aws-cdk-lib

Version 2 of the AWS Cloud Development Kit library

"use strict";

// ---------------------------------------------------------------------------
// TypeScript-emitted CommonJS interop helpers. Each one reuses a copy already
// present on `exports` when there is one.
// ---------------------------------------------------------------------------

/**
 * Re-exposes property `key` of `source` on `target` under the name `alias`
 * (defaults to `key`). When the existing descriptor is missing, is a data
 * property that is writable/configurable, or is an accessor on a non-ES
 * module, a live enumerable getter is installed instead of copying the value.
 */
const __createBinding =
  (exports && exports.__createBinding) ||
  (Object.create
    ? function (target, source, key, alias) {
        if (alias === undefined) {
          alias = key;
        }
        let descriptor = Object.getOwnPropertyDescriptor(source, key);
        const needsLiveGetter =
          !descriptor ||
          ("get" in descriptor
            ? !source.__esModule
            : descriptor.writable || descriptor.configurable);
        if (needsLiveGetter) {
          descriptor = {
            enumerable: true,
            get: function () {
              return source[key];
            },
          };
        }
        Object.defineProperty(target, alias, descriptor);
      }
    : function (target, source, key, alias) {
        if (alias === undefined) {
          alias = key;
        }
        target[alias] = source[key];
      });

/** Attaches `value` as the `default` export of the namespace object `target`. */
const __setModuleDefault =
  (exports && exports.__setModuleDefault) ||
  (Object.create
    ? function (target, value) {
        Object.defineProperty(target, "default", { enumerable: true, value: value });
      }
    : function (target, value) {
        target.default = value;
      });

/**
 * Wraps a CommonJS module in a namespace object: ES modules are returned
 * unchanged, anything else gets every own key except "default" bound onto a
 * fresh object whose `default` is the module itself.
 */
const __importStar =
  (exports && exports.__importStar) ||
  (function () {
    // Self-replacing: the first call picks the key enumerator, later calls use it directly.
    let ownKeys = function (subject) {
      ownKeys =
        Object.getOwnPropertyNames ||
        function (plain) {
          const names = [];
          for (const name in plain) {
            if (Object.prototype.hasOwnProperty.call(plain, name)) {
              names.push(name);
            }
          }
          return names;
        };
      return ownKeys(subject);
    };

    return function (mod) {
      if (mod && mod.__esModule) {
        return mod;
      }
      const namespace = {};
      if (mod != null) {
        for (const exportName of ownKeys(mod)) {
          if (exportName !== "default") {
            __createBinding(namespace, mod, exportName);
          }
        }
      }
      __setModuleDefault(namespace, mod);
      return namespace;
    };
  })();

Object.defineProperty(exports, "__esModule", { value: true });
exports.TableGrants = undefined;

// ---------------------------------------------------------------------------
// Lazy module loaders. Each loader requires its module on first use and then
// replaces itself with a function that returns the cached module.
// ---------------------------------------------------------------------------

let jsiiDeprecationWarnings = () => {
  const loaded = require("../../.warnings.jsii.js");
  jsiiDeprecationWarnings = () => loaded;
  return loaded;
};

const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");

let perms = () => {
  const loaded = __importStar(require("./perms"));
  perms = () => loaded;
  return loaded;
};

let iam = () => {
  const loaded = __importStar(require("../../aws-iam"));
  iam = () => loaded;
  return loaded;
};

let core_1 = () => {
  const loaded = require("../../core");
  core_1 = () => loaded;
  return loaded;
};

let principal_utils_1 = () => {
  const loaded = require("./private/principal-utils");
  principal_utils_1 = () => loaded;
  return loaded;
};

let literal_string_1 = () => {
  const loaded = require("../../core/lib/private/literal-string");
  literal_string_1 = () => loaded;
  return loaded;
};

/**
 * IAM grant helpers for a single DynamoDB table reference.
 *
 * Every grant made through this class targets the ARN list built in the
 * constructor (`this.arns`): the table itself, the same table name in each
 * extra region, and a lazily resolved `<arn>/index/*` entry for each of them.
 *
 * Each public method that accepts a construct-typed argument first runs the
 * generated jsii deprecation check for that argument. When the check throws a
 * `DeprecationError` and `JSII_DEBUG` is not "1", the stack is re-captured
 * relative to the method so the trace starts at the caller.
 */
class TableGrants {
  static [JSII_RTTI_SYMBOL_1] = {
    fqn: "aws-cdk-lib.aws_dynamodb.TableGrants",
    version: "2.259.0",
  };

  /**
   * Convenience factory equivalent to `new TableGrants({ table, regions, hasIndex })`.
   *
   * @param table the table reference to grant on
   * @param regions optional list of additional regions (mapped over in the constructor)
   * @param hasIndex optional override for whether index ARNs are included
   * @returns {TableGrants}
   */
  static fromTable(table, regions, hasIndex) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_interfaces_aws_dynamodb_ITableRef(table);
    } catch (error) {
      const trimStack = process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError";
      if (trimStack) {
        Error.captureStackTrace(error, this.fromTable);
      }
      throw error;
    }
    return new TableGrants({ table, regions, hasIndex });
  }

  table;
  arns = [];
  encryptedResource;
  policyResource;

  /**
   * @param props `table` is required by the code below; `regions`, `hasIndex`,
   *   `encryptedResource` and `policyResource` are optional. When the last two
   *   are absent they are looked up from the table via
   *   `iam.EncryptedResources.of` / `iam.ResourceWithPolicies.of`.
   */
  constructor(props) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_dynamodb_TableGrantsProps(props);
    } catch (error) {
      const trimStack = process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError";
      if (trimStack) {
        Error.captureStackTrace(error, TableGrants);
      }
      throw error;
    }

    this.table = props.table;
    this.encryptedResource = props.encryptedResource ?? iam().EncryptedResources.of(this.table);
    this.policyResource = props.policyResource ?? iam().ResourceWithPolicies.of(this.table);

    const stack = core_1().Stack.of(this.table);
    const table = this.table;

    // ARN of the same table name in another region, formatted by the owning stack.
    const formatRegionalTableArn = (region) =>
      stack.formatArn({
        region,
        service: "dynamodb",
        resource: "table",
        resourceName: table.tableRef.tableName,
      });

    // Index wildcard for `arn`, decided lazily: an explicit props.hasIndex wins,
    // otherwise the table's own `hasIndex` (when it has one), otherwise false.
    // The producer yields undefined when no index applies; how the consumer of
    // `arns` treats that entry is not visible in this file.
    const arnForIndex = (arn) =>
      core_1().Lazy.string({
        produce() {
          const indexed = props.hasIndex ?? ("hasIndex" in table ? table.hasIndex : false);
          return indexed ? `${arn}/index/*` : undefined;
        },
      });

    this.arns = [
      table.tableRef.tableArn,
      ...(props.regions ?? []).map(formatRegionalTableArn),
      arnForIndex(table.tableRef.tableArn),
      ...(props.regions ?? []).map((region) => arnForIndex(formatRegionalTableArn(region))),
    ];
  }

  /**
   * Grants an arbitrary list of actions on `this.arns` to `grantee`.
   *
   * ServicePrincipal grantees (as judged by `isUnsupportedServicePrincipal`)
   * are rejected with a ValidationError that points callers at
   * `table.addToResourcePolicy()` instead. With a policy resource available
   * the grant goes through `Grant.addToPrincipalOrResource` (resource-policy
   * self ARN "*"); otherwise it is added to the principal only.
   *
   * @param grantee the principal receiving the permissions
   * @param actions IAM action names to allow
   * @returns the Grant produced by the aws-iam helper
   * @throws ValidationError when the grantee is an unsupported service principal
   */
  actions(grantee, ...actions) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (error) {
      const trimStack = process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError";
      if (trimStack) {
        Error.captureStackTrace(error, this.actions);
      }
      throw error;
    }

    const { isUnsupportedServicePrincipal } = principal_utils_1();
    if (isUnsupportedServicePrincipal(grantee.grantPrincipal)) {
      const { ValidationError } = core_1();
      const { lit } = literal_string_1();
      throw new ValidationError(
        lit`ServicePrincipalGrantNotSupported`,
        "DynamoDB grant* methods do not support ServicePrincipal grantees. Use table.addToResourcePolicy() for an explicit service-specific table policy with required service principal, actions, and conditions",
        this.table,
      );
    }

    if (this.policyResource) {
      return iam().Grant.addToPrincipalOrResource({
        grantee,
        actions,
        resourceArns: this.arns,
        resource: this.policyResource,
        resourceSelfArns: ["*"],
      });
    }
    return iam().Grant.addToPrincipal({
      grantee,
      actions,
      resourceArns: this.arns,
    });
  }

  /**
   * Grants the read action set plus DescribeTable, and key read actions on the
   * table's encryption resource when there is one. The principal-only read
   * actions are added straight to the principal's policy and combined into
   * the returned grant.
   *
   * @param grantee the principal receiving read access
   * @returns the combined Grant
   */
  readData(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (error) {
      const trimStack = process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError";
      if (trimStack) {
        Error.captureStackTrace(error, this.readData);
      }
      throw error;
    }

    const tableActions = [...perms().RESOURCE_READ_DATA_ACTIONS, perms().DESCRIBE_TABLE];

    // Key grant is issued before the table grant; statement order is kept as-is.
    this.encryptedResource?.grantOnKey(grantee, ...perms().KEY_READ_ACTIONS);

    const tableGrant = this.actions(grantee, ...tableActions);
    const principalOnlyGrant = iam().Grant.addToPrincipal({
      grantee,
      actions: perms().PRINCIPAL_ONLY_READ_DATA_ACTIONS,
      resourceArns: this.arns,
    });
    return tableGrant.combine(principalOnlyGrant);
  }

  /**
   * Grants the write action set plus DescribeTable, then key read and write
   * actions on the table's encryption resource when there is one.
   *
   * @param grantee the principal receiving write access
   * @returns the table Grant (the key grant is not part of the return value)
   */
  writeData(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (error) {
      const trimStack = process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError";
      if (trimStack) {
        Error.captureStackTrace(error, this.writeData);
      }
      throw error;
    }

    const tableActions = [...perms().WRITE_DATA_ACTIONS, perms().DESCRIBE_TABLE];
    const tableGrant = this.actions(grantee, ...tableActions);

    this.encryptedResource?.grantOnKey(
      grantee,
      ...perms().KEY_READ_ACTIONS,
      ...perms().KEY_WRITE_ACTIONS,
    );
    return tableGrant;
  }

  /**
   * Grants the read and write action sets plus DescribeTable, key read and
   * write actions on the encryption resource when there is one, and the
   * principal-only read actions on the principal's own policy.
   *
   * @param grantee the principal receiving read/write access
   * @returns the combined Grant
   */
  readWriteData(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (error) {
      const trimStack = process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError";
      if (trimStack) {
        Error.captureStackTrace(error, this.readWriteData);
      }
      throw error;
    }

    const tableActions = [
      ...perms().RESOURCE_READ_DATA_ACTIONS,
      ...perms().WRITE_DATA_ACTIONS,
      perms().DESCRIBE_TABLE,
    ];
    const tableGrant = this.actions(grantee, ...tableActions);

    this.encryptedResource?.grantOnKey(
      grantee,
      ...perms().KEY_READ_ACTIONS,
      ...perms().KEY_WRITE_ACTIONS,
    );

    const principalOnlyGrant = iam().Grant.addToPrincipal({
      grantee,
      actions: perms().PRINCIPAL_ONLY_READ_DATA_ACTIONS,
      resourceArns: this.arns,
    });
    return tableGrant.combine(principalOnlyGrant);
  }

  /**
   * Grants `dynamodb:*` on every ARN in `this.arns`, plus key read and write
   * actions on the encryption resource when there is one.
   *
   * NOTE(review): the action wildcard covers every DynamoDB action, including
   * administrative ones, on the table, its regional ARNs and the index
   * wildcard. Where the grantee only moves data, readData / writeData /
   * readWriteData give a narrower policy.
   *
   * @param grantee the principal receiving full access
   * @returns the table Grant
   */
  fullAccess(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (error) {
      const trimStack = process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError";
      if (trimStack) {
        Error.captureStackTrace(error, this.fullAccess);
      }
      throw error;
    }

    const everything = ["dynamodb:*"];
    const tableGrant = this.actions(grantee, ...everything);

    this.encryptedResource?.grantOnKey(
      grantee,
      ...perms().KEY_READ_ACTIONS,
      ...perms().KEY_WRITE_ACTIONS,
    );
    return tableGrant;
  }

  /**
   * Adds the resource-policy statements that let a replica in another account
   * attach to this table.
   *
   * Two statements are added to the table's resource policy:
   *  - the destination account (as an AccountPrincipal) may call
   *    `dynamodb:AssociateTableReplica`;
   *  - the `replication.dynamodb.amazonaws.com` service principal may use the
   *    multi-account replication action set, conditioned on `aws:SourceAccount`
   *    being this stack's account or the destination account.
   * The replication service principal is then granted key read and write
   * actions on the encryption resource when there is one.
   *
   * NOTE(review): the `aws:SourceAccount` condition is visible on the table
   * statement only; the key grant call passes just the service principal and
   * the actions. Confirm how `grantOnKey` scopes a service principal before
   * relying on the key policy being account-restricted.
   *
   * @param destinationReplicaArn ARN of the replica table; must carry an account ID
   * @throws ValidationError when there is no policy resource or the ARN has no account
   */
  multiAccountReplicationTo(destinationReplicaArn) {
    if (!this.policyResource) {
      const { ValidationError } = core_1();
      const { lit } = literal_string_1();
      throw new ValidationError(
        lit`CannotGrantMultiAccountReplication`,
        "Cannot grant multi-account replication permissions without a resource policy",
        this.table,
      );
    }

    const owningStack = core_1().Stack.of(this.table);
    const replica = owningStack.splitArn(
      destinationReplicaArn,
      core_1().ArnFormat.SLASH_RESOURCE_NAME,
    );
    if (!replica.account) {
      const { ValidationError } = core_1();
      const { lit } = literal_string_1();
      throw new ValidationError(
        lit`InvalidTable`,
        `Invalid table ARN: ${destinationReplicaArn}. ARN must include account ID.`,
        this.table,
      );
    }

    // Statement 1: the destination account may associate its replica.
    this.policyResource.addToResourcePolicy(
      new (iam()).PolicyStatement({
        sid: `AllowMultiAccountReplicaAssociation${replica.account}`,
        actions: ["dynamodb:AssociateTableReplica"],
        resources: ["*"],
        principals: [new (iam()).AccountPrincipal(replica.account)],
      }),
    );

    // Statement 2: the replication service, limited to the two accounts involved.
    this.policyResource.addToResourcePolicy(
      new (iam()).PolicyStatement({
        sid: `AllowReplicationServiceReadWrite${replica.account}`,
        actions: perms().MULTI_ACCOUNT_REPLICATION_ACTIONS,
        resources: ["*"],
        principals: [new (iam()).ServicePrincipal("replication.dynamodb.amazonaws.com")],
        conditions: {
          StringEquals: {
            "aws:SourceAccount": [owningStack.account, replica.account],
          },
        },
      }),
    );

    this.encryptedResource?.grantOnKey(
      new (iam()).ServicePrincipal("replication.dynamodb.amazonaws.com"),
      ...perms().KEY_READ_ACTIONS,
      ...perms().KEY_WRITE_ACTIONS,
    );
  }

  /**
   * Adds the resource-policy statement that lets the DynamoDB replication
   * service act on this table on behalf of a source replica in another account.
   *
   * One statement with the fixed sid "AllowReplicationService" is added: the
   * `replication.dynamodb.amazonaws.com` service principal may use the
   * multi-account replication action set, conditioned on `aws:SourceAccount`
   * being this stack's account or the source account. The service principal is
   * then granted key read and write actions on the encryption resource when
   * there is one.
   *
   * NOTE(review): as in multiAccountReplicationTo, no `aws:SourceAccount`
   * condition is visible on the key grant call; confirm how `grantOnKey`
   * scopes it. The sid here does not vary with the account, unlike the sids
   * used by multiAccountReplicationTo.
   *
   * @param sourceReplicaArn ARN of the source replica table; must carry an account ID
   * @throws ValidationError when there is no policy resource or the ARN has no account
   */
  multiAccountReplicationFrom(sourceReplicaArn) {
    if (!this.policyResource) {
      const { ValidationError } = core_1();
      const { lit } = literal_string_1();
      throw new ValidationError(
        lit`CannotGrantMultiAccountReplication`,
        "Cannot grant multi-account replication permissions without a resource policy",
        this.table,
      );
    }

    const owningStack = core_1().Stack.of(this.table);
    const replica = owningStack.splitArn(
      sourceReplicaArn,
      core_1().ArnFormat.SLASH_RESOURCE_NAME,
    );
    if (!replica.account) {
      const { ValidationError } = core_1();
      const { lit } = literal_string_1();
      throw new ValidationError(
        lit`InvalidTable`,
        `Invalid table ARN: ${sourceReplicaArn}. ARN must include account ID.`,
        this.table,
      );
    }

    this.policyResource.addToResourcePolicy(
      new (iam()).PolicyStatement({
        sid: "AllowReplicationService",
        actions: perms().MULTI_ACCOUNT_REPLICATION_ACTIONS,
        resources: ["*"],
        principals: [new (iam()).ServicePrincipal("replication.dynamodb.amazonaws.com")],
        conditions: {
          StringEquals: {
            "aws:SourceAccount": [owningStack.account, replica.account],
          },
        },
      }),
    );

    this.encryptedResource?.grantOnKey(
      new (iam()).ServicePrincipal("replication.dynamodb.amazonaws.com"),
      ...perms().KEY_READ_ACTIONS,
      ...perms().KEY_WRITE_ACTIONS,
    );
  }
}

exports.TableGrants = TableGrants;