Skip to content

fix generated IAM role when there are no Task states #165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jan 31, 2019
Merged

fix generated IAM role when there are no Task states #165

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
29ca84c
- fixed node4/5 error
theburningmonk Jan 30, 2019
4ca4a5c
- issue a Deny all policy statement when there are no Task states in …
theburningmonk Jan 30, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 21 additions & 6 deletions lib/deploy/stepFunctions/compileIamRole.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ function consolidatePermissionsByAction(permissions) {
.mapValues(perms => {
// find the unique resources
let resources = _.uniqWith(_.flatMap(perms, p => p.resource), _.isEqual);
if (resources.includes('*')) {
if (_.includes(resources, '*')) {
resources = '*';
}

Expand Down Expand Up @@ -198,6 +198,25 @@ function getIamPermissions(serverless, taskStates) {
});
}

function getIamStatements(iamPermissions) {
// when the state machine doesn't define any Task states, and therefore doesn't need ANY
// permission, then we should follow the behaviour of the AWS console and return a policy
// that denies access to EVERYTHING
if (_.isEmpty(iamPermissions)) {
return [{
Effect: 'Deny',
Action: '*',
Resource: '*',
}];
}

return iamPermissions.map(p => ({
Effect: 'Allow',
Action: p.action.split(','),
Resource: p.resource,
}));
}

module.exports = {
compileIamRole() {
const customRolesProvided = [];
Expand All @@ -223,11 +242,7 @@ module.exports = {
iamPermissions = consolidatePermissionsByAction(iamPermissions);
iamPermissions = consolidatePermissionsByResource(iamPermissions);

const iamStatements = iamPermissions.map(p => ({
Effect: 'Allow',
Action: p.action.split(','),
Resource: p.resource,
}));
const iamStatements = getIamStatements(iamPermissions);

const iamRoleJson =
iamRoleStateMachineExecutionTemplate
Expand Down
52 changes: 44 additions & 8 deletions lib/deploy/stepFunctions/compileIamRole.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,14 @@ describe('#compileIamRole', () => {
serverlessStepFunctions = new ServerlessStepFunctions(serverless, options);
});

const expectDenyAllPolicy = (policy) => {
const statements = policy.PolicyDocument.Statement;
expect(statements).to.have.lengthOf(1);
expect(statements[0].Effect).to.equal('Deny');
expect(statements[0].Action).to.equal('*');
expect(statements[0].Resource).to.equal('*');
};

it('should do nothing when role property exists in all statmachine properties', () => {
serverless.service.stepFunctions = {
stateMachines: {
Expand Down Expand Up @@ -243,7 +251,7 @@ describe('#compileIamRole', () => {
const policy = serverlessStepFunctions.serverless.service
.provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
.Properties.Policies[0];
expect(policy.PolicyDocument.Statement).to.have.lengthOf(0);
expectDenyAllPolicy(policy);
});

it('should give sqs:SendMessage permission for only SQS referenced by state machine', () => {
Expand Down Expand Up @@ -362,7 +370,7 @@ describe('#compileIamRole', () => {
const policy = serverlessStepFunctions.serverless.service
.provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
.Properties.Policies[0];
expect(policy.PolicyDocument.Statement).to.have.lengthOf(0);
expectDenyAllPolicy(policy);
});

it('should not give sqs:SendMessage permission if QueueUrl is invalid', () => {
Expand Down Expand Up @@ -789,10 +797,10 @@ describe('#compileIamRole', () => {
};

serverlessStepFunctions.compileIamRole();
const statements = serverlessStepFunctions.serverless.service
const policy = serverlessStepFunctions.serverless.service
.provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
.Properties.Policies[0].PolicyDocument.Statement;
expect(statements).to.have.lengthOf(0);
.Properties.Policies[0];
expectDenyAllPolicy(policy);
});

it('should not generate any permissions for Task states not yet supported', () => {
Expand All @@ -818,9 +826,37 @@ describe('#compileIamRole', () => {
};

serverlessStepFunctions.compileIamRole();
const statements = serverlessStepFunctions.serverless.service
const policy = serverlessStepFunctions.serverless.service
.provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
.Properties.Policies[0].PolicyDocument.Statement;
expect(statements).to.have.lengthOf(0);
.Properties.Policies[0];
expectDenyAllPolicy(policy);
});

it('should generate a Deny all statement if state machine has no tasks', () => {
const genStateMachine = (name) => ({
name,
definition: {
StartAt: 'A',
States: {
A: {
Type: 'Pass',
End: true,
},
},
},
});

serverless.service.stepFunctions = {
stateMachines: {
myStateMachine1: genStateMachine('stateMachineBeta1'),
myStateMachine2: genStateMachine('stateMachineBeta2'),
},
};

serverlessStepFunctions.compileIamRole();
const policy = serverlessStepFunctions.serverless.service
.provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
.Properties.Policies[0];
expectDenyAllPolicy(policy);
});
});