Merge pull request #71 from functionalone/master

chore: prod release 3.1.0

.eslintrc.js

@@ -33,6 +33,7 @@ module.exports = {
     'camelcase': ERROR,
     'space-infix-ops': ERROR,
     'keyword-spacing': ERROR,
+    'space-before-blocks': ERROR,
     'spaced-comment': ERROR,
     'arrow-body-style': [ERROR, 'as-needed'],
     'comma-dangle': [ERROR, 'always-multiline'],

CHANGELOG.md

@@ -2,7 +2,18 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-### [3.0.1](https://github.com/functionalone/serverless-iam-roles-per-function/compare/v3.0.0...v3.0.1) (2020-11-28)
+## [3.1.0](https://github.com/functionalone/serverless-iam-roles-per-function/compare/v3.0.2...v3.1.0) (2020-12-17)
+
+
+### Features
+
+* Permission boundary [PR#68](https://github.com/functionalone/serverless-iam-roles-per-function/pull/68)
+
+## [3.0.2](https://github.com/functionalone/serverless-iam-roles-per-function/compare/v3.0.1...v3.0.2) (2020-12-04)
+
+### Bug Fixes
+Add `logs:CreateLogGroup` action to default policy ([#42](https://github.com/functionalone/serverless-iam-roles-per-function/issues/42)) ([b5e1837](https://github.com/functionalone/serverless-iam-roles-per-function/commit/b5e1837))
+## [3.0.1](https://github.com/functionalone/serverless-iam-roles-per-function/compare/v3.0.0...v3.0.1) (2020-11-28)
 
 
 ### Features

README.md

@@ -125,6 +125,35 @@ functions:
     ...
 ```  
 
+## Permissions boundaries
+
+Define iamPermissionsBoundary definitions at the function level:
+
+```yaml
+functions:
+  func1:
+    handler: handler.get
+    iamPermissionsBoundary: arn:aws:iam::xxxxx:policy/your_permissions_boundary_policy
+    iamRoleStatementsName: my-custom-role-name 
+    iamRoleStatements:
+      - Effect: "Allow"        
+        Action:
+          - sqs:*        
+        Resource: "*"
+    ...
+```
+
+You can set permissionsBoundary for all roles with iamGlobalPermissionsBoundary in custom:
+
+```yaml
+custom:
+  serverless-iam-roles-per-function:
+    iamGlobalPermissionsBoundary: arn:aws:iam::xxxx:policy/permissions-boundary-policy
+```
+
+For more information, see [Permissions Boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html).
+
+
 ## Contributing
 Contributions are welcome and appreciated. 
 
@@ -143,6 +172,16 @@ Contributions are welcome and appreciated.
   npm install --save-dev serverless-iam-roles-per-function@next
   ``` 
 
+## Publishing a Production Release (Maintainers)
+Once a contributed PR (or multiple PRs) have been merged into `master`, there is need to publish a production release, after we are sure that the release is stable. Maintainers with commit access to the repository can publish a release by merging into the `release` branch. Steps to follow:
+* Verify that the current deployed pre-release version under the `next` tag in npmjs is working properly. Usually, it is best to allow the `next` version to gain traction a week or two before releasing. Also, if the version solves a specific reported issue, ask the community on the issue to test out the `next` version.
+* Make sure the version being used in master hasn't been released. This can happen if a PR was merged without bumping the version by running `npm run release`. If the version needs to be advanced, open a PR to advance the version as specified [here](#contributing).
+* Open a PR to merge into the `release` branch. Use as a base the `release` branch and compare the `tag` version to `release`. For example:
+![Example PR](https://user-images.githubusercontent.com/1395797/101236848-1866e180-36dd-11eb-9281-6c726d15e4f1.png)
+
+* Once approved by another maintainer, merge the PR.
+* Make sure to check after the Travis CI build completes that the release has been published to the `latest` tag on [nmpjs](https://www.npmjs.com/package/serverless-iam-roles-per-function?activeTab=versions). 
+
 ## More Info
 
 **Introduction post**:
@@ -155,8 +194,8 @@ Contributions are welcome and appreciated.
 [npm-url]:http://npmjs.org/package/serverless-iam-roles-per-function
 [sls-image]:http://public.serverless.com/badges/v3.svg
 [sls-url]:http://www.serverless.com
-[travis-image]:https://travis-ci.org/functionalone/serverless-iam-roles-per-function.svg?branch=master
-[travis-url]:https://travis-ci.org/functionalone/serverless-iam-roles-per-function
+[travis-image]:https://travis-ci.com/functionalone/serverless-iam-roles-per-function.svg?branch=master
+[travis-url]:https://travis-ci.com/functionalone/serverless-iam-roles-per-function
 [david-image]:https://david-dm.org/functionalone/serverless-iam-roles-per-function/status.svg
 [david-url]:https://david-dm.org/functionalone/serverless-iam-roles-per-function
 [coveralls-image]:https://coveralls.io/repos/github/functionalone/serverless-iam-roles-per-function/badge.svg?branch=master

package.json

@@ -1,7 +1,7 @@
 {
   "name": "serverless-iam-roles-per-function",
   "private": false,
-  "version": "3.0.1",
+  "version": "3.1.0",
   "engines": {
     "node": ">=10"
   },

src/lib/index.ts

@@ -39,9 +39,8 @@ class ServerlessIamPerFunctionPlugin {
           [PLUGIN_NAME]: {
             type: 'object',
             properties: {
-              defaultInherit: {
-                type: 'boolean',
-              },
+              defaultInherit: { type: 'boolean' },
+              iamGlobalPermissionsBoundary: { $ref: '#/definitions/awsArnString' },
             },
             additionalProperties: false,
           },
@@ -56,6 +55,7 @@ class ServerlessIamPerFunctionPlugin {
           properties: {
             iamRoleStatementsInherit: { type: 'boolean' },
             iamRoleStatementsName: { type: 'string' },
+            iamPermissionsBoundary: { $ref: '#/definitions/awsArnString' },
             iamRoleStatements: { $ref: '#/definitions/awsIamPolicyStatements' },
           },
         });
@@ -300,7 +300,7 @@ class ServerlessIamPerFunctionPlugin {
     // set log statements
     policyStatements[0] = {
       Effect: 'Allow',
-      Action: ['logs:CreateLogStream', 'logs:PutLogEvents'],
+      Action: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
       Resource: [
         {
           'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' +
@@ -355,6 +355,24 @@ class ServerlessIamPerFunctionPlugin {
         policyStatements.push(s);
       }
     }
+
+    // add iamPermissionsBoundary
+    const iamPermissionsBoundary = functionObject.iamPermissionsBoundary;
+    const iamGlobalPermissionsBoundary =
+      _.get(this.serverless.service, `custom.${PLUGIN_NAME}.iamGlobalPermissionsBoundary`);
+
+    if (iamPermissionsBoundary || iamGlobalPermissionsBoundary) {
+      functionIamRole.Properties.PermissionsBoundary = {
+        'Fn::Sub': iamPermissionsBoundary || iamGlobalPermissionsBoundary,
+      }
+    }
+
+    if (iamGlobalPermissionsBoundary) {
+      globalIamRole.Properties.PermissionsBoundary = {
+        'Fn::Sub': iamGlobalPermissionsBoundary,
+      }
+    }
+
     functionIamRole.Properties.RoleName = functionObject.iamRoleStatementsName
       || this.getFunctionRoleName(functionName);
     const roleResourceName = this.serverless.providers.aws.naming.getNormalizedFunctionName(functionName)

src/test/funcs-with-iam.json

@@ -106,6 +106,14 @@
         "securityGroupIds": ["sg-xxxxxx"],
         "subnetIds": ["subnet-xxxx", "subnet-yyyy"]
       }
+    },
+    "helloPermissionsBoundary": {
+      "handler": "handler.permissionsBoundary",
+      "iamRoleStatements": [],
+      "iamPermissionsBoundary": "arn:aws:iam::xxxxx:policy/your_permissions_boundary_policy",
+      "events": [],
+      "name": "test-permissions-boundary-hello",
+      "package": {}
     }
   },
   "resources": {

src/test/index.test.ts

@@ -417,6 +417,25 @@ describe('plugin tests', function(this: any) {
         assert.isTrue(statements.find((s) => s.Action[0] === 'xray:PutTelemetryRecords') === undefined,
           'global statements not imported as iamRoleStatementsInherit is false');
       });
+
+      it('should add permission policy arn when there is iamPermissionsBoundary defined', () => {
+        const compiledResources = serverless.service.provider.compiledCloudFormationTemplate.Resources;
+        plugin.createRolesPerFunction();
+        const helloPermissionsBoundaryIamRole = compiledResources.HelloPermissionsBoundaryIamRoleLambdaExecution;
+        const policyName = helloPermissionsBoundaryIamRole.Properties.PermissionsBoundary['Fn::Sub'];
+        assert.equal(policyName, 'arn:aws:iam::xxxxx:policy/your_permissions_boundary_policy');
+      })
+
+      it('should add permission policy arn when there is iamGlobalPermissionsBoundary defined', () => {
+        const compiledResources = serverless.service.provider.compiledCloudFormationTemplate.Resources;
+        serverless.service.custom['serverless-iam-roles-per-function'] = {
+          iamGlobalPermissionsBoundary: 'arn:aws:iam::xxxxx:policy/permissions_boundary',
+        };
+        plugin.createRolesPerFunction();
+        const defaultIamRoleLambdaExecution = compiledResources.IamRoleLambdaExecution;
+        const policyName = defaultIamRoleLambdaExecution.Properties.PermissionsBoundary['Fn::Sub'];
+        assert.equal(policyName, 'arn:aws:iam::xxxxx:policy/permissions_boundary');
+      })
     });
   });