Merge branch 'master' into benisrae/nested-fix-multi-level-refs
Elad Ben-Israel authored Apr 15, 2020
2 parents 1d02733 + 7695f2b commit 5f043cc
Showing 23 changed files with 1,142 additions and 1,188 deletions.
15 changes: 14 additions & 1 deletion packages/@aws-cdk/aws-kinesis/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ intake and aggregation.
- [Permission Grants](#permission-grants)
- [Read Permissions](#read-permissions)
- [Write Permissions](#write-permissions)
- [Custom Permissions](#custom-permissions)

## Streams

Expand Down Expand Up @@ -150,7 +151,6 @@ stream.grantRead(lambdaRole);
The following read permissions are provided to a service principal by the `grantRead()` API:
- `kinesis:DescribeStream`
- `kinesis:DescribeStreamSummary`
- `kinesis:GetRecords`
- `kinesis:GetShardIterator`
Expand Down Expand Up @@ -181,3 +181,16 @@ The following write permissions are provided to a service principal by the `gran
- `kinesis:ListShards`
- `kinesis:PutRecord`
- `kinesis:PutRecords`
#### Custom Permissions
You can add any set of permissions to a stream by calling the `grant()` API.
```ts
const user = new iam.User(stack, 'MyUser');

const stream = new Stream(stack, 'MyStream');

// give my user permissions to list shards
stream.grant(user, 'kinesis:ListShards');
```
6 changes: 5 additions & 1 deletion packages/@aws-cdk/aws-kinesis/lib/stream.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import { IResolvable } from 'constructs';
import { CfnStream } from './kinesis.generated';

const READ_OPERATIONS = [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
Expand Down Expand Up @@ -68,6 +67,11 @@ export interface IStream extends IResource {
* encrypt/decrypt will also be granted.
*/
grantReadWrite(grantee: iam.IGrantable): iam.Grant;

/**
* Grant the indicated permissions on this stream to the provided IAM principal.
*/
grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
}

/**
Expand Down
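Review bot: The new `grant(grantee, ...actions: string[])` declaration documents neither what is done with `actions` nor how it relates to the key handling that `grantReadWrite` advertises two lines above ("encrypt/decrypt will also be granted"), and the implementation is outside this hunk, so a caller has to guess whether `grant(role, 'kinesis:GetRecords')` on an encrypted stream also yields `kms:Decrypt`. The test added in this commit shows the statement is scoped to the stream ARN only and carries the action strings verbatim, so the TSDoc should say that actions are passed through unvalidated (wildcards such as `kinesis:*` are accepted), that the statement is limited to this stream's ARN, and — once confirmed against the implementation — whether any KMS key permissions are added; a `@param actions` line and a short least-privilege remark that callers should prefer `grantRead`/`grantWrite` where they fit would complete it. It would also be worth deciding what `grant(role)` with zero actions should do, since an empty `Action` list is almost certainly a caller error.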
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,6 @@
"Statement": [
{
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator",
Expand Down
86 changes: 81 additions & 5 deletions packages/@aws-cdk/aws-kinesis/test/stream.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -583,7 +583,6 @@ describe('Kinesis data streams', () => {
Statement: [
{
Action: [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
Expand Down Expand Up @@ -836,7 +835,6 @@ describe('Kinesis data streams', () => {
Statement: [
{
Action: [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
Expand Down Expand Up @@ -910,7 +908,6 @@ describe('Kinesis data streams', () => {
Statement: [
{
Action: [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
Expand Down Expand Up @@ -1039,7 +1036,7 @@ describe('Kinesis data streams', () => {
});
}),

test('greatReadWrite creates and attaches a policy with write only access to Stream', () => {
test('grantReadWrite creates and attaches a policy with write only access to Stream', () => {
const stack = new Stack();
const stream = new Stream(stack, 'MyStream');

Expand Down Expand Up @@ -1077,7 +1074,6 @@ describe('Kinesis data streams', () => {
Statement: [
{
Action: [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
Expand Down Expand Up @@ -1128,6 +1124,86 @@ describe('Kinesis data streams', () => {
});
}),

test('grant creates and attaches a policy to Stream which includes supplied permissions', () => {
const stack = new Stack();
const stream = new Stream(stack, 'MyStream');

const user = new iam.User(stack, 'MyUser');
stream.grant(user, 'kinesis:DescribeStream');

expect(stack).toMatchTemplate({
Resources: {
MyStream5C050E93: {
Type: 'AWS::Kinesis::Stream',
Properties: {
ShardCount: 1,
RetentionPeriodHours: 24,
StreamEncryption: {
'Fn::If': [
'AwsCdkKinesisEncryptedStreamsUnsupportedRegions',
{
Ref: 'AWS::NoValue',
},
{
EncryptionType: 'KMS',
KeyId: 'alias/aws/kinesis',
},
],
},
},
},
MyUserDC45028B: {
Type: 'AWS::IAM::User',
},
MyUserDefaultPolicy7B897426: {
Type: 'AWS::IAM::Policy',
Properties: {
PolicyDocument: {
Statement: [
{
Action: 'kinesis:DescribeStream',
Effect: 'Allow',
Resource: {
'Fn::GetAtt': ['MyStream5C050E93', 'Arn'],
},
},
],
Version: '2012-10-17',
},
PolicyName: 'MyUserDefaultPolicy7B897426',
Users: [
{
Ref: 'MyUserDC45028B',
},
],
},
},
},
Conditions: {
AwsCdkKinesisEncryptedStreamsUnsupportedRegions: {
'Fn::Or': [
{
'Fn::Equals': [
{
Ref: 'AWS::Region',
},
'cn-north-1',
],
},
{
'Fn::Equals': [
{
Ref: 'AWS::Region',
},
'cn-northwest-1',
],
},
],
},
},
});
}),

test('cross-stack permissions - no encryption', () => {
const app = new App();
const stackA = new Stack(app, 'stackA');
Expand Down
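Review bot: The new `grant creates and attaches a policy ...` test only exercises a single action, so the variadic spread of `grant(user, ...actions)` — the part most likely to be wrong — is never checked; a second case such as `stream.grant(user, 'kinesis:ListShards', 'kinesis:DescribeStream');` with `expect(stack).toHaveResourceLike('AWS::IAM::Policy', { PolicyDocument: { Statement: [{ Action: ['kinesis:ListShards', 'kinesis:DescribeStream'], Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] } }] } });` would pin both the ordering and the ARN scoping. Matching the entire template, including the encryption `Conditions` block, also makes this test fail on any unrelated stream-encryption change; `toHaveResourceLike` on the policy alone is sufficient for what it asserts. Separately, the renamed test on the line `test('grantReadWrite creates and attaches a policy with write only access to Stream', ...)` fixes the typo but keeps a title that presumably no longer matches a read/write grant — its body is outside the hunk, but `with read and write access to Stream` looks like the intended wording.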
7 changes: 7 additions & 0 deletions packages/@aws-cdk/aws-lambda-event-sources/lib/kinesis.ts
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,13 @@ export class KinesisEventSource extends StreamEventSource {
this._eventSourceMappingId = eventSourceMapping.eventSourceMappingId;

this.stream.grantRead(target);

// The `grantRead` API provides all the permissions recommended by the Kinesis team for reading a stream.
// `DescribeStream` permissions are not required to read a stream as it's covered by the `DescribeStreamSummary`
// and `SubscribeToShard` APIs.
// The Lambda::EventSourceMapping resource validates against the `DescribeStream` permission. So we add it explicitly.
// FIXME This permission can be removed when the event source mapping resource drops it from validation.
this.stream.grant(target, 'kinesis:DescribeStream');
}

/**
Expand Down
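Review bot: The comment above the new `this.stream.grant(target, 'kinesis:DescribeStream')` call explains the workaround but its FIXME names no tracking issue, so nothing will ever prompt removal of this extra permission once `AWS::Lambda::EventSourceMapping` stops validating it, and the justification that DescribeStream is "covered by" DescribeStreamSummary and SubscribeToShard reads as a permission claim when those are distinct APIs. A tighter version: `// The EventSourceMapping resource still validates that the target role holds kinesis:DescribeStream,` / `// even though grantRead() no longer includes it; grant it separately so the mapping deploys.` / `// FIXME(<issue-link>): drop once the mapping's validation is relaxed.` Note also that this produces a second statement on the same stream ARN next to the grantRead one (visible in the expected templates in this commit), which is harmless but worth a word if anyone later tries to fold the two. The enclosing `bind` method starts outside the hunk.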
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@
"Statement": [
{
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator",
Expand All @@ -52,6 +51,16 @@
"Arn"
]
}
},
{
"Action": "kinesis:DescribeStream",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Q63C6E3AB",
"Arn"
]
}
}
],
"Version": "2012-10-17"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,6 @@
},
{
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator",
Expand All @@ -66,6 +65,16 @@
"Arn"
]
}
},
{
"Action": "kinesis:DescribeStream",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"S509448A1",
"Arn"
]
}
}
],
"Version": "2012-10-17"
Expand Down
11 changes: 10 additions & 1 deletion packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@ export = {
'Statement': [
{
'Action': [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
Expand All @@ -40,6 +39,16 @@ export = {
'Arn'
]
}
},
{
'Action': 'kinesis:DescribeStream',
'Effect': 'Allow',
'Resource': {
'Fn::GetAtt': [
'S509448A1',
'Arn'
]
}
}
],
'Version': '2012-10-17'
Expand Down
10 changes: 8 additions & 2 deletions packages/@aws-cdk/aws-stepfunctions/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -63,11 +63,9 @@
"license": "Apache-2.0",
"devDependencies": {
"@aws-cdk/assert": "0.0.0",
"@types/nodeunit": "^0.0.30",
"cdk-build-tools": "0.0.0",
"cdk-integ-tools": "0.0.0",
"cfn2ts": "0.0.0",
"nodeunit": "^0.11.3",
"pkglint": "0.0.0"
},
"dependencies": {
Expand All @@ -87,6 +85,14 @@
"@aws-cdk/core": "0.0.0",
"constructs": "^2.0.0"
},
"jest": {
"coverageThreshold": {
"global": {
"branches": 75,
"statements": 80
}
}
},
"engines": {
"node": ">= 10.12.0"
},
Expand Down
Original file line number Diff line number Diff line change
@@ -1,25 +1,22 @@
import { expect, haveResource } from '@aws-cdk/assert';
import '@aws-cdk/assert/jest';
import * as cdk from '@aws-cdk/core';
import { Test } from 'nodeunit';
import * as stepfunctions from '../lib';

export = {
'instantiate Activity'(test: Test) {
describe('Activity', () => {
test('instantiate Activity', () => {
// GIVEN
const stack = new cdk.Stack();

// WHEN
new stepfunctions.Activity(stack, 'Activity');

// THEN
expect(stack).to(haveResource('AWS::StepFunctions::Activity', {
expect(stack).toHaveResource('AWS::StepFunctions::Activity', {
Name: 'Activity'
}));

test.done();
},
});
});

'Activity exposes metrics'(test: Test) {
test('Activity exposes metrics', () => {
// GIVEN
const stack = new cdk.Stack();

Expand All @@ -32,18 +29,16 @@ export = {
namespace: 'AWS/States',
dimensions: { ActivityArn: { Ref: 'Activity04690B0A' }},
};
test.deepEqual(stack.resolve(activity.metricRunTime()), {
expect((stack.resolve(activity.metricRunTime()))).toEqual({
...sharedMetric,
metricName: 'ActivityRunTime',
statistic: 'Average'
});

test.deepEqual(stack.resolve(activity.metricFailed()), {
expect(stack.resolve(activity.metricFailed())).toEqual({
...sharedMetric,
metricName: 'ActivitiesFailed',
statistic: 'Sum'
});

test.done();
}
};
});
});
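Review bot: The rendered diff loses the +/- markers, so it is not certain whether `import { expect, haveResource } from '@aws-cdk/assert';` at the top of the file is removed on the new side; if it survives next to the new `import '@aws-cdk/assert/jest';`, the named `expect` shadows jest's global and `expect(stack).toHaveResource(...)` would be called on `@aws-cdk/assert`'s inspector rather than on jest's matcher, and `haveResource` would become an unused import. Worth confirming that the only assert import left is the side-effect `@aws-cdk/assert/jest` line. The migrated `describe('Activity', ...)` block otherwise keeps the original assertions one-for-one.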