Skip to content

chore(ec2): extract grant logic to a helper class #35715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

chore(ec2): extract grant logic to a helper class #35715

wants to merge 2 commits into from
+155 −20

Conversation

otaviomacedo
Copy link
Contributor

Move the logic from VolumeBase.grantAttachVolumeByResourceTag() and VolumeBase.grantAttachVolume() to a new helper class, called VolumeGrants. With this, we can give grants to L1s and L2s in a uniform way:

const instance = new Instance(stack, 'Instance', ...);

// Basic usage:
const volume = new CfnVolume(stack, 'Volume', {
  availabilityZone: 'us-east-1a',
});

VolumeGrants.fromVolume(volume).grantAttachVolumeByResourceTag(instance.grantPrincipal, [instance]);

If the instance of IVolumeRef that we have also happens to implement IResourceWithKey, we can do:

const volume = new Volume(stack, 'Volume', {
  availabilityZone: 'us-east-1a',
});

VolumeGrants.fromVolumeWithKey(volume).grantAttachVolumeByResourceTag(instance.grantPrincipal, [instance]);
//                ^----- Different factory method

which will also give the grantee permission to kms:CreateGrant on the encryption key, if one is defined.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the p2 label Oct 10, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team October 10, 2025 11:37
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 10, 2025
otaviomacedo
otaviomacedo commented Oct 10, 2025
View reviewed changes
packages/aws-cdk-lib/aws-iam/lib/grant.ts
readonly policyDependable?: IDependable;
}

export interface IResourceWithKey {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better naming suggestions are welcome.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IEncryptedResource ?

IEncryptableResource ?

rix0rrr
rix0rrr reviewed Oct 10, 2025
View reviewed changes
packages/aws-cdk-lib/aws-ec2/lib/volume.ts
return new VolumeGrants(volume);
}

public static fromVolumeWithKey(volume: IVolumeRef & IResourceWithKey) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No intersections yet please :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(May just mean we need to wait a bit before merging this)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Marked with do-not-merge.

packages/aws-cdk-lib/aws-iam/lib/grant.ts
readonly policyDependable?: IDependable;
}

export interface IResourceWithKey {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IEncryptedResource ?

IEncryptableResource ?

packages/aws-cdk-lib/aws-iam/lib/grant.ts
}

export interface IResourceWithKey {
grantKey(grantee: IGrantable, actions: string[], conditions?: Record<string, Record<string, unknown>>): void;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

addToKeyPolicy() ? With a Statement ?

(Although I guess that's not entirely the thing, is it...)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that would be better. The only question is: a PolicyStatement may have many principals. Should we grant the permission to all of them?

@otaviomacedo otaviomacedo added the pr/do-not-merge This PR should not be merged at this time. label Oct 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rix0rrr rix0rrr rix0rrr left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. p2 pr/do-not-merge This PR should not be merged at this time.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@otaviomacedo @rix0rrr