chore(release): 2.228.1

CHANGELOG.v2.alpha.md

@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [2.228.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.228.0-alpha.0...v2.228.1-alpha.0) (2025-11-24)
+
 ## [2.228.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.227.0-alpha.0...v2.228.0-alpha.0) (2025-11-24)
 
 ## [2.227.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.226.0-alpha.0...v2.227.0-alpha.0) (2025-11-20)

CHANGELOG.v2.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [2.228.1](https://github.com/aws/aws-cdk/compare/v2.228.0...v2.228.1) (2025-11-24)
+
+
+### Bug Fixes
+
+* **scheduler:** wrong ARN generated in `ScheduleGroup.grant*` methods ([#36175](https://github.com/aws/aws-cdk/issues/36175)) ([35d4972](https://github.com/aws/aws-cdk/commit/35d49723279e6145e32324853869d833932c8312))
+
 ## [2.228.0](https://github.com/aws/aws-cdk/compare/v2.227.0...v2.228.0) (2025-11-24)
 
 

packages/aws-cdk-lib/aws-scheduler/lib/index.ts

@@ -1,7 +1,7 @@
 export * from './scheduler.generated';
-export * from './scheduler-grants.generated';
 export * from './schedule-expression';
 export * from './input';
 export * from './schedule';
 export * from './target';
 export * from './schedule-group';
+export * from './schedule-group-grants';

packages/aws-cdk-lib/aws-scheduler/lib/schedule-group-grants.ts

@@ -0,0 +1,81 @@
+/* eslint-disable @stylistic/max-len, eol-last */
+import * as scheduler from './scheduler.generated';
+import * as iam from '../../aws-iam';
+import { Arn, Aws } from '../../core';
+
+/**
+ * Properties for ScheduleGroupGrants
+ */
+interface ScheduleGroupGrantsProps {
+  /**
+   * The resource on which actions will be allowed
+   */
+  readonly resource: scheduler.IScheduleGroupRef;
+}
+
+/**
+ * Collection of grant methods for a IScheduleGroupRef
+ */
+export class ScheduleGroupGrants {
+  /**
+   * Creates grants for ScheduleGroupGrants
+   */
+  public static fromScheduleGroup(resource: scheduler.IScheduleGroupRef): ScheduleGroupGrants {
+    return new ScheduleGroupGrants({
+      resource: resource,
+    });
+  }
+
+  protected readonly resource: scheduler.IScheduleGroupRef;
+
+  private constructor(props: ScheduleGroupGrantsProps) {
+    this.resource = props.resource;
+  }
+
+  /**
+   * Grant list and get schedule permissions for schedules in this group to the given principal
+   */
+  public readSchedules(grantee: iam.IGrantable): iam.Grant {
+    const actions = ['scheduler:GetSchedule', 'scheduler:ListSchedules'];
+    return iam.Grant.addToPrincipal({
+      actions: actions,
+      grantee: grantee,
+      resourceArns: [this.arnForScheduleInGroup('*')],
+    });
+  }
+
+  /**
+   * Grant create and update schedule permissions for schedules in this group to the given principal
+   */
+  public writeSchedules(grantee: iam.IGrantable): iam.Grant {
+    const actions = ['scheduler:CreateSchedule', 'scheduler:UpdateSchedule'];
+    return iam.Grant.addToPrincipal({
+      actions: actions,
+      grantee: grantee,
+      resourceArns: [this.arnForScheduleInGroup('*')],
+    });
+  }
+
+  /**
+   * Grant delete schedule permission for schedules in this group to the given principal
+   */
+  public deleteSchedules(grantee: iam.IGrantable): iam.Grant {
+    const actions = ['scheduler:DeleteSchedule'];
+    return iam.Grant.addToPrincipal({
+      actions: actions,
+      grantee: grantee,
+      resourceArns: [this.arnForScheduleInGroup('*')],
+    });
+  }
+
+  private arnForScheduleInGroup(scheduleName: string): string {
+    return Arn.format({
+      region: this.resource.env.region,
+      account: this.resource.env.account,
+      partition: Aws.PARTITION,
+      service: 'scheduler',
+      resource: 'schedule',
+      resourceName: this.resource.scheduleGroupRef.scheduleGroupName + '/' + scheduleName,
+    });
+  }
+}

packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts

@@ -1,5 +1,5 @@
 import { Construct } from 'constructs';
-import { ScheduleGroupGrants } from './scheduler-grants.generated';
+import { ScheduleGroupGrants } from './schedule-group-grants';
 import { CfnScheduleGroup, IScheduleGroupRef, ScheduleGroupReference } from './scheduler.generated';
 import * as cloudwatch from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
@@ -260,51 +260,25 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup {
     });
   }
 
-  // private arnForScheduleInGroup(scheduleName: string): string {
-  //   return Arn.format({
-  //     region: this.env.region,
-  //     account: this.env.account,
-  //     partition: Aws.PARTITION,
-  //     service: 'scheduler',
-  //     resource: 'schedule',
-  //     resourceName: this.scheduleGroupName + '/' + scheduleName,
-  //   });
-  // }
-
   /**
    * Grant list and get schedule permissions for schedules in this group to the given principal
    */
   public grantReadSchedules(identity: iam.IGrantable) {
     return this.grants.readSchedules(identity);
-    // return iam.Grant.addToPrincipal({
-    //   grantee: identity,
-    //   actions: ['scheduler:GetSchedule', 'scheduler:ListSchedules'],
-    //   resourceArns: [this.arnForScheduleInGroup('*')],
-    // });
   }
 
   /**
    * Grant create and update schedule permissions for schedules in this group to the given principal
    */
   public grantWriteSchedules(identity: iam.IGrantable): iam.Grant {
     return this.grants.writeSchedules(identity);
-    // return iam.Grant.addToPrincipal({
-    //   grantee: identity,
-    //   actions: ['scheduler:CreateSchedule', 'scheduler:UpdateSchedule'],
-    //   resourceArns: [this.arnForScheduleInGroup('*')],
-    // });
   }
 
   /**
    * Grant delete schedule permission for schedules in this group to the given principal
    */
   public grantDeleteSchedules(identity: iam.IGrantable): iam.Grant {
     return this.grants.deleteSchedules(identity);
-    // return iam.Grant.addToPrincipal({
-    //   grantee: identity,
-    //   actions: ['scheduler:DeleteSchedule'],
-    //   resourceArns: [this.arnForScheduleInGroup('*')],
-    // });
   }
 }
 

packages/aws-cdk-lib/aws-scheduler/test/schedule-group.test.ts

@@ -185,13 +185,11 @@ describe('Schedule Group', () => {
               'Fn::Join': [
                 '',
                 [
+                  'arn:',
                   {
-                    'Fn::GetAtt': [
-                      'TestGroupAF88660E',
-                      'Arn',
-                    ],
+                    Ref: 'AWS::Partition',
                   },
-                  '/*',
+                  ':scheduler:us-east-1:123456789012:schedule/MyGroup/*',
                 ],
               ],
             },
@@ -228,13 +226,11 @@ describe('Schedule Group', () => {
               'Fn::Join': [
                 '',
                 [
+                  'arn:',
                   {
-                    'Fn::GetAtt': [
-                      'TestGroupAF88660E',
-                      'Arn',
-                    ],
+                    Ref: 'AWS::Partition',
                   },
-                  '/*',
+                  ':scheduler:us-east-1:123456789012:schedule/MyGroup/*',
                 ],
               ],
             },
@@ -258,8 +254,7 @@ describe('Schedule Group', () => {
     group.grantDeleteSchedules(user);
 
     // THEN
-    let template = Template.fromStack(stack);
-    template.hasResourceProperties('AWS::IAM::Policy', {
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
       PolicyDocument: {
         Statement: [
           {
@@ -269,13 +264,11 @@ describe('Schedule Group', () => {
               'Fn::Join': [
                 '',
                 [
+                  'arn:',
                   {
-                    'Fn::GetAtt': [
-                      'TestGroupAF88660E',
-                      'Arn',
-                    ],
+                    Ref: 'AWS::Partition',
                   },
-                  '/*',
+                  ':scheduler:us-east-1:123456789012:schedule/MyGroup/*',
                 ],
               ],
             },

version.v2.json

@@ -1,4 +1,4 @@
 {
-  "version": "2.228.0",
-  "alphaVersion": "2.228.0-alpha.0"
+  "version": "2.228.1",
+  "alphaVersion": "2.228.1-alpha.0"
 }