feat: add custom IAM actions to S3 resources (#11)

MickVanDuijn · web-flow · commit 1cf13e7cb146 · 2024-07-31T14:14:16.000+02:00
diff --git a/modules/config-lambda/resources.tf b/modules/config-lambda/resources.tf
@@ -56,7 +56,8 @@ locals {
         for resource in try(definition.resources, []) : {
           bucketId       = resource.s3.bucketId
           actions        = resource.s3.actions
-          actions_string = join(",", sort(toset(resource.s3.actions)))
+          iamActions     = try(flatten([resource.dynamodb.iamActions]), [])
+          actions_string = join(",", sort(toset(flatten([resource.s3.actions, try(resource.s3.iamActions, [])]))))
         } if try(resource.s3, null) != null
       ]
       dynamodb = [
@@ -172,6 +173,7 @@ data "aws_iam_policy_document" "s3_access" {
         contains(statement.value, "delete") ? [
           "s3:DeleteObject",
         ] : [],
+        statement.value.iamActions,
       ))
 
       resources = flatten([
diff --git a/src/definition/resources/s3.schema.ts b/src/definition/resources/s3.schema.ts
@@ -4,5 +4,6 @@ export const s3Resource = $object({
     s3: $object({
         bucketId: $string().describe('The ID of the bucket.'),
         actions: $enum(['read', 'write', 'delete', 'get', 'list']).array({ minItems: 1 }),
+        iamActions: $string().array().optional().describe('Custom IAM actions to add to the role.'),
     }).describe('An S3 bucket that is used by the function.'),
 }).describe('An S3 bucket that is used by the function.')
diff --git a/src/definition/resources/s3.type.ts b/src/definition/resources/s3.type.ts
@@ -19,5 +19,9 @@ export interface S3Resource {
          */
         bucketId: string
         actions: [S3ResourceActionsArray, ...S3ResourceActionsArray[]]
+        /**
+         * Custom IAM actions to add to the role.
+         */
+        iamActions?: string[] | undefined
     }
 }
diff --git a/src/definition/schemas/star-chart-handler.schema.json b/src/definition/schemas/star-chart-handler.schema.json
@@ -608,6 +608,13 @@
                 "enum": ["read", "write", "delete", "get", "list"]
               },
               "minItems": 1
+            },
+            "iamActions": {
+              "type": "array",
+              "description": "Custom IAM actions to add to the role.",
+              "items": {
+                "type": "string"
+              }
             }
           },
           "required": ["actions", "bucketId"],

Original file line number	Diff line number	Diff line change
`@@ -19,5 +19,9 @@ export interface S3Resource {`
`19`	`19`	`*/`
`20`	`20`	`bucketId: string`
`21`	`21`	`actions: [S3ResourceActionsArray, ...S3ResourceActionsArray[]]`
	`22`	`+ /**`
	`23`	`+ * Custom IAM actions to add to the role.`
	`24`	`+ */`
	`25`	`+ iamActions?: string[] \| undefined`
`22`	`26`	`}`
`23`	`27`	`}`