test: add unit tests for grantStreamRead

Author: Dane Pilcher

packages/amplify-graphql-model-transformer/src/__tests__/amplify-dynamodb-table-construct.test.ts

@@ -6,6 +6,9 @@ import {
 } from '../resources/amplify-dynamodb-table/amplify-dynamodb-table-construct';
 import { AttributeType, StreamViewType, TableEncryption } from 'aws-cdk-lib/aws-dynamodb';
 import { Template } from 'aws-cdk-lib/assertions';
+import { Role, ArnPrincipal, PolicyDocument } from 'aws-cdk-lib/aws-iam';
+import { Key } from 'aws-cdk-lib/aws-kms';
+import { Match } from 'aws-cdk-lib/assertions';
 
 describe('Amplify DynamoDB Table Construct Tests', () => {
   it('render the default amplify dynamodb table in correct form', () => {
@@ -170,4 +173,90 @@ describe('Amplify DynamoDB Table Construct Tests', () => {
       isImported: true,
     });
   });
+
+  describe('grantStreamRead', () => {
+    it('grants read access table stream', () => {
+      const stack = new cdk.Stack();
+      const table = new AmplifyDynamoDBTable(stack, 'MockTable', {
+        customResourceServiceToken: 'mockResourceServiceToken',
+        tableName: 'mockTableName',
+        partitionKey: {
+          name: 'id',
+          type: AttributeType.STRING,
+        },
+        encryptionKey: new Key(stack, 'MockKey', {}),
+        stream: StreamViewType.NEW_AND_OLD_IMAGES,
+      });
+      table.grantStreamRead(
+        new Role(stack, 'MockRole', {
+          assumedBy: new ArnPrincipal('mock_principal'),
+        }),
+      );
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::IAM::Policy', {
+        PolicyDocument: Match.objectLike({
+          Statement: Match.arrayWith([
+            {
+              Action: ['dynamodb:ListStreams', 'dynamodb:DescribeStream', 'dynamodb:GetRecords', 'dynamodb:GetShardIterator'],
+              Effect: 'Allow',
+              Resource: {
+                'Fn::GetAtt': ['MockTable', 'TableStreamArn'],
+              },
+            },
+          ]),
+        }),
+      });
+    });
+
+    it('throws when stream arn is undefined', () => {
+      const stack = new cdk.Stack();
+      const table = new AmplifyDynamoDBTable(stack, 'MockTable', {
+        customResourceServiceToken: 'mockResourceServiceToken',
+        tableName: 'mockTableName',
+        partitionKey: {
+          name: 'id',
+          type: AttributeType.STRING,
+        },
+        isImported: true,
+      });
+
+      expect(() =>
+        table.grantStreamRead(
+          new Role(stack, 'MockRole', {
+            assumedBy: new ArnPrincipal('mock_principal'),
+          }),
+        ),
+      ).toThrow('No stream ARNs found on the table Default/MockTable');
+    });
+  });
+
+  it('grants access to encryption key', () => {
+    const stack = new cdk.Stack();
+    const table = new AmplifyDynamoDBTable(stack, 'MockTable', {
+      customResourceServiceToken: 'mockResourceServiceToken',
+      tableName: 'mockTableName',
+      partitionKey: {
+        name: 'id',
+        type: AttributeType.STRING,
+      },
+      encryptionKey: new Key(stack, 'MockKey', {}),
+      stream: StreamViewType.NEW_AND_OLD_IMAGES,
+    });
+    table.grantStreamRead(
+      new Role(stack, 'MockRole', {
+        assumedBy: new ArnPrincipal('mock_principal'),
+      }),
+    );
+    const template = Template.fromStack(stack);
+    template.hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: Match.objectLike({
+        Statement: Match.arrayWith([
+          Match.objectLike({
+            Action: ['kms:Decrypt', 'kms:DescribeKey'],
+            Effect: 'Allow',
+          }),
+        ]),
+      }),
+    });
+  });
 });

packages/amplify-graphql-model-transformer/src/__tests__/amplify-dynamodb-table-generator.test.ts

@@ -156,8 +156,7 @@ describe('ModelTransformer:', () => {
     type Post @model @searchable {
       id: ID!
       title: String!
-    }
-  `;
+    }`;
 
     const out = testTransform({
       schema: validSchema,