From 4e5efd6a68e10cab6aad5d5533d5477805b9c6fc Mon Sep 17 00:00:00 2001
From: mike wong
Date: Fri, 26 Sep 2025 09:51:20 +0100
Subject: [PATCH 1/3] refactor(s3): support reading jsonata for s3

---
 lib/deploy/stepFunctions/compileIamRole.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index d01a53e..34a7d8a 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -655,9 +655,10 @@ function resolveS3BucketReferences(bucket, resources) {
 }
 
 function getS3ObjectPermissions(action, state) {
- const bucket = state.Parameters.Bucket || '*';
- const key = state.Parameters.Key || '*';
- const prefix = state.Parameters.Prefix;
+ // Use the helper so both Arguments (JSONata) and Parameters (JSONPath) are supported
+ const bucket = getParameterOrArgument(state, 'Bucket') || '*';
+ const key = getParameterOrArgument(state, 'Key') || '*';
+ const prefix = getParameterOrArgument(state, 'Prefix');
 
 let arn;
 if (action === 's3:listObjectsV2') {

From d301b8e9f8e710f7ece5d4d8c9d846c608b0d3da Mon Sep 17 00:00:00 2001
From: mike wong
Date: Fri, 26 Sep 2025 10:48:49 +0100
Subject: [PATCH 2/3] refactor: support s3 key resolve with jsonata value and fallback to wildcard

---
 lib/deploy/stepFunctions/compileIamRole.js | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index 34a7d8a..12a921f 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
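Review bot: Only `Key` receives a JSONata-template check later in this series (the `@@ -657,7 +665,13 @@` hunk of PATCH 2/3); a `{% ... %}` template supplied for `Bucket` or `Prefix` now flows through `getParameterOrArgument` and is interpolated verbatim into the resource ARN, which is a malformed policy resource rather than a wildcard. Whether `resolveS3BucketReferences` (outside this hunk) rejects such a value cannot be seen here, so treating a templated bucket the same way as a templated key, or failing the compile with a clear message, would make the behaviour explicit. `getParameterOrArgument` is defined outside this hunk; I am assuming from its name that it also covers the `Key.$` / `Bucket.$` JSONPath forms the old code did not read. The body of getS3ObjectPermissions continues past the end of the hunk.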
@@ -8,6 +8,14 @@ const { getArnPartition } = require('../../utils/arn');
 const logger = require('../../utils/logger');
 
+/**
+ * Check if a value is a JSONata value template
+ * e.g {% $.some.path %}
+ */
+function isJsonataValueTemplate(value) {
+ return typeof value === 'string' && value.trim().startsWith('{%') && value.trim().endsWith('}');
+}
+
 function getTaskStates(states, stateMachineName) {
 return _.flatMap(states, (state) => {
 switch (state.Type) {
@@ -657,7 +665,13 @@ function resolveS3BucketReferences(bucket, resources) {
 function getS3ObjectPermissions(action, state) {
 // Use the helper so both Arguments (JSONata) and Parameters (JSONPath) are supported
 const bucket = getParameterOrArgument(state, 'Bucket') || '*';
- const key = getParameterOrArgument(state, 'Key') || '*';
+ let key = getParameterOrArgument(state, 'Key') || '*';
+ if (isJsonataValueTemplate(key)) {
+ console.warn(
+ "Warning: When using JSONata, S3 object permissions will be given for all objects in the bucket"
+ );
+ key = "*";
+ }
 const prefix = getParameterOrArgument(state, 'Prefix');
 
 let arn;

From 3d4d9976d5f0c94d1d8c07992fcda297c7993f70 Mon Sep 17 00:00:00 2001
From: mike wong
Date: Fri, 3 Oct 2025 12:43:06 +0100
Subject: [PATCH 3/3] support sns permission for jsonata

---
 lib/deploy/stepFunctions/compileIamRole.js | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index 12a921f..2ea9252 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
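Review bot: The closing check in the added `isJsonataValueTemplate` tests `endsWith('}')` rather than the `%}` that its own doc comment shows closing a template, so any string that happens to end in a brace is classified as a JSONata template and its callers fall back to a wildcard. The predicate also trims the value twice. Tightening it to the documented delimiters reads as `if (typeof value !== 'string') return false;` / `const trimmed = value.trim();` / `return trimmed.startsWith('{%') && trimmed.endsWith('%}');`. The doc comment could also state the contract a caller relies on, e.g. `Returns true only for strings delimited by {% and %}; non-strings are never templates`.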
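Review bot: The new warning inside getS3ObjectPermissions is written with `console.warn`, while the rest of this file routes diagnostics through the `logger` required at the top (the `logger.log` call in getSnsPermissions is visible in PATCH 3/3), so this message bypasses whatever the plugin's logger does with output; `logger.log('Warning: When using JSONata, S3 object permissions will be given for all objects in the bucket');` keeps it consistent. The added lines also introduce double-quoted strings (`"*"`, the warning text) into a file that otherwise uses single quotes. Widening to `key = '*'` is the right fail-safe direction for a key that is only known at run time, but the `Bucket` value two lines above gets no equivalent template check, so a templated bucket still reaches the ARN verbatim. The body of getS3ObjectPermissions continues outside the hunk.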
@@ -92,13 +92,16 @@ function getSqsPermissions(serverless, state) {
 }
 
 function getSnsPermissions(serverless, state) {
- if (_.has(state, 'Parameters.TopicArn')
- || _.has(state, ['Parameters', 'TopicArn.$'])) {
- // if topic ARN is provided by input, then need pervasive permissions
- const topicArn = state.Parameters['TopicArn.$'] ? '*' : state.Parameters.TopicArn;
- return [{ action: 'sns:Publish', resource: topicArn }];
+ const topicArn = getParameterOrArgument(state, "TopicArn");
+ const topicArnPervasive = getParameterOrArgument(state, "TopicArn.$");
+ // if topic ARN is provided by input, then need pervasive permissions
+ if (topicArnPervasive) {
+ return [{ action: "sns:Publish", resource: "*" }];
 }
- logger.log('SNS task missing Parameters.TopicArn or Parameters.TopicArn.$');
+ if (topicArn) {
+ return [{ action: "sns:Publish", resource: topicArn }];
+ }
+ logger.log("SNS task missing Parameters.TopicArn or Parameters.TopicArn.$");
 return [];
 }
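Review bot: The JSONata case this commit sets out to support is not actually handled for a dynamic topic: in JSONata mode the run-time value is a `{% ... %}` template under `TopicArn` itself, not a `TopicArn.$` key, so it falls to the second branch and the raw template string is emitted as the policy `resource`, producing a malformed ARN instead of the pervasive grant the comment describes. The `isJsonataValueTemplate` helper added in PATCH 2/3 covers exactly this; the first branch should read `if (topicArnPervasive || isJsonataValueTemplate(topicArn)) {`. Whether `getParameterOrArgument` (defined outside this hunk) looks up a `TopicArn.$` name in `Arguments` at all is not visible here and may deserve a comment. The rewritten lines also switch this function to double-quoted strings while the surrounding file uses single quotes, and the log message still names only the `Parameters` spellings.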