fix: create a function for improved readability

Signed-off-by: lennartrommeiss <[email protected]>
dbsystel · Aug 23, 2024 · 082e6d7 · 082e6d7
1 parent d0e399f
commit 082e6d7
Showing 1 changed file with 77 additions and 75 deletions.
diff --git a/src/SopsSync.ts b/src/SopsSync.ts
@@ -11,6 +11,7 @@ import {
 } from 'aws-cdk-lib';
 import {
   IGrantable,
+  IRole,
   ManagedPolicy,
   PolicyStatement,
 } from 'aws-cdk-lib/aws-iam';
@@ -346,82 +347,10 @@ export class SopsSync extends Construct {
           props.encryptionKey?.grantEncryptDecrypt(provider);
         }
         if (props.parameterNames) {
-          // Avoid too large policies
-          // The maximum size of a managed policy is 6.144 bytes -> 1 character = 1 byte
-          const maxPolicyBytes = 6000; // Keep some bytes as a buffer
-          const arnPrefixBytes = 55; // Content for "arn:aws:ssm:ap-southeast-3:<accountnumer>:parameter/
-          let startAtParameter = 0;
-          let currentPolicyBytes = 300; // Reserve some byte space for basic stuff inside the policy
-          for (let i = 0; i < props.parameterNames.length; i += 1) {
-            if (
-              // Check if the current parameter would fit into the policy
-              arnPrefixBytes +
-                props.parameterNames[i].length +
-                currentPolicyBytes <
-              maxPolicyBytes
-            ) {
-              // If so increase the byte counter
-              currentPolicyBytes =
-                arnPrefixBytes +
-                props.parameterNames[i].length +
-                currentPolicyBytes;
-            } else {
-              const parameterNamesChunk = props.parameterNames.slice(
-                startAtParameter,
-                i, //end of slice is not included
-              );
-              startAtParameter = i;
-              currentPolicyBytes = 300;
-              // Create the policy for the selected chunk
-              const putPolicy = new ManagedPolicy(
-                this,
-                `SopsSecretParameterProviderManagedPolicyParameterAccess${i}`,
-                {
-                  description:
-                    'Policy to grant parameter provider permissions to put parameter',
-                },
-              );
-              putPolicy.addStatements(
-                new PolicyStatement({
-                  actions: ['ssm:PutParameter'],
-                  resources: parameterNamesChunk.map(
-                    (param) =>
-                      `arn:aws:ssm:${Stack.of(this).region}:${
-                        Stack.of(this).account
-                      }:parameter${
-                        param.startsWith('/') ? param : `/${param}`
-                      }`,
-                  ),
-                }),
-              );
-              provider.role.addManagedPolicy(putPolicy);
-            }
-          }
-          const parameterNamesChunk = props.parameterNames.slice(
-            startAtParameter,
-            props.parameterNames.length, //end of slice is not included
+          this.createReducedParameterPolicy(
+            props.parameterNames,
+            provider.role,
           );
-          // Create the policy for the remaning elements
-          const putPolicy = new ManagedPolicy(
-            this,
-            `SopsSecretParameterProviderManagedPolicyParameterAccess${props.parameterNames.length}`,
-            {
-              description:
-                'Policy to grant parameter provider permissions to put parameter',
-            },
-          );
-          putPolicy.addStatements(
-            new PolicyStatement({
-              actions: ['ssm:PutParameter'],
-              resources: parameterNamesChunk.map(
-                (param) =>
-                  `arn:aws:ssm:${Stack.of(this).region}:${
-                    Stack.of(this).account
-                  }:parameter${param.startsWith('/') ? param : `/${param}`}`,
-              ),
-            }),
-          );
-          provider.role.addManagedPolicy(putPolicy);
           props.encryptionKey?.grantEncryptDecrypt(provider);
         }
         if (sopsAsset !== undefined) {
@@ -498,4 +427,77 @@ export class SopsSync extends Construct {
     });
     this.versionId = cr.getAttString('VersionId');
   }
+
+  private createReducedParameterPolicy(parameters: string[], role: IRole) {
+    // Avoid too large policies
+    // The maximum size of a managed policy is 6.144 bytes -> 1 character = 1 byte
+    const maxPolicyBytes = 6000; // Keep some bytes as a buffer
+    const arnPrefixBytes = 55; // Content for "arn:aws:ssm:ap-southeast-3:<accountnumer>:parameter/
+    let startAtParameter = 0;
+    let currentPolicyBytes = 300; // Reserve some byte space for basic stuff inside the policy
+    for (let i = 0; i < parameters.length; i += 1) {
+      if (
+        // Check if the current parameter would fit into the policy
+        arnPrefixBytes + parameters[i].length + currentPolicyBytes <
+        maxPolicyBytes
+      ) {
+        // If so increase the byte counter
+        currentPolicyBytes =
+          arnPrefixBytes + parameters[i].length + currentPolicyBytes;
+      } else {
+        const parameterNamesChunk = parameters.slice(
+          startAtParameter,
+          i, //end of slice is not included
+        );
+        startAtParameter = i;
+        currentPolicyBytes = 300;
+        // Create the policy for the selected chunk
+        const putPolicy = new ManagedPolicy(
+          this,
+          `SopsSecretParameterProviderManagedPolicyParameterAccess${i}`,
+          {
+            description:
+              'Policy to grant parameter provider permissions to put parameter',
+          },
+        );
+        putPolicy.addStatements(
+          new PolicyStatement({
+            actions: ['ssm:PutParameter'],
+            resources: parameterNamesChunk.map(
+              (param) =>
+                `arn:aws:ssm:${Stack.of(this).region}:${
+                  Stack.of(this).account
+                }:parameter${param.startsWith('/') ? param : `/${param}`}`,
+            ),
+          }),
+        );
+        role.addManagedPolicy(putPolicy);
+      }
+    }
+    const parameterNamesChunk = parameters.slice(
+      startAtParameter,
+      parameters.length,
+    );
+    // Create the policy for the remaning elements
+    const putPolicy = new ManagedPolicy(
+      this,
+      `SopsSecretParameterProviderManagedPolicyParameterAccess${parameters.length}`,
+      {
+        description:
+          'Policy to grant parameter provider permissions to put parameter',
+      },
+    );
+    putPolicy.addStatements(
+      new PolicyStatement({
+        actions: ['ssm:PutParameter'],
+        resources: parameterNamesChunk.map(
+          (param) =>
+            `arn:aws:ssm:${Stack.of(this).region}:${
+              Stack.of(this).account
+            }:parameter${param.startsWith('/') ? param : `/${param}`}`,
+        ),
+      }),
+    );
+    role.addManagedPolicy(putPolicy);
+  }
 }