aws · mergify · Jan 13, 2025 · Nov 29, 2024 · Dec 1, 2024 · Dec 1, 2024
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md b/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
@@ -34,6 +34,7 @@ The following targets are supported:
 9. `targets.KinesisDataFirehosePutRecord`: [Put a record to a Kinesis Data Firehose](#put-a-record-to-a-kinesis-data-firehose)
 10. `targets.CodePipelineStartPipelineExecution`: [Start a CodePipeline execution](#start-a-codepipeline-execution)
 11. `targets.SageMakerStartPipelineExecution`: [Start a SageMaker pipeline execution](#start-a-sagemaker-pipeline-execution)
+12. `targets.Universal`: [Invoke a wider set of AWS API](#invoke-a-wider-set-of-aws-api)
 
 ## Invoke a Lambda function
 
@@ -312,3 +313,54 @@ new Schedule(this, 'Schedule', {
   }),
 });
 ```
+
+## Invoke a wider set of AWS API
+
+Use the `Universal` target to invoke AWS API.
+
+The code snippet below creates an event rule with AWS API as the target which is
+called at midnight every day by EventBridge Scheduler.
+
+```ts
+new Schedule(this, 'Schedule', {
+  schedule: ScheduleExpression.cron({
+    minute: '0',
+    hour: '0',
+  }),
+  target: new targets.Universal({
+    service: 'rds',
+    action: 'stopDBCluster',
+    input: ScheduleTargetInput.fromObject({
+      DbClusterIdentifier: 'my-db',
+    }),
+  }),
+});
+```
+
+The `service` must be in lowercase and the `action` must be in camelCase.
+
+By default, IAM policies for the Scheduler are extracted from the API call.
+
+You can also provide custom IAM policy statements to the Scheduler.
+
+This is useful when you want to control the permissions of the Scheduler.
+
+```ts
+new Schedule(this, 'Schedule', {
+  schedule: ScheduleExpression.rate(Duration.minutes(60)),
+  target: new targets.Universal({
+    service: 'sqs',
+    action: 'sendMessage',
+    policyStatements: [
+      new iam.PolicyStatement({
+        actions: ['sqs:SendMessage'],
+        resources: ['arn:aws:sqs:us-east-1:123456789012:my_queue'],
+      }),
+      new iam.PolicyStatement({
+        actions: ['kms:Decrypt', 'kms:GenerateDataKey*'],
+        resources: ['arn:aws:kms:us-west-1:123456789012:key/0987dcba-09fe-87dc-65ba-ab0987654321'],
+      }),
+    ],
+  }),
+});
+```
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/index.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/index.ts
@@ -10,3 +10,4 @@ export * from './sns-publish';
 export * from './sqs-send-message';
 export * from './stepfunctions-start-execution';
 export * from './target';
+export * from './universal';
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts
@@ -0,0 +1,110 @@
+import { IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
+import { Aws, Token } from 'aws-cdk-lib';
+import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
+import { awsSdkToIamAction } from 'aws-cdk-lib/custom-resources/lib/helpers-internal';
+import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
+
+/**
+ * AWS read-only API action name prefixes that are not supported by EventBridge Scheduler.
+ *
+ * @see https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html
+ */
+const NOT_SUPPORTED_ACTION_PREFIX = [
+  'get',
+  'describe',
+  'list',
+  'poll',
+  'receive',
+  'search',
+  'scan',
+  'query',
+  'select',
+  'read',
+  'lookup',
+  'discover',
+  'validate',
+  'batchGet',
+  'batchDescribe',
+  'batchRead',
+  'transactGet',
+  'adminGet',
+  'adminList',
+  'testMigration',
+  'retrieve',
+  'testConnection',
+  'translateDocument',
+  'isAuthorized',
+  'invokeModel',
+];
+
+/**
+ * Properties for a Universal Target
+ */
+export interface UniversalProps extends ScheduleTargetBaseProps {
-export interface UniversalProps extends ScheduleTargetBaseProps {
+export interface UniversalTargetProps extends ScheduleTargetBaseProps {
-export interface UniversalProps extends ScheduleTargetBaseProps {
+export interface UniversalTargetProps extends ScheduleTargetBaseProps {
+  /**
+   * The AWS service to call.
+   *
+   * This must be in lowercase.
+   */
+  readonly service: string;
+
+  /**
+   * The API action to call.
+   *
+   * You cannot use read-only API actions such as common GET operations.
+   *
+   * Also, This must be in camelCase.
-   * The API action to call.
-   *
-   * You cannot use read-only API actions such as common GET operations.
-   *
-   * Also, This must be in camelCase.
+   * The API action to call. Must be camelCase.
+   *
+   * You cannot use read-only API actions such as common GET operations. See https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html#unsupported-api-actions
-   * The API action to call.
-   *
-   * You cannot use read-only API actions such as common GET operations.
-   *
-   * Also, This must be in camelCase.
+   * The API action to call. Must be camelCase.
+   *
+   * You cannot use read-only API actions such as common GET operations. See https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html#unsupported-api-actions
+   */
+  readonly action: string;
+
+  /**
+   * The IAM policy statements to allow the API call.
+   *
+   * These policies will be added to the role used to invoke the API.
+   *
+   * @default - extract the permission from the API call
+   */
+  readonly policyStatements?: PolicyStatement[];
+}
+
+/**
+ * Use a wider set of AWS API as a target for AWS EventBridge Scheduler.
+ *
+ * @see https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html
+ */
+export class Universal extends ScheduleTargetBase implements IScheduleTarget {
+  constructor(
+    private readonly props: UniversalProps,
+  ) {
+    const service = props.service;
+    const action = props.action;
+
+    if (!Token.isUnresolved(service) && service !== service.toLowerCase()) {
+      throw new Error(`API service must be lowercase, got: ${service}`);
+    }
+    if (!Token.isUnresolved(action) && !action.startsWith(action[0]?.toLowerCase())) {
+      throw new Error(`API action must be camelCase, got: ${action}`);
+    }
+    if (!Token.isUnresolved(action) && NOT_SUPPORTED_ACTION_PREFIX.some(prefix => action.startsWith(prefix))) {
+      throw new Error(`Read-only API action is not supported by EventBridge Scheduler: ${service}:${action}`);
+    }
+
+    const arn = `arn:${Aws.PARTITION}:scheduler:::aws-sdk:${service}:${action}`;
+    super(props, arn);
+  }
+
+  protected addTargetActionToRole(role: IRole): void {
+    // If policyStatements are not provided or are empty, add a policy statement extracted from the API call
+    if (!this.props.policyStatements?.length) {
+      role.addToPrincipalPolicy(new PolicyStatement({
+        actions: [awsSdkToIamAction(this.props.service, this.props.action)],
+        resources: ['*'],
+      }));
+      return;
+    }
+
+    for (const policyStatement of this.props.policyStatements) {
+      role.addToPrincipalPolicy(policyStatement);
+    }
+  }
+}
diff --git a/...r-targets-alpha/test/integ.universal.js.snapshot/AwsSchedulerTargetsUniversal.assets.json b/...r-targets-alpha/test/integ.universal.js.snapshot/AwsSchedulerTargetsUniversal.assets.json
diff --git a/...targets-alpha/test/integ.universal.js.snapshot/AwsSchedulerTargetsUniversal.template.json b/...targets-alpha/test/integ.universal.js.snapshot/AwsSchedulerTargetsUniversal.template.json
@@ -0,0 +1,139 @@
+{
+ "Resources": {
+  "Schedule83A77FD1": {
+   "Type": "AWS::Scheduler::Schedule",
+   "Properties": {
+    "FlexibleTimeWindow": {
+     "Mode": "OFF"
+    },
+    "ScheduleExpression": "rate(1 minute)",
+    "ScheduleExpressionTimezone": "Etc/UTC",
+    "State": "ENABLED",
+    "Target": {
+     "Arn": {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":scheduler:::aws-sdk:sqs:createQueue"
+       ]
+      ]
+     },
+     "Input": "{\"QueueName\":\"aws-scheduler-targets-create-queue\"}",
+     "RetryPolicy": {
+      "MaximumEventAgeInSeconds": 86400,
+      "MaximumRetryAttempts": 185
+     },
+     "RoleArn": {
+      "Fn::GetAtt": [
+       "SchedulerRoleForTarget5cddf726972933",
+       "Arn"
+      ]
+     }
+    }
+   }
+  },
+  "SchedulerRoleForTarget5cddf726972933": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Condition": {
+        "StringEquals": {
+         "aws:SourceAccount": {
+          "Ref": "AWS::AccountId"
+         },
+         "aws:SourceArn": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":scheduler:",
+            {
+             "Ref": "AWS::Region"
+            },
+            ":",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":schedule-group/default"
+           ]
+          ]
+         }
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "scheduler.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "SchedulerRoleForTarget5cddf7DefaultPolicy3159C97B": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sqs:CreateQueue",
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "SchedulerRoleForTarget5cddf7DefaultPolicy3159C97B",
+    "Roles": [
+     {
+      "Ref": "SchedulerRoleForTarget5cddf726972933"
+     }
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...integ.universal.js.snapshot/IntegTestUniversalDefaultTestDeployAssert42BBB3FD.assets.json b/...integ.universal.js.snapshot/IntegTestUniversalDefaultTestDeployAssert42BBB3FD.assets.json