Add grant helper methods

packages/@aws-cdk/aws-elasticsearch/README.md

@@ -41,8 +41,8 @@ Helper methods also exist for managing access to the domain.
 
 ```ts
 const lambda = new lambda.Function(this, 'Lambda', { /* ... */ });
-// Grant the lambda functiomn read and write access to app-search index
-domain.grantReadWriteForIndex(lambda, 'app-search');
+// Grant the lambda functiomn read access to app-search index
+domain.grantIndex(lambda, 'app-search', 'es:HttpGet');
 ```
 
 ### Encryption

packages/@aws-cdk/aws-elasticsearch/lib/domain.ts

@@ -324,6 +324,35 @@ export interface IDomain extends cdk.IResource {
    */
   readonly domainEndpoint: string;
 
+  /**
+   * Adds an IAM policy statement associated with this domain to an IAM
+   * principal's policy.
+   *
+   * @param grantee The principal (no-op if undefined)
+   * @param actions The set of actions to allow (i.e. "es:HttpGet", "es:HttpPut", ...)
+   */
+  grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+
+  /**
+   * Adds an IAM policy statement associated with an index in this domain to an IAM
+   * principal's policy.
+   *
+   * @param index The index to grant permissions for
+   * @param grantee The principal (no-op if undefined)
+   * @param actions The set of actions to allow (i.e. "es:HttpGet", "es:HttpPut", ...)
+   */
+  grantIndex(index: string, grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+
+  /**
+   * Adds an IAM policy statement associated with a path in this domain to an IAM
+   * principal's policy.
+   *
+   * @param path The path to grant permissions for
+   * @param grantee The principal (no-op if undefined)
+   * @param actions The set of actions to allow (i.e. "es:HttpGet", "es:HttpPut", ...)
+   */
+  grantPath(path: string, grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+
   /**
    * Return the given named metric for this Domain.
    */
@@ -592,6 +621,62 @@ export class Domain extends cdk.Resource implements IDomain {
     this.domainEndpoint = this.domain.getAtt('DomainEndpoint').toString();
   }
 
+  /**
+   * Adds an IAM policy statement associated with this domain to an IAM
+   * principal's policy.
+   *
+   * @param grantee The principal (no-op if undefined)
+   * @param actions The set of actions to allow (i.e. "es:HttpGet", "es:HttpPut", ...)
+   */
+  public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
+    return iam.Grant.addToPrincipal({
+      grantee,
+      actions,
+      resourceArns: [
+        this.domainArn,
+        `${this.domainArn}/*`,
+      ],
+      scope: this,
+    });
+  }
+
+  /**
+   * Adds an IAM policy statement associated with an index in this domain to an IAM
+   * principal's policy.
+   *
+   * @param index   The index to grant permissions for
+   * @param grantee The principal (no-op if undefined)
+   * @param actions The set of actions to allow (i.e. "es:HttpGet", "es:HttpPut", ...)
+   */
+  public grantIndex(index: string, grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
+    return iam.Grant.addToPrincipal({
+      grantee,
+      actions,
+      resourceArns: [
+        `${this.domainArn}/${index}`,
+        `${this.domainArn}/${index}/*`,
+      ],
+      scope: this,
+    });
+  }
+
+  /**
+   * Adds an IAM policy statement associated with a path in this domain to an IAM
+   * principal's policy.
+   *
+   * @param path   The path to grant permissions for
+   * @param grantee The principal (no-op if undefined)
+   * @param actions The set of actions to allow (i.e. "es:HttpGet", "es:HttpPut", ...)
+   */
+  public grantPath(path: string, grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
+    return iam.Grant.addToPrincipal({
+      grantee,
+      actions,
+      resourceArns: [`${this.domainArn}/${path}`],
+      scope: this,
+    });
+  }
+
   /**
    * Return the given named metric for this Domain.
    */