fix: generate correct dynamodb IamStatement (#499)
ebisbe authored Jun 4, 2022
1 parent 18f1231 commit 6085941
Showing 3 changed files with 216 additions and 29 deletions.
215 changes: 189 additions & 26 deletions src/__tests__/__snapshots__/dataSources.test.ts.snap
@@ -312,18 +312,26 @@ Object {
"Resource": Array [
Object {
"Fn::Join": Array [
":",
"/",
Array [
"arn",
"aws",
"dynamodb",
Object {
"Ref": "AWS::Region",
},
Object {
"Ref": "AWS::AccountId",
"Fn::Join": Array [
":",
Array [
"arn",
"aws",
"dynamodb",
Object {
"Ref": "AWS::Region",
},
Object {
"Ref": "AWS::AccountId",
},
"table",
],
],
},
"table/data",
"data",
],
],
},
@@ -344,10 +352,11 @@ Object {
Object {
"Ref": "AWS::AccountId",
},
"table/data",
"table",
],
],
},
"data",
"*",
],
],
@@ -433,18 +442,160 @@ Object {
"Resource": Array [
Object {
"Fn::Join": Array [
":",
"/",
Array [
"arn",
"aws",
"dynamodb",
Object {
"Ref": "AWS::Region",
"Fn::Join": Array [
":",
Array [
"arn",
"aws",
"dynamodb",
Object {
"Ref": "AWS::Region",
},
Object {
"Ref": "AWS::AccountId",
},
"table",
],
],
},
"data",
],
],
},
Object {
"Fn::Join": Array [
"/",
Array [
Object {
"Ref": "AWS::AccountId",
"Fn::Join": Array [
":",
Array [
"arn",
"aws",
"dynamodb",
Object {
"Ref": "AWS::Region",
},
Object {
"Ref": "AWS::AccountId",
},
"table",
],
],
},
"data",
"*",
],
],
},
],
},
],
"Version": "2012-10-17",
},
"PolicyName": "AppSync-Datasource-dynamo",
},
],
},
"Type": "AWS::IAM::Role",
},
}
`;

exports[`DataSource DynamoDB should generate default role with a Ref for the table name 1`] = `
Object {
"GraphQlDsdynamo": Object {
"Properties": Object {
"ApiId": Object {
"Fn::GetAtt": Array [
"GraphQlApi",
"ApiId",
],
},
"Description": "My dynamo table",
"DynamoDBConfig": Object {
"AwsRegion": Object {
"Ref": "AWS::Region",
},
"TableName": Object {
"Ref": "MyTable",
},
"UseCallerCredentials": false,
},
"Name": "dynamo",
"ServiceRoleArn": Object {
"Fn::GetAtt": Array [
"GraphQlDsdynamoRole",
"Arn",
],
},
"Type": "AMAZON_DYNAMODB",
},
"Type": "AWS::AppSync::DataSource",
},
"GraphQlDsdynamoRole": Object {
"Properties": Object {
"AssumeRolePolicyDocument": Object {
"Statement": Array [
Object {
"Action": Array [
"sts:AssumeRole",
],
"Effect": "Allow",
"Principal": Object {
"Service": Array [
"appsync.amazonaws.com",
],
},
},
],
"Version": "2012-10-17",
},
"Policies": Array [
Object {
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": Array [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem",
],
"Effect": "Allow",
"Resource": Array [
Object {
"Fn::Join": Array [
"/",
Array [
Object {
"Fn::Join": Array [
":",
Array [
"arn",
"aws",
"dynamodb",
Object {
"Ref": "AWS::Region",
},
Object {
"Ref": "AWS::AccountId",
},
"table",
],
],
},
Object {
"Ref": "MyTable",
},
"table/data",
],
],
},
@@ -465,10 +616,13 @@ Object {
Object {
"Ref": "AWS::AccountId",
},
"table/data",
"table",
],
],
},
Object {
"Ref": "MyTable",
},
"*",
],
],
@@ -552,16 +706,24 @@ Object {
"Resource": Array [
Object {
"Fn::Join": Array [
":",
"/",
Array [
"arn",
"aws",
"dynamodb",
"us-east-2",
Object {
"Ref": "AWS::AccountId",
"Fn::Join": Array [
":",
Array [
"arn",
"aws",
"dynamodb",
"us-east-2",
Object {
"Ref": "AWS::AccountId",
},
"table",
],
],
},
"table/data",
"data",
],
],
},
@@ -580,10 +742,11 @@ Object {
Object {
"Ref": "AWS::AccountId",
},
"table/data",
"table",
],
],
},
"data",
"*",
],
],
14 changes: 14 additions & 0 deletions src/__tests__/dataSources.test.ts
@@ -55,6 +55,20 @@ describe('DataSource', () => {
expect(dataSource.compile()).toMatchSnapshot();
});

it('should generate default role with a Ref for the table name', () => {
const api = new Api(given.appSyncConfig(), plugin);
const dataSource = new DataSource(api, {
type: 'AMAZON_DYNAMODB',
name: 'dynamo',
description: 'My dynamo table',
config: {
tableName: { Ref: 'MyTable' },
},
});

expect(dataSource.compile()).toMatchSnapshot();
});

it('should generate default role with custom statement', () => {
const api = new Api(given.appSyncConfig(), plugin);
const dataSource = new DataSource(api, {
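Review bot: The new "Ref for the table name" case checks the generated IAM policy only through `toMatchSnapshot()`, so the `Resource` ARNs this commit fixes are pinned by the snapshot file alone and a later snapshot update could accept a regression unnoticed. The removed template literal in DataSource.ts would presumably have rendered an object-valued table name as `[object Object]`, so one explicit guard alongside the snapshot would keep that failure visible: `expect(JSON.stringify(dataSource.compile())).not.toContain('[object Object]');`. The enclosing `describe` block starts and ends outside this hunk.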
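--- a/src/resources/DataSource.ts
+++ b/src/resources/DataSource.ts
@@ -268,7 +268,7 @@ export class DataSource {
 'dynamodb',
 this.config.config.region || { Ref: 'AWS::Region' },
 { Ref: 'AWS::AccountId' },
-`table/${this.config.config.tableName}`,
+`table`,
 ],
 ],
 };
@@ -288,8 +288,18 @@ export class DataSource {
 ],
 Effect: 'Allow',
 Resource: [
-dynamoDbResourceArn,
-{ 'Fn::Join': ['/', [dynamoDbResourceArn, '*']] },
+{
+'Fn::Join': [
+'/',
+[dynamoDbResourceArn, this.config.config.tableName],
+],
+},
+{
+'Fn::Join': [
+'/',
+[dynamoDbResourceArn, this.config.config.tableName, '*'],
+],
+},
 ],
 };
 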
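Review bot: The second entry of the new `Resource` array still ends in a bare `'*'`, so the default role's statement matches every sub-resource path under the table, although of the actions listed in the snapshot only `dynamodb:Query` and `dynamodb:Scan` apply to an index. If nothing depends on the wider match, narrowing it to `[dynamoDbResourceArn, this.config.config.tableName, 'index', '*']` keeps the role closer to least privilege. After this change `dynamoDbResourceArn` holds only the `arn:aws:dynamodb:<region>:<account>:table` prefix, so a name such as `dynamoDbTableArnPrefix` plus a comment like `// table name is joined separately so intrinsic values such as { Ref: ... } are preserved` would make the intent clear, and the template literal around `table` can be a plain `'table'` string. The partition segment is the literal `aws` (visible in the snapshot), which would not match outside the standard partition; `{ Ref: 'AWS::Partition' }` is the usual replacement. The enclosing method starts and ends outside both hunks.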
