private createResourceLinks()

in packages/constructs/L3/governance/lakeformation-access-control-l3-construct/lib/lakeformation-access-control-l3-construct.ts [200:272]


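  /**
   * Creates one Glue resource-link database per entry in `resourceLinks` and
   * grants each listed principal DESCRIBE on that link.
   *
   * A link is created in `fromAccount` (defaulting to this stack's account); a
   * link owned by another account is placed in that account's cross-account
   * stack. The grant issued here is DESCRIBE on the link only — no data
   * permissions on the target database are granted by this method.
   *
   * @param resourceLinks - Resource links keyed by the link (database) name.
   * @param externalDependency - Optional database the resulting grants must be
   *   ordered after; applied only to grants created in this stack's account.
   */
  private createResourceLinks(resourceLinks: NamedResourceLinkProps, externalDependency?: CfnDatabase) {
    for (const [resourceLinkName, resourceLinkProps] of Object.entries(resourceLinks)) {
      // `||` is deliberate: an undefined or empty fromAccount falls back to this account.
      const fromAccount = resourceLinkProps.fromAccount || this.account;

      // Links for another account are created in that account's dedicated stack.
      const createScope = fromAccount !== this.account ? this.getCrossAccountStack(fromAccount) : this;

      // Built as a typed literal so the link name can be read back below without a cast.
      const databaseInput: CfnDatabase.DatabaseInputProperty = {
        name: resourceLinkName,
        targetDatabase: {
          catalogId: resourceLinkProps.targetAccount || this.account,
          databaseName: resourceLinkProps.targetDatabase,
        },
      };
      const resourceLinkDatabaseProps: CfnDatabaseProps = {
        catalogId: fromAccount,
        databaseInput,
      };
      console.log(`Creating resource link ${resourceLinkName} in account ${fromAccount}`);
      // Constructing the CfnDatabase registers it with createScope; no handle is needed afterwards.
      new CfnDatabase(createScope, `${resourceLinkName}-resource-link`, resourceLinkDatabaseProps);

      for (const [principalName, principalProps] of Object.entries(resourceLinkProps.grantPrincipals || {})) {
        const principalIdentity = this.constructPrincipalIdentity(principalName, principalProps);

        console.log(
          `Creating resource link grant for ${principalIdentity.identity} to ${resourceLinkName} in account ${fromAccount}`,
        );
        if (principalIdentity.account !== fromAccount) {
          console.warn(
            `Warning, possibly creating grant to principal in separate account ${principalIdentity.account} from resource link ${resourceLinkName} account ${fromAccount}.`,
          );
        }

        // Same value that was passed to CfnDatabase above; skip the grant if no name was given.
        const createdResourceLinkName = databaseInput.name;
        if (!createdResourceLinkName) {
          continue;
        }

        const databaseGrantIdentifier = LakeFormationAccessControlL3Construct.generateIdentifier(
          resourceLinkName,
          principalName,
          'RESOURCE-LINK',
        );
        // NOTE(review): the grant's database catalogId is the principal's account, while the
        // link above was created in fromAccount; when the two differ (warned above) the grant
        // may not refer to the link that was just created — confirm this is intended.
        const crossAccountResourceLinkGrant = new CfnPrincipalPermissions(
          createScope,
          `grant-${databaseGrantIdentifier}`,
          {
            resource: {
              database: {
                catalogId: principalIdentity.account || this.account,
                name: createdResourceLinkName,
              },
            },
            principal: {
              dataLakePrincipalIdentifier: principalIdentity.identity,
            },
            // Least privilege: the link is only made discoverable; no grant option is delegated.
            permissions: ['DESCRIBE'],
            permissionsWithGrantOption: [],
          },
        );
        // The external dependency only applies to grants created in this stack's own account.
        LakeFormationAccessControlL3Construct.addToAccountGrants(
          fromAccount,
          crossAccountResourceLinkGrant,
          fromAccount === this.account ? externalDependency : undefined,
        );
      }
    }
  }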