feat: support referencing exact version

theburningmonk · theburningmonk · commit e967f0454cfd · 2019-08-18T21:09:03.000+02:00
Closes #240
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -152,46 +152,66 @@ function getLambdaPermissions(state) {
   if (_.isString(functionName)) {
     const segments = functionName.split(':');
 
-    let functionArn;
+    let functionArns;
     if (functionName.startsWith('arn:aws:lambda')) {
       // full ARN
-      functionArn = functionName;
+      functionArns = [
+        functionName,
+        `${functionName}:*`,
+      ];
     } else if (segments.length === 3 && segments[0].match(/^\d+$/)) {
       // partial ARN
-      functionArn = {
-        'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:${functionName}`,
-      };
+      functionArns = [
+        { 'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:${functionName}` },
+        { 'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:${functionName}:*` },
+      ];
     } else {
       // name-only (with or without alias)
-      functionArn = {
-        'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}`,
-      };
+      functionArns = [
+        {
+          'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}`,
+        },
+        {
+          'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}:*`,
+        },
+      ];
     }
 
     return [{
       action: 'lambda:InvokeFunction',
-      resource: functionArn,
+      resource: functionArns,
     }];
   } if (_.has(functionName, 'Fn::GetAtt')) {
     // because the FunctionName parameter can be either a name or ARN
     // so you should be able to use Fn::GetAtt here to get the ARN
+    const functionArn = translateLocalFunctionNames.bind(this)(functionName);
     return [{
       action: 'lambda:InvokeFunction',
-      resource: translateLocalFunctionNames.bind(this)(functionName),
+      resource: [
+        functionArn,
+        { 'Fn::Sub': ['${functionArn}:*', { functionArn }] },
+      ],
     }];
   } if (_.has(functionName, 'Ref')) {
     // because the FunctionName parameter can be either a name or ARN
     // so you should be able to use Ref here to get the function name
+    const functionArn = translateLocalFunctionNames.bind(this)(functionName);
     return [{
       action: 'lambda:InvokeFunction',
-      resource: {
-        'Fn::Sub': [
-          'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}',
-          {
-            FunctionName: translateLocalFunctionNames.bind(this)(functionName),
-          },
-        ],
-      },
+      resource: [
+        {
+          'Fn::Sub': [
+            'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionArn}',
+            { functionArn },
+          ],
+        },
+        {
+          'Fn::Sub': [
+            'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionArn}:*',
+            { functionArn },
+          ],
+        },
+      ],
     }];
   }
 
@@ -278,9 +298,13 @@ function getIamPermissions(taskStates) {
 
       default:
         if (isIntrinsic(state.Resource) || state.Resource.startsWith('arn:aws:lambda')) {
+          const functionArn = translateLocalFunctionNames.bind(this)(state.Resource);
           return [{
             action: 'lambda:InvokeFunction',
-            resource: translateLocalFunctionNames.bind(this)(state.Resource),
+            resource: [
+              functionArn,
+              { 'Fn::Sub': ['${functionArn}:*', { functionArn }] },
+            ],
           }];
         }
         this.serverless.cli.consoleLog('Cannot generate IAM policy statement for Task state', state);
diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -99,7 +99,7 @@ describe('#compileIamRole', () => {
     const helloLambda = 'arn:aws:lambda:123:*:function:hello';
     const worldLambda = 'arn:aws:lambda:*:*:function:world';
     const fooLambda = 'arn:aws:lambda:us-west-2::function:foo_';
-    const barLambda = 'arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:bar';
+    const barLambda = 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:bar';
 
     const genStateMachine = (name, lambda1, lambda2) => ({
       name,
@@ -131,8 +131,21 @@ describe('#compileIamRole', () => {
     const policy = serverlessStepFunctions.serverless.service
       .provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
       .Properties.Policies[0];
-    expect(policy.PolicyDocument.Statement[0].Resource)
-      .to.be.deep.equal([helloLambda, worldLambda, fooLambda, barLambda]);
+    expect(policy.PolicyDocument.Statement[0].Action).to.deep.equal(['lambda:InvokeFunction']);
+
+    const resources = policy.PolicyDocument.Statement[0].Resource;
+    expect(resources).to.have.lengthOf(8);
+
+    expect(resources).to.include.members([helloLambda, worldLambda, fooLambda, barLambda]);
+
+    const versionResources = resources.filter(x => x['Fn::Sub']);
+    versionResources.forEach((x) => {
+      const template = x['Fn::Sub'][0];
+      expect(template).to.equal('${functionArn}:*');
+    });
+
+    const versionedArns = versionResources.map(x => x['Fn::Sub'][1].functionArn);
+    expect(versionedArns).to.deep.equal([helloLambda, worldLambda, fooLambda, barLambda]);
   });
 
   it('should give sns:Publish permission for only SNS topics referenced by state machine', () => {
@@ -786,7 +799,7 @@ describe('#compileIamRole', () => {
 
     const lambdaPermissions = statements.filter(s => _.isEqual(s.Action, ['lambda:InvokeFunction']));
     expect(lambdaPermissions).to.have.lengthOf(1);
-    expect(lambdaPermissions[0].Resource).to.deep.eq([lambda1, lambda2]);
+    expect(lambdaPermissions[0].Resource).to.include.members([lambda1, lambda2]);
 
     const snsPermissions = statements.filter(s => _.isEqual(s.Action, ['sns:Publish']));
     expect(snsPermissions).to.have.lengthOf(1);
@@ -969,7 +982,7 @@ describe('#compileIamRole', () => {
     const statements = policy.PolicyDocument.Statement;
 
     const lambdaPermissions = statements.find(x => x.Action[0] === 'lambda:InvokeFunction');
-    expect(lambdaPermissions.Resource).to.be.deep.equal([
+    expect(lambdaPermissions.Resource).to.deep.include.members([
       { Ref: 'MyFunction' }, { Ref: 'MyFunction2' }]);
 
     const snsPermissions = statements.find(x => x.Action[0] === 'sns:Publish');
@@ -1130,7 +1143,7 @@ describe('#compileIamRole', () => {
       'arn:aws:lambda:us-west-2:1234567890:function:c',
       { 'Fn::Sub': 'arn:aws:lambda:${AWS::Region}:1234567890:function:d' },
     ];
-    expect(lambdaPermissions[0].Resource).to.deep.eq(lambdaArns);
+    expect(lambdaPermissions[0].Resource).to.deep.include.members(lambdaArns);
   });
 
   it('should support lambda::invoke resource type', () => {
@@ -1183,7 +1196,7 @@ describe('#compileIamRole', () => {
       'arn:aws:lambda:us-west-2:1234567890:function:c',
       { 'Fn::Sub': 'arn:aws:lambda:${AWS::Region}:1234567890:function:d' },
     ];
-    expect(lambdaPermissions[0].Resource).to.deep.eq(lambdaArns);
+    expect(lambdaPermissions[0].Resource).to.deep.include.members(lambdaArns);
   });
 
   it('should support intrinsic functions for lambda::invoke resource type', () => {
@@ -1238,8 +1251,8 @@ describe('#compileIamRole', () => {
     const lambdaArns = [
       {
         'Fn::Sub': [
-          'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}',
-          { FunctionName: lambda1 },
+          'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionArn}',
+          { functionArn: lambda1 },
         ],
       },
       {
@@ -1257,7 +1270,7 @@ describe('#compileIamRole', () => {
         ],
       },
     ];
-    expect(lambdaPermissions[0].Resource).to.deep.eq(lambdaArns);
+    expect(lambdaPermissions[0].Resource).to.deep.include.members(lambdaArns);
   });
 
   it('should support local function names', () => {
@@ -1305,7 +1318,7 @@ describe('#compileIamRole', () => {
         ],
       },
     ];
-    expect(lambdaPermissions[0].Resource).to.deep.eq(lambdaArns);
+    expect(lambdaPermissions[0].Resource).to.deep.include.members(lambdaArns);
   });
 
   it('should support local function names for lambda::invoke resource type', () => {
@@ -1356,8 +1369,8 @@ describe('#compileIamRole', () => {
     const lambdaArns = [
       {
         'Fn::Sub': [
-          'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}',
-          { FunctionName: { Ref: 'HelloDashworldLambdaFunction' } },
+          'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionArn}',
+          { functionArn: { Ref: 'HelloDashworldLambdaFunction' } },
         ],
       },
       {
@@ -1367,6 +1380,6 @@ describe('#compileIamRole', () => {
         ],
       },
     ];
-    expect(lambdaPermissions[0].Resource).to.deep.eq(lambdaArns);
+    expect(lambdaPermissions[0].Resource).to.deep.include.members(lambdaArns);
   });
 });
diff --git a/lib/deploy/stepFunctions/compileStateMachines.js b/lib/deploy/stepFunctions/compileStateMachines.js
@@ -5,7 +5,7 @@ const Joi = require('@hapi/joi');
 const Chance = require('chance');
 const BbPromise = require('bluebird');
 const schema = require('./compileStateMachines.schema');
-const { isIntrinsic, translateLocalFunctionNames } = require('../../utils/aws');
+const { isIntrinsic, translateLocalFunctionNames, convertToFunctionVersion } = require('../../utils/aws');
 
 const chance = new Chance();
 
@@ -102,6 +102,13 @@ module.exports = {
           }
         }
 
+        if (stateMachineObj.useExactVersion === true && DefinitionString['Fn::Sub']) {
+          const params = DefinitionString['Fn::Sub'][1];
+          const f = convertToFunctionVersion.bind(this);
+          const converted = _.mapValues(params, f);
+          DefinitionString['Fn::Sub'][1] = converted;
+        }
+
         if (stateMachineObj.role) {
           RoleArn = stateMachineObj.role;
         } else {
diff --git a/lib/deploy/stepFunctions/compileStateMachines.schema.js b/lib/deploy/stepFunctions/compileStateMachines.schema.js
@@ -26,12 +26,14 @@ const name = Joi.string();
 const events = Joi.array();
 const alarms = Joi.object();
 const notifications = Joi.object();
+const useExactVersion = Joi.boolean().default(false);
 
 const schema = Joi.object().keys({
   id,
   events,
   name,
   role: arn,
+  useExactVersion,
   definition: definition.required(),
   dependsOn,
   tags,
diff --git a/lib/deploy/stepFunctions/compileStateMachines.test.js b/lib/deploy/stepFunctions/compileStateMachines.test.js
@@ -848,4 +848,99 @@ describe('#compileStateMachines', () => {
     const lambda2Param = params[lambda2ParamName];
     expect(lambda2Param).to.eql({ 'Fn::GetAtt': ['HelloDashworldLambdaFunction', 'Arn'] });
   });
+
+  it('should support using exact versions of functions', () => {
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: {
+          id: 'Test',
+          useExactVersion: true,
+          definition: {
+            StartAt: 'Lambda1',
+            States: {
+              Lambda1: {
+                Type: 'Task',
+                Resource: 'arn:aws:states:::lambda:invoke',
+                Parameters: {
+                  FunctionName: {
+                    Ref: 'HelloLambdaFunction',
+                  },
+                  Payload: {
+                    'ExecutionName.$': '$$.Execution.Name',
+                  },
+                },
+                Next: 'Lambda2',
+              },
+              Lambda2: {
+                Type: 'Task',
+                Resource: {
+                  'Fn::GetAtt': ['WorldLambdaFunction', 'Arn'],
+                },
+                End: true,
+              },
+            },
+          },
+        },
+      },
+    };
+
+    serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources
+      .HelloLambdaFunction = {
+        Type: 'AWS::Lambda::Function',
+      };
+
+    serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources
+      .Lambda1Version13579 = {
+        Type: 'AWS::Lambda::Version',
+        Properties: {
+          FunctionName: {
+            Ref: 'HelloLambdaFunction',
+          },
+        },
+      };
+
+    serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources
+      .WorldLambdaFunction = {
+        Type: 'AWS::Lambda::Function',
+      };
+
+    serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources
+      .Lambda2Version24680 = {
+        Type: 'AWS::Lambda::Version',
+        Properties: {
+          FunctionName: {
+            Ref: 'WorldLambdaFunction',
+          },
+        },
+      };
+
+    serverlessStepFunctions.compileStateMachines();
+    const stateMachine = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources
+      .Test;
+
+    expect(stateMachine.Properties.DefinitionString).to.haveOwnProperty('Fn::Sub');
+    expect(stateMachine.Properties.DefinitionString['Fn::Sub']).to.have.lengthOf(2);
+
+    const [json, params] = stateMachine.Properties.DefinitionString['Fn::Sub'];
+    const modifiedDefinition = JSON.parse(json);
+
+    const lambda1 = modifiedDefinition.States.Lambda1;
+    expect(lambda1.Parameters.FunctionName.startsWith('${')).to.eq(true);
+    const lambda1ParamName = lambda1.Parameters.FunctionName.replace(/[${}]/g, '');
+    expect(params).to.haveOwnProperty(lambda1ParamName);
+    const lambda1Param = params[lambda1ParamName];
+    expect(lambda1Param).to.eql({ Ref: 'Lambda1Version13579' });
+
+    const lambda2 = modifiedDefinition.States.Lambda2;
+    expect(lambda2.Resource.startsWith('${')).to.eq(true);
+    const lambda2ParamName = lambda2.Resource.replace(/[${}]/g, '');
+    expect(params).to.haveOwnProperty(lambda2ParamName);
+    const lambda2Param = params[lambda2ParamName];
+    expect(lambda2Param).to.eql({ Ref: 'Lambda2Version24680' });
+  });
 });
diff --git a/lib/utils/aws.js b/lib/utils/aws.js
@@ -37,7 +37,42 @@ function translateLocalFunctionNames(value) {
   return value;
 }
 
+// converts a reference to a function to a reference to a function version
+function convertToFunctionVersion(value) {
+  const resources = this.serverless.service.provider.compiledCloudFormationTemplate.Resources;
+  const versions = Object.keys(resources) // [ [logicalId, version] ]
+    .filter(logicalId => resources[logicalId].Type === 'AWS::Lambda::Version')
+    .map(logicalId => [logicalId, resources[logicalId]]);
+
+  const isFunction = logicalId => _.has(resources, logicalId) && resources[logicalId].Type === 'AWS::Lambda::Function';
+  const getVersion = (logicalId) => {
+    const version = versions.find(x => _.get(x[1], 'Properties.FunctionName.Ref') === logicalId);
+    if (version) {
+      return version[0];
+    }
+
+    return logicalId;
+  };
+
+  if (_.has(value, 'Ref') && isFunction(value.Ref)) {
+    return {
+      Ref: getVersion(value.Ref),
+    };
+  }
+
+  // for Lambda function, Get::Att can only return the ARN
+  // but for Lambda version, you need Ref to get its ARN, hence why we return Ref here
+  if (_.has(value, 'Fn::GetAtt') && isFunction(value['Fn::GetAtt'][0])) {
+    return {
+      Ref: getVersion(value['Fn::GetAtt'][0]),
+    };
+  }
+
+  return value;
+}
+
 module.exports = {
   isIntrinsic,
   translateLocalFunctionNames,
+  convertToFunctionVersion,
 };
