feat(custom-resources): implement IGrantable for AwsCustomResource

Closes aws#4710
jogold · Oct 31, 2019 · eae6375 · eae6375
1 parent 4d16f79
commit eae6375
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/packages/@aws-cdk/custom-resources/lib/aws-custom-resource.ts b/packages/@aws-cdk/custom-resources/lib/aws-custom-resource.ts
@@ -133,7 +133,9 @@ export interface AwsCustomResourceProps {
   readonly timeout?: cdk.Duration
 }
 
-export class AwsCustomResource extends cdk.Construct {
+export class AwsCustomResource extends cdk.Construct implements iam.IGrantable, iam.IPrincipal {
+  public readonly grantPrincipal: iam.IPrincipal;
+
   private readonly customResource: CustomResource;
 
   constructor(scope: cdk.Construct, id: string, props: AwsCustomResourceProps) {
@@ -157,6 +159,7 @@ export class AwsCustomResource extends cdk.Construct {
       lambdaPurpose: 'AWS',
       timeout: props.timeout || cdk.Duration.seconds(30),
     });
+    this.grantPrincipal = provider.grantPrincipal;
 
     if (props.policyStatements) {
       for (const statement of props.policyStatements) {

diff --git a/packages/@aws-cdk/custom-resources/test/test.aws-custom-resource.ts b/packages/@aws-cdk/custom-resources/test/test.aws-custom-resource.ts
@@ -264,6 +264,49 @@ export = {
       Timeout: 900
     }));
 
+    test.done();
+  },
+
+  'implements IGrantable'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const role = new iam.Role(stack, 'Role', {
+      assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
+    });
+    const customResource = new AwsCustomResource(stack, 'AwsSdk', {
+      onCreate: {
+        service: 'service',
+        action: 'action',
+        physicalResourceId: 'id'
+      }
+    });
+
+    // WHEN
+    role.grantPassRole(customResource.grantPrincipal);
+
+    expect(stack).to(haveResource('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: 'service:Action',
+            Effect: 'Allow',
+            Resource: '*'
+          },
+          {
+            Action: 'iam:PassRole',
+            Effect: 'Allow',
+            Resource: {
+              'Fn::GetAtt': [
+                'Role1ABCC5F0',
+                'Arn'
+              ]
+            }
+          }
+        ],
+        Version: '2012-10-17'
+      }
+    }));
+
     test.done();
   }
 };