Improve IAM role statements, policies and principals internal handling and resolution #8511
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2525,6 +2525,118 @@ describe('AwsCompileFunctions #2', () => { | |
| }); | ||
| }); | ||
|
|
||
| describe('IamConfig object tests', async () => { | ||
|
There was a problem hiding this comment. Concerning tests, as indicated in main issue description, let's not put any effort in updating them in current shape. Technically we're just refactoring internals, and result CloudFormation template should remain same (at least it should produce very same effect) To avoid tests breaking on internal changes, we need to refactor affected tests to I've outlined on how to do that for two tests files that you're trying to update here Check: #8523 and #8524 Until those are addressed, we need assume that this PR cannot be merged (but it doesn't stop us from finalizing this refactor - it just cannot be properly validated until tests are refactored). After we refactor all affected tests, the only test changes that may be wanted in scope of this PR is moving some of the tests to other files, or improving the coverage, that's it, but I would decide that once we have all tests refactored, and functionality in this PR ready |
||
| let serverless; | ||
| let awsNaming; | ||
|
|
||
| before(async () => { | ||
| ({ serverless, awsNaming } = await runServerless({ | ||
| fixture: 'function', | ||
| configExt: { | ||
| functions: { | ||
| custom: { name: 'custom-name', handler: 'index.handler' }, | ||
| canonical: { | ||
| handler: 'index.handler', | ||
| vpc: { securityGroupIds: ['securityGroupId1'], subnetIds: ['subnetId1'] }, | ||
| }, | ||
| }, | ||
| }, | ||
| cliArgs: ['package'], | ||
| })); | ||
| }); | ||
|
|
||
| it('Should create iamConfig object', () => { | ||
| serverless.service.getAllFunctions().forEach(functionName => { | ||
| const functionObject = serverless.service.getFunction(functionName); | ||
| expect(functionObject.iamConfig).to.exist; | ||
| }); | ||
| }); | ||
|
|
||
| it('should add log policies to iamConfig object', () => { | ||
| const logStatementsTemplate = [ | ||
| { | ||
| Effect: 'Allow', | ||
| Action: ['logs:CreateLogStream', 'logs:CreateLogGroup'], | ||
| Resource: [], | ||
| }, | ||
| { | ||
| Effect: 'Allow', | ||
| Action: ['logs:PutLogEvents'], | ||
| Resource: [], | ||
| }, | ||
| ]; | ||
|
|
||
| const canonicalFunctionNamePrefix = `${serverless.service.service}-${serverless | ||
| .getProvider('aws') | ||
| .getStage()}`; | ||
| const logGroupsPrefix = awsNaming.getLogGroupName(canonicalFunctionNamePrefix); | ||
|
|
||
| serverless.service.getAllFunctions().forEach(functionName => { | ||
| const functionObject = serverless.service.getFunction(functionName); | ||
| const resolvedFunctionName = functionObject.name; | ||
|
|
||
| // if function has canonical name | ||
| if (!resolvedFunctionName || resolvedFunctionName.startsWith(canonicalFunctionNamePrefix)) { | ||
| logStatementsTemplate[0].Resource.push({ | ||
| 'Fn::Sub': | ||
| 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' + | ||
| `:log-group:${logGroupsPrefix}*:*`, | ||
| }); | ||
|
|
||
| logStatementsTemplate[1].Resource.push({ | ||
| 'Fn::Sub': | ||
| 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' + | ||
| `:log-group:${logGroupsPrefix}*:*:*`, | ||
| }); | ||
| } else { | ||
| // if function has custom name resolution | ||
| const customFunctionNameLogGroupsPrefix = awsNaming.getLogGroupName(resolvedFunctionName); | ||
|
|
||
| logStatementsTemplate[0].Resource.push({ | ||
| 'Fn::Sub': | ||
| 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' + | ||
| `:log-group:${customFunctionNameLogGroupsPrefix}:*`, | ||
| }); | ||
|
|
||
| logStatementsTemplate[1].Resource.push({ | ||
| 'Fn::Sub': | ||
| 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' + | ||
| `:log-group:${customFunctionNameLogGroupsPrefix}:*:*`, | ||
| }); | ||
| } | ||
|
|
||
| const statements = functionObject.iamConfig.policyStatements; | ||
|
|
||
| expect(statements).to.deep.include(logStatementsTemplate[0]); | ||
| expect(statements).to.deep.include(logStatementsTemplate[1]); | ||
|
|
||
| logStatementsTemplate[0].Resource = []; | ||
| logStatementsTemplate[1].Resource = []; | ||
| }); | ||
| }); | ||
|
|
||
| it('should add vpc managed policies to iamConfig object when vpc config is present', () => { | ||
| const vpcManagedPolicy = { | ||
| 'Fn::Join': [ | ||
| '', | ||
| [ | ||
| 'arn:', | ||
| { Ref: 'AWS::Partition' }, | ||
| ':iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole', | ||
| ], | ||
| ], | ||
| }; | ||
|
|
||
| serverless.service.getAllFunctions().forEach(functionName => { | ||
| const functionObject = serverless.service.getFunction(functionName); | ||
|
|
||
| if (!_.isEmpty(functionObject.vpc)) { | ||
| expect(functionObject.iamConfig.managedPolicies).to.deep.include(vpcManagedPolicy); | ||
| } | ||
| }); | ||
| }); | ||
| }); | ||
|
|
||
| describe('when using fileSystemConfig', () => { | ||
| const arn = | ||
| 'arn:aws:elasticfilesystem:us-east-1:111111111111:access-point/fsap-a1a1a1a1a1a1a1a1a'; | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This ideally should be initialized in
mergeIamTemplates.js(so we have this configuration setup upfront, while this plugin is complied as some next item in order afaik)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @medikoo . I tried this before but it was giving me multiple errors (~63), which is why I opted for including this code in
functions/index.jsinstead. I put the code inmergeIamTemplates.jsin my latest commit so you can take a look. Maybe there's something I'm missing?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What errors specifically? Is this about failing tests, if so in that case, please list all test files - we need to refactor them to
runServelressvariant.Technically this upgrade should not require any tests to be written or updated, and just work, but for that we need to have many tests refactored to new approach
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The errors only occur when the code to create the
functions[].iamConfigobjects are included inmergeIamTemplates.jsinstead offunctions/index.js. All the errors are fromindex.test.jsand they all say this:so I think it means the iamConfig object hasn't been created yet. That's why I opted for including this code in
functions/index.jsinstead since I thinkmergeIamTemplates.jshasn't yet run by the timefunctions/index.jsis executed.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This means that we need to address #8523. After having that, there won't be such error.
Again, let's not get blocked, or have our implementation influenced by failing (for wrong reason) tests. We have very bad tests in many places, and all that fail should be simply refactored (as proposed in above issue)