From 156e38bc72e1e327b32e8f2b306245fd1a87f873 Mon Sep 17 00:00:00 2001 From: gracelu0 Date: Wed, 13 Nov 2024 19:09:13 -0800 Subject: [PATCH] scope down permissions for sqs and kinesis stream targets --- .../lib/kinesis-stream-put-record.ts | 5 +- .../lib/sqs-send-message.ts | 5 +- .../aws-scheduler-targets-alpha/lib/target.ts | 4 - .../integ.inspector-start-assessment-run.ts | 2 - .../integ.kinesis-data-firehose-put-record.ts | 2 - ...gets-kinesis-stream-put-record.assets.json | 4 +- ...ts-kinesis-stream-put-record.template.json | 5 +- ...efaultTestDeployAssert6B5E163F.assets.json | 4 +- ...aultTestDeployAssert6B5E163F.template.json | 4 +- .../manifest.json | 4 +- .../tree.json | 1 - .../test/integ.kinesis-stream-put-record.ts | 2 +- ...teg.sage-maker-start-pipeline-execution.ts | 2 - .../aws-cdk-schedule-dlq.assets.json | 4 +- .../aws-cdk-schedule-dlq.template.json | 34 ++++----- ...efaultTestDeployAssertC769CF31.assets.json | 4 +- ...aultTestDeployAssertC769CF31.template.json | 2 +- .../manifest.json | 4 +- .../tree.json | 36 ++++----- .../aws-cdk-schedule.assets.json | 4 +- .../aws-cdk-schedule.template.json | 6 +- ...efaultTestDeployAssert883D0D33.assets.json | 4 +- ...aultTestDeployAssert883D0D33.template.json | 2 +- .../manifest.json | 4 +- .../tree.json | 6 +- .../test/kinesis-stream-put-record.test.ts | 55 +++++++++++--- .../test/sqs-send-message.test.ts | 76 +++++++++++++------ 27 files changed, 162 insertions(+), 123 deletions(-) diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts index 1e16d8726bad3..220536f29d80c 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts 
@@ -47,7 +47,8 @@ export class KinesisStreamPutRecord extends ScheduleTargetBase implements ISched throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.stream.node)} in account ${this.stream.env.account}. Both the target and the execution role must be in the same account.`); } - this.stream.grantWrite(role); + this.stream.grant(role, 'kinesis:PutRecord', 'kinesis:PutRecords'); + this.stream.encryptionKey?.grant(role, 'kms:GenerateDataKey*'); } protected bindBaseTargetConfig(_schedule: ISchedule): ScheduleTargetConfig { @@ -58,4 +59,4 @@ export class KinesisStreamPutRecord extends ScheduleTargetBase implements ISched }, }; } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts index a08eaf7e023b1..7343fcb3e27c9 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts @@ -62,7 +62,8 @@ export class SqsSendMessage extends ScheduleTargetBase implements IScheduleTarge throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.queue.node)} in account ${this.queue.env.account}. Both the target and the execution role must be in the same account.`); } - this.queue.grantSendMessages(role); + this.queue.grant(role, 'sqs:SendMessage'); + this.queue.encryptionMasterKey?.grant(role, 'kms:Decrypt', 'kms:GenerateDataKey*'); } protected bindBaseTargetConfig(_schedule: ISchedule): ScheduleTargetConfig { @@ -73,4 +74,4 @@ export class SqsSendMessage extends ScheduleTargetBase implements IScheduleTarge }, }; } -} \ No newline at end of file +} 
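Review bot: `this.stream.encryptionKey?.grant(role, 'kms:GenerateDataKey*')` silently grants nothing when the stream was imported without a key reference, because the `?.` short-circuits, so an imported SSE-KMS stream yields a role that only fails at delivery time with no synth-time signal; the same applies to `this.queue.encryptionMasterKey?.grant(...)` in the sqs-send-message.ts hunk that follows. A short comment on the grant lines would spare the next reader a trip through the IAM reference, e.g. `// Scheduler only calls PutRecord/PutRecords; grantWrite() would also add kinesis:ListShards.` and `// Only effective when the stream object carries its key; streams imported without one must grant kms:GenerateDataKey themselves.` The trailing wildcard in `kms:GenerateDataKey*` also matches GenerateDataKeyWithoutPlaintext and the GenerateDataKeyPair actions, so if strict least privilege is the aim, plain `kms:GenerateDataKey` is the narrower choice — keep the wildcard only to stay consistent with the existing `grant*` helpers, and say so in the comment. The enclosing method that performs these grants starts outside the hunk.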
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts index fdf2678349660..e2b4dd5a56c9e 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts @@ -16,10 +16,6 @@ export interface ScheduleTargetBaseProps { * permissions to interact with the templated target. If you wish you may specify your own IAM role, then the templated targets * will grant minimal required permissions. * - * Universal target automatically create an IAM role if you do not specify your own IAM role. - * However, in comparison with templated targets, for universal targets you must grant the required - * IAM permissions yourself. - * * @default - created by target */ readonly role?: iam.IRole; diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts index b2fc24b3035e6..8b001f86eae2d 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts @@ -44,5 +44,3 @@ integrationTest.assertions.awsApiCall('Inspector', 'listAssessmentRuns', { interval: cdk.Duration.seconds(30), totalTimeout: cdk.Duration.minutes(10), }); - -app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-data-firehose-put-record.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-data-firehose-put-record.ts index 0fca71eb13b3c..bf8400a5bf004 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-data-firehose-put-record.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-data-firehose-put-record.ts 
@@ -69,5 +69,3 @@ if (objects instanceof AwsApiCall && objects.waiterProvider) { Resource: ['*'], }); } - -app.synth(); diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.assets.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.assets.json index 73d1e9735b272..eb64942edde56 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.assets.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.assets.json @@ -1,7 +1,7 @@ { "version": "38.0.1", "files": { - "5a0677ed1657a0df65bcd3d8b8443f9fb0e7452f340b83b259b1b269a783e98d": { + "f2422f25efcd3f83c93f552eb5d2733d702851b938f4e8d1e3ed178fe5c6c2ff": { "source": { "path": "aws-cdk-scheduler-targets-kinesis-stream-put-record.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "5a0677ed1657a0df65bcd3d8b8443f9fb0e7452f340b83b259b1b269a783e98d.json", + "objectKey": "f2422f25efcd3f83c93f552eb5d2733d702851b938f4e8d1e3ed178fe5c6c2ff.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.template.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.template.json index 7c4688bf15a59..f742eee0e617e 100644 
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.template.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.template.json @@ -19,8 +19,8 @@ ] } }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" }, "Schedule83A77FD1": { "Type": "AWS::Scheduler::Schedule", @@ -106,7 +106,6 @@ "Statement": [ { "Action": [ - "kinesis:ListShards", "kinesis:PutRecord", "kinesis:PutRecords" ], diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.assets.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.assets.json index bc6bf0d34581e..2349798e94623 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.assets.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.assets.json @@ -14,7 +14,7 @@ } } }, - "b7ba1d2a8c1665fe6609234861e4a38bc44770bd7df20dfe74404faeae11b000": { + "8129b64f9ba0bc27f54bdf02f6ece38e5bb92c79f74d153fa4649a1c76bead6d": { "source": { "path": "integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.template.json", "packaging": "file" 
@@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "b7ba1d2a8c1665fe6609234861e4a38bc44770bd7df20dfe74404faeae11b000.json", + "objectKey": "8129b64f9ba0bc27f54bdf02f6ece38e5bb92c79f74d153fa4649a1c76bead6d.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.template.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.template.json index 9a5b9e665e519..70d9fab6e8992 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.template.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.template.json @@ -23,7 +23,7 @@ "outputPaths": [ "ShardIterator" ], - "salt": "1730406489546" + "salt": "1731552619376" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" @@ -406,7 +406,7 @@ "outputPaths": [ "Records.0.PartitionKey" ], - "salt": "1730406489548" + "salt": "1731552619378" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/manifest.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/manifest.json index 740036917c132..fdb9dbac13c99 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/manifest.json @@ -19,7 +19,7 @@ "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5a0677ed1657a0df65bcd3d8b8443f9fb0e7452f340b83b259b1b269a783e98d.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f2422f25efcd3f83c93f552eb5d2733d702851b938f4e8d1e3ed178fe5c6c2ff.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -98,7 +98,7 @@ "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b7ba1d2a8c1665fe6609234861e4a38bc44770bd7df20dfe74404faeae11b000.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8129b64f9ba0bc27f54bdf02f6ece38e5bb92c79f74d153fa4649a1c76bead6d.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/tree.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/tree.json index 48a9f2bf8f444..b6bcd573eb440 100644 
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/tree.json @@ -183,7 +183,6 @@ "Statement": [ { "Action": [ - "kinesis:ListShards", "kinesis:PutRecord", "kinesis:PutRecords" ], diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.ts index f1ef73ef021cd..fa10ffe742061 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.ts @@ -21,6 +21,7 @@ const partitionKey = 'key'; const stream = new Stream(stack, 'MyStream', { streamName, shardCount: 1, + removalPolicy: cdk.RemovalPolicy.DESTROY, }); new scheduler.Schedule(stack, 'Schedule', { @@ -58,4 +59,3 @@ getRecords.assertAtPath( totalTimeout: cdk.Duration.minutes(10), }); -app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sage-maker-start-pipeline-execution.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sage-maker-start-pipeline-execution.ts index 6027056d6ed28..89967c433395c 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sage-maker-start-pipeline-execution.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sage-maker-start-pipeline-execution.ts @@ -135,5 +135,3 @@ integrationTest.assertions.awsApiCall('Sagemaker', 'listPipelineExecutions', { interval: cdk.Duration.seconds(30), totalTimeout: cdk.Duration.minutes(10), }); - -app.synth(); \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.assets.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.assets.json index 2adab5edfafbd..5f8ee3b1b484c 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.assets.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.assets.json @@ -1,7 +1,7 @@ { "version": "38.0.1", "files": { - "137515a3ae0676ac922b8b370bb5a7df9789035d9f2924d3c32c762884844af8": { + "4d47f0104c1b344ab37245744e46d6f619101faff75dd622caf98e0671be3fd7": { "source": { "path": "aws-cdk-schedule-dlq.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "137515a3ae0676ac922b8b370bb5a7df9789035d9f2924d3c32c762884844af8.json", + "objectKey": "4d47f0104c1b344ab37245744e46d6f619101faff75dd622caf98e0671be3fd7.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.template.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.template.json index e8d484b60840b..4bae1663209d5 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.template.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.template.json 
@@ -27,29 +27,23 @@ "Properties": { "PolicyDocument": { "Statement": [ - { - "Action": [ - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:SendMessage" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "ScheduleTargetQueueFA42B954", - "Arn" - ] - } - }, { "Action": "sqs:SendMessage", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "ScheduleDeadLetterQueue0D6B48D2", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "ScheduleDeadLetterQueue0D6B48D2", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "ScheduleTargetQueueFA42B954", + "Arn" + ] + } + ] } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.assets.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.assets.json index 8b74097dc25ca..bf858c800d0b2 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.assets.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.assets.json @@ -14,7 +14,7 @@ } } }, - "8cc9346d186750bb434b226af55ff6d8d01624077f70d6c1e65f86367df7814c": { + "23c5ac12f7a2c57664410637df75b276957ac2a0466b3375fc061617fd797d4b": { "source": { "path": "integtestscheduledlqDefaultTestDeployAssertC769CF31.template.json", "packaging": "file" 
@@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "8cc9346d186750bb434b226af55ff6d8d01624077f70d6c1e65f86367df7814c.json", + "objectKey": "23c5ac12f7a2c57664410637df75b276957ac2a0466b3375fc061617fd797d4b.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.template.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.template.json index 97442780c04a5..c87f0b2bad3f1 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.template.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.template.json @@ -42,7 +42,7 @@ "MaxNumberOfMessages": "10" }, "flattenResponse": "false", - "salt": "1731007634218" + "salt": "1731552654930" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/manifest.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/manifest.json index 1e642f31c3e4c..09b4ee4281dc6 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/manifest.json 
@@ -19,7 +19,7 @@ "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/137515a3ae0676ac922b8b370bb5a7df9789035d9f2924d3c32c762884844af8.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4d47f0104c1b344ab37245744e46d6f619101faff75dd622caf98e0671be3fd7.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -116,7 +116,7 @@ "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8cc9346d186750bb434b226af55ff6d8d01624077f70d6c1e65f86367df7814c.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/23c5ac12f7a2c57664410637df75b276957ac2a0466b3375fc061617fd797d4b.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/tree.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/tree.json index 6019eb735ec85..d1d92d6c676d2 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/tree.json 
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/tree.json @@ -79,29 +79,23 @@ "aws:cdk:cloudformation:props": { "policyDocument": { "Statement": [ - { - "Action": [ - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:SendMessage" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "ScheduleTargetQueueFA42B954", - "Arn" - ] - } - }, { "Action": "sqs:SendMessage", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "ScheduleDeadLetterQueue0D6B48D2", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "ScheduleDeadLetterQueue0D6B48D2", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "ScheduleTargetQueueFA42B954", + "Arn" + ] + } + ] } ], "Version": "2012-10-17" @@ -251,7 +245,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-scheduler-alpha.Schedule", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.assets.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.assets.json index 34600270f0cce..a2ce217bd9ac2 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.assets.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.assets.json @@ -1,7 +1,7 @@ { "version": "38.0.1", "files": { - "87b6146acb75d71bb497e9d6948e300cd3d2c47a7a4fe2003bc857715776dbb6": { + "f1fa110f40ba83b4118a22890e9016434cc9f41cbd6f2e331d9fc243b731f61f": { "source": { "path": "aws-cdk-schedule.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "87b6146acb75d71bb497e9d6948e300cd3d2c47a7a4fe2003bc857715776dbb6.json", + "objectKey": "f1fa110f40ba83b4118a22890e9016434cc9f41cbd6f2e331d9fc243b731f61f.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.template.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.template.json index fdaa3624feabf..2592ade0636dd 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.template.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.template.json @@ -92,11 +92,7 @@ "PolicyDocument": { "Statement": [ { - "Action": [ - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:SendMessage" - ], + "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.assets.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.assets.json index 71a011a7571b5..bcade19f5ae33 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.assets.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.assets.json 
@@ -14,7 +14,7 @@ } } }, - "b30b0a027677b9660baec22bd14ba543457691b36e4eee3905faeb4ff74e5c64": { + "e05c791f0b0f8148943f90056d48e4fbf32cb56a6a2d9ccafb849d35a9e30e07": { "source": { "path": "integsqssendmessageDefaultTestDeployAssert883D0D33.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "b30b0a027677b9660baec22bd14ba543457691b36e4eee3905faeb4ff74e5c64.json", + "objectKey": "e05c791f0b0f8148943f90056d48e4fbf32cb56a6a2d9ccafb849d35a9e30e07.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.template.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.template.json index e008e1c103942..b15e0dae33e0d 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.template.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.template.json @@ -34,7 +34,7 @@ "outputPaths": [ "Messages.0.Body" ], - "salt": "1730407597091" + "salt": "1731553149563" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/manifest.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/manifest.json index 499194033b851..6bfcfc45caa76 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/manifest.json @@ -19,7 +19,7 @@ "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/87b6146acb75d71bb497e9d6948e300cd3d2c47a7a4fe2003bc857715776dbb6.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f1fa110f40ba83b4118a22890e9016434cc9f41cbd6f2e331d9fc243b731f61f.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -98,7 +98,7 @@ "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b30b0a027677b9660baec22bd14ba543457691b36e4eee3905faeb4ff74e5c64.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e05c791f0b0f8148943f90056d48e4fbf32cb56a6a2d9ccafb849d35a9e30e07.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/tree.json b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/tree.json index 9d953ce11e45d..5ffae25740a2a 100644 
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/tree.json @@ -161,11 +161,7 @@ "policyDocument": { "Statement": [ { - "Action": [ - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:SendMessage" - ], + "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/kinesis-stream-put-record.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/kinesis-stream-put-record.test.ts index 822c9cbb84efc..6c67b124ac17b 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/kinesis-stream-put-record.test.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/kinesis-stream-put-record.test.ts @@ -3,6 +3,7 @@ import { App, Duration, Stack } from 'aws-cdk-lib'; import { Template } from 'aws-cdk-lib/assertions'; import { AccountRootPrincipal, Role } from 'aws-cdk-lib/aws-iam'; import * as kinesis from 'aws-cdk-lib/aws-kinesis'; +import * as kms from 'aws-cdk-lib/aws-kms'; import * as sqs from 'aws-cdk-lib/aws-sqs'; import { KinesisStreamPutRecord } from '../lib'; @@ -48,7 +49,7 @@ describe('schedule target', () => { PolicyDocument: { Statement: [ { - Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'], @@ -126,7 +127,7 @@ describe('schedule target', () => { PolicyDocument: { Statement: [ { - Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'], 
@@ -189,7 +190,7 @@ describe('schedule target', () => { PolicyDocument: { Statement: [ { - Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'], @@ -274,7 +275,7 @@ describe('schedule target', () => { PolicyDocument: { Statement: [ { - Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'], @@ -315,7 +316,7 @@ describe('schedule target', () => { PolicyDocument: { Statement: [ { - Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: 'arn:aws:kinesis:us-east-1:123456789012:stream/Foo', }, @@ -357,7 +358,7 @@ describe('schedule target', () => { PolicyDocument: { Statement: [ { - Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'], @@ -400,7 +401,7 @@ describe('schedule target', () => { PolicyDocument: { Statement: [ { - Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: 'arn:aws:kinesis:us-east-1:123456789012:stream/Foo', }, @@ -457,7 +458,7 @@ describe('schedule target', () => { PolicyDocument: { Statement: [ { - Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'], 
@@ -493,7 +494,7 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'],
+ Action: ['kinesis:PutRecord', 'kinesis:PutRecords'],
 Effect: 'Allow',
 Resource: {
 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'],
@@ -510,6 +511,42 @@ describe('schedule target', () => {
 });
 });
+ test('adds kms permissions to execution role when stream uses customer-managed key for encryption', () => {
+ const key = new kms.Key(stack, 'MyKey');
+ const ssekmsstream = new kinesis.Stream(stack, 'MySSEKMSStream', {
+ encryptionKey: key,
+ });
+ const streamTarget = new KinesisStreamPutRecord(ssekmsstream, {
+ partitionKey: 'key',
+ });
+ new Schedule(stack, 'MyScheduleDummy', {
+ schedule: expr,
+ target: streamTarget,
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: ['kinesis:PutRecord', 'kinesis:PutRecords'],
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::GetAtt': ['MySSEKMSStreamB597D4E1', 'Arn'],
+ },
+ },
+ {
+ Action: 'kms:GenerateDataKey*',
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::GetAtt': ['MyKey6AB29FA6', 'Arn'],
+ },
+ },
+ ],
+ },
+ Roles: [{ Ref: 'SchedulerRoleForTargeta736fbE883CED5' }],
+ });
+ });
+
 test('renders expected retry policy', () => {
 const streamTarget = new KinesisStreamPutRecord(stream, {
 partitionKey: 'key',
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/sqs-send-message.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/sqs-send-message.test.ts
index 8cb7a060c4295..cc029af5a8bb0 100644
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/sqs-send-message.test.ts
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/sqs-send-message.test.ts
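Review bot: The new test in hunk @@ -510,6 +511,42 @@ only exercises the customer-managed-key branch; nothing in the file pins that a stream whose encryption is not backed by a CDK `encryptionKey` (e.g. `encryption: kinesis.StreamEncryption.MANAGED`) still yields a policy with only the `kinesis:PutRecord`/`kinesis:PutRecords` statement. If the library grants the `kms:*` actions only when the stream exposes an `encryptionKey`, as the test name implies, a sibling negative test would catch a future change that makes that grant unconditional and widens the role. Because `hasResourceProperties` matches the `Statement` array exactly, the existing tests on the plain `stream` already cover the unencrypted case, so the AWS-managed-key case is the one worth adding. The same gap applies to the SQS counterpart test added in sqs-send-message.test.ts (`encryption: sqs.QueueEncryption.KMS_MANAGED` presumably leaves `encryptionMasterKey` undefined).

```typescript
  test('does not add kms permissions when stream uses the AWS-managed key', () => {
    const managedStream = new kinesis.Stream(stack, 'MyManagedStream', {
      encryption: kinesis.StreamEncryption.MANAGED,
    });
    new Schedule(stack, 'MyScheduleDummy', {
      schedule: expr,
      target: new KinesisStreamPutRecord(managedStream, { partitionKey: 'key' }),
    });

    // Statement arrays are matched exactly, so a second (kms:*) entry would fail this assertion.
    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
      PolicyDocument: {
        Statement: [
          {
            Action: ['kinesis:PutRecord', 'kinesis:PutRecords'],
            Effect: 'Allow',
            // placeholder: replace with the synthesized logical id of MyManagedStream
            Resource: { 'Fn::GetAtt': ['MyManagedStream<LOGICAL_ID_HASH>', 'Arn'] },
          },
        ],
      },
    });
  });
```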
@@ -2,6 +2,7 @@ import { ScheduleExpression, Schedule, Group } from '@aws-cdk/aws-scheduler-alph
 import { App, Duration, Stack } from 'aws-cdk-lib';
 import { Template } from 'aws-cdk-lib/assertions';
 import { AccountRootPrincipal, Role } from 'aws-cdk-lib/aws-iam';
+import * as kms from 'aws-cdk-lib/aws-kms';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import { SqsSendMessage } from '../lib';
@@ -42,7 +43,7 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
+ Action: 'sqs:SendMessage',
 Effect: 'Allow',
 Resource: {
 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'],
@@ -116,7 +117,7 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
+ Action: 'sqs:SendMessage',
 Effect: 'Allow',
 Resource: {
 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'],
@@ -177,7 +178,7 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
+ Action: 'sqs:SendMessage',
 Effect: 'Allow',
 Resource: {
 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'],
@@ -260,7 +261,7 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
+ Action: 'sqs:SendMessage',
 Effect: 'Allow',
 Resource: {
 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'],
@@ -296,7 +297,7 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
+ Action: 'sqs:SendMessage',
 Effect: 'Allow',
 Resource: 'arn:aws:sqs:us-east-1:123456789012:somequeue',
 },
@@ -334,7 +335,7 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
+ Action: 'sqs:SendMessage',
 Effect: 'Allow',
 Resource: {
 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'],
@@ -373,7 +374,7 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
+ Action: 'sqs:SendMessage',
 Effect: 'Allow',
 Resource: 'arn:aws:sqs:us-east-1:123456789012:somequeue',
 },
@@ -434,19 +435,17 @@ describe('schedule target', () => {
 Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
 PolicyDocument: {
 Statement: [
- {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
- Effect: 'Allow',
- Resource: {
- 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'],
- },
- },
 {
 Action: 'sqs:SendMessage',
 Effect: 'Allow',
- Resource: {
- 'Fn::GetAtt': ['DummyDeadLetterQueueCEBF3463', 'Arn'],
- },
+ Resource: [
+ {
+ 'Fn::GetAtt': ['DummyDeadLetterQueueCEBF3463', 'Arn'],
+ },
+ {
+ 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'],
+ },
+ ],
 },
 ],
 },
@@ -470,20 +469,53 @@ describe('schedule target', () => {
 PolicyDocument: {
 Statement: [
 {
- Action: ['sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SendMessage'],
+ Action: 'sqs:SendMessage',
+ Effect: 'Allow',
+ Resource: [
+ importedQueue.queueArn,
+ { 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'] },
+ ],
+ },
+ ],
+ },
+ Roles: [{ Ref: roleId }],
+ });
+ });
+
+ test('adds kms permissions to execution role when queue uses customer-managed key for encryption', () => {
+ const key = new kms.Key(stack, 'MyKey');
+ const ssekmsqueue = new sqs.Queue(stack, 'MySSEKMSQueue', {
+ encryptionMasterKey: key,
+ });
+ const queueTarget = new SqsSendMessage(ssekmsqueue, {});
+ new Schedule(stack, 'MyScheduleDummy', {
+ schedule: expr,
+ target: queueTarget,
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: 'sqs:SendMessage',
 Effect: 'Allow',
 Resource: {
- 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'],
+ 'Fn::GetAtt': ['MySSEKMSQueueB12ED8F3', 'Arn'],
 },
 },
 {
- Action: 'sqs:SendMessage',
+ Action: [
+ 'kms:Decrypt',
+ 'kms:GenerateDataKey*',
+ ],
 Effect: 'Allow',
- Resource: importedQueue.queueArn,
+ Resource: {
+ 'Fn::GetAtt': ['MyKey6AB29FA6', 'Arn'],
+ },
 },
 ],
 },
- Roles: [{ Ref: roleId }],
+ Roles: [{ Ref: 'SchedulerRoleForTarget4bd89cBD24D046' }],
 });
 });