Description
Summary
Currently, as part of the integration tests of the Parameters utility, we create a number of resources. For DynamoDBProvider
specifically we create some DynamoDB tables and then insert some items into them, so that the integration tests can read them.
The current implementation of the tests relies on the AWS SDK to perform those inserts as part of the setup stage (beforeAll
in Jest). This means that the IAM role/identity used is the one assumed by the GitHub Actions worker and obtained via the OIDC connector.
Why is this needed?
The current implementation would require granting additional permissions (DynamoDB writes) to the IAM role assumed by the GitHub Actions worker, which we want to avoid.
Which area does this relate to?
Tests, Parameters
Solution
Move those actions into the stack and do the inserts as part of the deployment. Specifically, given the simplicity of the commands, it's possible to use AwsCustomResource. This will allow us to avoid granting additional permissions to the worker and to delegate the responsibility of communicating with the tables to a custom resource within the stack, whose execution role can be scoped to the test table alone.
Acknowledgment
- This request meets Lambda Powertools Tenets
- Should this be considered in other Lambda Powertools languages? i.e. Python, Java