

Grant access to schema for role (#36)
stephanpelikan committed Sep 17, 2024
1 parent 1b29ef4 commit e22f1fe
Showing 3 changed files with 76 additions and 6 deletions.
11 changes: 11 additions & 0 deletions README.md
Expand Up @@ -194,6 +194,17 @@ new Schema(this, "Schema", {
})
```

One may need a role permitted for using schema:

```ts
new Schema(this, "Schema", {
provider: provider,
schemaName: "myschema",
databaseName: database.databaseName,
role: role,
})
```

## Sql

You can insert arbitrary SQL into your database with the `Sql` construct:
63 changes: 57 additions & 6 deletions src/handler.ts
Expand Up @@ -58,6 +58,13 @@ interface DatabaseUpdateProps extends DatabaseProps {
MasterOwner: string
}

interface SchemaProps {
/**
* Optional role is granted permissions.
*/
RoleName?: string
}

const maxAttempts = 20

const jumpTable: JumpTable = {
Expand All @@ -73,14 +80,58 @@ const jumpTable: JumpTable = {
},
},
schema: {
Create: async (resourceId: string) => {
return format("create schema if not exists %I", resourceId)
Create: async (resourceId: string, props: SchemaProps) => {
const sql: string[] = [format("create schema if not exists %I", resourceId)]
if (props.RoleName) {
sql.push(format("GRANT USAGE ON SCHEMA %I TO %I", resourceId, props.RoleName))
sql.push(format("GRANT CREATE ON SCHEMA %I TO %I", resourceId, props.RoleName))
sql.push(
format("GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I", resourceId, props.RoleName)
)
}
return sql
},
Update: async (resourceId: string, oldResourceId: string) => {
return format("alter schema %I rename to %I", oldResourceId, resourceId)
Update: async (resourceId: string, oldResourceId: string, props: SchemaProps) => {
const sql: string[] = []
// TODO: revoke old role-name if props.RoleName was removed or changed
if (props.RoleName) {
sql.push(
format(
"REVOKE ALL ON ALL TABLES IN SCHEMA %I FROM %I",
oldResourceId,
props.RoleName
)
)
sql.push(
format("REVOKE CREATE ON SCHEMA %I FROM %FROM", oldResourceId, props.RoleName)
)
sql.push(format("REVOKE ALL ON SCHEMA %I FROM %I", oldResourceId, props.RoleName))
}
sql.push(format("alter schema %I rename to %I", oldResourceId, resourceId))
if (props.RoleName) {
sql.push(format("GRANT USAGE ON SCHEMA %I TO %I", resourceId, props.RoleName))
sql.push(format("GRANT CREATE ON SCHEMA %I TO %I", resourceId, props.RoleName))
sql.push(
format("GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I", resourceId, props.RoleName)
)
}
return sql
},
Delete: (resourceId: string) => {
return format("drop schema if exists %I cascade", resourceId)
Delete: (resourceId: string, props: SchemaProps) => {
const sql: string[] = []
if (props.RoleName) {
sql.push(
format(
"REVOKE ALL ON ALL TABLES IN SCHEMA %I FROM %I",
resourceId,
props.RoleName
)
)
sql.push(format("REVOKE CREATE ON SCHEMA %I FROM %I", resourceId, props.RoleName))
sql.push(format("REVOKE ALL ON SCHEMA %I FROM %I", resourceId, props.RoleName))
}
sql.push(format("drop schema if exists %I cascade", resourceId))
return sql
},
},
role: {
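Review bot: The second REVOKE in the Update handler uses `%FROM` where a `%I` placeholder belongs, so the role argument is never substituted and the statement is emitted literally as `... FROM %FROM`, which will make the whole Update fail for any schema that has a RoleName (assuming `format` is pg-format, whose placeholders are %s/%I/%L); the sibling line in Delete is correct, so change it to `sql.push(format("REVOKE CREATE ON SCHEMA %I FROM %I", oldResourceId, props.RoleName))`. The TODO above it is also a least-privilege gap: Update only receives the new props, so when `role` is removed or changed the previously granted role keeps USAGE, CREATE and table privileges on the schema until the schema itself is deleted; passing the old resource properties into Update would let the REVOKEs target the previous RoleName instead of the current one. Note as well that `GRANT ALL ON ALL TABLES IN SCHEMA` only covers tables that exist at grant time, so tables created later are not covered unless default privileges are also altered — worth stating in the `RoleName` doc comment so operators do not assume ongoing coverage. The jumpTable object starts and ends outside this hunk.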
8 changes: 8 additions & 0 deletions src/schema.ts
Expand Up @@ -3,6 +3,7 @@ import { Construct } from "constructs"
import { IDatabase } from "./database"
import { RdsSqlResource } from "./enum"
import { Provider } from "./provider"
import { Role } from "./role"

export interface SchemaProps {
/**
Expand All @@ -21,6 +22,11 @@ export interface SchemaProps {
* Schema name.
*/
readonly schemaName: string

/**
* Optional role to be granted for managing tables in schema
*/
readonly role?: Role
}

export class Schema extends CustomResource {
Expand All @@ -34,10 +40,12 @@ export class Schema extends CustomResource {
ResourceId: props.schemaName,
SecretArn: props.provider.secret.secretArn,
DatabaseName: props.database ? props.database.databaseName : undefined,
RoleName: props.role ? props.role.roleName : undefined,
},
})
this.node.addDependency(props.provider)
this.schemaName = props.schemaName
if (props.database) this.node.addDependency(props.database)
if (props.role) this.node.addDependency(props.role)
}
}
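Review bot: The TSDoc on the new `role` property ("Optional role to be granted for managing tables in schema") understates what the handler actually does with it, and this is the public surface a consumer reads before handing out privileges; spell the grants out, e.g. `Optional role granted USAGE and CREATE on the schema and ALL privileges on the tables existing in it at deployment time. Replacing or removing the role later does not revoke earlier grants.` The second sentence follows from the handler change in this commit (Update only sees the new RoleName) and should be confirmed against the handler before it is documented as a contract. The `RoleName: props.role ? props.role.roleName : undefined` line mirrors the `DatabaseName` line above it, so the style is consistent; whether `Role` exposes `roleName` is not visible in this hunk.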
