diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/cdk.out new file mode 100644 index 0000000000000..4efaa16f29af9 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.24"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/integ.json new file mode 100644 index 0000000000000..2c9b6939a5f22 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.24", + "testCases": { + "resource-policy-integ-test/DefaultTest": { + "stacks": [ + "resource-policy-stack" + ], + "assertionStack": "resource-policy-integ-test/DefaultTest/DeployAssert", + "assertionStackName": "resourcepolicyintegtestDefaultTestDeployAssert9778837B" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/manifest.json new file mode 100644 index 0000000000000..36c7e12330316 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/manifest.json @@ -0,0 +1,113 @@ +{ + "version": "36.0.24", + "artifacts": { + "resource-policy-stack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "resource-policy-stack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "resource-policy-stack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "resource-policy-stack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/eaf795e2aa3e87c92e581a53465161c42199950471982a78183c0fe8cd1578c6.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "resource-policy-stack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "resource-policy-stack.assets" + ], + "metadata": { + "/resource-policy-stack/TableTest1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TableTest143E55AA2" + } + ], + "/resource-policy-stack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/resource-policy-stack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "resource-policy-stack" + }, + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "resourcepolicyintegtestDefaultTestDeployAssert9778837B": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets" + ], + "metadata": { + "/resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "resource-policy-integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resource-policy-stack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resource-policy-stack.assets.json new file mode 100644 index 0000000000000..f0b1c9cd00459 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resource-policy-stack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.24", + "files": { + "eaf795e2aa3e87c92e581a53465161c42199950471982a78183c0fe8cd1578c6": { + "source": { + "path": "resource-policy-stack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "eaf795e2aa3e87c92e581a53465161c42199950471982a78183c0fe8cd1578c6.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resource-policy-stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resource-policy-stack.template.json new file mode 100644 index 0000000000000..7d53d181ac0a3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resource-policy-stack.template.json @@ -0,0 +1,97 @@ +{ + "Resources": { + "TableTest143E55AA2": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "ProvisionedThroughput": { + "ReadCapacityUnits": 5, + "WriteCapacityUnits": 5 + }, + "StreamSpecification": { + "ResourcePolicy": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "dynamodb:DescribeStream", + "dynamodb:GetRecords" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "StreamViewType": "NEW_AND_OLD_IMAGES" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json new file mode 100644 index 0000000000000..fc368508fb64a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.24", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/resourcepolicyintegtestDefaultTestDeployAssert9778837B.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/tree.json new file mode 100644 index 0000000000000..4e93f9203a755 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.js.snapshot/tree.json @@ -0,0 +1,184 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "resource-policy-stack": { + "id": "resource-policy-stack", + "path": "resource-policy-stack", + "children": { + "TableTest1": { + "id": "TableTest1", + "path": "resource-policy-stack/TableTest1", + "children": { + "Resource": { + "id": "Resource", + "path": "resource-policy-stack/TableTest1/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::DynamoDB::Table", + "aws:cdk:cloudformation:props": { + "attributeDefinitions": [ + { + "attributeName": "id", + "attributeType": "S" + } + ], + "keySchema": [ + { + "attributeName": "id", + "keyType": "HASH" + } + ], + "provisionedThroughput": { + "readCapacityUnits": 5, + "writeCapacityUnits": 5 + }, + "streamSpecification": { + "streamViewType": "NEW_AND_OLD_IMAGES", + "resourcePolicy": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "dynamodb:DescribeStream", + "dynamodb:GetRecords" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.CfnTable", + "version": "0.0.0" + } + }, + "ScalingRole": { + "id": "ScalingRole", + "path": "resource-policy-stack/TableTest1/ScalingRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.Table", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "resource-policy-stack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "resource-policy-stack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "resource-policy-integ-test": { + "id": "resource-policy-integ-test", + "path": "resource-policy-integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "resource-policy-integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "resource-policy-integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "resource-policy-integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.ts new file mode 100644 index 0000000000000..5d7507126e28d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.stream-policy.ts @@ -0,0 +1,42 @@ +import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib'; +import { Construct } from 'constructs'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +export class TestStack extends Stack { + + readonly table: dynamodb.Table; + + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + const doc = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:GetRecords', 'dynamodb:DescribeStream'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], + }); + + this.table = new dynamodb.Table(this, 'TableTest1', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + streamResourcePolicy: doc, + stream: dynamodb.StreamViewType.NEW_AND_OLD_IMAGES, + }); + + } +} + +const app = new App(); +const stack = new TestStack(app, 'resource-policy-stack', {}); + +new IntegTest(app, 'resource-policy-integ-test', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md b/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md index 34cf25434d6b2..b2ffe94f9ebd5 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md +++ b/packages/aws-cdk-lib/aws-dynamodb/TABLE_V1_API.md @@ -273,4 +273,28 @@ new dynamodb.Table(this, 'MyTable', { }); ``` -If you have a global table replica, note that it does not support the addition of a resource-based policy. \ No newline at end of file +If you have a global table replica, note that it does not support the addition of a resource-based policy. + +Using `streamResourcePolicy` you can add a [resource policy](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) to a table's stream in the form of a `PolicyDocument`: + +```ts +const policy = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:GetRecords'], + principals: [new iam.AccountRootPrincipal()], + resources: ['*'], + }), + ], +}); + +new dynamodb.Table(this, 'MyTable', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + removalPolicy: RemovalPolicy.DESTROY, + streamResourcePolicy: policy, + stream: StreamViewType.NEW_AND_OLD_IMAGES, +}); +``` diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index 8a37d443cb97f..979a4885f537a 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts @@ -397,6 +397,13 @@ export interface TableOptions extends SchemaOptions { * @default - No resource policy statement */ readonly resourcePolicy?: iam.PolicyDocument; + + /** + * Resource policy to assign to a DynamoDB stream. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-globaltable-replicaspecification.html#cfn-dynamodb-globaltable-replicaspecification-replicastreamspecification + * @default - No resource policy statements are added to the stream + */ + readonly streamResourcePolicy?: iam.PolicyDocument; } /** @@ -551,6 +558,12 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc */ public abstract resourcePolicy?: iam.PolicyDocument; + /** + * Resource policy to assign to table. + * @attribute + */ + public abstract streamResourcePolicy?: iam.PolicyDocument; + protected readonly regionalArns = new Array(); /** @@ -1047,6 +1060,7 @@ export class Table extends TableBase { public readonly tableStreamArn?: string; public readonly encryptionKey?: kms.IKey; public resourcePolicy?: iam.PolicyDocument; + public streamResourcePolicy?: iam.PolicyDocument; protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) || (attrs.globalIndexes ?? []).length > 0 || (attrs.localIndexes ?? []).length > 0; @@ -1092,6 +1106,13 @@ export class Table extends TableBase { */ public resourcePolicy?: iam.PolicyDocument; + /** + * Resource policy to assign to DynamoDB stream. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-resourcepolicy.html + * @default - No resource policy statements are added to the created stream. + */ + public streamResourcePolicy?: iam.PolicyDocument; + /** * @attribute */ @@ -1139,15 +1160,28 @@ export class Table extends TableBase { if (props.stream && props.stream !== StreamViewType.NEW_AND_OLD_IMAGES) { throw new Error('`stream` must be set to `NEW_AND_OLD_IMAGES` when specifying `replicationRegions`'); } - streamSpecification = { streamViewType: StreamViewType.NEW_AND_OLD_IMAGES }; + streamSpecification = { + streamViewType: StreamViewType.NEW_AND_OLD_IMAGES, + resourcePolicy: props.streamResourcePolicy + ? { policyDocument: props.streamResourcePolicy } + : undefined, + }; this.billingMode = props.billingMode ?? BillingMode.PAY_PER_REQUEST; } else { this.billingMode = props.billingMode ?? BillingMode.PROVISIONED; if (props.stream) { - streamSpecification = { streamViewType: props.stream }; + streamSpecification = { + streamViewType: props.stream, + resourcePolicy: props.streamResourcePolicy + ? { policyDocument: props.streamResourcePolicy } + : undefined, + }; } } + if (props.streamResourcePolicy && !props.stream) { + throw new Error('`stream` must be enabled when specifying `streamResourcePolicy`'); + } this.validateProvisioning(props); this.table = new CfnTable(this, 'Resource', { diff --git a/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts b/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts index 4be16524b2ca3..4b1a762b16e39 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts @@ -3601,3 +3601,78 @@ test('Resource policy test', () => { }, }); }); + +test('Stream resource policy test to fail as no stream specified', () => { + // GIVEN + const app = new App(); + const stack = new Stack(app, 'Stack'); + + const doc = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:DescribeStream', 'dynamodb:GetRecords'], + principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:user/foobar')], + resources: ['*'], + }), + ], + }); + + expect(() => new Table(stack, 'Table', { + partitionKey: TABLE_PARTITION_KEY, + streamResourcePolicy: doc, + })).toThrow('`stream` must be enabled when specifying `streamResourcePolicy`'); + +}); + +test('Stream resource policy test', () => { + // GIVEN + const app = new App(); + const stack = new Stack(app, 'Stack'); + + const doc = new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['dynamodb:DescribeStream', 'dynamodb:GetRecords'], + principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:user/foobar')], + resources: ['*'], + }), + ], + }); + + // WHEN + const table = new Table(stack, 'Table', { + partitionKey: { name: 'id', type: AttributeType.STRING }, + streamResourcePolicy: doc, + stream: StreamViewType.NEW_AND_OLD_IMAGES, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', { + KeySchema: [ + { AttributeName: 'id', KeyType: 'HASH' }, + ], + AttributeDefinitions: [ + { AttributeName: 'id', AttributeType: 'S' }, + ], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', { + 'StreamSpecification': { + 'ResourcePolicy': { + 'PolicyDocument': { + 'Version': '2012-10-17', + 'Statement': [ + { + 'Principal': { + 'AWS': 'arn:aws:iam::111122223333:user/foobar', + }, + 'Effect': 'Allow', + 'Action': ['dynamodb:DescribeStream', 'dynamodb:GetRecords'], + 'Resource': '*', + }, + ], + }, + }, + }, + }); +}); \ No newline at end of file