aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(iam): provide constants for actions and conditions #22714

Open JoshMcCullough opened 2 years ago

JoshMcCullough commented 2 years ago

Describe the feature

Include constants for AWS actions (e.g. sqs:SendMessage), used when defining policy documents for IAM. This 3rd-party library provides them, but it'd make sense to have them included in the aws-cdk-lib package.

Use Case

import * as IAM from 'aws-cdk-lib/aws-iam';

new IAM.Role(this, 'MyRole', {
  roleName: 'my-role',
  // assumedBy is required by Role; the principal here is only illustrative
  assumedBy: new IAM.ServicePrincipal('lambda.amazonaws.com'),
  inlinePolicies: {
    'queue_send-message': new IAM.PolicyDocument({
      statements: [new IAM.PolicyStatement({
        effect: IAM.Effect.ALLOW,
        actions: ['sqs:SendMessage'],     // <---- hard-coded action here
        resources: ['some-resource-arn'],
      })],
    }),
  },
});

Proposed Solution

It'd be great to not have to hard-code sqs.SendMessage and instead have a constant to reference, something like IAM.Actions.SQS.SendMessage, or perhaps IAM actions within each sub-library, like SQS.Actions.SendMessage -- or similar.

Other Information

No response

Acknowledgements

CDK version used

2.49.0 (build 793dd76)

Environment details (OS name and version, etc.)

Manjaro Linux 22

peterwoodworth commented 2 years ago

Thanks for the feature request @JoshMcCullough,

I agree that this would be a nice feature to have that would be helpful and prevent mistakes from being made.

However, I'm a little concerned that if we were to include this, it would have a pretty high cost of maintainability. New services and actions for existing services are added all the time, and we'd need to keep up with this for a consistent experience. But it seems that the 3rd party library you've linked autogenerates the files, so maybe this could work out well if we can automate this to be up-to-date on each CDK release 🙂

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to re-evaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we'd be happy to review a PR 🙂
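The shape proposed in the issue (IAM.Actions.SQS.SendMessage) and the maintainer's point that such constants would have to be autogenerated to stay current, sketched as an added example that is not aws-cdk code. It assumes a constructed service/action list as the generator's input, and a minimal stand-in for PolicyStatement props rather than the real CDK type; the runtime check rejects mistyped actions, which with a hand-typed string would otherwise deploy as a silently useless grant.

```typescript
// Added example, not aws-cdk code. Constructed sample of the data an
// autogenerator would consume (the real source would be an AWS action list).
export const sampleServiceActions: Record<string, string[]> = {
  sqs: ['SendMessage', 'ReceiveMessage', 'DeleteMessage'],
  s3: ['GetObject', 'PutObject'],
};

// Nested constants so that Actions.SQS.SendMessage === 'sqs:SendMessage'.
export type ActionConstants = Record<string, Record<string, string>>;

export function buildActionConstants(source: Record<string, string[]>): ActionConstants {
  const out: ActionConstants = {};
  for (const [service, actions] of Object.entries(source)) {
    const group: Record<string, string> = {};
    for (const action of actions) {
      group[action] = `${service}:${action}`;
    }
    // Frozen so callers cannot mutate the generated constants at runtime.
    out[service.toUpperCase()] = Object.freeze(group);
  }
  return Object.freeze(out);
}

export const Actions = buildActionConstants(sampleServiceActions);

// An IAM action is "service:Action". A "*" on either side widens the grant,
// so it is rejected here and left to an explicit review path.
const ACTION_RE = /^[a-z0-9-]+:[A-Za-z0-9]+$/;

export function assertKnownAction(action: string, constants: ActionConstants = Actions): string {
  if (!ACTION_RE.test(action)) {
    throw new Error(`action "${action}" is not of the form service:Action`);
  }
  const [service, name] = action.split(':');
  const known = constants[service.toUpperCase()]?.[name];
  if (known === undefined) {
    throw new Error(`unknown action "${action}" (typo?)`);
  }
  return known;
}

// Hypothetical stand-in for IAM.PolicyStatement props, not the CDK type.
export interface StatementProps { effect: 'Allow' | 'Deny'; actions: string[]; resources: string[]; }

export function allow(actions: string[], resources: string[]): StatementProps {
  return { effect: 'Allow', actions: actions.map((a) => assertKnownAction(a)), resources };
}
```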

hoegertn commented 2 years ago

You can also have a look at https://github.com/udondan/iam-floyd which provides a typesafe way to generate IAM policy statements not only the action strings.

JoshMcCullough commented 2 years ago

Sounds reasonable, thanks.

rix0rrr commented 1 year ago

It's a very reasonable request and a good idea. We'll think on how this might fit into our plans, but for now 3rd party packages are probably the way to go.