
    delightful-monkey-90700

    4 months ago
    Howdy. I'm migrating some code from CDK to Pulumi. It's a simple application using Lambda and DynamoDB. In the CDK, I grant access to the DynamoDB tables using "<tableObject>.grantReadWrite(<lambdaObject>)" -- but I'm having a hard time finding an equivalent in Pulumi. Any insights?

    billowy-army-68599

    4 months ago
    @delightful-monkey-90700 looks like that creates an IAM role that is abstracted away from you. Similar to this: https://github.com/pulumi/examples/blob/258d3bad0a00020704743e37911c51be63c06bb4/aws-ts-serverless-raw/index.ts#L31-L49
    note you'll need to scope the resource (line 45) to the specific table

    delightful-monkey-90700

    4 months ago
    Are there plans to add similar levels of abstraction for really common and abstractable tasks to Pulumi?

    billowy-army-68599

    4 months ago
    yes, it's being worked on actively right now

    delightful-monkey-90700

    4 months ago
    Is there any information on what the interface will look like? I'm going to add methods to the DynamoDB/etc classes

    billowy-army-68599

    4 months ago
    not at the moment, check back next week 🙂

    delightful-monkey-90700

    4 months ago
    Here's what I did:
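    // pulumiOutputStringToString and rolePolicyMap are helpers defined outside this snippet.
    aws.dynamodb.Table.prototype.grantReadWriteData = async function(role: aws.iam.Role): Promise<void> {
    	// Resolve the role's name and derive the policy name from it.
    	const roleName = await pulumiOutputStringToString(role.name);
    	const policyName = `${roleName}-rolepolicy`;
    
    	// Keep one entry per role, keyed by the derived policy name.
    	if (rolePolicyMap[policyName] === undefined) {
    		rolePolicyMap[policyName] = {
    			statements: [],
    			role: role
    		};
    	}
    
    	// Append a read/write statement for this table to the role's entry.
    	const rolePolicyStatements = rolePolicyMap[policyName].statements;
    	rolePolicyStatements.push({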
    		Action: [
    			"dynamodb:BatchGetItem",
    			"dynamodb:GetRecords",
    			"dynamodb:GetShardIterator",
    			"dynamodb:Query",
    			"dynamodb:GetItem",
    			"dynamodb:Scan",
    			"dynamodb:ConditionCheckItem",
    			"dynamodb:BatchWriteItem",
    			"dynamodb:PutItem",
    			"dynamodb:UpdateItem",
    			"dynamodb:DeleteItem",
    			"dynamodb:DescribeTable"
    		],
    		// Scope the statement to this table's ARN only.
    		Resource: this.arn,
    		Effect: "Allow",
    	});
    }