feat: generate permission for dynamodb:Query and for GSIs

bahrmichael · bahrmichael · commit 0467b3c7ee47 · 2022-12-19T21:03:11.000+01:00
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -186,9 +186,19 @@ function getDynamoDBPermissions(action, state) {
     ? '*'
     : getDynamoDBArn(state.Parameters.TableName);
 
+  const indexName = state.Parameters['IndexName.$']
+    ? '*'
+    : state.Parameters.IndexName;
+
+  let resource;
+  if (indexName) {
+    resource = `${tableArn}/index/${indexName}`;
+  } else {
+    resource = tableArn;
+  }
   return [{
     action,
-    resource: tableArn,
+    resource,
   }];
 }
 
@@ -466,6 +476,8 @@ function getIamPermissions(taskStates) {
         return getDynamoDBPermissions('dynamodb:DeleteItem', state);
       case 'arn:aws:states:::aws-sdk:dynamodb:updateTable':
         return getDynamoDBPermissions('dynamodb:UpdateTable', state);
+      case 'arn:aws:states:::aws-sdk:dynamodb:query':
+        return getDynamoDBPermissions('dynamodb:Query', state);
 
       case 'arn:aws:states:::aws-sdk:redshiftdata:executeStatement':
         return getRedshiftDataPermissions('redshift-data:ExecuteStatement', state);
