Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Grant access to schema for role (#36) #37

Merged
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,17 @@ new Schema(this, "Schema", {
})
```

One may need a role permitted for using schema:

```ts
new Schema(this, "Schema", {
provider: provider,
schemaName: "myschema",
databaseName: database.databaseName,
role: role,
})
```

## Sql

You can insert arbitrary SQL into your database with the `Sql` construct:
Expand Down
63 changes: 57 additions & 6 deletions src/handler.ts
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,13 @@ interface DatabaseUpdateProps extends DatabaseProps {
MasterOwner: string
}

interface SchemaProps {
/**
* Optional role is granted permissions.
*/
RoleName?: string
}

const maxAttempts = 20

const jumpTable: JumpTable = {
Expand All @@ -73,14 +80,58 @@ const jumpTable: JumpTable = {
},
},
schema: {
Create: async (resourceId: string) => {
return format("create schema if not exists %I", resourceId)
Create: async (resourceId: string, props: SchemaProps) => {
const sql: string[] = [format("create schema if not exists %I", resourceId)]
if (props.RoleName) {
sql.push(format("GRANT USAGE ON SCHEMA %I TO %I", resourceId, props.RoleName))
sql.push(format("GRANT CREATE ON SCHEMA %I TO %I", resourceId, props.RoleName))
sql.push(
format("GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I", resourceId, props.RoleName)
)
}
return sql
},
Update: async (resourceId: string, oldResourceId: string) => {
return format("alter schema %I rename to %I", oldResourceId, resourceId)
Update: async (resourceId: string, oldResourceId: string, props: SchemaProps) => {
const sql: string[] = []
// TODO: revoke old role-name if props.RoleName was removed or changed
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that needs doing (and be tested).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You did those notes as well:

https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L118
https://github.com/berenddeboer/cdk-rds-sql/blob/main/src/handler.ts#L160

If the handler would be prepared to get old props as well I would have done this check. It is out of the scope of this little change to refactor the handler.

if (props.RoleName) {
sql.push(
format(
"REVOKE ALL ON ALL TABLES IN SCHEMA %I FROM %I",
oldResourceId,
props.RoleName
)
)
sql.push(
format("REVOKE CREATE ON SCHEMA %I FROM %FROM", oldResourceId, props.RoleName)
)
sql.push(format("REVOKE ALL ON SCHEMA %I FROM %I", oldResourceId, props.RoleName))
}
sql.push(format("alter schema %I rename to %I", oldResourceId, resourceId))
if (props.RoleName) {
sql.push(format("GRANT USAGE ON SCHEMA %I TO %I", resourceId, props.RoleName))
sql.push(format("GRANT CREATE ON SCHEMA %I TO %I", resourceId, props.RoleName))
sql.push(
format("GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I", resourceId, props.RoleName)
)
}
return sql
},
Delete: (resourceId: string) => {
return format("drop schema if exists %I cascade", resourceId)
Delete: (resourceId: string, props: SchemaProps) => {
const sql: string[] = []
if (props.RoleName) {
sql.push(
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're repeating yourself a lot, so please put the grant + revoke schema into their own function, so you can call that instead of copying the same code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

format(
"REVOKE ALL ON ALL TABLES IN SCHEMA %I FROM %I",
resourceId,
props.RoleName
)
)
sql.push(format("REVOKE CREATE ON SCHEMA %I FROM %I", resourceId, props.RoleName))
sql.push(format("REVOKE ALL ON SCHEMA %I FROM %I", resourceId, props.RoleName))
}
sql.push(format("drop schema if exists %I cascade", resourceId))
return sql
},
},
role: {
Expand Down
8 changes: 8 additions & 0 deletions src/schema.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import { Construct } from "constructs"
import { IDatabase } from "./database"
import { RdsSqlResource } from "./enum"
import { Provider } from "./provider"
import { Role } from "./role"

export interface SchemaProps {
/**
Expand All @@ -21,6 +22,11 @@ export interface SchemaProps {
* Schema name.
*/
readonly schemaName: string

/**
* Optional role to be granted for managing tables in schema
*/
readonly role?: Role
}

export class Schema extends CustomResource {
Expand All @@ -34,10 +40,12 @@ export class Schema extends CustomResource {
ResourceId: props.schemaName,
SecretArn: props.provider.secret.secretArn,
DatabaseName: props.database ? props.database.databaseName : undefined,
RoleName: props.role ? props.role.roleName : undefined,
},
})
this.node.addDependency(props.provider)
this.schemaName = props.schemaName
if (props.database) this.node.addDependency(props.database)
if (props.role) this.node.addDependency(props.role)
}
}
Loading