feat: add support for allowUnauthenticated and custom IAM definitions

serverless · Jun 24, 2020 · ef0fa2d · ef0fa2d
1 parent ad8cf16
commit ef0fa2d
Show file tree

Hide file tree

Showing 2 changed files with 501 additions and 0 deletions.
diff --git a/package/lib/compileFunctions.js b/package/lib/compileFunctions.js
@@ -24,6 +24,7 @@ module.exports = {
       validateHandlerProperty(funcObject, functionName);
       validateEventsProperty(funcObject, functionName);
       validateVpcConnectorProperty(funcObject, functionName);
+      validateIamProperty(funcObject, functionName);
 
       const funcTemplate = getFunctionTemplate(
         funcObject,
@@ -51,6 +52,11 @@ module.exports = {
         _.get(this, 'serverless.service.provider.environment'),
         funcObject.environment // eslint-disable-line comma-dangle
       );
+      funcTemplate.accessControl.gcpIamPolicy.bindings = _.unionBy(
+        _.get(funcObject, 'iam.bindings'),
+        _.get(this, 'serverless.service.provider.iam.bindings'),
+        'role'
+      );
 
       if (!funcTemplate.properties.serviceAccountEmail) {
         delete funcTemplate.properties.serviceAccountEmail;
@@ -83,6 +89,14 @@ module.exports = {
 
         funcTemplate.properties.httpsTrigger = {};
         funcTemplate.properties.httpsTrigger.url = url;
+
+        if (_.get(funcObject, 'allowUnauthenticated') === true) {
+          funcTemplate.accessControl.gcpIamPolicy.bindings = _.unionBy(
+            [{ role: 'roles/cloudfunctions.invoker', members: ['allUsers'] }],
+            funcTemplate.accessControl.gcpIamPolicy.bindings,
+            'role'
+          );
+        }
       }
       if (eventType === 'event') {
         const type = funcObject.events[0].event.eventType;
@@ -95,6 +109,10 @@ module.exports = {
         funcTemplate.properties.eventTrigger.resource = resource;
       }
 
+      if (!_.size(funcTemplate.accessControl.gcpIamPolicy.bindings)) {
+        delete funcTemplate.accessControl;
+      }
+
       this.serverless.service.provider.compiledConfigurationTemplate.resources.push(funcTemplate);
     });
 
@@ -157,6 +175,29 @@ const validateVpcConnectorProperty = (funcObject, functionName) => {
   }
 };
 
+const validateIamProperty = (funcObject, functionName) => {
+  if (_.get(funcObject, 'iam.bindings') && funcObject.iam.bindings.length > 0) {
+    funcObject.iam.bindings.forEach((binding) => {
+      if (!binding.role) {
+        const errorMessage = [
+          `The function "${functionName}" has no role specified for an IAM binding.`,
+          ' Each binding requires a role. For details on supported roles, see the documentation',
+          ' at: https://cloud.google.com/iam/docs/understanding-roles',
+        ].join('');
+        throw new Error(errorMessage);
+      }
+      if (!binding.members || binding.members.length === 0) {
+        const errorMessage = [
+          `The function "${functionName}" has no members specified for an IAM binding.`,
+          ' Each binding requires at least one member to be assigned. See the IAM documentation',
+          ' for details on configuring members: https://cloud.google.com/iam/docs/overview',
+        ].join('');
+        throw new Error(errorMessage);
+      }
+    });
+  }
+};
+
 const getFunctionTemplate = (funcObject, projectName, region, sourceArchiveUrl) => {
   //eslint-disable-line
   return {
@@ -171,5 +212,10 @@ const getFunctionTemplate = (funcObject, projectName, region, sourceArchiveUrl)
       function: funcObject.name,
       sourceArchiveUrl,
     },
+    accessControl: {
+      gcpIamPolicy: {
+        bindings: [],
+      },
+    },
   };
 };