Add awslint rule to force grant() methods to use helpers

aws · Feb 27, 2019 · cf68f7d · eladb · Feb 27, 2019 · cf68f7d
1 parent 554816d
commit cf68f7d
Show file tree

Hide file tree

Showing 19 changed files with 444 additions and 237 deletions.
diff --git a/packages/@aws-cdk/aws-codepipeline-api/lib/action.ts b/packages/@aws-cdk/aws-codepipeline-api/lib/action.ts
@@ -62,14 +62,14 @@ export interface IPipeline extends cdk.IConstruct, events.IEventRuleTarget {
    *
    * @param identity the IAM Identity to grant the permissions to
    */
-  grantBucketRead(identity?: iam.IPrincipal): void;
+  grantBucketRead(identity?: iam.IPrincipal): iam.GrantResult;
 
   /**
    * Grants read & write permissions to the Pipeline's S3 Bucket to the given Identity.
    *
    * @param identity the IAM Identity to grant the permissions to
    */
-  grantBucketReadWrite(identity?: iam.IPrincipal): void;
+  grantBucketReadWrite(identity?: iam.IPrincipal): iam.GrantResult;
 }
 
 /**

diff --git a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts
@@ -292,12 +292,12 @@ export class Pipeline extends cdk.Construct implements cpapi.IPipeline {
     return this.stages.length;
   }
 
-  public grantBucketRead(identity?: iam.IPrincipal): void {
-    this.artifactBucket.grantRead(identity);
+  public grantBucketRead(identity?: iam.IPrincipal): iam.GrantResult {
+    return this.artifactBucket.grantRead(identity);
   }
 
-  public grantBucketReadWrite(identity?: iam.IPrincipal): void {
-    this.artifactBucket.grantReadWrite(identity);
+  public grantBucketReadWrite(identity?: iam.IPrincipal): iam.GrantResult {
+    return this.artifactBucket.grantReadWrite(identity);
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
@@ -408,8 +408,8 @@ export class Table extends Construct {
    * @param principal The principal (no-op if undefined)
    * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...)
    */
-  public grant(principal?: iam.IPrincipal, ...actions: string[]) {
-    iam.Permissions.grant({
+  public grant(principal?: iam.IPrincipal, ...actions: string[]): iam.GrantResult {
+    return iam.Permissions.grant({
       principal,
       actions,
       resourceArns: [
@@ -427,7 +427,7 @@ export class Table extends Construct {
    * @param actions The set of actions to allow (i.e. "dynamodb:DescribeStream", "dynamodb:GetRecords", ...)
    */
   public grantStream(principal?: iam.IPrincipal, ...actions: string[]) {
-    iam.Permissions.grant({
+    return iam.Permissions.grant({
       principal,
       actions,
       resourceArns: [this.tableStreamArn],
@@ -441,7 +441,7 @@ export class Table extends Construct {
    * @param principal The principal to grant access to
    */
   public grantReadData(principal?: iam.IPrincipal) {
-    this.grant(principal, ...READ_DATA_ACTIONS);
+    return this.grant(principal, ...READ_DATA_ACTIONS);
   }
 
   /**
@@ -451,7 +451,7 @@ export class Table extends Construct {
    * @param principal The principal to grant access to
    */
   public grantStreamRead(principal?: iam.IPrincipal) {
-    this.grantStream(principal, ...READ_STREAM_DATA_ACTIONS);
+    return this.grantStream(principal, ...READ_STREAM_DATA_ACTIONS);
   }
 
   /**
@@ -460,7 +460,7 @@ export class Table extends Construct {
    * @param principal The principal to grant access to
    */
   public grantWriteData(principal?: iam.IPrincipal) {
-    this.grant(principal, ...WRITE_DATA_ACTIONS);
+    return this.grant(principal, ...WRITE_DATA_ACTIONS);
   }
 
   /**
@@ -470,15 +470,15 @@ export class Table extends Construct {
    * @param principal The principal to grant access to
    */
   public grantReadWriteData(principal?: iam.IPrincipal) {
-    this.grant(principal, ...READ_DATA_ACTIONS, ...WRITE_DATA_ACTIONS);
+    return this.grant(principal, ...READ_DATA_ACTIONS, ...WRITE_DATA_ACTIONS);
   }
 
   /**
    * Permits all DynamoDB operations ("dynamodb:*") to an IAM principal.
    * @param principal The principal to grant access to
    */
   public grantFullAccess(principal?: iam.IPrincipal) {
-    this.grant(principal, 'dynamodb:*');
+    return this.grant(principal, 'dynamodb:*');
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-ecr/lib/repository-ref.ts b/packages/@aws-cdk/aws-ecr/lib/repository-ref.ts
@@ -51,17 +51,17 @@ export interface IRepository extends cdk.IConstruct {
   /**
    * Grant the given principal identity permissions to perform the actions on this repository
    */
-  grant(identity?: iam.IPrincipal, ...actions: string[]): void;
+  grant(identity?: iam.IPrincipal, ...actions: string[]): iam.GrantResult;
 
   /**
    * Grant the given identity permissions to pull images in this repository.
    */
-  grantPull(identity?: iam.IPrincipal): void;
+  grantPull(identity?: iam.IPrincipal): iam.GrantResult;
 
   /**
    * Grant the given identity permissions to pull and push images to this repository.
    */
-  grantPullPush(identity?: iam.IPrincipal): void;
+  grantPullPush(identity?: iam.IPrincipal): iam.GrantResult;
 
   /**
    * Defines an AWS CloudWatch event rule that can trigger a target when an image is pushed to this
@@ -207,7 +207,7 @@ export abstract class RepositoryBase extends cdk.Construct implements IRepositor
    * Grant the given principal identity permissions to perform the actions on this repository
    */
   public grant(principal?: iam.IPrincipal, ...actions: string[]) {
-    iam.Permissions.grant({
+    return iam.Permissions.grant({
       principal,
       actions,
       resourceArns: [this.repositoryArn],
@@ -219,23 +219,24 @@ export abstract class RepositoryBase extends cdk.Construct implements IRepositor
    * Grant the given identity permissions to use the images in this repository
    */
   public grantPull(principal?: iam.IPrincipal) {
-    this.grant(principal, "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage");
+    const ret = this.grant(principal, "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage");
 
-    iam.Permissions.grant({
+    iam.Permissions.tryGrantOnIdentity({
       principal,
-      actions: ["ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents"],
+      actions: ["ecr:GetAuthorizationToken"],
       resourceArns: ['*'],
-      skipResourcePolicy: true,
       scope: this,
     });
+
+    return ret;
   }
 
   /**
    * Grant the given identity permissions to pull and push images to this repository.
    */
   public grantPullPush(identity?: iam.IPrincipal) {
     this.grantPull(identity);
-    this.grant(identity,
+    return this.grant(identity,
       "ecr:PutImage",
       "ecr:InitiateLayerUpload",
       "ecr:UploadLayerPart",