constructor()

in infra/central/lib/SecurityStack/index.ts [29:111]


    /**
     * Creates the IAM roles used by the data-lake approval workflow.
     *
     * Four Lambda execution roles are created, each trusting
     * `lambda.amazonaws.com`, carrying `AWSLambdaBasicExecutionRole`, and one
     * inline policy registered under the key `inline0` that allows only the
     * actions listed below. A fifth role trusts `states.amazonaws.com` for the
     * Step Functions state machine and is created here without any policy;
     * presumably permissions are attached by whoever consumes
     * `stateMachineWorkflowRole` — confirm against the callers.
     *
     * @param scope - Parent construct.
     * @param id - Logical id of this nested stack.
     * @param props - Optional nested-stack properties, passed straight to `super`.
     */
    constructor(scope: Construct, id: string, props?: NestedStackProps) {
        super(scope, id, props);

        // Shared pieces of every Lambda role below.
        const lambdaTrust = new ServicePrincipal("lambda.amazonaws.com");
        const basicExecution = ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole");

        // Every inline policy in this stack is a single ALLOW statement.
        const allowOnly = (actions: string[], resources: string[]): PolicyDocument =>
            new PolicyDocument({
                statements: [new PolicyStatement({ effect: Effect.ALLOW, actions, resources })],
            });

        // Lambda execution role: shared trust policy, the basic-execution
        // managed policy plus any extra ones, and one inline policy under "inline0".
        const lambdaRole = (
            roleId: string,
            inline: PolicyDocument,
            extraManaged: (typeof basicExecution)[] = [],
        ): Role =>
            new Role(this, roleId, {
                assumedBy: lambdaTrust,
                managedPolicies: [basicExecution, ...extraManaged],
                inlinePolicies: { inline0: inline },
            });

        // Reports task outcomes back to Step Functions. NOTE(review): these two
        // actions take "*" here; whether Step Functions supports narrower
        // resource ARNs for them should be confirmed before tightening.
        this.workflowLambdaSMApproverRole = lambdaRole(
            "WorkflowLambdaSMApproverRole",
            allowOnly(["states:SendTaskSuccess", "states:SendTaskFailure"], ["*"]),
        );

        // Assumes the producer-side role in any account (account id wildcarded)
        // to send the approval e-mail; the role name is fixed, the account is not.
        this.workflowLambdaSendApprovalEmailRole = lambdaRole(
            "WorkflowLambdaSendApprovalEmailRole",
            allowOnly(["sts:AssumeRole"], ["arn:aws:iam::*:role/ProducerWorkflowRole"]),
        );

        // Grants Lake Formation permissions on a catalog item and reads its
        // Glue metadata. NOTE(review): glue:GetTable/GetDatabase are allowed on
        // "*"; consider scoping them to this account's catalog ARNs — confirm
        // which catalog the workflow actually reads first.
        this.workflowLambdaShareCatalogItemRole = lambdaRole(
            "WorkflowLambdaShareCatalogItemRole",
            allowOnly(["lakeformation:GrantPermissions", "glue:GetTable", "glue:GetDatabase"], ["*"]),
            [ManagedPolicy.fromAwsManagedPolicyName("AWSLakeFormationCrossAccountManager")],
        );

        // Read-only Glue metadata lookup; same "*" scoping caveat as above.
        this.workflowLambdaTableDetailsRole = lambdaRole(
            "WorkflowLambdaTableDetailsRole",
            allowOnly(["glue:GetTable", "glue:GetDatabase"], ["*"]),
        );

        // Execution role for the state machine itself; no permissions are
        // attached at this point.
        this.stateMachineWorkflowRole = new Role(this, "DataLakeWorkflowRole", {
            assumedBy: new ServicePrincipal("states.amazonaws.com"),
        });
    }