fix(dynamodb): addtoresourcepolicy fix for table (v1) construct #31516
Conversation
| @@ -564,7 +564,7 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc | |||
| * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...) | |||
| */ | |||
| public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant { | |||
| return iam.Grant.addToPrincipalOrResource({ | |||
| return iam.Grant.addToPrincipal({ | |||
There was a problem hiding this comment.
Why does this need to become addToPrincipal? We are for example already using the resource policy to grant cross-account access to a table directly. We build the policy in CDK from external account ArnPrincipals.
There was a problem hiding this comment.
Because addToPrincipalOrResource never adds to the resource, as IAM is missing methods. So I'm putting it back to how it was before I changed it until I have time to implement the missing methods in IAM
There was a problem hiding this comment.
I don't fully understand what methods are missing. Looking at Grant, it seems to be handling this already, if given the resource in the call: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-iam/lib/grant.ts#L145-L157. It's just that Table.addToResourcePolicy is not functional, but instead adds statements to a policy instance not bound with the internal CfnTable.
There was a problem hiding this comment.
@LeeroyHannigan I want to check if I follow your line of thoughts here.
I see the iam.Grant.addToPrincipalOrResource is implemented here. It basically does 2 things, call addToPrincipal and a bit further down on line 151, it calls options.resource.addToResourcePolicy, which means the Table.addToResourcePolicy. Since the method is reportedly a no-op (from #30793), you are saying your change here from addToPrincipalOrResource to addToPrincipal will not change any actual behaviour.
I agree with that. But if I understand @everilae correctly, even though Table.addToResourcePolicy was a no-op, there may be CDK users who are currently relying on what iam.Grant.addToPrincipalOrResource returns (it returns the resource policy statement whereas iam.Grant.addToPrincipal returns principal policy statement.). This allows CDK users to use this method to build the resource policy instead of creating their own.
There was a problem hiding this comment.
Hi,
We rely on the "...OrResource" part, or would like to, once all this is fixed. If the call is replaced with just "addToPrincipal", then attempts at granting to external accounts would not work.
| @@ -958,11 +941,11 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc | |||
| produce: () => this.hasIndex ? `${arn}/index/*` : Aws.NO_VALUE, | |||
| })), | |||
| ]; | |||
| const ret = iam.Grant.addToPrincipalOrResource({ | |||
| const ret = iam.Grant.addToPrincipal({ | |||
There was a problem hiding this comment.
Same as above, this would break Table v1 for us.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
Hi @LeeroyHannigan, I see there are some merge conflicts as well as comments about this can be a breaking change. Are you planning to update this PR? |
Hi, yes I plan to fix this. Although I don't believe there are any breaking changes, I changed the methods previously, but they never worked as intended and this change just reverts them back to original state. |
| principals: [new iam.AccountRootPrincipal()], | ||
| resources: ['*'], | ||
| })); | ||
|
|
There was a problem hiding this comment.
I think the change in this PR is already covered in the unit test. Integ test does not seem necessary to me because we are not using new L1 props. Is there anything the integ test would catch while the unit test cannot?
| @@ -564,7 +564,7 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc | |||
| * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...) | |||
| */ | |||
| public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant { | |||
| return iam.Grant.addToPrincipalOrResource({ | |||
| return iam.Grant.addToPrincipal({ | |||
There was a problem hiding this comment.
@LeeroyHannigan I want to check if I follow your line of thoughts here.
I see the iam.Grant.addToPrincipalOrResource is implemented here. It basically does 2 things, call addToPrincipal and a bit further down on line 151, it calls options.resource.addToResourcePolicy, which means the Table.addToResourcePolicy. Since the method is reportedly a no-op (from #30793), you are saying your change here from addToPrincipalOrResource to addToPrincipal will not change any actual behaviour.
I agree with that. But if I understand @everilae correctly, even though Table.addToResourcePolicy was a no-op, there may be CDK users who are currently relying on what iam.Grant.addToPrincipalOrResource returns (it returns the resource policy statement whereas iam.Grant.addToPrincipal returns principal policy statement.). This allows CDK users to use this method to build the resource policy instead of creating their own.
|
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error. |
|
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Closes #30793.
Reason for this change
addToResourcePolicy()was not correctly adding a policy statement to the tableDescription of changes
Fixed the method to correctly add the policy to the table constructor.
Description of how you validated changes
Tests added
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license