
Commit bd9363b

authored
Merge pull request #576 from kmfukuda/master
feat: expand support for Redshift Data
2 parents ce5261a + b223272 commit bd9363b


2 files changed

+424
-66
lines changed


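--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -245,25 +245,82 @@ function getBatchDynamoDBPermissions(action, state) {
 }
 
 function getRedshiftDataPermissions(action, state) {
+  const permissions = [];
+
   if (['redshift-data:ExecuteStatement', 'redshift-data:BatchExecuteStatement'].includes(action)) {
-    const clusterName = _.has(state, 'Parameters.ClusterIdentifier') ? state.Parameters.ClusterIdentifier : '*';
-    const dbName = _.has(state, 'Parameters.Database') ? state.Parameters.Database : '*';
-    const dbUser = _.has(state, 'Parameters.DbUser') ? state.Parameters.DbUser : '*';
-    return [{
+    const dbName = _.has(state, ['Parameters', 'Database']) ? state.Parameters.Database : '*';
+
+    let workgroupArn;
+    let clusterName;
+    if (_.has(state, ['Parameters', 'WorkgroupName'])) {
+      if (state.Parameters.WorkgroupName.startsWith('arn:')) {
+        workgroupArn = state.Parameters.WorkgroupName;
+      } else {
+        workgroupArn = { 'Fn::Sub': 'arn:${AWS::Partition}:redshift-serverless:${AWS::Region}:${AWS::AccountId}:workgroup/*' };
+      }
+    } else if (_.has(state, ['Parameters', 'WorkgroupName.$'])) {
+      workgroupArn = { 'Fn::Sub': 'arn:${AWS::Partition}:redshift-serverless:${AWS::Region}:${AWS::AccountId}:workgroup/*' };
+    } else if (_.has(state, ['Parameters', 'ClusterIdentifier'])) {
+      clusterName = state.Parameters.ClusterIdentifier;
+    } else {
+      clusterName = '*';
+    }
+
+    let secretArn;
+    let dbUser;
+    if (_.has(state, ['Parameters', 'SecretArn'])) {
+      if (state.Parameters.SecretArn.startsWith('arn:')) {
+        secretArn = state.Parameters.SecretArn;
+      } else {
+        secretArn = { 'Fn::Sub': `arn:\${AWS::Partition}:secretsmanager:\${AWS::Region}:\${AWS::AccountId}:secret:${state.Parameters.SecretArn}*` };
+      }
+    } else if (_.has(state, ['Parameters', 'SecretArn.$'])) {
+      secretArn = { 'Fn::Sub': 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*' };
+    } else if (_.has(state, ['Parameters', 'DbUser'])) {
+      dbUser = state.Parameters.DbUser;
+    } else if (_.has(state, ['Parameters', 'DbUser.$'])) {
+      dbUser = '*';
+    }
+
+    permissions.push({
       action,
-      resource: { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:cluster:${clusterName}` },
-    }, {
-      action: 'redshift:GetClusterCredentials',
-      resource: [
-        { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbname:${clusterName}/${dbName}` },
-        { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbuser:${clusterName}/${dbUser}` },
-      ],
-    }];
+      resource: workgroupArn || { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:cluster:${clusterName}` },
+    });
+
+    if (secretArn) {
+      permissions.push({
+        action: 'secretsmanager:GetSecretValue',
+        resource: secretArn,
+      });
+    } else if (dbUser) {
+      permissions.push({
+        action: 'redshift:GetClusterCredentials',
+        resource: [
+          { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbuser:${clusterName}/${dbUser}` },
+          { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbname:${clusterName}/${dbName}` },
+        ],
+      });
+    } else {
+      if (workgroupArn) { // eslint-disable-line no-lonely-if
+        permissions.push({
+          action: 'redshift-serverless:GetCredentials',
+          resource: workgroupArn,
+        });
+      } else {
+        permissions.push({
+          action: 'redshift:GetClusterCredentialsWithIAM',
+          resource: { 'Fn::Sub': `arn:\${AWS::Partition}:redshift:\${AWS::Region}:\${AWS::AccountId}:dbname:${clusterName}/${dbName}` },
+        });
+      }
+    }
+  } else {
+    permissions.push({
+      action,
+      resource: '*',
+    });
   }
-  return [{
-    action,
-    resource: '*',
-  }];
+
+  return permissions;
 }
 
 function getLambdaPermissions(state) {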
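Review bot: The `else if (dbUser)` branch (new lines 295–301) interpolates `clusterName` into the `redshift:GetClusterCredentials` ARNs, but `clusterName` is only assigned in the `ClusterIdentifier`/fallback branches, so a state that sets both `WorkgroupName` and `DbUser` emits `dbuser:undefined/...` and `dbname:undefined/...` resources and never reaches the `redshift-serverless:GetCredentials` branch; guarding with `} else if (dbUser && clusterName) {` routes that combination to the workgroup branch instead. `state.Parameters.WorkgroupName.startsWith('arn:')` (new line 256) and the matching `SecretArn` check on line 272 assume the value is a string; if this plugin allows intrinsic objects in `Parameters`, a `typeof ... === 'string' &&` prefix avoids a TypeError at package time. A non-ARN `WorkgroupName` resolves to `workgroup/*` (lines 259 and 262), which is broader than the named workgroup; presumably because the ARN carries the workgroup ID rather than its name, and a one-line comment stating that would save the next reader from tightening it incorrectly. getRedshiftDataPermissions starts and ends inside this hunk.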
