From abdf95e0f68590d4451c62b2a644637b73a40431 Mon Sep 17 00:00:00 2001
From: Wing Fung Lau <4760060+hawflau@users.noreply.github.com>
Date: Wed, 24 Feb 2021 09:20:10 -0800
Subject: [PATCH 1/2] Fix missing xray policy for State Machine resource
---
samtranslator/model/sam_resources.py | 7 +-
.../model/stepfunctions/generators.py | 7 +-
samtranslator/model/xray_utils.py | 8 ++
.../state_machine_with_xray_policies.yaml | 22 +++
...yaml => state_machine_with_xray_role.yaml} | 0
.../state_machine_with_xray_policies.json | 133 ++++++++++++++++++
...json => state_machine_with_xray_role.json} | 0
.../state_machine_with_xray_policies.json | 133 ++++++++++++++++++
...json => state_machine_with_xray_role.json} | 0
.../state_machine_with_xray_policies.json | 133 ++++++++++++++++++
...json => state_machine_with_xray_role.json} | 0
tests/translator/test_translator.py | 11 +-
12 files changed, 447 insertions(+), 7 deletions(-)
create mode 100644 samtranslator/model/xray_utils.py
create mode 100644 tests/translator/input/state_machine_with_xray_policies.yaml
rename tests/translator/input/{state_machine_with_xray.yaml => state_machine_with_xray_role.yaml} (100%)
create mode 100644 tests/translator/output/aws-cn/state_machine_with_xray_policies.json
rename tests/translator/output/aws-cn/{state_machine_with_xray.json => state_machine_with_xray_role.json} (100%)
create mode 100644 tests/translator/output/aws-us-gov/state_machine_with_xray_policies.json
rename tests/translator/output/aws-us-gov/{state_machine_with_xray.json => state_machine_with_xray_role.json} (100%)
create mode 100644 tests/translator/output/state_machine_with_xray_policies.json
rename tests/translator/output/{state_machine_with_xray.json => state_machine_with_xray_role.json} (100%)
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
index bac7d79ce9..41eaea1773 100644
--- a/samtranslator/model/sam_resources.py
+++ b/samtranslator/model/sam_resources.py
@@ -47,6 +47,7 @@
from samtranslator.model.sns import SNSTopic
from samtranslator.model.stepfunctions import StateMachineGenerator
from samtranslator.model.role_utils import construct_role_for_resource
+from samtranslator.model.xray_utils import get_xray_managed_policy_name
class SamFunction(SamResourceMacro):
@@ -455,11 +456,7 @@ def _construct_role(self, managed_policy_map, event_invoke_policies):
if self.Tracing:
# use previous (old) policy name for regular regions
# for china and gov regions, use the newer policy name
- partition_name = ArnGenerator.get_partition_name()
- if partition_name == "aws":
- managed_policy_name = "AWSXrayWriteOnlyAccess"
- else:
- managed_policy_name = "AWSXRayDaemonWriteAccess"
+ managed_policy_name = get_xray_managed_policy_name()
managed_policy_arns.append(ArnGenerator.generate_aws_managed_policy_arn(managed_policy_name))
if self.VpcConfig:
managed_policy_arns.append(
diff --git a/samtranslator/model/stepfunctions/generators.py b/samtranslator/model/stepfunctions/generators.py
index 726458086c..8e1797c7df 100644
--- a/samtranslator/model/stepfunctions/generators.py
+++ b/samtranslator/model/stepfunctions/generators.py
@@ -17,6 +17,7 @@
from samtranslator.model.tags.resource_tagging import get_tag_list
from samtranslator.model.intrinsics import is_intrinsic
+from samtranslator.model.xray_utils import get_xray_managed_policy_name
from samtranslator.utils.cfn_dynamic_references import is_dynamic_reference
@@ -210,8 +211,12 @@ def _construct_role(self):
:returns: the generated IAM Role
:rtype: model.iam.IAMRole
"""
+ policies = self.policies[:]
+ if self.tracing and self.tracing.get("Enabled") is True:
+ policies.append(get_xray_managed_policy_name())
+
state_machine_policies = ResourcePolicies(
- {"Policies": self.policies},
+ {"Policies": policies},
# No support for policy templates in the "core"
policy_template_processor=None,
)
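Review bot: The guard `self.tracing.get("Enabled") is True` silently omits the X-Ray policy whenever `Enabled` is anything but the literal boolean — a string `"true"`, or an intrinsic such as `Ref`/`Fn::If` to a parameter — while the TracingConfiguration is presumably still emitted from the same `self.tracing`, so the role lacks the X-Ray write policy and the gap only surfaces when executions try to emit traces; `.get` also raises AttributeError if `Tracing` itself is an intrinsic, which `is_intrinsic` (imported in the hunk above) could screen for. `self.policies[:]` followed by `.append` assumes a list, so if `Policies` may be omitted (the old code passed `None` through to `ResourcePolicies` unchanged) or given as a single managed-policy string, this now raises TypeError/AttributeError instead. The name pushed into `Policies` also appears to be resolved through the managed policy map rather than built as an ARN the way sam_resources.py does (test_translator.py had to teach the mock loader both names), so the two resources can diverge when that map lacks the entry. I would normalize first, e.g. `policies = list(self.policies) if isinstance(self.policies, list) else ([self.policies] if self.policies else [])`, and either reject a non-literal `Enabled` with an explicit error or document that only a literal `true` grants the policy. `_construct_role` continues outside the hunk.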
diff --git a/samtranslator/model/xray_utils.py b/samtranslator/model/xray_utils.py
new file mode 100644
index 0000000000..599417c001
--- /dev/null
+++ b/samtranslator/model/xray_utils.py
@@ -0,0 +1,8 @@
+from samtranslator.translator.arn_generator import ArnGenerator
+
+
+def get_xray_managed_policy_name():
+ partition_name = ArnGenerator.get_partition_name()
+ if partition_name == "aws":
+ return "AWSXrayWriteOnlyAccess"
+ return "AWSXRayDaemonWriteAccess"
diff --git a/tests/translator/input/state_machine_with_xray_policies.yaml b/tests/translator/input/state_machine_with_xray_policies.yaml
new file mode 100644
index 0000000000..719d5874ab
--- /dev/null
+++ b/tests/translator/input/state_machine_with_xray_policies.yaml
@@ -0,0 +1,22 @@
+Resources:
+ MyFunction:
+ Type: "AWS::Serverless::Function"
+ Properties:
+ CodeUri: s3://sam-demo-bucket/hello.zip
+ Handler: hello.handler
+ Runtime: python2.7
+
+ StateMachine:
+ Type: AWS::Serverless::StateMachine
+ Properties:
+ Name: MyBasicStateMachine
+ Type: STANDARD
+ DefinitionUri: s3://sam-demo-bucket/my-state-machine.asl.json
+ Tracing:
+ Enabled: true
+ Policies:
+ - Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action: lambda:InvokeFunction
+ Resource: !GetAtt MyFunction.Arn
diff --git a/tests/translator/input/state_machine_with_xray.yaml b/tests/translator/input/state_machine_with_xray_role.yaml
similarity index 100%
rename from tests/translator/input/state_machine_with_xray.yaml
rename to tests/translator/input/state_machine_with_xray_role.yaml
diff --git a/tests/translator/output/aws-cn/state_machine_with_xray_policies.json b/tests/translator/output/aws-cn/state_machine_with_xray_policies.json
new file mode 100644
index 0000000000..c073afdc68
--- /dev/null
+++ b/tests/translator/output/aws-cn/state_machine_with_xray_policies.json
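Review bot: `get_xray_managed_policy_name` has no docstring, and its contract matters to both callers: it returns a managed policy *name*, not an ARN, and it chooses that name from `ArnGenerator.get_partition_name()` rather than from any argument, so the result is only meaningful for the partition the translator is currently configured for. Suggest `"""Return the name (not the ARN) of the AWS managed X-Ray write policy for the partition ArnGenerator is configured for."""` as the docstring, so a caller does not append it where an ARN is expected. The two policy-name literals are also retyped verbatim in test_translator.py; exposing them as module-level constants here would let the test import them instead of duplicating the strings.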
@@ -0,0 +1,133 @@ +{ + "Resources": { + "MyFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "hello.zip" + }, + "Handler": "hello.handler", + "Role": { + "Fn::GetAtt": [ + "MyFunctionRole", + "Arn" + ] + }, + "Runtime": "python2.7", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + } + }, + "MyFunctionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + } + }, + "StateMachine": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "DefinitionS3Location": { + "Bucket": "sam-demo-bucket", + "Key": "my-state-machine.asl.json" + }, + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineRole", + "Arn" + ] + }, + "StateMachineName": "MyBasicStateMachine", + "StateMachineType": "STANDARD", + "Tags": [ + { + "Key": "stateMachine:createdBy", + "Value": "SAM" + } + ], + "TracingConfiguration": { + "Enabled": true + } + } + }, + "StateMachineRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "states.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/AWSXRayDaemonWriteAccess" + ], + "Policies": [ + { + "PolicyName": "StateMachineRolePolicy0", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "MyFunction", + "Arn" + ] + } + } + ] + } + } + ], + "Tags": [ + { + "Key": 
"stateMachine:createdBy", + "Value": "SAM" + } + ] + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/state_machine_with_xray.json b/tests/translator/output/aws-cn/state_machine_with_xray_role.json similarity index 100% rename from tests/translator/output/aws-cn/state_machine_with_xray.json rename to tests/translator/output/aws-cn/state_machine_with_xray_role.json diff --git a/tests/translator/output/aws-us-gov/state_machine_with_xray_policies.json b/tests/translator/output/aws-us-gov/state_machine_with_xray_policies.json new file mode 100644 index 0000000000..287d1b6265 --- /dev/null +++ b/tests/translator/output/aws-us-gov/state_machine_with_xray_policies.json 
@@ -0,0 +1,133 @@ +{ + "Resources": { + "MyFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "hello.zip" + }, + "Handler": "hello.handler", + "Role": { + "Fn::GetAtt": [ + "MyFunctionRole", + "Arn" + ] + }, + "Runtime": "python2.7", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + } + }, + "MyFunctionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + } + }, + "StateMachine": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "DefinitionS3Location": { + "Bucket": "sam-demo-bucket", + "Key": "my-state-machine.asl.json" + }, + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineRole", + "Arn" + ] + }, + "StateMachineName": "MyBasicStateMachine", + "StateMachineType": "STANDARD", + "Tags": [ + { + "Key": "stateMachine:createdBy", + "Value": "SAM" + } + ], + "TracingConfiguration": { + "Enabled": true + } + } + }, + "StateMachineRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "states.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/AWSXRayDaemonWriteAccess" + ], + "Policies": [ + { + "PolicyName": "StateMachineRolePolicy0", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "MyFunction", + "Arn" + ] + } + } + ] + } + } + ], + "Tags": [ + { + 
"Key": "stateMachine:createdBy", + "Value": "SAM" + } + ] + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/state_machine_with_xray.json b/tests/translator/output/aws-us-gov/state_machine_with_xray_role.json similarity index 100% rename from tests/translator/output/aws-us-gov/state_machine_with_xray.json rename to tests/translator/output/aws-us-gov/state_machine_with_xray_role.json diff --git a/tests/translator/output/state_machine_with_xray_policies.json b/tests/translator/output/state_machine_with_xray_policies.json new file mode 100644 index 0000000000..4d23fc62d4 --- /dev/null +++ b/tests/translator/output/state_machine_with_xray_policies.json 
@@ -0,0 +1,133 @@ +{ + "Resources": { + "MyFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "hello.zip" + }, + "Handler": "hello.handler", + "Role": { + "Fn::GetAtt": [ + "MyFunctionRole", + "Arn" + ] + }, + "Runtime": "python2.7", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + } + }, + "MyFunctionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + } + }, + "StateMachine": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "DefinitionS3Location": { + "Bucket": "sam-demo-bucket", + "Key": "my-state-machine.asl.json" + }, + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineRole", + "Arn" + ] + }, + "StateMachineName": "MyBasicStateMachine", + "StateMachineType": "STANDARD", + "Tags": [ + { + "Key": "stateMachine:createdBy", + "Value": "SAM" + } + ], + "TracingConfiguration": { + "Enabled": true + } + } + }, + "StateMachineRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "states.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess" + ], + "Policies": [ + { + "PolicyName": "StateMachineRolePolicy0", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "MyFunction", + "Arn" + ] + } + } + ] + } + } + ], + "Tags": [ + { + "Key": 
"stateMachine:createdBy",
+ "Value": "SAM"
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/translator/output/state_machine_with_xray.json b/tests/translator/output/state_machine_with_xray_role.json
similarity index 100%
rename from tests/translator/output/state_machine_with_xray.json
rename to tests/translator/output/state_machine_with_xray_role.json
diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py
index 07f2016023..0952eaff23 100644
--- a/tests/translator/test_translator.py
+++ b/tests/translator/test_translator.py
@@ -311,7 +311,8 @@ class TestTranslatorEndToEnd(TestCase):
"state_machine_with_api_resource_policy",
"state_machine_with_api_auth_default_scopes",
"state_machine_with_condition_and_events",
- "state_machine_with_xray",
+ "state_machine_with_xray_policies",
+ "state_machine_with_xray_role",
"function_with_file_system_config",
"state_machine_with_permissions_boundary",
],
@@ -349,6 +350,14 @@ def test_transform_success(self, testcase, partition_with_region):
"AmazonDynamoDBReadOnlyAccess": "arn:{}:iam::aws:policy/AmazonDynamoDBReadOnlyAccess".format(partition),
"AWSLambdaRole": "arn:{}:iam::aws:policy/service-role/AWSLambdaRole".format(partition),
}
+ if partition == "aws":
+ mock_policy_loader.load.return_value[
+ "AWSXrayWriteOnlyAccess"
+ ] = "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess"
+ else:
+ mock_policy_loader.load.return_value[
+ "AWSXRayDaemonWriteAccess"
+ ] = "arn:{}:iam::aws:policy/AWSXRayDaemonWriteAccess".format(partition)
output_fragment = transform(manifest, parameter_values, mock_policy_loader)
From a314e62054d060232195f8de2910160cf9ea3204 Mon Sep 17 00:00:00 2001
From: Wing Fung Lau <4760060+hawflau@users.noreply.github.com>
Date: Wed, 24 Feb 2021 20:33:53 -0800
Subject: [PATCH 2/2] Update comment
---
samtranslator/model/sam_resources.py | 2 --
samtranslator/model/xray_utils.py | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
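Review bot: The `if partition == "aws":` / `else:` block reproduces the partition selection of `get_xray_managed_policy_name` inside the test, so a wrong choice in production would show up as an unresolved name in the mock loader rather than as a mismatch against the expected-output JSON, which is the check this end-to-end test is meant to provide. Loading both names for every partition — `mock_policy_loader.load.return_value["AWSXrayWriteOnlyAccess"] = "arn:{}:iam::aws:policy/AWSXrayWriteOnlyAccess".format(partition)` and the same line for `"AWSXRayDaemonWriteAccess"` — makes the expected JSON the single source of truth for which policy each partition gets. It would also match the dictionary literal just above, where every ARN is formatted with `partition` instead of the hard-coded `arn:aws:` used in the first branch. `test_transform_success` continues outside the hunk.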
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
index 41eaea1773..a3a9a6d176 100644
--- a/samtranslator/model/sam_resources.py
+++ b/samtranslator/model/sam_resources.py
@@ -454,8 +454,6 @@ def _construct_role(self, managed_policy_map, event_invoke_policies):
managed_policy_arns = [ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaBasicExecutionRole")]
if self.Tracing:
- # use previous (old) policy name for regular regions
- # for china and gov regions, use the newer policy name
managed_policy_name = get_xray_managed_policy_name()
managed_policy_arns.append(ArnGenerator.generate_aws_managed_policy_arn(managed_policy_name))
if self.VpcConfig:
diff --git a/samtranslator/model/xray_utils.py b/samtranslator/model/xray_utils.py
index 599417c001..361433932f 100644
--- a/samtranslator/model/xray_utils.py
+++ b/samtranslator/model/xray_utils.py
@@ -2,6 +2,8 @@
def get_xray_managed_policy_name():
+ # use previous (old) policy name for regular regions
+ # for china and gov regions, use the newer policy name
partition_name = ArnGenerator.get_partition_name()
if partition_name == "aws":
return "AWSXrayWriteOnlyAccess"