fix: Ensure correct cluster or db resource pattern is added to rds:Ad…

…dTagsToResource action (#111) Fixes #110
CloudSnorkel · Apr 26, 2024 · b0dbf79 · b0dbf79
1 parent 79c6144
commit b0dbf79
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 3 deletions.
diff --git a/src/index.ts b/src/index.ts
@@ -284,7 +284,7 @@ export class RdsSanitizedSnapshotter extends Construct {
     // needed for creating a snapshot with tags
     this.snapshotter.addToRolePolicy(new iam.PolicyStatement({
       actions: ['rds:AddTagsToResource'],
-      resources: [this.tempSnapshotArn, this.targetSnapshotArn, this.tempDbClusterArn],
+      resources: [this.tempSnapshotArn, this.targetSnapshotArn, this.tempDbClusterArn, this.tempDbInstanceArn],
     }));
 
     // key permissions

diff --git a/test/default.integ.snapshot/RDS-Sanitized-Snapshotter-SFN.assets.json b/test/default.integ.snapshot/RDS-Sanitized-Snapshotter-SFN.assets.json
@@ -40,15 +40,15 @@
         }
       }
     },
-    "77c4d732ada8ebcce7500544251e21c9286d5c95eef46636cafee5a21016e225": {
+    "4d342d6a3f6400ba76ff90f4cd6140b4d7b6f7a8a8c14189a2b75f634544caac": {
       "source": {
         "path": "RDS-Sanitized-Snapshotter-SFN.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "77c4d732ada8ebcce7500544251e21c9286d5c95eef46636cafee5a21016e225.json",
+          "objectKey": "4d342d6a3f6400ba76ff90f4cd6140b4d7b6f7a8a8c14189a2b75f634544caac.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/test/default.integ.snapshot/RDS-Sanitized-Snapshotter-SFN.template.json b/test/default.integ.snapshot/RDS-Sanitized-Snapshotter-SFN.template.json
@@ -1337,6 +1337,26 @@
            ":cluster:sanitize-*"
           ]
          ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":rds:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":db:sanitize-*"
+          ]
+         ]
         }
        ]
       }
@@ -3016,6 +3036,26 @@
            ":cluster:sanitize-*"
           ]
          ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":rds:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":db:sanitize-*"
+          ]
+         ]
         }
        ]
       }
@@ -4549,6 +4589,26 @@
            ":cluster:sanitize-*"
           ]
          ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":rds:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":db:sanitize-*"
+          ]
+         ]
         }
        ]
       },
@@ -6216,6 +6276,26 @@
            ":cluster:sanitize-*"
           ]
          ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":rds:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":db:sanitize-*"
+          ]
+         ]
         }
        ]
       },