feat: add grantStreamRead to amplify managed table

Author: Dane Pilcher

packages/amplify-graphql-model-transformer/src/__tests__/amplify-dynamodb-table-generator.test.ts

@@ -6,6 +6,7 @@ import {
 } from '@aws-amplify/graphql-transformer-core';
 import { parse } from 'graphql';
 import { ModelTransformer } from '../graphql-model-transformer';
+import { SearchableModelTransformer } from '@aws-amplify/graphql-searchable-transformer';
 import { CUSTOM_DDB_CFN_TYPE, CUSTOM_IMPORTED_DDB_CFN_TYPE } from '../resources/amplify-dynamodb-table/amplify-dynamodb-table-construct';
 import { ITERATIVE_TABLE_STACK_NAME } from '../resources/amplify-dynamodb-table/amplify-dynamo-model-resource-generator';
 
@@ -149,4 +150,26 @@ describe('ModelTransformer:', () => {
     };
     expect(() => testTransform(transformOption)).toThrow('No resource generator assigned for Post with dbType DYNAMODB');
   });
+
+  it('should allow searchable on amplify managed table', async () => {
+    const validSchema = `
+    type Post @model @searchable {
+      id: ID!
+      title: String!
+    }
+  `;
+
+    const out = testTransform({
+      schema: validSchema,
+      transformers: [new ModelTransformer(), new SearchableModelTransformer()],
+      dataSourceStrategies: {
+        Post: DDB_AMPLIFY_MANAGED_DATASOURCE_STRATEGY,
+      },
+    });
+    expect(out).toBeDefined();
+    expect(out.stacks.SearchableStack).toBeDefined();
+
+    validateModelSchema(parse(out.schema));
+    parse(out.schema);
+  });
 });

packages/amplify-graphql-model-transformer/src/resources/amplify-dynamodb-table/amplify-dynamodb-table-construct/index.ts

@@ -14,6 +14,7 @@ import {
   TableEncryption,
   TableProps,
 } from 'aws-cdk-lib/aws-dynamodb';
+import { IGrantable, Grant } from 'aws-cdk-lib/aws-iam';
 import { Construct } from 'constructs';
 
 const HASH_KEY_TYPE = 'HASH';
@@ -202,6 +203,20 @@ export class AmplifyDynamoDBTable extends Resource {
     return schema;
   }
 
+  public grantStreamRead(grantee: IGrantable): Grant {
+    if (!this.tableStreamArn) {
+      throw new Error(`No stream ARNs found on the table ${this.node.path}`);
+    }
+    if (this.encryptionKey) {
+      this.encryptionKey.grant(grantee, 'kms:Decrypt', 'kms:DescribeKey');
+    }
+    return Grant.addToPrincipal({
+      grantee,
+      actions: ['dynamodb:ListStreams', 'dynamodb:DescribeStream', 'dynamodb:GetRecords', 'dynamodb:GetShardIterator'],
+      resourceArns: [this.tableStreamArn],
+    });
+  }
+
   private addKey(attribute: Attribute, keyType: string) {
     const existingProp = this.findKey(keyType);
     if (existingProp) {