diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
index accf54ffecbd2..661e9c29f0b35 100644
--- a/CHANGELOG.v2.alpha.md
+++ b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+### [2.228.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.228.0-alpha.0...v2.228.1-alpha.0) (2025-11-24)
+
 ## [2.228.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.227.0-alpha.0...v2.228.0-alpha.0) (2025-11-24)
 ## [2.227.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.226.0-alpha.0...v2.227.0-alpha.0) (2025-11-20)
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
index 50c98c672d14a..3a724a63ae5c8 100644
--- a/CHANGELOG.v2.md
+++ b/CHANGELOG.v2.md
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+### [2.228.1](https://github.com/aws/aws-cdk/compare/v2.228.0...v2.228.1) (2025-11-24)
+
+
+### Bug Fixes
+
+* **scheduler:** wrong ARN generated in `ScheduleGroup.grant*` methods ([#36175](https://github.com/aws/aws-cdk/issues/36175)) ([35d4972](https://github.com/aws/aws-cdk/commit/35d49723279e6145e32324853869d833932c8312))
+
 ## [2.228.0](https://github.com/aws/aws-cdk/compare/v2.227.0...v2.228.0) (2025-11-24)
diff --git a/packages/aws-cdk-lib/aws-scheduler/grants.json b/packages/aws-cdk-lib/aws-scheduler/grants.json
deleted file mode 100644
index ccb7131c893cf..0000000000000
--- a/packages/aws-cdk-lib/aws-scheduler/grants.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "resources": {
- "ScheduleGroup": {
- "grants": {
- "readSchedules": {
- "actions": [
- "scheduler:GetSchedule",
- "scheduler:ListSchedules"
- ],
- "arnFormat": "${scheduleGroupArn}/*",
- "docSummary": "Grant list and get schedule permissions for schedules in this group to the given principal"
- },
- "writeSchedules": {
- "actions": [
- "scheduler:CreateSchedule",
- "scheduler:UpdateSchedule"
- ],
- "arnFormat": "${scheduleGroupArn}/*",
- "docSummary": "Grant create and update schedule permissions for schedules in this group to the given principal"
- },
- "deleteSchedules": {
- "actions": [
- "scheduler:DeleteSchedule"
- ],
- "arnFormat": "${scheduleGroupArn}/*",
- "docSummary": "Grant delete schedule permission for schedules in this group to the given principal"
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/packages/aws-cdk-lib/aws-scheduler/lib/index.ts b/packages/aws-cdk-lib/aws-scheduler/lib/index.ts
index 4de6b79a5cd3b..e37438b77fca0 100644
--- a/packages/aws-cdk-lib/aws-scheduler/lib/index.ts
+++ b/packages/aws-cdk-lib/aws-scheduler/lib/index.ts
@@ -1,7 +1,7 @@
 export * from './scheduler.generated';
-export * from './scheduler-grants.generated';
 export * from './schedule-expression';
 export * from './input';
 export * from './schedule';
 export * from './target';
 export * from './schedule-group';
+export * from './schedule-group-grants';
diff --git a/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group-grants.ts b/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group-grants.ts
new file mode 100644
index 0000000000000..f2dcb204745e5
--- /dev/null
+++ b/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group-grants.ts
@@ -0,0 +1,81 @@
+/* eslint-disable @stylistic/max-len, eol-last */
+import * as scheduler from './scheduler.generated';
+import * as iam from '../../aws-iam';
+import { Arn, Aws } from '../../core';
+
+/**
+ * Properties for ScheduleGroupGrants
+ */
+interface ScheduleGroupGrantsProps {
+ /**
+ * The resource on which actions will be allowed
+ */
+ readonly resource: scheduler.IScheduleGroupRef;
+}
+
+/**
+ * Collection of grant methods for a IScheduleGroupRef
+ */
+export class ScheduleGroupGrants {
+ /**
+ * Creates grants for ScheduleGroupGrants
+ */
+ public static fromScheduleGroup(resource: scheduler.IScheduleGroupRef): ScheduleGroupGrants {
+ return new ScheduleGroupGrants({
+ resource: resource,
+ });
+ }
+
+ protected readonly resource: scheduler.IScheduleGroupRef;
+
+ private constructor(props: ScheduleGroupGrantsProps) {
+ this.resource = props.resource;
+ }
+
+ /**
+ * Grant list and get schedule permissions for schedules in this group to the given principal
+ */
+ public readSchedules(grantee: iam.IGrantable): iam.Grant {
+ const actions = ['scheduler:GetSchedule', 'scheduler:ListSchedules'];
+ return iam.Grant.addToPrincipal({
+ actions: actions,
+ grantee: grantee,
+ resourceArns: [this.arnForScheduleInGroup('*')],
+ });
+ }
+
+ /**
+ * Grant create and update schedule permissions for schedules in this group to the given principal
+ */
+ public writeSchedules(grantee: iam.IGrantable): iam.Grant {
+ const actions = ['scheduler:CreateSchedule', 'scheduler:UpdateSchedule'];
+ return iam.Grant.addToPrincipal({
+ actions: actions,
+ grantee: grantee,
+ resourceArns: [this.arnForScheduleInGroup('*')],
+ });
+ }
+
+ /**
+ * Grant delete schedule permission for schedules in this group to the given principal
+ */
+ public deleteSchedules(grantee: iam.IGrantable): iam.Grant {
+ const actions = ['scheduler:DeleteSchedule'];
+ return iam.Grant.addToPrincipal({
+ actions: actions,
+ grantee: grantee,
+ resourceArns: [this.arnForScheduleInGroup('*')],
+ });
+ }
+
+ private arnForScheduleInGroup(scheduleName: string): string {
+ return Arn.format({
+ region: this.resource.env.region,
+ account: this.resource.env.account,
+ partition: Aws.PARTITION,
+ service: 'scheduler',
+ resource: 'schedule',
+ resourceName: this.resource.scheduleGroupRef.scheduleGroupName + '/' + scheduleName,
+ });
+ }
+}
\ No newline at end of file
diff --git a/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts b/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts
index 3859d36991277..3b8fb380e096d 100644
--- a/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts
+++ b/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts
@@ -1,5 +1,5 @@
 import { Construct } from 'constructs';
-import { ScheduleGroupGrants } from './scheduler-grants.generated';
+import { ScheduleGroupGrants } from './schedule-group-grants';
 import { CfnScheduleGroup, IScheduleGroupRef, ScheduleGroupReference } from './scheduler.generated';
 import * as cloudwatch from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
@@ -260,27 +260,11 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup {
 });
 }
- // private arnForScheduleInGroup(scheduleName: string): string {
- // return Arn.format({
- // region: this.env.region,
- // account: this.env.account,
- // partition: Aws.PARTITION,
- // service: 'scheduler',
- // resource: 'schedule',
- // resourceName: this.scheduleGroupName + '/' + scheduleName,
- // });
- // }
-
 /**
 * Grant list and get schedule permissions for schedules in this group to the given principal
 */
 public grantReadSchedules(identity: iam.IGrantable) {
 return this.grants.readSchedules(identity);
- // return iam.Grant.addToPrincipal({
- // grantee: identity,
- // actions: ['scheduler:GetSchedule', 'scheduler:ListSchedules'],
- // resourceArns: [this.arnForScheduleInGroup('*')],
- // });
 }
 /**
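Review bot: `arnForScheduleInGroup` carries no comment saying why it assembles the schedule ARN from `service: 'scheduler'`, `resource: 'schedule'` and the group name instead of deriving it from the group's own ARN, which is what the deleted `grants.json` did with `${scheduleGroupArn}/*` and what #36175 reports as wrong; without that note the next refactor can easily "simplify" it back. I would put above the method: `/** ARN of a schedule in this group. A schedule is its own resource type (schedule/<group>/<name>), not a path beneath the group's ARN, so it is built here rather than derived from the group ARN; callers currently pass only '*'. */`. Smaller points in the same hunk: `resource: resource`, `actions: actions` and `grantee: grantee` can use property shorthand, the class doc should read "for an IScheduleGroupRef", and the leading `eslint-disable` header together with the missing trailing newline look carried over from the generated file this hand-written module replaces.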
@@ -288,11 +272,6 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup {
 */
 public grantWriteSchedules(identity: iam.IGrantable): iam.Grant {
 return this.grants.writeSchedules(identity);
- // return iam.Grant.addToPrincipal({
- // grantee: identity,
- // actions: ['scheduler:CreateSchedule', 'scheduler:UpdateSchedule'],
- // resourceArns: [this.arnForScheduleInGroup('*')],
- // });
 }
 /**
@@ -300,11 +279,6 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup {
 */
 public grantDeleteSchedules(identity: iam.IGrantable): iam.Grant {
 return this.grants.deleteSchedules(identity);
- // return iam.Grant.addToPrincipal({
- // grantee: identity,
- // actions: ['scheduler:DeleteSchedule'],
- // resourceArns: [this.arnForScheduleInGroup('*')],
- // });
 }
 }
diff --git a/packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts b/packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts
index 1e27ab254e2d6..cc4a7bb4bc9d3 100644
--- a/packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts
+++ b/packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts
@@ -185,13 +185,11 @@ describe('Schedule Group', () => {
 'Fn::Join': [
 '',
 [
+ 'arn:',
 {
- 'Fn::GetAtt': [
- 'TestGroupAF88660E',
- 'Arn',
- ],
+ Ref: 'AWS::Partition',
 },
- '/*',
+ ':scheduler:us-east-1:123456789012:schedule/MyGroup/*',
 ],
 ],
 },
@@ -228,13 +226,11 @@ describe('Schedule Group', () => {
 'Fn::Join': [
 '',
 [
+ 'arn:',
 {
- 'Fn::GetAtt': [
- 'TestGroupAF88660E',
- 'Arn',
- ],
+ Ref: 'AWS::Partition',
 },
- '/*',
+ ':scheduler:us-east-1:123456789012:schedule/MyGroup/*',
 ],
 ],
 },
@@ -258,8 +254,7 @@ describe('Schedule Group', () => {
 group.grantDeleteSchedules(user);
 // THEN
- let template = Template.fromStack(stack);
- template.hasResourceProperties('AWS::IAM::Policy', {
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
 PolicyDocument: {
 Statement: [
 {
@@ -269,13 +264,11 @@ describe('Schedule Group', () => {
 'Fn::Join': [
 '',
 [
+ 'arn:',
 {
- 'Fn::GetAtt': [
- 'TestGroupAF88660E',
- 'Arn',
- ],
+ Ref: 'AWS::Partition',
 },
- '/*',
+ ':scheduler:us-east-1:123456789012:schedule/MyGroup/*',
 ],
 ],
 },
diff --git a/version.v2.json b/version.v2.json
index 030b0c40c579e..71aa807ed04e1 100644
--- a/version.v2.json
+++ b/version.v2.json
@@ -1,4 +1,4 @@
 {
- "version": "2.228.0",
- "alphaVersion": "2.228.0-alpha.0"
+ "version": "2.228.1",
+ "alphaVersion": "2.228.1-alpha.0"
 }
\ No newline at end of file