GuKCLPolicy: Fix DynamoDB permissions on new KCL v3 tables

rtyley · rtyley · commit 6ed3232be035 · 2025-02-27T13:55:23.000Z
In PR #2578 I failed to give the `UpdateItem` & `DeleteItem` permissions on these new KCL v3 tables: * worker metrics: https://docs.aws.amazon.com/streams/latest/dev/kcl-dynamoDB.html#kcl-worker-metrics-table * coordinator state: https://docs.aws.amazon.com/streams/latest/dev/kcl-dynamoDB.html#kcl-coordinator-state-table ...the permissions were correctly granted on the 'lease' table, so existing code, based on KCL v2, _worked_ (as seen in guardian/apple-news#426 (comment)), but as soon as the code was updated to KCL v3, errors were seen: guardian/apple-news#398 (comment) This fix correctly grants the `UpdateItem` & `DeleteItem` permissions to all 3 tables. For reference, the full list of permissions are at: https://docs.aws.amazon.com/streams/latest/dev/kcl-iam-permissions.html
diff --git a/.changeset/cold-rivers-laugh.md b/.changeset/cold-rivers-laugh.md
@@ -0,0 +1,5 @@
+---
+"@guardian/cdk": patch
+---
+
+GuKCLPolicy: Fix DynamoDB permissions on new KCL v3 tables
diff --git a/src/constructs/iam/policies/kcl.test.ts b/src/constructs/iam/policies/kcl.test.ts
@@ -55,6 +55,8 @@ describe("GuKCLPolicy", () => {
               "dynamodb:DescribeTable",
               "dynamodb:GetItem",
               "dynamodb:PutItem",
+              "dynamodb:UpdateItem",
+              "dynamodb:DeleteItem",
             ],
             Effect: "Allow",
             Resource: [
@@ -91,7 +93,7 @@ describe("GuKCLPolicy", () => {
             ],
           },
           {
-            Action: ["dynamodb:UpdateTable", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
+            Action: "dynamodb:UpdateTable",
             Effect: "Allow",
             Resource: {
               "Fn::Join": [
diff --git a/src/constructs/iam/policies/kcl.ts b/src/constructs/iam/policies/kcl.ts
@@ -24,9 +24,11 @@ const actionsOnAllTables: string[] = [
   "DescribeTable",
   "GetItem",
   "PutItem",
+  "UpdateItem",
+  "DeleteItem",
 ];
 
-const additionalLeaseTableActions: string[] = ["UpdateTable", "UpdateItem", "DeleteItem"];
+const additionalLeaseTableActions: string[] = ["UpdateTable"];
 
 /**
  * Creates an `AWS::IAM::Policy` to grant all the required permissions for the Kinesis Client Library
