Merge pull request getlift#49 from t-richard/fix/deprecated-iam-role-…

…statements fix: allow to use the new provider.iam.role.statements
jianfeng-huang · Jun 21, 2021 · 907632e · 907632e
2 parents 61c6642 + 430322c
commit 907632e
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 0 deletions.
diff --git a/src/plugin.ts b/src/plugin.ts
@@ -209,6 +209,15 @@ class LiftPlugin {
         if (statements.length === 0) {
             return;
         }
+
+        const role = this.serverless.service.provider.iam?.role;
+
+        if (typeof role === "object" && "statements" in role) {
+            role.statements?.push(...statements);
+
+            return;
+        }
+
         this.serverless.service.provider.iamRoleStatements = this.serverless.service.provider.iamRoleStatements ?? [];
         this.serverless.service.provider.iamRoleStatements.push(...statements);
     }

diff --git a/test/fixtures/permissions/serverless.yml b/test/fixtures/permissions/serverless.yml
@@ -0,0 +1,13 @@
+service: storage
+configValidationMode: error
+
+provider:
+  name: aws
+
+functions:
+  foo:
+    handler: worker.handler
+
+constructs:
+  testStorage:
+    type: storage
diff --git a/test/fixtures/permissions/worker.js b/test/fixtures/permissions/worker.js
diff --git a/test/unit/permissions.test.ts b/test/unit/permissions.test.ts
@@ -0,0 +1,105 @@
+import { get, merge } from "lodash";
+import { pluginConfigExt, runServerless } from "../utils/runServerless";
+
+type CfTemplate = {
+    Resources: Record<string, unknown>;
+    Outputs?: Record<string, unknown>;
+};
+
+function expectLiftStorageStatementIsAdded(cfTemplate: CfTemplate) {
+    expect(get(cfTemplate.Resources.IamRoleLambdaExecution, "Properties.Policies[0].PolicyDocument.Statement")).toEqual(
+        expect.arrayContaining([
+            expect.objectContaining({
+                Effect: "Allow",
+                Action: ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"],
+            }),
+        ])
+    );
+}
+
+function expectUserDynamoStatementIsAdded(cfTemplate: CfTemplate) {
+    expect(
+        get(cfTemplate.Resources.IamRoleLambdaExecution, "Properties.Policies[0].PolicyDocument.Statement")
+    ).toContainEqual({
+        Effect: "Allow",
+        Action: ["dynamodb:PutItem"],
+        Resource: "arn:aws:dynamodb:us-east-1:123456789012:table/myDynamoDBTable",
+    });
+}
+
+describe("permissions", () => {
+    it("should not override user-defined role", async () => {
+        const { cfTemplate } = await runServerless({
+            fixture: "permissions",
+            configExt: merge({}, pluginConfigExt, {
+                provider: {
+                    iam: {
+                        role: "arn:aws:iam::123456789012:role/role",
+                    },
+                },
+            }),
+            cliArgs: ["package"],
+        });
+        expect(cfTemplate.Resources.FooLambdaFunction).toMatchObject({
+            Properties: {
+                Role: "arn:aws:iam::123456789012:role/role",
+            },
+        });
+    });
+
+    it("should append permissions when using iam.role.statements", async () => {
+        const { cfTemplate } = await runServerless({
+            fixture: "permissions",
+            configExt: merge({}, pluginConfigExt, {
+                provider: {
+                    iam: {
+                        role: {
+                            statements: [
+                                {
+                                    Effect: "Allow",
+                                    Action: ["dynamodb:PutItem"],
+                                    Resource: "arn:aws:dynamodb:us-east-1:123456789012:table/myDynamoDBTable",
+                                },
+                            ],
+                        },
+                    },
+                },
+            }),
+            cliArgs: ["package"],
+        });
+
+        expectUserDynamoStatementIsAdded(cfTemplate);
+        expectLiftStorageStatementIsAdded(cfTemplate);
+    });
+
+    it("should append permissions when using the deprecated iamRoleStatements", async () => {
+        const { cfTemplate } = await runServerless({
+            fixture: "permissions",
+            configExt: merge({}, pluginConfigExt, {
+                provider: {
+                    iamRoleStatements: [
+                        {
+                            Effect: "Allow",
+                            Action: ["dynamodb:PutItem"],
+                            Resource: "arn:aws:dynamodb:us-east-1:123456789012:table/myDynamoDBTable",
+                        },
+                    ],
+                },
+            }),
+            cliArgs: ["package"],
+        });
+
+        expectUserDynamoStatementIsAdded(cfTemplate);
+        expectLiftStorageStatementIsAdded(cfTemplate);
+    });
+
+    it("should add permissions when no custom statements are provided", async () => {
+        const { cfTemplate } = await runServerless({
+            fixture: "permissions",
+            configExt: pluginConfigExt,
+            cliArgs: ["package"],
+        });
+
+        expectLiftStorageStatementIsAdded(cfTemplate);
+    });
+});