Howdy. I'm migrating some code from CDK to Pulumi...
# aws
d
Howdy. I'm migrating some code from CDK to Pulumi. It's a simple application using Lambda and DynamoDB. In the CDK, I grant access to the DynamoDB tables using "`<tableObject>.grantReadWrite(<lambdaObject>)`" -- but I'm having a hard time finding an equivalent in Pulumi. Any insights?
b
@delightful-monkey-90700 looks like that creates an IAM role that is abstracted away from you. Similar to this: https://github.com/pulumi/examples/blob/258d3bad0a00020704743e37911c51be63c06bb4/aws-ts-serverless-raw/index.ts#L31-L49
note you'll need to scope the resource (line 45) to the specific table
d
Are there plans to add similar levels of abstraction for really common and abstractable tasks to Pulumi?
b
yes, it's being worked on actively right now
d
Is there any information on what the interface will look like? I'm going to add methods to the DynamoDB/etc classes
b
not at the moment, check back next week 🙂
d
Here's what I did:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Collects statements per role so repeated grant calls build up one policy document
// (assumed to be flushed later into an aws.iam.RolePolicy; that step is not shown here).
const rolePolicyMap: Record<string, { statements: aws.iam.PolicyStatement[]; role: aws.iam.Role }> = {};

// Resolve an Output<string> to a plain string once its value is known. Note that apply
// callbacks do not run for unknown values during preview, so this only resolves at update time.
function pulumiOutputStringToString(output: pulumi.Output<string>): Promise<string> {
	return new Promise(resolve => output.apply(v => { resolve(v); return v; }));
}

// Patch the Table prototype; the cast is needed because Table's type does not declare this method.
(aws.dynamodb.Table.prototype as any).grantReadWriteData = async function (this: aws.dynamodb.Table, role: aws.iam.Role): Promise<void> {
	const roleName = await pulumiOutputStringToString(role.name);
	const policyName = `${roleName}-rolepolicy`;

	if (rolePolicyMap[policyName] === undefined) {
		rolePolicyMap[policyName] = {
			statements: [],
			role: role
		};
	}

	// Read and write actions, scoped to this table's ARN only (no wildcard resource).
	const rolePolicyStatements = rolePolicyMap[policyName].statements;
	rolePolicyStatements.push({
		Action: [
			"dynamodb:BatchGetItem",
			"dynamodb:GetRecords",
			"dynamodb:GetShardIterator",
			"dynamodb:Query",
			"dynamodb:GetItem",
			"dynamodb:Scan",
			"dynamodb:ConditionCheckItem",
			"dynamodb:BatchWriteItem",
			"dynamodb:PutItem",
			"dynamodb:UpdateItem",
			"dynamodb:DeleteItem",
			"dynamodb:DescribeTable"
		],
		Resource: this.arn,
		Effect: "Allow",
	});
};