fix: support per function role with an empty iamRoleStatements clause (issue #9)

Author: glicht

.gitignore

@@ -3,7 +3,7 @@ node_modules
 #dist is only for the package
 dist
 #ignore npm pack output
-serverless-iam-role-per-function-*.tgz
+serverless-iam-roles-per-function-*.tgz
 #ignore coverage dir
 coverage
 .nyc_output

README.md

@@ -46,7 +46,22 @@ functions:
     ...
 ```
 
-The plugin will create a dedicated role for each function that has an `iamRoleStatements` definition. It will include the permissions for create and write to CloudWatch logs and if VPC is defined: `AWSLambdaVPCAccessExecutionRole` will be included (as is done when using `iamRoleStatements` at the provider level).
+The plugin will create a dedicated role for each function that has an `iamRoleStatements` definition. It will include the permissions for create and write to CloudWatch logs, stream events and if VPC is defined: `AWSLambdaVPCAccessExecutionRole` will be included (as is done when using `iamRoleStatements` at the provider level).
+
+if `iamRoleStatements` are not defined at the function level default behavior is maintained and the function will receive the global iam role. It is possible to define an empty `iamRoleStatements` for a function and then the function will receive a dedicated role with only the permissions needed for CloudWatch and (if needed) stream events and VPC. Example of defining a function with empty `iamRoleStatements` and configured VPC. The function will receive a custom role with CloudWatch logs permissions and the policy `AWSLambdaVPCAccessExecutionRole`:
+
+```yaml
+functions:
+  func1:
+    handler: handler.get    
+    iamRoleStatements: []
+    vpc:
+      securityGroupIds:
+        - sg-xxxxxx
+      subnetIds:
+        - subnet-xxxx
+        - subnet-xxxxx
+```
 
 By default, function level `iamRoleStatements` override the provider level definition. It is also possible to inherit the provider level definition by specifying the option `iamRoleStatementsInherit: true`:
 

src/lib/index.ts

@@ -29,6 +29,9 @@ class ServerlessIamPerFunctionPlugin {
   }
 
   validateStatements(statements: any): void {
+    if(_.isEmpty(statements)) {
+      return;
+    }
     const awsPackagePluginName = "AwsPackage";
     if(!this.awsPackagePlugin) {
       for (const plugin of this.serverless.pluginManager.plugins) {
@@ -145,7 +148,7 @@ class ServerlessIamPerFunctionPlugin {
    */
   createRoleForFunction(functionName: string, functionToRoleMap: Map<string, string>) {
     const functionObject = this.serverless.service.getFunction(functionName);
-    if(_.isEmpty(functionObject.iamRoleStatements)) {
+    if(functionObject.iamRoleStatements === undefined) {
       return;
     }
     if(functionObject.role) {
@@ -197,8 +200,10 @@ class ServerlessIamPerFunctionPlugin {
       }
     }
     //add iamRoleStatements
-    for (const s of functionObject.iamRoleStatements) {
-      policyStatements.push(s);    
+    if(_.isArray(functionObject.iamRoleStatements)) {
+      for (const s of functionObject.iamRoleStatements) {
+        policyStatements.push(s);    
+      }
     }        
     functionIamRole.Properties.RoleName = functionObject.iamRoleStatementsName || this.getFunctionRoleName(functionName);
     const roleResourceName = this.serverless.providers.aws.naming.getNormalizedFunctionName(functionName) + globalRoleName;