incorporate PR feedback

shivlaks · shivlaks · commit a7c79bcc38ec · 2020-04-08T09:35:39.000-07:00
diff --git a/packages/@aws-cdk/aws-kinesis/README.md b/packages/@aws-cdk/aws-kinesis/README.md
@@ -125,8 +125,9 @@ const importedStream = Stream.fromStreamAttributes(
 
 ### Permission Grants
 
-IAM roles, users or groups which need to be able to work with Amazon Kinesis streams at runtime will should be granted IAM permissions. Any object that implements the `IGrantable`
-interface (has an associated principal) can be granted permissions by calling:
+IAM roles, users or groups which need to be able to work with Amazon Kinesis streams at runtime should be granted IAM permissions.
+
+Any object that implements the `IGrantable` interface (has an associated principal) can be granted permissions by calling:
 
 - `grantRead(principal)` - grants the principal read access
 - `grantWrite(principal)` - grants the principal write permissions to a Stream
diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
@@ -4,6 +4,21 @@ import { Aws, CfnCondition, Construct, Duration, Fn, IResource, Resource, Stack
 import { IResolvable } from 'constructs';
 import { CfnStream } from './kinesis.generated';
 
+const READ_OPERATIONS = [
+  'kinesis:DescribeStream',
+  'kinesis:DescribeStreamSummary',
+  'kinesis:GetRecords',
+  'kinesis:GetShardIterator',
+  'kinesis:ListShards',
+  'kinesis:SubscribeToShard'
+];
+
+const WRITE_OPERATIONS = [
+  'kinesis:ListShards',
+  'kinesis:PutRecord',
+  'kinesis:PutRecords'
+];
+
 /**
  * A Kinesis Stream
  */
@@ -115,14 +130,7 @@ abstract class StreamBase extends Resource implements IStream {
    * contents of the stream will also be granted.
    */
   public grantRead(grantee: iam.IGrantable) {
-    const ret = this.grant(
-      grantee,
-      'kinesis:DescribeStream',
-      'kinesis:DescribeStreamSummary',
-      'kinesis:GetRecords',
-      'kinesis:GetShardIterator',
-      'kinesis:ListShards',
-      'kinesis:SubscribeToShard');
+    const ret = this.grant(grantee, ...READ_OPERATIONS);
 
     if (this.encryptionKey) {
       this.encryptionKey.grantDecrypt(grantee);
@@ -139,11 +147,7 @@ abstract class StreamBase extends Resource implements IStream {
    * contents of the stream will also be granted.
    */
   public grantWrite(grantee: iam.IGrantable) {
-    const ret = this.grant(
-      grantee,
-      'kinesis:ListShards',
-      'kinesis:PutRecord',
-      'kinesis:PutRecords');
+    const ret = this.grant(grantee, ...WRITE_OPERATIONS);
 
     if (this.encryptionKey) {
       this.encryptionKey.grantEncrypt(grantee);
@@ -160,16 +164,7 @@ abstract class StreamBase extends Resource implements IStream {
    * encrypt/decrypt will also be granted.
    */
   public grantReadWrite(grantee: iam.IGrantable) {
-    const ret = this.grant(
-      grantee,
-      'kinesis:DescribeStream',
-      'kinesis:DescribeStreamSummary',
-      'kinesis:GetRecords',
-      'kinesis:GetShardIterator',
-      'kinesis:ListShards',
-      'kinesis:PutRecord',
-      'kinesis:PutRecords',
-      'kinesis:SubscribeToShard');
+    const ret = this.grant(grantee, ...Array.from(new Set([...READ_OPERATIONS, ...WRITE_OPERATIONS])));
 
     if (this.encryptionKey) {
       this.encryptionKey.grantEncryptDecrypt(grantee);
diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json
@@ -44,9 +44,9 @@
                 "kinesis:GetRecords",
                 "kinesis:GetShardIterator",
                 "kinesis:ListShards",
+                "kinesis:SubscribeToShard",
                 "kinesis:PutRecord",
-                "kinesis:PutRecords",
-                "kinesis:SubscribeToShard"
+                "kinesis:PutRecords"
               ],
               "Effect": "Allow",
               "Resource": {
diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
@@ -868,9 +868,9 @@ export = {
                         'kinesis:GetRecords',
                         'kinesis:GetShardIterator',
                         'kinesis:ListShards',
+                        'kinesis:SubscribeToShard',
                         'kinesis:PutRecord',
-                        'kinesis:PutRecords',
-                        'kinesis:SubscribeToShard'
+                        'kinesis:PutRecords'
                       ],
                       Effect: 'Allow',
                       Resource: {
@@ -1114,9 +1114,9 @@ export = {
                         'kinesis:GetRecords',
                         'kinesis:GetShardIterator',
                         'kinesis:ListShards',
+                        'kinesis:SubscribeToShard',
                         'kinesis:PutRecord',
-                        'kinesis:PutRecords',
-                        'kinesis:SubscribeToShard'
+                        'kinesis:PutRecords'
                       ],
                       Effect: 'Allow',
                       Resource: {
