in infrastructure/cdk/lib/layer/ingestionConsumptionLayer.ts [1042:1137]
/**
 * Attaches the API, DynamoDB, SSM and Kinesis permissions to the player and
 * manager roles.
 *
 * The roles are read from the `security.playersrole` and
 * `security.managersrole` parameters. Every statement is scoped by
 * `props.region`, `props.accountId` and, for the API statements, the REST API
 * id (`this.api.ref`) with the stage hard-coded to `prod`.
 *
 * @param props Parameter holder supplying region, account id, application
 *   name and the two IAM roles.
 */
updateUsersRoles(props: IParameterAwareProps) {
  // Management-plane style ARN prefix ("apigateway:*" actions).
  // NOTE(review): AWS documents API Gateway management ARNs as
  // arn:aws:apigateway:{region}::/restapis/{id}/..., with an empty account
  // field. Confirm the statements built on this prefix match any resource; if
  // they do not, they grant nothing and can be dropped.
  const baseArn = 'arn:aws:apigateway:' + props.region + ':' + props.accountId + ':' + this.api.ref + '/prod/*/';
  // Invocation ARN prefix ("execute-api:Invoke"): {api-id}/{stage}/{METHOD}/{path}.
  const baseExecArn = 'arn:aws:execute-api:' + props.region + ':' + props.accountId + ':' + this.api.ref + '/prod/';

  // Adds one policy statement with the given actions and resources to a role.
  const attach = (role: IAM.Role, actions: string[], resources: string[]): void => {
    role.addToPolicy(new IAM.PolicyStatement({ actions, resources }));
  };

  // ---- Players: may only call the listed routes with the listed verbs ----
  const playerRole = props.getParameter('security.playersrole') as IAM.Role;

  attach(
    playerRole,
    ['apigateway:GET'],
    ['config', 'session', 'scoreboard'].map((route) => baseArn + route)
  );
  attach(
    playerRole,
    ['execute-api:Invoke'],
    ['GET/config', 'GET/session', 'GET/scoreboard'].map((route) => baseExecArn + route)
  );
  attach(
    playerRole,
    ['apigateway:POST'],
    ['updatestatus', 'allocate', 'deallocate'].map((route) => baseArn + route)
  );
  attach(
    playerRole,
    ['execute-api:Invoke'],
    ['POST/updatestatus', 'POST/allocate', 'POST/deallocate'].map((route) => baseExecArn + route)
  );

  // ---- Managers: data-plane access to the application's backing stores ----
  const managerRole = props.getParameter('security.managersrole') as IAM.Role;

  // NOTE(review): the resource ends in a bare `*` after the application name,
  // so it matches every table in this account/region whose name merely starts
  // with that name. A delimiter before the wildcard, or explicit table ARNs,
  // would keep the grant to this deployment's tables.
  attach(
    managerRole,
    [
      'dynamodb:BatchGetItem',
      'dynamodb:BatchWriteItem',
      'dynamodb:PutItem',
      'dynamodb:Scan',
      'dynamodb:Query',
      'dynamodb:GetItem'
    ],
    ['arn:aws:dynamodb:' + props.region + ':' + props.accountId + ':table/' + props.getApplicationName() + '*']
  );

  // Read, write and delete on every parameter under /<application name, lower-cased>/.
  attach(
    managerRole,
    [
      'ssm:GetParameters',
      'ssm:GetParameter',
      'ssm:DeleteParameters',
      'ssm:PutParameter',
      'ssm:DeleteParameter'
    ],
    ['arn:aws:ssm:' + props.region + ':' + props.accountId + ':parameter/' + props.getApplicationName().toLowerCase() + '/*']
  );

  // Read-only consumption of the single stream held by this layer.
  attach(
    managerRole,
    ['kinesis:GetShardIterator', 'kinesis:DescribeStream', 'kinesis:GetRecords'],
    [this.kinesisStreams.streamArn]
  );

  // NOTE(review): `apigateway:*` covers every API Gateway action, not just
  // the verbs the manager console uses. Unlike the player role, no
  // `execute-api:Invoke` statement is added for managers here; confirm which
  // of the two was intended and narrow the action list accordingly.
  attach(managerRole, ['apigateway:*'], [baseArn + '*']);
}