packages/@aws-cdk/aws-events-targets Expand file tree Collapse file tree 12 files changed +138
-55
lines changed Original file line number Diff line number Diff line change @@ -83,13 +83,16 @@ export class ApiDestination implements events.IRuleTarget {
83
83
addToDeadLetterQueueResourcePolicy ( _rule , this . props . deadLetterQueue ) ;
84
84
}
85
85
86
+ const role = this . props ?. eventRole ?? singletonEventRole ( this . apiDestination ) ;
87
+ role . addToPrincipalPolicy ( new iam . PolicyStatement ( {
88
+ resources : [ this . apiDestination . apiDestinationArn ] ,
89
+ actions : [ 'events:InvokeApiDestination' ] ,
90
+ } ) ) ;
91
+
86
92
return {
87
93
...( this . props ? bindBaseTargetConfig ( this . props ) : { } ) ,
88
94
arn : this . apiDestination . apiDestinationArn ,
89
- role : this . props ?. eventRole ?? singletonEventRole ( this . apiDestination , [ new iam . PolicyStatement ( {
90
- resources : [ this . apiDestination . apiDestinationArn ] ,
91
- actions : [ 'events:InvokeApiDestination' ] ,
92
- } ) ] ) ,
95
+ role,
93
96
input : this . props . event ,
94
97
targetResource : this . apiDestination ,
95
98
httpParameters,
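Review bot: The result of `role.addToPrincipalPolicy(...)` right after the new `const role = this.props?.eventRole ?? singletonEventRole(this.apiDestination);` line is discarded, and `role` can now be the caller-supplied `eventRole` rather than only the singleton role, which the removed line left untouched; for an imported role that is not mutable the call reports `statementAdded: false`, so the role never receives `events:InvokeApiDestination` and the target fails at invocation time with nothing in the synthesized template to explain why. Consider checking the returned `statementAdded`, and document the new contract on the prop, e.g. `/** Role assumed by EventBridge to invoke the destination. The target adds the required invoke statement to it, so the role must be mutable. */`. Because the statement is now added on every `bind()` instead of once when the singleton role is created, binding the same target to several rules presumably appends one identical statement per rule unless the policy document deduplicates — worth confirming with a snapshot test. The same pattern appears in the ApiGateway, CodeBuildProject and CodePipeline hunks. bind()'s body starts outside this hunk.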
Original file line number Diff line number Diff line change @@ -98,16 +98,20 @@ export class ApiGateway implements events.IRuleTarget {
98
98
this . props ?. path || '/' ,
99
99
this . props ?. stage || this . restApi . deploymentStage . stageName ,
100
100
) ;
101
+
102
+ const role = this . props ?. eventRole || singletonEventRole ( this . restApi ) ;
103
+ role . addToPrincipalPolicy ( new iam . PolicyStatement ( {
104
+ resources : [ restApiArn ] ,
105
+ actions : [
106
+ 'execute-api:Invoke' ,
107
+ 'execute-api:ManageConnections' ,
108
+ ] ,
109
+ } ) ) ;
110
+
101
111
return {
102
112
...( this . props ? bindBaseTargetConfig ( this . props ) : { } ) ,
103
113
arn : restApiArn ,
104
- role : this . props ?. eventRole || singletonEventRole ( this . restApi , [ new iam . PolicyStatement ( {
105
- resources : [ restApiArn ] ,
106
- actions : [
107
- 'execute-api:Invoke' ,
108
- 'execute-api:ManageConnections' ,
109
- ] ,
110
- } ) ] ) ,
114
+ role,
111
115
deadLetterConfig : this . props ?. deadLetterQueue && { arn : this . props . deadLetterQueue ?. queueArn } ,
112
116
input : this . props ?. postBody ,
113
117
targetResource : this . restApi ,
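Review bot: The new `const role = this.props?.eventRole || singletonEventRole(this.restApi);` line uses `||` while the ApiDestination, EcsTask, EventBus and SfnStateMachine hunks in the same change use `??` for the identical fallback; since `eventRole` is an object both behave the same, but mixing the operators within one refactor reads as accidental. Suggest `const role = this.props?.eventRole ?? singletonEventRole(this.restApi);` here and in the CodeBuildProject and CodePipeline hunks. bind()'s body starts outside this hunk.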
Original file line number Diff line number Diff line change @@ -87,20 +87,21 @@ export class BatchJob implements events.IRuleTarget {
87
87
addToDeadLetterQueueResourcePolicy ( rule , this . props . deadLetterQueue ) ;
88
88
}
89
89
90
+ // When scoping resource-level access for job submission, you must provide both job queue and job definition resource types.
91
+ // https://docs.aws.amazon.com/batch/latest/userguide/ExamplePolicies_BATCH.html#iam-example-restrict-job-def
92
+ const role = singletonEventRole ( this . jobDefinitionScope ) ;
93
+ role . addToPrincipalPolicy ( new iam . PolicyStatement ( {
94
+ actions : [ 'batch:SubmitJob' ] ,
95
+ resources : [
96
+ this . jobDefinitionArn ,
97
+ this . jobQueueArn ,
98
+ ] ,
99
+ } ) ) ;
100
+
90
101
return {
91
102
...bindBaseTargetConfig ( this . props ) ,
92
103
arn : this . jobQueueArn ,
93
- // When scoping resource-level access for job submission, you must provide both job queue and job definition resource types.
94
- // https://docs.aws.amazon.com/batch/latest/userguide/ExamplePolicies_BATCH.html#iam-example-restrict-job-def
95
- role : singletonEventRole ( this . jobDefinitionScope , [
96
- new iam . PolicyStatement ( {
97
- actions : [ 'batch:SubmitJob' ] ,
98
- resources : [
99
- this . jobDefinitionArn ,
100
- this . jobQueueArn ,
101
- ] ,
102
- } ) ,
103
- ] ) ,
104
+ role,
104
105
input : this . props . event ,
105
106
targetResource : this . jobQueueScope ,
106
107
batchParameters,
Original file line number Diff line number Diff line change @@ -44,15 +44,16 @@ export class CodeBuildProject implements events.IRuleTarget {
44
44
addToDeadLetterQueueResourcePolicy ( _rule , this . props . deadLetterQueue ) ;
45
45
}
46
46
47
+ const role = this . props . eventRole || singletonEventRole ( this . project ) ;
48
+ role . addToPrincipalPolicy ( new iam . PolicyStatement ( {
49
+ actions : [ 'codebuild:StartBuild' ] ,
50
+ resources : [ this . project . projectArn ] ,
51
+ } ) ) ;
52
+
47
53
return {
48
54
...bindBaseTargetConfig ( this . props ) ,
49
55
arn : this . project . projectArn ,
50
- role : this . props . eventRole || singletonEventRole ( this . project , [
51
- new iam . PolicyStatement ( {
52
- actions : [ 'codebuild:StartBuild' ] ,
53
- resources : [ this . project . projectArn ] ,
54
- } ) ,
55
- ] ) ,
56
+ role,
56
57
input : this . props . event ,
57
58
targetResource : this . project ,
58
59
} ;
Original file line number Diff line number Diff line change @@ -26,14 +26,17 @@ export class CodePipeline implements events.IRuleTarget {
26
26
}
27
27
28
28
public bind ( _rule : events . IRule , _id ?: string ) : events . RuleTargetConfig {
29
+ const role = this . options . eventRole || singletonEventRole ( this . pipeline ) ;
30
+ role . addToPrincipalPolicy ( new iam . PolicyStatement ( {
31
+ resources : [ this . pipeline . pipelineArn ] ,
32
+ actions : [ 'codepipeline:StartPipelineExecution' ] ,
33
+ } ) ) ;
34
+
29
35
return {
30
36
...bindBaseTargetConfig ( this . options ) ,
31
37
id : '' ,
32
38
arn : this . pipeline . pipelineArn ,
33
- role : this . options . eventRole || singletonEventRole ( this . pipeline , [ new iam . PolicyStatement ( {
34
- resources : [ this . pipeline . pipelineArn ] ,
35
- actions : [ 'codepipeline:StartPipelineExecution' ] ,
36
- } ) ] ) ,
39
+ role,
37
40
targetResource : this . pipeline ,
38
41
} ;
39
42
}
Original file line number Diff line number Diff line change @@ -118,12 +118,9 @@ export class EcsTask implements events.IRuleTarget {
118
118
this . taskCount = props . taskCount ?? 1 ;
119
119
this . platformVersion = props . platformVersion ;
120
120
121
- if ( props . role ) {
122
- const role = props . role ;
123
- this . createEventRolePolicyStatements ( ) . forEach ( role . addToPrincipalPolicy . bind ( role ) ) ;
124
- this . role = role ;
125
- } else {
126
- this . role = singletonEventRole ( this . taskDefinition , this . createEventRolePolicyStatements ( ) ) ;
121
+ this . role = props . role ?? singletonEventRole ( this . taskDefinition ) ;
122
+ for ( const stmt of this . createEventRolePolicyStatements ( ) ) {
123
+ this . role . addToPrincipalPolicy ( stmt ) ;
127
124
}
128
125
129
126
// Security groups are only configurable with the "awsvpc" network mode.
Original file line number Diff line number Diff line change @@ -36,10 +36,8 @@ export class EventBus implements events.IRuleTarget {
36
36
constructor ( private readonly eventBus : events . IEventBus , private readonly props : EventBusProps = { } ) { }
37
37
38
38
bind ( rule : events . IRule , _id ?: string ) : events . RuleTargetConfig {
39
- if ( this . props . role ) {
40
- this . props . role . addToPrincipalPolicy ( this . putEventStatement ( ) ) ;
41
- }
42
- const role = this . props . role ?? singletonEventRole ( rule , [ this . putEventStatement ( ) ] ) ;
39
+ const role = this . props . role ?? singletonEventRole ( rule ) ;
40
+ role . addToPrincipalPolicy ( this . putEventStatement ( ) ) ;
43
41
44
42
if ( this . props . deadLetterQueue ) {
45
43
addToDeadLetterQueueResourcePolicy ( rule , this . props . deadLetterQueue ) ;
Original file line number Diff line number Diff line change @@ -31,14 +31,16 @@ export class KinesisFirehoseStream implements events.IRuleTarget {
31
31
* result from a Event Bridge event.
32
32
*/
33
33
public bind ( _rule : events . IRule , _id ?: string ) : events . RuleTargetConfig {
34
- const policyStatements = [ new iam . PolicyStatement ( {
34
+ const role = singletonEventRole ( this . stream ) ;
35
+ role . addToPrincipalPolicy ( new iam . PolicyStatement ( {
35
36
actions : [ 'firehose:PutRecord' , 'firehose:PutRecordBatch' ] ,
36
37
resources : [ this . stream . attrArn ] ,
37
- } ) ] ;
38
+ } ) ) ;
39
+
38
40
39
41
return {
40
42
arn : this . stream . attrArn ,
41
- role : singletonEventRole ( this . stream , policyStatements ) ,
43
+ role,
42
44
input : this . props . message ,
43
45
targetResource : this . stream ,
44
46
} ;
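Review bot: The blank line added after `}));` (new line 39) sits directly above the existing blank context line 40, leaving two consecutive empty lines before `return {`; the KinesisStream hunk makes the same change without the extra line. Dropping the added blank line keeps the two files parallel and avoids a likely `no-multiple-empty-lines` lint hit, if the package lints for it. bind() closes outside this hunk.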
Original file line number Diff line number Diff line change @@ -45,14 +45,15 @@ export class KinesisStream implements events.IRuleTarget {
45
45
* result from a CloudWatch event.
46
46
*/
47
47
public bind ( _rule : events . IRule , _id ?: string ) : events . RuleTargetConfig {
48
- const policyStatements = [ new iam . PolicyStatement ( {
48
+ const role = singletonEventRole ( this . stream ) ;
49
+ role . addToPrincipalPolicy ( new iam . PolicyStatement ( {
49
50
actions : [ 'kinesis:PutRecord' , 'kinesis:PutRecords' ] ,
50
51
resources : [ this . stream . streamArn ] ,
51
- } ) ] ;
52
+ } ) ) ;
52
53
53
54
return {
54
55
arn : this . stream . streamArn ,
55
- role : singletonEventRole ( this . stream , policyStatements ) ,
56
+ role,
56
57
input : this . props . message ,
57
58
targetResource : this . stream ,
58
59
kinesisParameters : this . props . partitionKeyPath ? { partitionKeyPath : this . props . partitionKeyPath } : undefined ,
Original file line number Diff line number Diff line change @@ -29,11 +29,8 @@ export class SfnStateMachine implements events.IRuleTarget {
29
29
private readonly role : iam . IRole ;
30
30
31
31
constructor ( public readonly machine : sfn . IStateMachine , private readonly props : SfnStateMachineProps = { } ) {
32
- if ( props . role ) {
33
- props . role . grant ( new iam . ServicePrincipal ( 'events.amazonaws.com' ) ) ;
34
- }
35
32
// no statements are passed because we are configuring permissions by using grant* helper below
36
- this . role = props . role ?? singletonEventRole ( machine , [ ] ) ;
33
+ this . role = props . role ?? singletonEventRole ( machine ) ;
37
34
machine . grantStartExecution ( this . role ) ;
38
35
}
39
36
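Review bot: The retained comment `// no statements are passed because we are configuring permissions by using grant* helper below` (new line 32) is now stale: `singletonEventRole(machine)` no longer takes a statements argument, so there is nothing that could be "passed". Suggest `// permissions are configured via machine.grantStartExecution below rather than an explicit PolicyStatement`. The removed `props.role.grant(new iam.ServicePrincipal('events.amazonaws.com'))` call has no replacement; given `grant()` received no actions it presumably never produced a usable statement, but a sentence in the commit message saying so would save the next reader the question.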