Skip to content

Commit 18dc472

Browse files
bayoudhibayoudhi
committed
fix: generate IAM roles when using AWS SDK integration with DynamoDB
1 parent 779f459 commit 18dc472

File tree

2 files changed

+32
-12
lines changed

2 files changed

+32
-12
lines changed

lib/deploy/stepFunctions/compileIamRole.js

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -420,8 +420,12 @@ function getIamPermissions(taskStates) {
420420
return getSnsPermissions(this.serverless, state);
421421

422422
case 'arn:aws:states:::dynamodb:updateItem':
423+
case 'arn:aws:states:::aws-sdk:dynamodb:updateItem':
424+
case 'arn:aws:states:::aws-sdk:dynamodb:updateItem.waitForTaskToken':
423425
return getDynamoDBPermissions('dynamodb:UpdateItem', state);
424426
case 'arn:aws:states:::dynamodb:putItem':
427+
case 'arn:aws:states:::aws-sdk:dynamodb:putItem':
428+
case 'arn:aws:states:::aws-sdk:dynamodb:putItem.waitForTaskToken':
425429
return getDynamoDBPermissions('dynamodb:PutItem', state);
426430
case 'arn:aws:states:::dynamodb:getItem':
427431
return getDynamoDBPermissions('dynamodb:GetItem', state);

lib/deploy/stepFunctions/compileIamRole.test.js

Lines changed: 28 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -512,22 +512,22 @@ describe('#compileIamRole', () => {
512512
],
513513
};
514514

515-
const genStateMachine = (id, tableName) => ({
515+
const genStateMachine = (id, tableName, resources) => ({
516516
id,
517517
definition: {
518518
StartAt: 'A',
519519
States: {
520520
A: {
521521
Type: 'Task',
522-
Resource: 'arn:aws:states:::dynamodb:updateItem',
522+
Resource: resources[0],
523523
Parameters: {
524524
TableName: tableName,
525525
},
526526
Next: 'B',
527527
},
528528
B: {
529529
Type: 'Task',
530-
Resource: 'arn:aws:states:::dynamodb:putItem',
530+
Resource: resources[1],
531531
Parameters: {
532532
TableName: tableName,
533533
},
@@ -555,8 +555,10 @@ describe('#compileIamRole', () => {
555555

556556
serverless.service.stepFunctions = {
557557
stateMachines: {
558-
myStateMachine1: genStateMachine('StateMachine1', helloTable),
559-
myStateMachine2: genStateMachine('StateMachine2', worldTable),
558+
myStateMachine1: genStateMachine('StateMachine1', helloTable, ['arn:aws:states:::dynamodb:updateItem', 'arn:aws:states:::dynamodb:putItem']),
559+
myStateMachine2: genStateMachine('StateMachine2', worldTable, ['arn:aws:states:::dynamodb:updateItem', 'arn:aws:states:::dynamodb:putItem']),
560+
myStateMachine3: genStateMachine('StateMachine3', helloTable, ['arn:aws:states:::aws-sdk:dynamodb:updateItem', 'arn:aws:states:::aws-sdk:dynamodb:putItem']),
561+
myStateMachine4: genStateMachine('StateMachine4', worldTable, ['arn:aws:states:::aws-sdk:dynamodb:updateItem.waitForTaskToken', 'arn:aws:states:::aws-sdk:dynamodb:putItem.waitForTaskToken']),
560562
},
561563
};
562564

@@ -565,8 +567,10 @@ describe('#compileIamRole', () => {
565567
.provider.compiledCloudFormationTemplate.Resources;
566568
const policy1 = resources.StateMachine1Role.Properties.Policies[0];
567569
const policy2 = resources.StateMachine2Role.Properties.Policies[0];
570+
const policy3 = resources.StateMachine3Role.Properties.Policies[0];
571+
const policy4 = resources.StateMachine4Role.Properties.Policies[0];
568572

569-
[policy1, policy2].forEach((policy) => {
573+
[policy1, policy2, policy3, policy4].forEach((policy) => {
570574
expect(policy.PolicyDocument.Statement[0].Action)
571575
.to.be.deep.equal([
572576
'dynamodb:UpdateItem',
@@ -580,6 +584,10 @@ describe('#compileIamRole', () => {
580584
.to.be.deep.equal([helloTableArn]);
581585
expect(policy2.PolicyDocument.Statement[0].Resource)
582586
.to.be.deep.equal([worldTableArn]);
587+
expect(policy3.PolicyDocument.Statement[0].Resource)
588+
.to.be.deep.equal([helloTableArn]);
589+
expect(policy4.PolicyDocument.Statement[0].Resource)
590+
.to.be.deep.equal([worldTableArn]);
583591
});
584592

585593
it('should give dynamodb permission for table name imported from external stack', () => {
@@ -598,22 +606,22 @@ describe('#compileIamRole', () => {
598606
],
599607
};
600608

601-
const genStateMachine = (id, tableName) => ({
609+
const genStateMachine = (id, tableName, resources) => ({
602610
id,
603611
definition: {
604612
StartAt: 'A',
605613
States: {
606614
A: {
607615
Type: 'Task',
608-
Resource: 'arn:aws:states:::dynamodb:updateItem',
616+
Resource: resources[0],
609617
Parameters: {
610618
TableName: tableName,
611619
},
612620
Next: 'B',
613621
},
614622
B: {
615623
Type: 'Task',
616-
Resource: 'arn:aws:states:::dynamodb:putItem',
624+
Resource: resources[1],
617625
Parameters: {
618626
TableName: tableName,
619627
},
@@ -641,8 +649,10 @@ describe('#compileIamRole', () => {
641649

642650
serverless.service.stepFunctions = {
643651
stateMachines: {
644-
myStateMachine1: genStateMachine('StateMachine1', externalHelloTable),
645-
myStateMachine2: genStateMachine('StateMachine2', externalWorldTable),
652+
myStateMachine1: genStateMachine('StateMachine1', externalHelloTable, ['arn:aws:states:::dynamodb:updateItem', 'arn:aws:states:::dynamodb:putItem']),
653+
myStateMachine2: genStateMachine('StateMachine2', externalWorldTable, ['arn:aws:states:::dynamodb:updateItem', 'arn:aws:states:::dynamodb:putItem']),
654+
myStateMachine3: genStateMachine('StateMachine3', externalHelloTable, ['arn:aws:states:::aws-sdk:dynamodb:updateItem', 'arn:aws:states:::aws-sdk:dynamodb:putItem']),
655+
myStateMachine4: genStateMachine('StateMachine4', externalWorldTable, ['arn:aws:states:::aws-sdk:dynamodb:updateItem.waitForTaskToken', 'arn:aws:states:::aws-sdk:dynamodb:putItem.waitForTaskToken']),
646656
},
647657
};
648658

@@ -652,8 +662,10 @@ describe('#compileIamRole', () => {
652662
.provider.compiledCloudFormationTemplate.Resources;
653663
const policy1 = resources.StateMachine1Role.Properties.Policies[0];
654664
const policy2 = resources.StateMachine2Role.Properties.Policies[0];
665+
const policy3 = resources.StateMachine3Role.Properties.Policies[0];
666+
const policy4 = resources.StateMachine4Role.Properties.Policies[0];
655667

656-
[policy1, policy2].forEach((policy) => {
668+
[policy1, policy2, policy3, policy4].forEach((policy) => {
657669
expect(policy.PolicyDocument.Statement[0].Action)
658670
.to.be.deep.equal([
659671
'dynamodb:UpdateItem',
@@ -667,6 +679,10 @@ describe('#compileIamRole', () => {
667679
.to.be.deep.equal([helloTableArn]);
668680
expect(policy2.PolicyDocument.Statement[0].Resource)
669681
.to.be.deep.equal([worldTableArn]);
682+
expect(policy3.PolicyDocument.Statement[0].Resource)
683+
.to.be.deep.equal([helloTableArn]);
684+
expect(policy4.PolicyDocument.Statement[0].Resource)
685+
.to.be.deep.equal([worldTableArn]);
670686
});
671687

672688
it('should give dynamodb permission to * whenever TableName.$ is seen', () => {

0 commit comments

Comments
 (0)