chore: refactor the getDynamoDBPermissions function to reduce complexity

Michael Bahr · Michael Bahr · commit 4dfda6dea038 · 2023-01-27T10:30:26.000+01:00
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -130,67 +130,6 @@ function getDynamoDBArn(tableName) {
   };
 }
 
-function getDynamoDBIndexArn(tableName, indexName) {
-  if (isIntrinsic(tableName)) {
-    // most likely we'll see a { Ref: LogicalId }, which we need to map to
-    // { Fn::GetAtt: [ LogicalId, Arn ] } to get the ARN
-    if (tableName.Ref) {
-      return {
-        'Fn::Join': [
-          '/',
-          [
-            { 'Fn::GetAtt': [tableName.Ref, 'Arn'] },
-            'index',
-            indexName,
-          ],
-        ],
-      };
-    }
-    // but also support importing the table name from an external stack that exports it
-    // as we still want to support direct state machine actions interacting with those tables
-    if (tableName['Fn::ImportValue']) {
-      return {
-        'Fn::Join': [
-          ':',
-          [
-            'arn',
-            { Ref: 'AWS::Partition' },
-            'dynamodb',
-            { Ref: 'AWS::Region' },
-            { Ref: 'AWS::AccountId' },
-            {
-              'Fn::Join': [
-                '/',
-                [
-                  'table',
-                  tableName,
-                  'index',
-                  indexName,
-                ],
-              ],
-            },
-          ],
-        ],
-      };
-    }
-  }
-
-  return {
-    'Fn::Join': [
-      ':',
-      [
-        'arn',
-        { Ref: 'AWS::Partition' },
-        'dynamodb',
-        { Ref: 'AWS::Region' },
-        { Ref: 'AWS::AccountId' },
-        `table/${tableName}/index/${indexName}`,
-      ],
-    ],
-  };
-}
-
-
 function getBatchPermissions() {
   return [{
     action: 'batch:SubmitJob,batch:DescribeJobs,batch:TerminateJob',
@@ -243,26 +182,31 @@ function getEcsPermissions() {
 }
 
 function getDynamoDBPermissions(action, state) {
-  const indexName = state.Parameters['IndexName.$']
-    ? '*'
-    : state.Parameters.IndexName;
-
   let resource;
-  if (indexName) {
-    resource = state.Parameters['TableName.$']
+
+  if (state.Parameters['TableName.$']) {
+    // When the TableName is only known at runtime, we
+    // have to provide * permissions during deployment.
+    resource = '*';
+  } else if (state.Parameters['IndexName.$'] || state.Parameters.IndexName) {
+    // When the Parameters contain an IndexName, we have to build a
+    // longer arn that includes the index.
+    const indexName = state.Parameters['IndexName.$']
+      // We must provide * here instead of state.Parameters['IndexName.$'], because we don't know
+      // which index will be targeted when we the step function runs
       ? '*'
-      : getDynamoDBIndexArn(state.Parameters.TableName, indexName);
+      : state.Parameters.IndexName;
+
+    resource = getDynamoDBArn(`${state.Parameters.TableName}/index/${indexName}`);
   } else {
-    resource = state.Parameters['TableName.$']
-      ? '*'
-      : getDynamoDBArn(state.Parameters.TableName);
+    resource = getDynamoDBArn(state.Parameters.TableName);
   }
+
   return [{
     action,
     resource,
   }];
 }
-
 function getRedshiftDataPermissions(action, state) {
   if (['redshift-data:ExecuteStatement', 'redshift-data:BatchExecuteStatement'].includes(action)) {
     const clusterName = _.has(state, 'Parameters.ClusterIdentifier') ? state.Parameters.ClusterIdentifier : '*';
