refactor: support s3 key resolve with jsonata value and fallback to wildcard

mikewongblinx · mikewongblinx · commit d301b8e9f8e7 · 2025-09-26T10:48:49.000+01:00
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -8,6 +8,14 @@ const { getArnPartition } = require('../../utils/arn');
 
 const logger = require('../../utils/logger');
 
+/**
+ * Check if a value is a JSONata value template
+ * e.g {% $.some.path %}
+ */
+function isJsonataValueTemplate(value) {
+  return typeof value === 'string' && value.trim().startsWith('{%') && value.trim().endsWith('}');
+}
+
 function getTaskStates(states, stateMachineName) {
   return _.flatMap(states, (state) => {
     switch (state.Type) {
@@ -657,7 +665,13 @@ function resolveS3BucketReferences(bucket, resources) {
 function getS3ObjectPermissions(action, state) {
   // Use the helper so both Arguments (JSONata) and Parameters (JSONPath) are supported
   const bucket = getParameterOrArgument(state, 'Bucket') || '*';
-  const key = getParameterOrArgument(state, 'Key') || '*';
+  let key = getParameterOrArgument(state, 'Key') || '*';
+  if (isJsonataValueTemplate(key)) {
+    console.warn(
+      "Warning: When using JSONata, S3 object permissions will be given for all objects in the bucket"
+    );
+    key = "*";
+  }
   const prefix = getParameterOrArgument(state, 'Prefix');
   let arn;
 
