// Copyright 2016-2019, Pulumi Corporation. All rights reserved.
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";
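/**
 * Creates an IAM role that the AppSync service can assume to read and write a
 * single DynamoDB table, and attaches a customer-managed policy scoped to that
 * table only.
 *
 * @param name - Prefix used for the role, policy and attachment resource names.
 * @param table - The DynamoDB table the role may access; only its ARN is used,
 *   so the permissions policy grants nothing beyond that one table.
 * @returns The created role, so callers can wire it to the resources that
 *   need to assume it.
 */
export function createIamRole(name: string, table: aws.dynamodb.Table): aws.iam.Role {
    // Trust policy: only the AppSync service principal may assume this role.
    // NOTE(review): the trust statement carries no condition, so any AppSync
    // API (in any account) could assume it. Once the API ARN is known, pin it
    // with an `aws:SourceArn` / `aws:SourceAccount` condition to rule out
    // cross-account confused-deputy use.
    const role = new aws.iam.Role(`${name}-role`, {
        assumeRolePolicy: aws.iam.getPolicyDocument({
            statements: [{
                actions: ["sts:AssumeRole"],
                principals: [{
                    identifiers: ["appsync.amazonaws.com"],
                    type: "Service",
                }],
                effect: "Allow",
            }],
        }, { async: true }).then(doc => doc.json),
    });

    // Permissions policy: least privilege — exactly two item-level actions,
    // restricted to this table's ARN. The ARN is an Output, so the document
    // has to be rendered inside apply().
    const policy = new aws.iam.Policy(`${name}-policy`, {
        policy: table.arn.apply(arn => aws.iam.getPolicyDocument({
            statements: [{
                actions: ["dynamodb:PutItem", "dynamodb:GetItem"],
                resources: [arn],
                effect: "Allow",
            }],
        }, { async: true }).then(doc => doc.json)),
    });

    // Declared purely for its side effect (registering the attachment with
    // Pulumi); the handle itself was an unused local in the original.
    new aws.iam.RolePolicyAttachment(`${name}-rpa`, {
        role: role,
        policyArn: policy.arn,
    });

    return role;
}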