deleted file mode 100644 index 7cf6561a8245f..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.d.ts +++ /dev/null @@ -1,4 +0,0 @@ -export declare function findV3ClientConstructor(pkg: Object): new (config: any) => { - send: (command: any) => Promise; - config: any; -}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.js deleted file mode 100644 index 39adbabc81899..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/find-client-constructor.js +++ /dev/null @@ -1,12 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.findV3ClientConstructor = void 0; -function findV3ClientConstructor(pkg) { - const [_clientName, ServiceClient] = Object.entries(pkg).find(([name]) => { - // Services expose a base __Client class that we don't want ever - return name.endsWith('Client') && name !== '__Client'; - }); - return ServiceClient; -} -exports.findV3ClientConstructor = findV3ClientConstructor; -//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZmluZC1jbGllbnQtY29uc3RydWN0b3IuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJmaW5kLWNsaWVudC1jb25zdHJ1Y3Rvci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSxTQUFnQix1QkFBdUIsQ0FBQyxHQUFXO0lBQ2pELE1BQU0sQ0FBQyxXQUFXLEVBQUUsYUFBYSxDQUFDLEdBQUcsTUFBTSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFJLENBQzNELENBQUMsQ0FBQyxJQUFJLENBQUMsRUFBRSxFQUFFO1FBQ1QsZ0VBQWdFO1FBQ2hFLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsSUFBSSxJQUFJLEtBQUssVUFBVSxDQUFDO0lBQ3hELENBQUMsQ0FNRCxDQUFDO0lBQ0gsT0FBTyxhQUFhLENBQUM7QUFDdkIsQ0FBQztBQWJELDBEQWFDIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0IGZ1bmN0aW9uIGZpbmRWM0NsaWVudENvbnN0cnVjdG9yKHBrZzogT2JqZWN0KSB7XG4gIGNvbnN0IFtfY2xpZW50TmFtZSwgU2VydmljZUNsaWVudF0gPSBPYmplY3QuZW50cmllcyhwa2cpLmZpbmQoXG4gICAgKFtuYW1lXSkgPT4ge1xuICAgICAgLy8gU2VydmljZXMgZXhwb3NlIGEgYmFzZSBfX0NsaWVudCBjbGFzcyB0aGF0IHdlIGRvbid0IHdhbnQgZXZlclxuICAgICAgcmV0dXJuIG5hbWUuZW5kc1dpdGgoJ0NsaWVudCcpICYmIG5hbWUgIT09ICdfX0NsaWVudCc7XG4gICAgfSxcbiAgKSBhcyBbc3RyaW5nLCB7XG4gICAgbmV3IChjb25maWc6IGFueSk6IHtcbiAgICAgIHNlbmQ6IChjb21tYW5kOiBhbnkpID0+IFByb21pc2U8YW55PjtcbiAgICAgIGNvbmZpZzogYW55O1xuICAgIH07XG4gIH1dO1xuICByZXR1cm4gU2VydmljZUNsaWVudDtcbn1cbiJdfQ== \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.d.ts deleted file mode 100644 index cde4e15344628..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.d.ts +++ /dev/null @@ -1,4 +0,0 @@ -export { coerceApiParameters } from './coerce-api-parameters'; -export { findV3ClientConstructor } from './find-client-constructor'; -export { normalizeServiceName, normalizeActionName } from './sdk-info'; -export * from './api-call'; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.js deleted file mode 100644 index 7456cb0073dfe..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/index.js +++ /dev/null @@ -1,26 +0,0 @@ -"use strict"; -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __exportStar = (this && this.__exportStar) || function(m, exports) { - for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p); -}; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.normalizeActionName = exports.normalizeServiceName = exports.findV3ClientConstructor = exports.coerceApiParameters = void 0; -var coerce_api_parameters_1 = require("./coerce-api-parameters"); -Object.defineProperty(exports, "coerceApiParameters", { enumerable: true, get: function () { return coerce_api_parameters_1.coerceApiParameters; } }); -var find_client_constructor_1 = require("./find-client-constructor"); -Object.defineProperty(exports, "findV3ClientConstructor", { enumerable: true, get: function () { return find_client_constructor_1.findV3ClientConstructor; } }); -var sdk_info_1 = require("./sdk-info"); -Object.defineProperty(exports, "normalizeServiceName", { enumerable: true, get: function () { return sdk_info_1.normalizeServiceName; } }); -Object.defineProperty(exports, "normalizeActionName", { enumerable: true, get: function () { return sdk_info_1.normalizeActionName; } }); -__exportStar(require("./api-call"), exports); -//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJpbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGlFQUE4RDtBQUFyRCw0SEFBQSxtQkFBbUIsT0FBQTtBQUM1QixxRUFBb0U7QUFBM0Qsa0lBQUEsdUJBQXVCLE9BQUE7QUFDaEMsdUNBQXVFO0FBQTlELGdIQUFBLG9CQUFvQixPQUFBO0FBQUUsK0dBQUEsbUJBQW1CLE9BQUE7QUFDbEQsNkNBQTJCIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0IHsgY29lcmNlQXBpUGFyYW1ldGVycyB9IGZyb20gJy4vY29lcmNlLWFwaS1wYXJhbWV0ZXJzJztcbmV4cG9ydCB7IGZpbmRWM0NsaWVudENvbnN0cnVjdG9yIH0gZnJvbSAnLi9maW5kLWNsaWVudC1jb25zdHJ1Y3Rvcic7XG5leHBvcnQgeyBub3JtYWxpemVTZXJ2aWNlTmFtZSwgbm9ybWFsaXplQWN0aW9uTmFtZSB9IGZyb20gJy4vc2RrLWluZm8nO1xuZXhwb3J0ICogZnJvbSAnLi9hcGktY2FsbCc7XG4iXX0= \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.d.ts deleted file mode 100644 index d3225637a587e..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.d.ts +++ /dev/null @@ -1,2 +0,0 @@ -export type TypeCoercionStateMachine = Array>; -export declare let typeCoercionStateMachine: () => TypeCoercionStateMachine; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.js deleted file mode 100644 index 3d466051e8947..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/parameter-types.js +++ /dev/null @@ -1,14 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.typeCoercionStateMachine = void 0; -// This file was generated from the aws-sdk-js-v3 at Tue Jan 30 2024 09:54:50 GMT+0000 (Coordinated Universal Time) -/* eslint-disable quote-props,comma-dangle,quotes */ -const zlib = require("zlib"); -let typeCoercionStateMachine = () => { - const encoded = ""; - const decoded = JSON.parse(zlib.brotliDecompressSync(Buffer.from(encoded, 'base64')).toString()); - exports.typeCoercionStateMachine = () => decoded; - return decoded; -}; -exports.typeCoercionStateMachine = typeCoercionStateMachine; -//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.d.ts deleted file mode 100644 index 5a2ce086ede4e..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.d.ts +++ /dev/null @@ -1,20 +0,0 @@ -/** - * Normalize a service name from: - * - * - A full SDKv3 package name - * - A partial SDKv3 package name - * - An SDKv2 constructor name - * - * To a partial SDKv3 package name. - */ -export declare function normalizeServiceName(service: string): string; -/** - * Normalize an action name from: - * - * - camelCase SDKv2 method name - * - PascalCase API name - * - SDKv3 command class name - * - * To a PascalCase API name. - */ -export declare function normalizeActionName(v3Service: string, action: string): string; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.js deleted file mode 100644 index d104c83c6c3fd..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/lib/sdk-info.js +++ /dev/null @@ -1,49 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.normalizeActionName = exports.normalizeServiceName = void 0; -/** - * Normalize a service name from: - * - * - A full SDKv3 package name - * - A partial SDKv3 package name - * - An SDKv2 constructor name - * - * To a partial SDKv3 package name. - */ -function normalizeServiceName(service) { - service = service.toLowerCase(); // Lowercase - service = service.replace(/^@aws-sdk\/client-/, ''); // Strip the start of a V3 package name - service = v2ToV3Mapping()?.[service] ?? service; // Optionally map v2 name -> v3 name - return service; -} -exports.normalizeServiceName = normalizeServiceName; -/** - * Normalize an action name from: - * - * - camelCase SDKv2 method name - * - PascalCase API name - * - SDKv3 command class name - * - * To a PascalCase API name. - */ -function normalizeActionName(v3Service, action) { - if (action.charAt(0).toLowerCase() === action.charAt(0)) { - return action.charAt(0).toUpperCase() + action.slice(1); - } - // If the given word is in the APIs ending in 'Command' for this service, - // return as is. Otherwise, return with a potential 'Command' suffix stripped. - if (v3Metadata()[v3Service]?.commands?.includes(action)) { - return action; - } - return action.replace(/Command$/, ''); -} -exports.normalizeActionName = normalizeActionName; -function v2ToV3Mapping() { - // eslint-disable-next-line @typescript-eslint/no-require-imports - return require('./sdk-v2-to-v3.json'); -} -function v3Metadata() { - // eslint-disable-next-line @typescript-eslint/no-require-imports - return require('./sdk-v3-metadata.json'); -} -//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2RrLWluZm8uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJzZGstaW5mby50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQTs7Ozs7Ozs7R0FRRztBQUNILFNBQWdCLG9CQUFvQixDQUFDLE9BQWU7SUFDbEQsT0FBTyxHQUFHLE9BQU8sQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLFlBQVk7SUFDN0MsT0FBTyxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUMsb0JBQW9CLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyx1Q0FBdUM7SUFDNUYsT0FBTyxHQUFHLGFBQWEsRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksT0FBTyxDQUFDLENBQUMsb0NBQW9DO0lBQ3JGLE9BQU8sT0FBTyxDQUFDO0FBQ2pCLENBQUM7QUFMRCxvREFLQztBQUVEOzs7Ozs7OztHQVFHO0FBQ0gsU0FBZ0IsbUJBQW1CLENBQUMsU0FBaUIsRUFBRSxNQUFjO0lBQ25FLElBQUksTUFBTSxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQyxXQUFXLEVBQUUsS0FBSyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDeEQsT0FBTyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLFdBQVcsRUFBRSxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDMUQsQ0FBQztJQUVELHlFQUF5RTtJQUN6RSw4RUFBOEU7SUFDOUUsSUFBSSxVQUFVLEVBQUUsQ0FBQyxTQUFTLENBQUMsRUFBRSxRQUFRLEVBQUUsUUFBUSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDeEQsT0FBTyxNQUFNLENBQUM7SUFDaEIsQ0FBQztJQUVELE9BQU8sTUFBTSxDQUFDLE9BQU8sQ0FBQyxVQUFVLEVBQUUsRUFBRSxDQUFDLENBQUM7QUFDeEMsQ0FBQztBQVpELGtEQVlDO0FBRUQsU0FBUyxhQUFhO0lBQ3BCLGlFQUFpRTtJQUNqRSxPQUFPLE9BQU8sQ0FBQyxxQkFBcUIsQ0FBQyxDQUFDO0FBQ3hDLENBQUM7QUFFRCxTQUFTLFVBQVU7SUFDakIsaUVBQWlFO0lBQ2pFLE9BQU8sT0FBTyxDQUFDLHdCQUF3QixDQUFDLENBQUM7QUFDM0MsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogTm9ybWFsaXplIGEgc2VydmljZSBuYW1lIGZyb206XG4gKlxuICogLSBBIGZ1bGwgU0RLdjMgcGFja2FnZSBuYW1lXG4gKiAtIEEgcGFydGlhbCBTREt2MyBwYWNrYWdlIG5hbWVcbiAqIC0gQW4gU0RLdjIgY29uc3RydWN0b3IgbmFtZVxuICpcbiAqIFRvIGEgcGFydGlhbCBTREt2MyBwYWNrYWdlIG5hbWUuXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBub3JtYWxpemVTZXJ2aWNlTmFtZShzZXJ2aWNlOiBzdHJpbmcpIHtcbiAgc2VydmljZSA9IHNlcnZpY2UudG9Mb3dlckNhc2UoKTsgLy8gTG93ZXJjYXNlXG4gIHNlcnZpY2UgPSBzZXJ2aWNlLnJlcGxhY2UoL15AYXdzLXNka1xcL2NsaWVudC0vLCAnJyk7IC8vIFN0cmlwIHRoZSBzdGFydCBvZiBhIFYzIHBhY2thZ2UgbmFtZVxuICBzZXJ2aWNlID0gdjJUb1YzTWFwcGluZygpPy5bc2VydmljZV0gPz8gc2VydmljZTsgLy8gT3B0aW9uYWxseSBtYXAgdjIgbmFtZSAtPiB2MyBuYW1lXG4gIHJldHVybiBzZXJ2aWNlO1xufVxuXG4vKipcbiAqIE5vcm1hbGl6ZSBhbiBhY3Rpb24gbmFtZSBmcm9tOlxuICpcbiAqIC0gY2FtZWxDYXNlIFNES3YyIG1ldGhvZCBuYW1lXG4gKiAtIFBhc2NhbENhc2UgQVBJIG5hbWVcbiAqIC0gU0RLdjMgY29tbWFuZCBjbGFzcyBuYW1lXG4gKlxuICogVG8gYSBQYXNjYWxDYXNlIEFQSSBuYW1lLlxuICovXG5leHBvcnQgZnVuY3Rpb24gbm9ybWFsaXplQWN0aW9uTmFtZSh2M1NlcnZpY2U6IHN0cmluZywgYWN0aW9uOiBzdHJpbmcpIHtcbiAgaWYgKGFjdGlvbi5jaGFyQXQoMCkudG9Mb3dlckNhc2UoKSA9PT0gYWN0aW9uLmNoYXJBdCgwKSkge1xuICAgIHJldHVybiBhY3Rpb24uY2hhckF0KDApLnRvVXBwZXJDYXNlKCkgKyBhY3Rpb24uc2xpY2UoMSk7XG4gIH1cblxuICAvLyBJZiB0aGUgZ2l2ZW4gd29yZCBpcyBpbiB0aGUgQVBJcyBlbmRpbmcgaW4gJ0NvbW1hbmQnIGZvciB0aGlzIHNlcnZpY2UsXG4gIC8vIHJldHVybiBhcyBpcy4gT3RoZXJ3aXNlLCByZXR1cm4gd2l0aCBhIHBvdGVudGlhbCAnQ29tbWFuZCcgc3VmZml4IHN0cmlwcGVkLlxuICBpZiAodjNNZXRhZGF0YSgpW3YzU2VydmljZV0/LmNvbW1hbmRzPy5pbmNsdWRlcyhhY3Rpb24pKSB7XG4gICAgcmV0dXJuIGFjdGlvbjtcbiAgfVxuXG4gIHJldHVybiBhY3Rpb24ucmVwbGFjZSgvQ29tbWFuZCQvLCAnJyk7XG59XG5cbmZ1bmN0aW9uIHYyVG9WM01hcHBpbmcoKTogUmVjb3JkPHN0cmluZywgc3RyaW5nPiB7XG4gIC8vIGVzbGludC1kaXNhYmxlLW5leHQtbGluZSBAdHlwZXNjcmlwdC1lc2xpbnQvbm8tcmVxdWlyZS1pbXBvcnRzXG4gIHJldHVybiByZXF1aXJlKCcuL3Nkay12Mi10by12My5qc29uJyk7XG59XG5cbmZ1bmN0aW9uIHYzTWV0YWRhdGEoKTogUmVjb3JkPHN0cmluZywgeyBpYW1QcmVmaXg/OiBzdHJpbmc7IGNvbW1hbmRzPzogc3RyaW5nW10gfT4ge1xuICAvLyBlc2xpbnQtZGlzYWJsZS1uZXh0LWxpbmUgQHR5cGVzY3JpcHQtZXNsaW50L25vLXJlcXVpcmUtaW1wb3J0c1xuICByZXR1cm4gcmVxdWlyZSgnLi9zZGstdjMtbWV0YWRhdGEuanNvbicpO1xufVxuIl19 \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.d.ts deleted file mode 100644 index cb0ff5c3b541f..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.d.ts +++ /dev/null @@ -1 +0,0 @@ -export {}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.js deleted file mode 100644 index 70b197940eb0a..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/api-call.test.js +++ /dev/null @@ -1,111 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -const lib_1 = require("../lib"); -test('can map service name to SDK v3 client name', () => { - expect(new lib_1.ApiCall('S3', 'Bla').v3PackageName).toBe('@aws-sdk/client-s3'); -}); -test.each([ - 'api-gateway', - '@aws-sdk/client-api-gateway', - 'APIGateway', - 'apigateway', -])('service %p is recognized', (service) => { - expect(new lib_1.ApiCall(service, 'Bla').v3PackageName).toEqual('@aws-sdk/client-api-gateway'); -}); -test.each([ - 'GetRestApi', - 'getRestApi', - 'GetRestApiCommand', -])('action %p is recognized', (action) => { - expect(new lib_1.ApiCall('api-gateway', action).action).toEqual('GetRestApi'); -}); -test.each([ - 'ExecuteCommand', - 'executeCommand', - 'ExecuteCommandCommand', -])('ECS action %p is recognized', (action) => { - expect(new lib_1.ApiCall('ecs', action).action).toEqual('ExecuteCommand'); -}); -describe('helpers for SDKv3', () => { - test('can load a SDK package by service name', () => { - const sdk = new lib_1.ApiCall('S3', 'Bla'); - expect(sdk.v3PackageName).toBe('@aws-sdk/client-s3'); - sdk.initializePackage(); - }); - test('can load a SDK package by package name', () => { - const sdk = new lib_1.ApiCall('@aws-sdk/client-s3', 'Bla'); - expect(sdk.v3PackageName).toBe('@aws-sdk/client-s3'); - sdk.initializePackage(); - }); - test('will throw when attempting to load unknown SDK package', () => { - expect(() => { - loadV3ClientPackage('@aws-sdk/client-foobar'); - }).toThrow("Service foobar client package with name '@aws-sdk/client-foobar' does not exist."); - }); - test('will throw when attempting to load unknown SDK package using V2 style name', () => { - expect(() => { - loadV3ClientPackage('FooBar'); - }).toThrow("Service foobar client package with name '@aws-sdk/client-foobar' does not exist."); - }); - describe('with a SDK package loaded', () => { - test('can get client', () => { - const client = getV3Client('s3'); - expect(client.config.serviceId).toBe('S3'); - }); - test('can get client with config', async () => { - const client = getV3Client('s3', { region: 'eu-west-1' }); - const region = await client.config.region(); - expect(region).toBe('eu-west-1'); - }); - test('can get command', () => { - const apiCall = new lib_1.ApiCall('s3', 'ListBuckets'); - const command = apiCall.findCommandClass(); - expect(command).toBeDefined(); - }); - test('will throw when attempting to get unknown command', () => { - expect(() => { - new lib_1.ApiCall('s3', 'FooBar').findCommandClass(); - }).toThrow('Unable to find command named: FooBarCommand'); - }); - }); -}); -test('flatten', () => { - expect((0, lib_1.flatten)({ - foo: 'foo', - bar: { - foo: 'foo', - bar: 'bar', - }, - baz: [ - { foo: 'foo' }, - { bar: 'bar' }, - ], - })).toEqual({ - 'foo': 'foo', - 'bar.foo': 'foo', - 'bar.bar': 'bar', - 'baz.0.foo': 'foo', - 'baz.1.bar': 'bar', - }); -}); -test.each([ - { transformToString: () => 'foo' }, - Buffer.from('foo'), - new TextEncoder().encode('foo'), -])('coerce %p', async (fooValue) => { - expect(await (0, lib_1.coerceSdkv3Response)({ - foo: fooValue, - })).toEqual({ foo: 'foo' }); -}); -function loadV3ClientPackage(service) { - const apiCall = new lib_1.ApiCall(service, 'Bla'); - apiCall.initializePackage(); - return apiCall.v3Package; -} -function getV3Client(service, options = {}) { - const apiCall = new lib_1.ApiCall(service, 'Bla'); - apiCall.initializePackage(); - apiCall.initializeClient(options); - return apiCall.client; -} -//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.d.ts deleted file mode 100644 index cb0ff5c3b541f..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.d.ts +++ /dev/null @@ -1 +0,0 @@ -export {}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.js deleted file mode 100644 index cb17c38ed59bb..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/coerce-api-parameters.test.js +++ /dev/null @@ -1,622 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -const coerce_api_parameters_1 = require("../lib/coerce-api-parameters"); -const encode = (v) => new TextEncoder().encode(v); -describe('Uint8Array', () => { - describe('should coerce', () => { - test('a nested value', () => { - // GIVEN - const obj = { a: { b: { c: 'dummy-value' } } }; - // WHEN - new coerce_api_parameters_1.Coercer([ - { a: 1 }, - { b: 2 }, - { c: 'b' }, - ]).testCoerce(obj); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: encode('dummy-value') } } }); - }); - test('values nested in an array', () => { - // GIVEN - const obj = { - a: { - b: [ - { z: '1' }, - { z: '2' }, - { z: '3' }, - ], - }, - }; - // WHEN - new coerce_api_parameters_1.Coercer([ - { a: 1 }, - { b: 2 }, - { '*': 3 }, - { z: 'b' }, - ]).testCoerce(obj); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - { z: encode('1') }, - { z: encode('2') }, - { z: encode('3') }, - ], - }, - }); - }); - test('array elements', () => { - // GIVEN - const obj = { - a: { - b: ['1', '2', '3'], - }, - }; - // THEN - new coerce_api_parameters_1.Coercer([ - { a: 1 }, - { b: 2 }, - { '*': 'b' }, - ]).testCoerce(obj); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - encode('1'), - encode('2'), - encode('3'), - ], - }, - }); - }); - test('values nested in multiple arrays', () => { - // GIVEN - const obj = { - a: { - b: [ - { - z: [ - { y: '1' }, - { y: '2' }, - ], - }, - { - z: [ - { y: 'A' }, - { y: 'B' }, - ], - }, - ], - }, - }; - // THEN - coerce(obj, ['a', 'b', '*', 'z', '*', 'y'], 'Uint8Array'); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - { z: [{ y: encode('1') }, { y: encode('2') }] }, - { z: [{ y: encode('A') }, { y: encode('B') }] }, - ], - }, - }); - }); - test('empty string', () => { - // GIVEN - const obj = { a: { b: { c: '' } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'Uint8Array'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: encode('') } } }); - }); - test('a number', () => { - // GIVEN - const obj = { a: { b: { c: 0 } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'Uint8Array'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: encode('0') } } }); - }); - }); - describe('should NOT coerce', () => { - test('undefined', () => { - // GIVEN - const obj = { a: { b: { c: undefined } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'Uint8Array'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: undefined } } }); - }); - test('null', () => { - // GIVEN - const obj = { a: { b: { c: null } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'Uint8Array'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: null } } }); - }); - test('an path that does not exist in input', () => { - // GIVEN - const obj = { a: { b: { c: 'dummy-value' } } }; - // THEN - coerce(obj, ['a', 'b', 'foobar'], 'Uint8Array'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: 'dummy-value' } } }); - }); - test('a path that is not a leaf', () => { - // GIVEN - const obj = { a: { b: { c: 'dummy-value' } } }; - // THEN - coerce(obj, ['a', 'b'], 'Uint8Array'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: 'dummy-value' } } }); - }); - test('do not change anything for empty path', () => { - // GIVEN - const obj = { a: { b: { c: 'dummy-value' } } }; - // THEN - coerce(obj, [], 'Uint8Array'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: 'dummy-value' } } }); - }); - }); - describe('given an api call description', () => { - test('can convert string parameters to Uint8Array when needed', () => { - const params = (0, coerce_api_parameters_1.coerceApiParameters)('KMS', 'encrypt', { - KeyId: 'key-id', - Plaintext: 'dummy-data', - }); - expect(params).toMatchObject({ - KeyId: 'key-id', - Plaintext: new Uint8Array([ - 100, 117, 109, 109, - 121, 45, 100, 97, - 116, 97, - ]), - }); - }); - test('can convert string parameters to Uint8Array in arrays', () => { - const params = (0, coerce_api_parameters_1.coerceApiParameters)('Kinesis', 'putRecords', { - Records: [ - { - Data: 'aaa', - PartitionKey: 'key', - }, - { - Data: 'bbb', - PartitionKey: 'key', - }, - ], - }); - expect(params).toMatchObject({ - Records: [ - { - Data: new Uint8Array([97, 97, 97]), - PartitionKey: 'key', - }, - { - Data: new Uint8Array([98, 98, 98]), - PartitionKey: 'key', - }, - ], - }); - }); - test('can convert string parameters to Uint8Array in map & union', () => { - const params = (0, coerce_api_parameters_1.coerceApiParameters)('dynamodb', 'putItem', { - Item: { - Binary: { - B: 'abc', - }, - }, - }); - expect(params).toMatchObject({ - Item: { - Binary: { - B: new Uint8Array([97, 98, 99]), - }, - }, - }); - }); - test('can coerce parameters in recursive types', () => { - const params = (0, coerce_api_parameters_1.coerceApiParameters)('connect', 'CreateEvaluationForm', { - Items: [ - { - Section: { - Items: [ - { - Question: { - Weight: '9000', - }, - }, - ], - }, - }, - ], - }); - expect(params).toMatchObject({ - Items: [ - { - Section: { - Items: [ - { - Question: { - Weight: 9000, // <-- converted - }, - }, - ], - }, - }, - ], - }); - }); - }); -}); -describe('number', () => { - describe('should coerce', () => { - test('a nested value', () => { - // GIVEN - const obj = { a: { b: { c: '-123.45' } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'number'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: -123.45 } } }); - }); - test('values nested in an array', () => { - // GIVEN - const obj = { - a: { - b: [ - { z: '1' }, - { z: '2' }, - { z: '3' }, - ], - }, - }; - // THEN - coerce(obj, ['a', 'b', '*', 'z'], 'number'); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - { z: 1 }, - { z: 2 }, - { z: 3 }, - ], - }, - }); - }); - test('array elements', () => { - // GIVEN - const obj = { - a: { - b: ['1', '2', '3'], - }, - }; - // THEN - coerce(obj, ['a', 'b', '*'], 'number'); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - 1, - 2, - 3, - ], - }, - }); - }); - test('values nested in multiple arrays', () => { - // GIVEN - const obj = { - a: { - b: [ - { - z: [ - { y: '1' }, - { y: '2' }, - ], - }, - { - z: [ - { y: '3' }, - { y: '4' }, - ], - }, - ], - }, - }; - // THEN - coerce(obj, ['a', 'b', '*', 'z', '*', 'y'], 'number'); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - { z: [{ y: 1 }, { y: 2 }] }, - { z: [{ y: 3 }, { y: 4 }] }, - ], - }, - }); - }); - }); - describe('should NOT coerce', () => { - test('empty string', () => { - // GIVEN - const obj = { a: { b: { c: '' } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'number'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: encode('') } } }); - }); - test('a number', () => { - // GIVEN - const obj = { a: { b: { c: 0 } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'number'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: 0 } } }); - }); - test('undefined', () => { - // GIVEN - const obj = { a: { b: { c: undefined } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'number'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: undefined } } }); - }); - test('null', () => { - // GIVEN - const obj = { a: { b: { c: null } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'number'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: null } } }); - }); - test('an path that does not exist in input', () => { - // GIVEN - const obj = { a: { b: { c: 'dummy-value' } } }; - // THEN - coerce(obj, ['a', 'b', 'foobar'], 'number'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: 'dummy-value' } } }); - }); - test('a path that is not a leaf', () => { - // GIVEN - const obj = { a: { b: { c: '123' } } }; - // THEN - coerce(obj, ['a', 'b'], 'number'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: '123' } } }); - }); - test('do not change anything for empty path', () => { - // GIVEN - const obj = { a: { b: { c: '123' } } }; - // THEN - coerce(obj, [], 'number'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: '123' } } }); - }); - }); - describe('given an api call description', () => { - test('can convert string parameters to number when needed', () => { - const params = (0, coerce_api_parameters_1.coerceApiParameters)('Amplify', 'listApps', { - maxResults: '15', - }); - expect(params).toMatchObject({ - maxResults: 15, - }); - }); - test('can convert string parameters to number in arrays', () => { - const params = (0, coerce_api_parameters_1.coerceApiParameters)('ECS', 'createService', { - loadBalancers: [{ - containerPort: '8080', - }, { - containerPort: '9000', - }], - }); - expect(params).toMatchObject({ - loadBalancers: [{ - containerPort: 8080, - }, { - containerPort: 9000, - }], - }); - }); - test('can convert string parameters to number in map & union', () => { - const params = (0, coerce_api_parameters_1.coerceApiParameters)('apigatewayv2', 'createApi', { - CorsConfiguration: { - MaxAge: '300', - }, - }); - expect(params).toMatchObject({ - CorsConfiguration: { - MaxAge: 300, - }, - }); - }); - }); -}); -describe('date', () => { - describe('should coerce', () => { - test('a nested value', () => { - // GIVEN - const obj = { a: { b: { c: new Date('2023-01-01').toJSON() } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: new Date('2023-01-01') } } }); - }); - test('values nested in an array', () => { - // GIVEN - const obj = { - a: { - b: [ - { z: new Date('2023-01-01').toJSON() }, - { z: new Date('2023-01-02').toJSON() }, - { z: new Date('2023-01-03').toJSON() }, - ], - }, - }; - // THEN - coerce(obj, ['a', 'b', '*', 'z'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - { z: new Date('2023-01-01') }, - { z: new Date('2023-01-02') }, - { z: new Date('2023-01-03') }, - ], - }, - }); - }); - test('array elements', () => { - // GIVEN - const obj = { - a: { - b: [ - new Date('2023-01-01').toJSON(), - new Date('2023-01-02').toJSON(), - new Date('2023-01-03').toJSON(), - ], - }, - }; - // THEN - coerce(obj, ['a', 'b', '*'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - new Date('2023-01-01'), - new Date('2023-01-02'), - new Date('2023-01-03'), - ], - }, - }); - }); - test('values nested in multiple arrays', () => { - // GIVEN - const obj = { - a: { - b: [ - { - z: [ - { y: new Date('2023-01-01').toJSON() }, - { y: new Date('2023-01-02').toJSON() }, - ], - }, - { - z: [ - { y: new Date('2023-01-03').toJSON() }, - { y: new Date('2023-01-04').toJSON() }, - ], - }, - ], - }, - }; - // THEN - coerce(obj, ['a', 'b', '*', 'z', '*', 'y'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ - a: { - b: [ - { z: [{ y: new Date('2023-01-01') }, { y: new Date('2023-01-02') }] }, - { z: [{ y: new Date('2023-01-03') }, { y: new Date('2023-01-04') }] }, - ], - }, - }); - }); - }); - describe('should NOT coerce', () => { - test('empty string', () => { - // GIVEN - const obj = { a: { b: { c: '' } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: '' } } }); - }); - test('undefined', () => { - // GIVEN - const obj = { a: { b: { c: undefined } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: undefined } } }); - }); - test('null', () => { - // GIVEN - const obj = { a: { b: { c: null } } }; - // THEN - coerce(obj, ['a', 'b', 'c'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: null } } }); - }); - test('an path that does not exist in input', () => { - // GIVEN - const obj = { a: { b: { c: new Date('2023-01-01').toJSON() } } }; - // THEN - coerce(obj, ['a', 'b', 'foobar'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: new Date('2023-01-01').toJSON() } } }); - }); - test('a path that is not a leaf', () => { - // GIVEN - const obj = { a: { b: { c: new Date('2023-01-01').toJSON() } } }; - // THEN - coerce(obj, ['a', 'b'], 'Date'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: new Date('2023-01-01').toJSON() } } }); - }); - test('do not change anything for empty path', () => { - // GIVEN - const obj = { a: { b: { c: new Date('2023-01-01').toJSON() } } }; - // THEN - coerce(obj, [], 'Date'); - // EXPECT - expect(obj).toMatchObject({ a: { b: { c: new Date('2023-01-01').toJSON() } } }); - }); - }); - describe('given an api call description', () => { - test('can convert string parameters to Date when needed', () => { - const params = (0, coerce_api_parameters_1.coerceApiParameters)('CloudWatch', 'getMetricData', { - MetricDataQueries: [], - StartTime: new Date('2023-01-01').toJSON(), - EndTime: new Date('2023-01-02').toJSON(), - }); - expect(params).toMatchObject({ - MetricDataQueries: [], - StartTime: new Date('2023-01-01'), - EndTime: new Date('2023-01-02'), - }); - }); - }); -}); -/** - * A function to convert code testing the old API into code testing the new API - * - * Having this function saves manually updating 25 call sites. - */ -function coerce(value, path, type) { - const sm = [{}]; - let current = sm[0]; - for (const p of path.slice(0, -1)) { - current[p] = sm.length; - sm.push({}); - current = sm[sm.length - 1]; - } - switch (type) { - case 'Uint8Array': - current[path[path.length - 1]] = 'b'; - break; - case 'number': - current[path[path.length - 1]] = 'n'; - break; - case 'Date': - current[path[path.length - 1]] = 'd'; - break; - default: - throw new Error(`Unexpected type: ${type}`); - } - return new coerce_api_parameters_1.Coercer(sm).testCoerce(value); -} -//# sourceMappingURL=data:application/json;base64, \ No newline at end of file diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.d.ts b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.d.ts deleted file mode 100644 index cb0ff5c3b541f..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.d.ts +++ /dev/null @@ -1 +0,0 @@ -export {}; diff --git a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.js b/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.js deleted file mode 100644 index 5cb4186e515f2..0000000000000 --- a/packages/@aws-cdk/sdk-v2-to-v3-adapter/test/flatten.test.js +++ /dev/null @@ -1,20 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -const api_call_1 = require("../lib/api-call"); -test('flatten correctly flattens a nested object', () => { - expect((0, api_call_1.flatten)({ - a: { b: 'c' }, - d: [ - { e: 'f' }, - { g: 'h', i: 1, j: null, k: { l: false } }, - ], - })).toEqual({ - 'a.b': 'c', - 'd.0.e': 'f', - 'd.1.g': 'h', - 'd.1.i': 1, - 'd.1.j': null, - 'd.1.k.l': false, - }); -}); -//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZmxhdHRlbi50ZXN0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiZmxhdHRlbi50ZXN0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEsOENBQTBDO0FBRTFDLElBQUksQ0FBQyw0Q0FBNEMsRUFBRSxHQUFHLEVBQUU7SUFDdEQsTUFBTSxDQUFDLElBQUEsa0JBQU8sRUFBQztRQUNiLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxHQUFHLEVBQUU7UUFDYixDQUFDLEVBQUU7WUFDRCxFQUFFLENBQUMsRUFBRSxHQUFHLEVBQUU7WUFDVixFQUFFLENBQUMsRUFBRSxHQUFHLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDLEVBQUUsSUFBSSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxLQUFLLEVBQUUsRUFBRTtTQUMzQztLQUNGLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQztRQUNWLEtBQUssRUFBRSxHQUFHO1FBQ1YsT0FBTyxFQUFFLEdBQUc7UUFDWixPQUFPLEVBQUUsR0FBRztRQUNaLE9BQU8sRUFBRSxDQUFDO1FBQ1YsT0FBTyxFQUFFLElBQUk7UUFDYixTQUFTLEVBQUUsS0FBSztLQUNqQixDQUFDLENBQUM7QUFDTCxDQUFDLENBQUMsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IGZsYXR0ZW4gfSBmcm9tICcuLi9saWIvYXBpLWNhbGwnO1xuXG50ZXN0KCdmbGF0dGVuIGNvcnJlY3RseSBmbGF0dGVucyBhIG5lc3RlZCBvYmplY3QnLCAoKSA9PiB7XG4gIGV4cGVjdChmbGF0dGVuKHtcbiAgICBhOiB7IGI6ICdjJyB9LFxuICAgIGQ6IFtcbiAgICAgIHsgZTogJ2YnIH0sXG4gICAgICB7IGc6ICdoJywgaTogMSwgajogbnVsbCwgazogeyBsOiBmYWxzZSB9IH0sXG4gICAgXSxcbiAgfSkpLnRvRXF1YWwoe1xuICAgICdhLmInOiAnYycsXG4gICAgJ2QuMC5lJzogJ2YnLFxuICAgICdkLjEuZyc6ICdoJyxcbiAgICAnZC4xLmknOiAxLFxuICAgICdkLjEuaic6IG51bGwsXG4gICAgJ2QuMS5rLmwnOiBmYWxzZSxcbiAgfSk7XG59KTsiXX0= \ No newline at end of file From c8b40eed3e8805d946d95875223625f4f32bb282 Mon Sep 17 00:00:00 2001 From: Lee Hannigan Date: Tue, 28 May 2024 17:36:21 +0100 Subject: [PATCH 14/18] Incorporating feedback - Tidy up --- .../test/integ.dynamodb-v2.policy.ts | 12 ++----- .../test/integ.dynamodb.policy.ts | 8 ----- packages/aws-cdk-lib/aws-dynamodb/README.md | 2 +- .../aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md | 26 ++++++++++++++++ .../aws-cdk-lib/aws-dynamodb/lib/shared.ts | 7 ----- .../aws-cdk-lib/aws-dynamodb/lib/table-v2.ts | 10 +++--- .../aws-cdk-lib/aws-dynamodb/lib/table.ts | 11 +++---- .../aws-dynamodb/test/table-v2.test.ts | 31 ------------------- 8 files changed, 39 insertions(+), 68 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts index 70f58baa4edf3..5a30de692de21 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb-v2.policy.ts @@ -21,7 +21,7 @@ class TestStack extends Stack { }); // table with resource policy - new dynamodb.TableV2(this, 'TableTestV2-1', { + const table = new dynamodb.TableV2(this, 'TableTestV2-1', { partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING, @@ -29,6 +29,8 @@ class TestStack extends Stack { removalPolicy: RemovalPolicy.DESTROY, resourcePolicy: docu, }); + + table.grantReadData(new iam.AccountPrincipal('123456789012')); } } @@ -36,12 +38,4 @@ const stack = new TestStack(app, 'ResourcePolicyTest-v2', { env: { region: 'eu-w new IntegTest(app, 'table-v2-resource-policy-integ-test', { testCases: [stack], - regions: ['us-east-1'], - cdkCommandOptions: { - deploy: { - args: { - rollback: true, - }, - }, - }, }); \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts index 86f9f95ad9421..8b9ade678aec4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.policy.ts @@ -48,12 +48,4 @@ const stack = new TestStack(app, 'resource-policy-stack', {}); new IntegTest(app, 'resource-policy-integ-test', { testCases: [stack], - regions: ['us-east-1'], - cdkCommandOptions: { - deploy: { - args: { - rollback: true, - }, - }, - }, }); diff --git a/packages/aws-cdk-lib/aws-dynamodb/README.md b/packages/aws-cdk-lib/aws-dynamodb/README.md index 46d8e7df6f09e..47bd9abae67c8 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/README.md +++ b/packages/aws-cdk-lib/aws-dynamodb/README.md @@ -671,7 +671,7 @@ Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.c }); ``` -TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update. +TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update. To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy. ## Grants diff --git a/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md b/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md index 730c73e5a6273..ae5049af56cd8 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md +++ b/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md @@ -237,3 +237,29 @@ const table = new dynamodb.Table(this, 'Table', { deletionProtection: true, }); ``` +## Resource Policy + +Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) to a table in the form of a `PolicyDocument`: + +```ts +const policy = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:GetItem'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], +}); + +new dynamodb.Table(this, 'MyTable', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + resourcePolicy: policy, +}); +``` + +If you have a global table replica, note that it does not support the addition of a resource-based policy. \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts index e0a337408b658..1955ef7fccd35 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts @@ -281,13 +281,6 @@ export interface ITable extends IResource { */ readonly encryptionKey?: kms.IKey; - // /** - // * Resource policy to assign to DynamoDB Table. - // * - // * @default - No resource policy statements are added to the created table. - // */ - // readonly resourcePolicy?: iam.PolicyDocument; - /** * Adds an IAM policy statement associated with this table to an IAM * principal's policy. diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts index 86f8fd581b740..a309c994d33ad 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts @@ -417,11 +417,6 @@ export class TableV2 extends TableBaseV2 { return new Import(tableArn, tableName, attrs.tableId, attrs.tableStreamArn); } - /** - * @attribute - */ - public resourcePolicy?: PolicyDocument; - /** * @attribute */ @@ -444,6 +439,11 @@ export class TableV2 extends TableBaseV2 { public readonly encryptionKey?: IKey; + /** + * @attribute + */ + public resourcePolicy?: PolicyDocument; + protected readonly region: string; private readonly billingMode: string; diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index 0178a92d44eb2..6d28c0d604c60 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -509,8 +509,7 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc /** * Resource policy to assign to table. - * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy - * @default - No resource policy statement + * @attribute */ public abstract resourcePolicy?: iam.PolicyDocument; @@ -1049,11 +1048,9 @@ export class Table extends TableBase { public readonly encryptionKey?: kms.IKey; /** - * /** - * Resource policy to assign to table. - * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-resourcepolicy - * @default - No resource policy statement - * @attribute + * Resource policy to assign to DynamoDB Table. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-resourcepolicy.html + * @default - No resource policy statements are added to the created table. */ public resourcePolicy?: iam.PolicyDocument | undefined; diff --git a/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts b/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts index 1599dad837e16..81e9205211a0b 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts @@ -2852,35 +2852,4 @@ test('Resource policy test', () => { }, ], }); -}); - -test('throws if trying to add a resource policy to a region other than local region', () => { - // GIVEN - const stack = new Stack(undefined, 'Stack', { - env: { - region: 'eu-west-1', - }, - }); - const doc = new PolicyDocument({ - statements: [ - new PolicyStatement({ - actions: ['dynamodb:GetItem'], - principals: [new ArnPrincipal('arn:aws:iam::111122223333:user/foobar')], - resources: ['*'], - }), - ], - }); - - // WHEN / THEN - expect(() => { - new TableV2(stack, 'Table', { - partitionKey: { name: 'pk', type: AttributeType.STRING }, - sortKey: { name: 'sk', type: AttributeType.STRING }, - resourcePolicy: doc, - replicas: [{ - region: 'eu-west-1', - resourcePolicy: doc, - }], - }); - }).toThrow('You cannot add a replica table in the same region as the primary table - the primary table region is eu-west-1'); }); \ No newline at end of file From bf89bb5d7fa19798a3ac8a43f009e5900690f28a Mon Sep 17 00:00:00 2001 From: Parker Scanlon <69879391+scanlonp@users.noreply.github.com> Date: Wed, 29 May 2024 14:39:22 -0700 Subject: [PATCH 15/18] Update packages/aws-cdk-lib/aws-dynamodb/lib/table.ts --- packages/aws-cdk-lib/aws-dynamodb/lib/table.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index 6d28c0d604c60..fd238b46f6bb4 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -1008,7 +1008,7 @@ export class Table extends TableBase { public readonly tableArn: string; public readonly tableStreamArn?: string; public readonly encryptionKey?: kms.IKey; - public resourcePolicy?: iam.PolicyDocument | undefined; + public resourcePolicy?: iam.PolicyDocument; protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) || (attrs.globalIndexes ?? []).length > 0 || (attrs.localIndexes ?? []).length > 0; From 417db1ee70510b151b7b68a9c36375993d7e598d Mon Sep 17 00:00:00 2001 From: Parker Scanlon <69879391+scanlonp@users.noreply.github.com> Date: Wed, 29 May 2024 14:39:32 -0700 Subject: [PATCH 16/18] Update packages/aws-cdk-lib/aws-dynamodb/lib/table.ts --- packages/aws-cdk-lib/aws-dynamodb/lib/table.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index fd238b46f6bb4..d258c70ff8ad7 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -1052,7 +1052,7 @@ export class Table extends TableBase { * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-resourcepolicy.html * @default - No resource policy statements are added to the created table. */ - public resourcePolicy?: iam.PolicyDocument | undefined; + public resourcePolicy?: iam.PolicyDocument; /** * @attribute From 1befa1e513bb5f4be1b61175a61ac519c0634743 Mon Sep 17 00:00:00 2001 From: Parker Scanlon <69879391+scanlonp@users.noreply.github.com> Date: Wed, 29 May 2024 14:41:01 -0700 Subject: [PATCH 17/18] Update packages/aws-cdk-lib/aws-dynamodb/README.md --- packages/aws-cdk-lib/aws-dynamodb/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-dynamodb/README.md b/packages/aws-cdk-lib/aws-dynamodb/README.md index 47bd9abae67c8..83d3e35c7d2f2 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/README.md +++ b/packages/aws-cdk-lib/aws-dynamodb/README.md @@ -671,7 +671,8 @@ Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.c }); ``` -TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update. To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy. +TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update. +To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy. ## Grants From cae42d61d76396a50504d805cac909c7f75612dc Mon Sep 17 00:00:00 2001 From: Parker Scanlon <69879391+scanlonp@users.noreply.github.com> Date: Wed, 29 May 2024 14:45:10 -0700 Subject: [PATCH 18/18] Update packages/aws-cdk-lib/aws-dynamodb/lib/table.ts --- packages/aws-cdk-lib/aws-dynamodb/lib/table.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index d258c70ff8ad7..5d38902414514 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -1132,7 +1132,9 @@ export class Table extends TableBase { kinesisStreamSpecification: props.kinesisStream ? { streamArn: props.kinesisStream.streamArn } : undefined, deletionProtectionEnabled: props.deletionProtection, importSourceSpecification: this.renderImportSourceSpecification(props.importSource), - resourcePolicy: props.resourcePolicy? { policyDocument: props.resourcePolicy } : undefined, + resourcePolicy: props.resourcePolicy + ? { policyDocument: props.resourcePolicy } + : undefined, }); this.table.applyRemovalPolicy(props.removalPolicy);