Merge pull request #12 from AntonBazhal/vpc

Add VPC managed policy when VPC is configured
AntonBazhal · Feb 16, 2021 · effc3ff · effc3ff
2 parents ffd6c81 + 162429b
commit effc3ff
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 3 deletions.
diff --git a/index.js b/index.js
@@ -3,6 +3,17 @@
 const semver = require('semver');
 const set = require('lodash.set');
 
+const VPC_POLICY = {
+  'Fn::Join': [
+    '',
+    [
+      'arn:',
+      { Ref: 'AWS::Partition' },
+      ':iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole',
+    ],
+  ],
+};
+
 class CustomRoles {
   constructor(serverless, options) {
     if (!semver.satisfies(serverless.version, '>= 1.12')) {
@@ -135,8 +146,8 @@ class CustomRoles {
     return this.getPolicyFromStatements('streams', statements);
   }
 
-  getRole(stackName, functionName, policies) {
-    return {
+  getRole(stackName, functionName, policies, managedPolicies) {
+    const role = {
       Type: 'AWS::IAM::Role',
       Properties: {
         AssumeRolePolicyDocument: {
@@ -152,6 +163,12 @@ class CustomRoles {
         Policies: policies
       }
     };
+
+    if (managedPolicies && managedPolicies.length) {
+      role.Properties.ManagedPolicyArns = managedPolicies;
+    }
+
+    return role;
   }
 
   getRoleId(functionName) {
@@ -175,7 +192,9 @@ class CustomRoles {
       const functionObj = service.getFunction(functionName);
       const roleId = this.getRoleId(functionName);
 
+      const managedPolicies = [];
       const policies = [this.getLoggingPolicy(functionObj.name)];
+
       if (sharedPolicy) {
         policies.push(sharedPolicy);
       }
@@ -190,7 +209,11 @@ class CustomRoles {
         policies.push(streamsPolicy);
       }
 
-      const roleResource = this.getRole(stackName, functionName, policies);
+      if (service.provider.vpc || functionObj.vpc) {
+        managedPolicies.push(VPC_POLICY);
+      }
+
+      const roleResource = this.getRole(stackName, functionName, policies, managedPolicies);
 
       functionObj.role = roleId;
       set(service, `resources.Resources.${roleId}`, roleResource);

diff --git a/test/index-tests.js b/test/index-tests.js
@@ -9,6 +9,17 @@ const CustomRoles = require('../index');
 chai.use(chaiSubset);
 const expect = chai.expect;
 
+const VPC_POLICY = {
+  'Fn::Join': [
+    '',
+    [
+      'arn:',
+      { Ref: 'AWS::Partition' },
+      ':iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole',
+    ],
+  ],
+};
+
 function createTestInstance(options) {
   options = options || {}; // eslint-disable-line no-param-reassign
 
@@ -574,5 +585,81 @@ describe('serverless-plugin-custom-roles', function() {
 
       sinon.assert.notCalled(instance.serverless.cli.log);
     });
+
+    it('should add vpc policy when function has vpc configuration', function() {
+      const instance = createTestInstance({
+        functions: {
+          function1: {
+            vpc: {
+              securityGroupIds: ['securityGroupId1']
+            }
+          }
+        }
+      });
+
+      instance.createRoles();
+
+      expect(instance)
+        .to.have.nested.property('serverless.service.resources')
+        .that.containSubset({
+          Resources: {
+            Function1LambdaFunctionRole: {
+              Type: 'AWS::IAM::Role',
+              Properties: {
+                ManagedPolicyArns: [VPC_POLICY]
+              }
+            }
+          }
+        });
+
+      sinon.assert.notCalled(instance.serverless.cli.log);
+    });
+
+    it('should add vpc policy when provider has vpc configuration', function() {
+      const instance = createTestInstance({
+        provider: {
+          vpc: {
+            securityGroupIds: ['securityGroupId1']
+          }
+        },
+        functions: {
+          function1: {}
+        }
+      });
+
+      instance.createRoles();
+
+      expect(instance)
+        .to.have.nested.property('serverless.service.resources')
+        .that.containSubset({
+          Resources: {
+            Function1LambdaFunctionRole: {
+              Type: 'AWS::IAM::Role',
+              Properties: {
+                ManagedPolicyArns: [VPC_POLICY]
+              }
+            }
+          }
+        });
+
+      sinon.assert.notCalled(instance.serverless.cli.log);
+    });
+
+    it('should not add vpc policy when vpc is not configured', function() {
+      const instance = createTestInstance({
+        provider: {},
+        functions: {
+          function1: {}
+        }
+      });
+
+      instance.createRoles();
+
+      expect(instance)
+        .to.have.nested.property('serverless.service.resources.Resources.Function1LambdaFunctionRole.Properties')
+        .that.does.not.have.property('ManagedPolicyArns');
+
+      sinon.assert.notCalled(instance.serverless.cli.log);
+    });
   });
 });