(integ-tests-alpha): support granting additional permission

[phuhung273]

Describe the feature

IntegTest awsApiCall should accept an input to give more permission to the Deploy assert lambda.

aws-cdk/packages/@aws-cdk/integ-tests-alpha/lib/assertions/private/deploy-assert.ts

Line 62 in 994e952

public awsApiCall(service: string, api: string, parameters?: any, outputPaths?: string[]): IApiCall {

Use Case

For #32635, integ.assertions.awsApiCall('@aws-sdk/client-api-gateway', 'TestInvokeMethodCommand' automatically grants apigateway:TestInvokeMethodCommand

aws-cdk/packages/@aws-cdk/integ-tests-alpha/lib/assertions/providers/provider.ts

Lines 192 to 199 in 994e952

	public addPolicyStatementFromSdkCall(service: string, api: string, resources?: string[]): void {
	this.lambdaFunction.addPolicies([{
	Action: [awsSdkToIamAction(service, api)],
	Effect: 'Allow',
	Resource: resources || ['*'],
	}]);
	}
	}

But we need something like arn:aws:execute-api:region:account-id:api-id/stage-name/POST/path

If we can let user give more permission, this can fix not only #32635 but any kind of AWS service with complex permission systems

Proposed Solution

Support additionalPolicy to give more permission to Deploy assert Lambda

aws-cdk/packages/@aws-cdk/integ-tests-alpha/lib/assertions/private/deploy-assert.ts

Line 62 in 994e952

public awsApiCall(service: string, api: string, parameters?: any, outputPaths?: string[]): IApiCall {

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

latest

Environment details (OS name and version, etc.)

Ubuntu

[ykethan]

Hey @phuhung273, thank you for filing this issue.

The support for additional IAM permissions for awsApiCall would help test scenarios requiring complex permissions. One possible solutions off the top of my head would probably be:

The entry point awsApiCall method would need to be updated to accept additional policy statements and the Provider's policy management would need to incorporate these.

export interface AwsApiCallProps {
  readonly service: string;
  readonly api: string;
  readonly parameters?: any;
  readonly outputPaths?: string[];
  // Add new optional property for additional IAM policies
  readonly additionalPolicyStatements?: Record<string, any>[];
}

This will allow the awsApiCall method to support both auto-generated and custom permissions:

public awsApiCall(
  service: string, 
  api: string, 
  parameters?: any, 
  outputPaths?: string[],
  additionalPolicyStatements?: Record<string, any>[]
): IApiCall {
  let hash = '';
  try {
    hash = md5hash(this.scope.resolve(parameters));
  } catch {}

  return new AwsApiCall(this.scope, this.uniqueAssertionId(`AwsApiCall${service}${api}${hash}`), {
    api,
    service,
    parameters,
    outputPaths,
    additionalPolicyStatements,
  });
}

The provider will apply both the auto-generated and additional policies:

// In AwsApiCall constructor
if (props.additionalPolicyStatements) {
  props.additionalPolicyStatements.forEach(statement => {
    provider.addToRolePolicy(statement);
  });
}
// Auto-generated permission still applies
provider.addPolicyStatementFromSdkCall(props.service, props.api);

Example usage for API Gateway TestInvoke:

integ.assertions.awsApiCall(
  '@aws-sdk/client-api-gateway',
  'TestInvokeMethodCommand',
  { /* method params */ },
 { /*output paths */ },
  [{
    Effect: 'Allow',
    Action: 'execute-api:Invoke',
    Resource: `arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${apiId}/${stageName}/POST/${path}`
  }]
);

The change is non-breaking and provides a flexible solution for services with complex IAM requirements while maintaining the existing auto-generated permissions functionality.
But any better ideas are always welcome. Feel free to submit your PR and the maintainer will review your PR when it's ready

[phuhung273]

Seems like this is a workaround, leave it here to help others

aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-flow-logs.ts

Lines 132 to 139 in 74cbe27

	const objects = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
	Bucket: featureFlagTest.bucket.bucketName,
	MaxKeys: 1,
	Prefix: `AWSLogs/${featureFlagTest.account}/vpcflowlogs`,
	});
	const assertionProvider = objects.node.tryFindChild('SdkProvider') as AssertionsProvider;
	assertionProvider.addPolicyStatementFromSdkCall('s3', 'ListBucket', [featureFlagTest.bucketArn]);
	assertionProvider.addPolicyStatementFromSdkCall('s3', 'GetObject', [`${featureFlagTest.bucketArn}/*`]);

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.