def __grant_access()

in Gems/AWSCore/cdk/example/example_resources_stack.py [0:0]


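    def __grant_access(self):
        """Grant the imported user and admin IAM groups read access to the example resources.

        Both groups are resolved from cross-stack exports (``Fn.import_value``) of the
        project's ``UserGroup`` / ``AdminGroup`` outputs, and each receives the same
        read-only permissions: Get*/List* on the example S3 bucket and its objects,
        ``lambda:InvokeFunction`` on the example function, and read access to the example
        DynamoDB table. Nothing here grants write or delete rights, and the admin group is
        deliberately given no more than the user group by this method.

        The S3 and Lambda permissions are attached to the groups' identity-based policies
        rather than through ``Bucket.grant_read`` / ``Function.grant_invoke``: those helpers
        also try to add the grantee to the resource-based policy, and an imported group (a
        token from ``Fn.import_value``) is not a valid principal there.
        See https://aws.amazon.com/premiumsupport/knowledge-center/s3-invalid-principal-in-policy-error/
        """
        user_group = iam.Group.from_group_arn(
            self,
            f'{self._project_name}-{self._feature_name}-ImportedUserGroup',
            Fn.import_value(f'{self._project_name}:UserGroup'),
        )
        admin_group = iam.Group.from_group_arn(
            self,
            f'{self._project_name}-{self._feature_name}-ImportedAdminGroup',
            Fn.import_value(f'{self._project_name}:AdminGroup'),
        )

        bucket_arn = self._s3_bucket.bucket_arn
        # The grants are identical for both groups, so they are built in one place. A fresh
        # PolicyStatement is created per group rather than sharing one instance between
        # two policy documents.
        for group in (user_group, admin_group):
            # Read-only access to the bucket and every object in it: the wildcards only
            # match actions in the Get*/List* families, never Put*/Delete*.
            # NOTE(review): "s3:GetBucket*" also matches bucket-configuration reads such as
            # GetBucketPolicy / GetBucketAcl; list explicit actions if that is more than
            # these groups need.
            group.add_to_principal_policy(
                iam.PolicyStatement(
                    actions=[
                        "s3:GetBucket*",
                        "s3:GetObject*",
                        "s3:List*",
                    ],
                    effect=iam.Effect.ALLOW,
                    resources=[bucket_arn, f'{bucket_arn}/*'],
                )
            )
            # Invoke only, scoped to the example function's (unqualified) ARN.
            group.add_to_principal_policy(
                iam.PolicyStatement(
                    actions=["lambda:InvokeFunction"],
                    effect=iam.Effect.ALLOW,
                    resources=[self._lambda.function_arn],
                )
            )
            # Unlike the S3/Lambda helpers, the Table grant works with the imported group,
            # so it is used directly.
            self._table.grant_read_data(group)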