feat: expand support for Redshift Data
kmfukuda committed Aug 1, 2023
1 parent 28fa07b commit b223272
Showing 2 changed files with 424 additions and 66 deletions.
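--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -245,25 +245,82 @@ function getBatchDynamoDBPermissions(action, state) {
 }
 
 function getRedshiftDataPermissions(action, state) {
+const permissions = [];
+
 if (['redshift-data:ExecuteStatement', 'redshift-data:BatchExecuteStatement'].includes(action)) {
-const clusterName = _.has(state, 'Parameters.ClusterIdentifier') ? state.Parameters.ClusterIdentifier : '*';
-const dbName = _.has(state, 'Parameters.Database') ? state.Parameters.Database : '*';
-const dbUser = _.has(state, 'Parameters.DbUser') ? state.Parameters.DbUser : '*';
-return [{
+const dbName = _.has(state, ['Parameters', 'Database']) ? state.Parameters.Database : '*';
+
+let workgroupArn;
+let clusterName;
+if (_.has(state, ['Parameters', 'WorkgroupName'])) {
+if (state.Parameters.WorkgroupName.startsWith('arn:')) {
+workgroupArn = state.Parameters.WorkgroupName;
+} else {
+workgroupArn = { 'Fn::Sub': 'arn:${AWS::Partition}:redshift-serverless:${AWS::Region}:${AWS::AccountId}:workgroup/*' };
+}
+} else if (_.has(state, ['Parameters', 'WorkgroupName.$'])) {
+workgroupArn = { 'Fn::Sub': 'arn:${AWS::Partition}:redshift-serverless:${AWS::Region}:${AWS::AccountId}:workgroup/*' };
+} else if (_.has(state, ['Parameters', 'ClusterIdentifier'])) {
+clusterName = state.Parameters.ClusterIdentifier;
+} else {
+clusterName = '*';
+}
+
+let secretArn;
+let dbUser;
+if (_.has(state, ['Parameters', 'SecretArn'])) {
+if (state.Parameters.SecretArn.startsWith('arn:')) {
+secretArn = state.Parameters.SecretArn;
+} else {
+secretArn = { 'Fn::Sub': `arn:\${AWS::Partition}:secretsmanager:\${AWS::Region}:\${AWS::AccountId}:secret:${state.Parameters.SecretArn}*` };
+}
+} else if (_.has(state, ['Parameters', 'SecretArn.$'])) {
+secretArn = { 'Fn::Sub': 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*' };
+} else if (_.has(state, ['Parameters', 'DbUser'])) {
+dbUser = state.Parameters.DbUser;
+} else if (_.has(state, ['Parameters', 'DbUser.$'])) {
+dbUser = '*';
+}
+
+permissions.push({
 action,
-resource: { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:cluster:${clusterName}` },
-}, {
-action: 'redshift:GetClusterCredentials',
-resource: [
-{ 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbname:${clusterName}/${dbName}` },
-{ 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbuser:${clusterName}/${dbUser}` },
-],
-}];
+resource: workgroupArn || { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:cluster:${clusterName}` },
+});
+
+if (secretArn) {
+permissions.push({
+action: 'secretsmanager:GetSecretValue',
+resource: secretArn,
+});
+} else if (dbUser) {
+permissions.push({
+action: 'redshift:GetClusterCredentials',
+resource: [
+{ 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbuser:${clusterName}/${dbUser}` },
+{ 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbname:${clusterName}/${dbName}` },
+],
+});
+} else {
+if (workgroupArn) { // eslint-disable-line no-lonely-if
+permissions.push({
+action: 'redshift-serverless:GetCredentials',
+resource: workgroupArn,
+});
+} else {
+permissions.push({
+action: 'redshift:GetClusterCredentialsWithIAM',
+resource: { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbname:${clusterName}/${dbName}` },
+});
+}
+}
+} else {
+permissions.push({
+action,
+resource: '*',
+});
 }
-return [{
-action,
-resource: '*',
-}];
+
+return permissions;
 }
 
 function getLambdaPermissions(state) {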
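Review bot: The two `.startsWith('arn:')` calls on `state.Parameters.WorkgroupName` and `state.Parameters.SecretArn` assume the parameter is a plain string; if the plugin lets these parameters be CloudFormation intrinsic objects (`Ref`, `Fn::ImportValue`, `Fn::GetAtt`), as other Parameters in this file appear to allow, packaging would throw a TypeError where the previous code passed the value straight through. A type guard such as `const secretRef = state.Parameters.SecretArn;` followed by `if (typeof secretRef !== 'string' || secretRef.startsWith('arn:')) { secretArn = secretRef; }` (and the same shape for the workgroup branch) keeps intrinsics working and still narrows plain strings to a name-prefixed ARN. The `workgroup/*` fallback for a non-ARN workgroup name deserves a why-comment, since a reader will otherwise take it for an oversight rather than a deliberate account-wide grant, e.g. `// Redshift Serverless workgroup ARNs carry the workgroup id, not its name, so only a wildcard ARN can be derived from a name here`. It is also worth noting, in a comment above the `secretArn`/`dbUser` chain, that `SecretArn` takes precedence over `DbUser` when both are present, because the `else if` ordering silently drops the `redshift:GetClusterCredentials` grant in that case.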