aws-cdk-lib

Version 2 of the AWS Cloud Development Kit library

"use strict";
// Grant helper for DynamoDB tables (jsii-compiled, minified build of
// aws-cdk-lib.aws_dynamodb.TableGrants). It computes the table/index ARN
// list once and then issues IAM grants against those ARNs, adding matching
// KMS key grants when the table has an encrypted resource.
Object.defineProperty(exports, "__esModule", { value: !0 }), exports.TableGrants = void 0;
// Lazy requires: each accessor loads its module on first call and then
// replaces itself with a closure that returns the cached module.
var jsiiDeprecationWarnings = () => { var tmp = require("../../.warnings.jsii.js"); return jsiiDeprecationWarnings = () => tmp, tmp };
const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
var perms = () => { var tmp = require("./perms"); return perms = () => tmp, tmp },
  iam = () => { var tmp = require("../../aws-iam"); return iam = () => tmp, tmp },
  core_1 = () => { var tmp = require("../../core"); return core_1 = () => tmp, tmp },
  principal_utils_1 = () => { var tmp = require("./private/principal-utils"); return principal_utils_1 = () => tmp, tmp },
  literal_string_1 = () => { var tmp = require("../../core/lib/private/literal-string"); return literal_string_1 = () => tmp, tmp };
class TableGrants {
  // jsii runtime type info; the version string is the library version this build came from.
  static [JSII_RTTI_SYMBOL_1] = { fqn: "aws-cdk-lib.aws_dynamodb.TableGrants", version: "2.248.0" };
  /**
   * Build a TableGrants for `table`.
   * `regions` (optional) adds a regional table ARN per entry; `hasIndex`
   * (optional) overrides the table's own index flag when computing the
   * `<arn>/index/*` resource (see the constructor).
   */
  static fromTable(table, regions, hasIndex) {
    try {
      // jsii-generated deprecation check on the argument type.
      jsiiDeprecationWarnings().aws_cdk_lib_interfaces_aws_dynamodb_ITableRef(table)
    } catch (error) {
      // Unless JSII_DEBUG=1, trim a DeprecationError's stack to this call before rethrowing.
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.fromTable), error
    }
    return new TableGrants({ table, regions, hasIndex })
  }
  table;
  // Resource ARNs every grant targets: table ARN, regional ARNs, and the index wildcards.
  arns = [];
  // Optional KMS-key side of the table (grantOnKey); undefined when the table is not encrypted with a grantable key.
  encryptedResource;
  // Optional resource-policy side of the table; required by the multi-account replication grants.
  policyResource;
  /**
   * @param props.table             the table (must expose tableRef.tableArn / tableRef.tableName)
   * @param props.regions           optional extra regions to build regional table ARNs for
   * @param props.hasIndex          optional override for whether the table has indexes
   * @param props.encryptedResource optional explicit key-grant target; defaults to iam.EncryptedResources.of(table)
   * @param props.policyResource    optional explicit resource-policy target; defaults to iam.ResourceWithPolicies.of(table)
   */
  constructor(props) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_dynamodb_TableGrantsProps(props)
    } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, TableGrants), error
    }
    this.table = props.table,
    this.encryptedResource = props.encryptedResource ?? iam().EncryptedResources.of(this.table),
    this.policyResource = props.policyResource ?? iam().ResourceWithPolicies.of(this.table);
    const stack = core_1().Stack.of(this.table),
      table = this.table,
      // Regional ARN for the same table name, used for replicas in other regions.
      formatRegionalTableArn = region => stack.formatArn({ region, service: "dynamodb", resource: "table", resourceName: table.tableRef.tableName }),
      // Lazy so indexes added after construction are still seen at resolution time.
      // Yields `<arn>/index/*` when props.hasIndex (or the table's own hasIndex) is set,
      // else undefined — presumably dropped from the resource list when the token resolves; verify in core.Lazy.
      arnForIndex = arn => core_1().Lazy.string({ produce() { return props.hasIndex ?? ("hasIndex" in table ? table.hasIndex : !1) ? `${arn}/index/*` : void 0 } });
    this.arns = [table.tableRef.tableArn, ...(props.regions ?? []).map(formatRegionalTableArn), arnForIndex(table.tableRef.tableArn), ...(props.regions ?? []).map(region => arnForIndex(formatRegionalTableArn(region)))]
  }
  /**
   * Grant `actions` on the table ARNs to `grantee`.
   * ServicePrincipal grantees are rejected with ServicePrincipalGrantNotSupported
   * (callers are pointed at table.addToResourcePolicy() so the statement carries
   * explicit principal/actions/conditions). With a resource policy available the
   * grant may land in the principal policy or the table policy (`resourceSelfArns: ["*"]`
   * is the self-reference used in the resource-policy form); otherwise it is
   * principal-only.
   * @returns the iam.Grant
   */
  actions(grantee, ...actions) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)
    } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.actions), error
    }
    if ((0, principal_utils_1().isUnsupportedServicePrincipal)(grantee.grantPrincipal)) throw new (core_1()).ValidationError((0, literal_string_1().lit)`ServicePrincipalGrantNotSupported`, "DynamoDB grant* methods do not support ServicePrincipal grantees. Use table.addToResourcePolicy() for an explicit service-specific table policy with required service principal, actions, and conditions", this.table);
    return this.policyResource ? iam().Grant.addToPrincipalOrResource({ grantee, actions, resourceArns: this.arns, resource: this.policyResource, resourceSelfArns: ["*"] }) : iam().Grant.addToPrincipal({ grantee, actions, resourceArns: this.arns })
  }
  /**
   * Read grant: RESOURCE_READ_DATA_ACTIONS + DescribeTable on the table ARNs,
   * KEY_READ_ACTIONS on the key (if any), plus PRINCIPAL_ONLY_READ_DATA_ACTIONS
   * added to the principal policy only. The key grant is issued before the table grant.
   * @returns the combined iam.Grant
   */
  readData(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)
    } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.readData), error
    }
    const actions = [...perms().RESOURCE_READ_DATA_ACTIONS, perms().DESCRIBE_TABLE];
    return this.encryptedResource?.grantOnKey(grantee, ...perms().KEY_READ_ACTIONS), this.actions(grantee, ...actions).combine(iam().Grant.addToPrincipal({ grantee, actions: perms().PRINCIPAL_ONLY_READ_DATA_ACTIONS, resourceArns: this.arns }))
  }
  /**
   * Write grant: WRITE_DATA_ACTIONS + DescribeTable on the table ARNs, then
   * KEY_READ_ACTIONS + KEY_WRITE_ACTIONS on the key (if any).
   * @returns the table iam.Grant (the key grant's result is not returned)
   */
  writeData(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)
    } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.writeData), error
    }
    const actions = [...perms().WRITE_DATA_ACTIONS, perms().DESCRIBE_TABLE], result = this.actions(grantee, ...actions);
    return this.encryptedResource?.grantOnKey(grantee, ...perms().KEY_READ_ACTIONS, ...perms().KEY_WRITE_ACTIONS), result
  }
  /**
   * Read+write grant: union of the readData and writeData table actions, the
   * read+write key actions, plus the principal-only read actions.
   * @returns the combined iam.Grant
   */
  readWriteData(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)
    } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.readWriteData), error
    }
    const actions = [...perms().RESOURCE_READ_DATA_ACTIONS, ...perms().WRITE_DATA_ACTIONS, perms().DESCRIBE_TABLE], result = this.actions(grantee, ...actions);
    return this.encryptedResource?.grantOnKey(grantee, ...perms().KEY_READ_ACTIONS, ...perms().KEY_WRITE_ACTIONS), result.combine(iam().Grant.addToPrincipal({ grantee, actions: perms().PRINCIPAL_ONLY_READ_DATA_ACTIONS, resourceArns: this.arns }))
  }
  /**
   * Grants every DynamoDB action (`dynamodb:*`) on the table ARNs plus
   * read+write key actions. This is the broadest grant in the class; readData /
   * writeData / readWriteData keep the principal to the action sets it needs.
   * @returns the table iam.Grant
   */
  fullAccess(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)
    } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.fullAccess), error
    }
    const actions = ["dynamodb:*"], result = this.actions(grantee, ...actions);
    return this.encryptedResource?.grantOnKey(grantee, ...perms().KEY_READ_ACTIONS, ...perms().KEY_WRITE_ACTIONS), result
  }
  /**
   * Allow this table to replicate TO a replica owned by another account.
   * Adds two resource-policy statements: the destination account may call
   * dynamodb:AssociateTableReplica, and the DynamoDB replication service
   * principal gets MULTI_ACCOUNT_REPLICATION_ACTIONS, restricted by
   * `aws:SourceAccount` to this stack's account and the destination account
   * so the service can only act on behalf of those two accounts. Also grants
   * the service principal read+write on the key, if any (any condition on that
   * key grant is decided inside grantOnKey — not visible here).
   * @param destinationReplicaArn replica table ARN; must carry an account id
   * @throws ValidationError CannotGrantMultiAccountReplication when the table has no resource policy
   * @throws ValidationError InvalidTable when the ARN has no account component
   */
  multiAccountReplicationTo(destinationReplicaArn) {
    if (!this.policyResource) throw new (core_1()).ValidationError((0, literal_string_1().lit)`CannotGrantMultiAccountReplication`, "Cannot grant multi-account replication permissions without a resource policy", this.table);
    const stack = core_1().Stack.of(this.table), arnComponents = stack.splitArn(destinationReplicaArn, core_1().ArnFormat.SLASH_RESOURCE_NAME);
    if (!arnComponents.account) throw new (core_1()).ValidationError((0, literal_string_1().lit)`InvalidTable`, `Invalid table ARN: ${destinationReplicaArn}. ARN must include account ID.`, this.table);
    // Statement sids embed the peer account so repeated calls for different accounts stay distinct.
    this.policyResource.addToResourcePolicy(new (iam()).PolicyStatement({ sid: `AllowMultiAccountReplicaAssociation${arnComponents.account}`, actions: ["dynamodb:AssociateTableReplica"], resources: ["*"], principals: [new (iam()).AccountPrincipal(arnComponents.account)] })),
    this.policyResource.addToResourcePolicy(new (iam()).PolicyStatement({ sid: `AllowReplicationServiceReadWrite${arnComponents.account}`, actions: perms().MULTI_ACCOUNT_REPLICATION_ACTIONS, resources: ["*"], principals: [new (iam()).ServicePrincipal("replication.dynamodb.amazonaws.com")], conditions: { StringEquals: { "aws:SourceAccount": [stack.account, arnComponents.account] } } })),
    this.encryptedResource?.grantOnKey(new (iam()).ServicePrincipal("replication.dynamodb.amazonaws.com"), ...perms().KEY_READ_ACTIONS, ...perms().KEY_WRITE_ACTIONS)
  }
  /**
   * Allow this table to receive replication FROM a table in another account.
   * Adds one resource-policy statement ("AllowReplicationService") giving the
   * DynamoDB replication service principal MULTI_ACCOUNT_REPLICATION_ACTIONS,
   * restricted by `aws:SourceAccount` to this stack's account and the source
   * account; grants the same principal read+write on the key, if any.
   * Unlike multiAccountReplicationTo, no AccountPrincipal statement is added here.
   * @param sourceReplicaArn source table ARN; must carry an account id
   * @throws ValidationError CannotGrantMultiAccountReplication / InvalidTable as above
   */
  multiAccountReplicationFrom(sourceReplicaArn) {
    if (!this.policyResource) throw new (core_1()).ValidationError((0, literal_string_1().lit)`CannotGrantMultiAccountReplication`, "Cannot grant multi-account replication permissions without a resource policy", this.table);
    const stack = core_1().Stack.of(this.table), arnComponents = stack.splitArn(sourceReplicaArn, core_1().ArnFormat.SLASH_RESOURCE_NAME);
    if (!arnComponents.account) throw new (core_1()).ValidationError((0, literal_string_1().lit)`InvalidTable`, `Invalid table ARN: ${sourceReplicaArn}. ARN must include account ID.`, this.table);
    // Fixed sid: a second call for another source account would reuse the same sid — confirm the policy helper's merge behaviour.
    this.policyResource.addToResourcePolicy(new (iam()).PolicyStatement({ sid: "AllowReplicationService", actions: perms().MULTI_ACCOUNT_REPLICATION_ACTIONS, resources: ["*"], principals: [new (iam()).ServicePrincipal("replication.dynamodb.amazonaws.com")], conditions: { StringEquals: { "aws:SourceAccount": [stack.account, arnComponents.account] } } })),
    this.encryptedResource?.grantOnKey(new (iam()).ServicePrincipal("replication.dynamodb.amazonaws.com"), ...perms().KEY_READ_ACTIONS, ...perms().KEY_WRITE_ACTIONS)
  }
}
exports.TableGrants = TableGrants;