cfn-model 0.4.18 → 0.4.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn-model/transforms/serverless.rb +65 -10
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7b2057d4288c487afa70f4e247990777946cd20325cabd8c756ab6ed4a4c362b
|
|
4
|
+
data.tar.gz: 8b2d6016fe3be1be9feac21995ea3a7d63ab5a851e34d799f738a9bdc8e58b7e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8576632ea87d675293d2d012536de8fde75404f5be46fafb1e441803003795cc518457c9965a28762f82ecb90f9bce03c4e60318da5fb868d5f99cd12f669a8c
|
|
7
|
+
data.tar.gz: e79459665ae9c92c71f3be34b4c685670bec4773448f6f464867eac425b04e44a4356beeab49a1d84857fb9233b39b62a8620e66f799e646d5abd3ab8efc8790
|
|
@@ -68,6 +68,11 @@ class CfnModel
|
|
|
68
68
|
resolve_globals_function_property(cfn_hash, property_name)
|
|
69
69
|
end
|
|
70
70
|
|
|
71
|
+
def format_function_role(serverless_function, function_name)
|
|
72
|
+
getatt_hash = { 'Fn::GetAtt' => %W[#{function_name}Role Arn] }
|
|
73
|
+
serverless_function['Properties']['Role'] || getatt_hash
|
|
74
|
+
end
|
|
75
|
+
|
|
71
76
|
# i question whether we need to carry out the transform this far given cfn_nag
|
|
72
77
|
# likely won't ever opine on bucket names or object keys
|
|
73
78
|
def transform_code_uri(lambda_fn_params, code_uri)
|
|
@@ -81,11 +86,12 @@ class CfnModel
|
|
|
81
86
|
lambda_fn_params
|
|
82
87
|
end
|
|
83
88
|
|
|
84
|
-
def serverless_function_properties(cfn_hash, serverless_function, with_line_numbers)
|
|
89
|
+
def serverless_function_properties(cfn_hash, serverless_function, fn_name, with_line_numbers)
|
|
85
90
|
code_uri = serverless_function_property(serverless_function, cfn_hash, 'CodeUri')
|
|
86
91
|
|
|
87
92
|
lambda_fn_params = {
|
|
88
93
|
handler: serverless_function_property(serverless_function, cfn_hash, 'Handler'),
|
|
94
|
+
role: format_function_role(serverless_function, fn_name),
|
|
89
95
|
runtime: serverless_function_property(serverless_function, cfn_hash, 'Runtime'),
|
|
90
96
|
with_line_numbers: with_line_numbers
|
|
91
97
|
}
|
|
@@ -101,10 +107,18 @@ class CfnModel
|
|
|
101
107
|
def replace_serverless_function(cfn_hash, resource_name, with_line_numbers)
|
|
102
108
|
serverless_function = cfn_hash['Resources'][resource_name]
|
|
103
109
|
|
|
104
|
-
lambda_fn_params = serverless_function_properties(cfn_hash,
|
|
110
|
+
lambda_fn_params = serverless_function_properties(cfn_hash,
|
|
111
|
+
serverless_function,
|
|
112
|
+
resource_name,
|
|
113
|
+
with_line_numbers)
|
|
105
114
|
|
|
106
115
|
cfn_hash['Resources'][resource_name] = lambda_function lambda_fn_params
|
|
107
|
-
|
|
116
|
+
|
|
117
|
+
unless serverless_function['Properties']['Role']
|
|
118
|
+
cfn_hash['Resources'][resource_name + 'Role'] = function_role(serverless_function,
|
|
119
|
+
resource_name,
|
|
120
|
+
with_line_numbers)
|
|
121
|
+
end
|
|
108
122
|
|
|
109
123
|
transform_function_events(cfn_hash, serverless_function, resource_name, with_line_numbers) if \
|
|
110
124
|
serverless_function['Properties']['Events']
|
|
@@ -123,18 +137,58 @@ class CfnModel
|
|
|
123
137
|
}
|
|
124
138
|
end
|
|
125
139
|
|
|
126
|
-
# Return the hash structure of the '
|
|
140
|
+
# Return the hash structure of the '<function_name>Role'
|
|
127
141
|
# AWS::IAM::Role resource as created by Serverless transform
|
|
128
|
-
def
|
|
129
|
-
{
|
|
142
|
+
def function_role(serverless_function, function_name, with_line_numbers)
|
|
143
|
+
fn_role = {
|
|
130
144
|
'Type' => format_resource_type('AWS::IAM::Role', -1, with_line_numbers),
|
|
131
145
|
'Properties' => {
|
|
132
|
-
'ManagedPolicyArns' => [
|
|
133
|
-
'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
|
|
134
|
-
],
|
|
146
|
+
'ManagedPolicyArns' => function_role_managed_policies(serverless_function['Properties']),
|
|
135
147
|
'AssumeRolePolicyDocument' => lambda_service_can_assume_role
|
|
136
148
|
}
|
|
137
149
|
}
|
|
150
|
+
function_role_policies(fn_role, serverless_function['Properties'], function_name)
|
|
151
|
+
fn_role
|
|
152
|
+
end
|
|
153
|
+
|
|
154
|
+
def function_role_managed_policies(function_properties)
|
|
155
|
+
# Always set AWSLambdaBasicExecutionRole policy
|
|
156
|
+
base_policies = %w[arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]
|
|
157
|
+
|
|
158
|
+
# Return base_policies if no policies assigned to the function
|
|
159
|
+
return base_policies unless function_properties['Policies']
|
|
160
|
+
|
|
161
|
+
# If the SAM function Policies property is a string, append and return
|
|
162
|
+
return base_policies | %W[arn:aws:iam::aws:policy/#{function_properties['Policies']}] if \
|
|
163
|
+
function_properties['Policies'].is_a? String
|
|
164
|
+
|
|
165
|
+
# Iterate on Policies property and add if String
|
|
166
|
+
policy_names = function_properties['Policies'].select { |policy| policy.is_a? String }
|
|
167
|
+
base_policies | policy_names.map { |name| "arn:aws:iam::aws:policy/#{name}" }
|
|
168
|
+
end
|
|
169
|
+
|
|
170
|
+
def function_role_policies(role, function_properties, fn_name)
|
|
171
|
+
# Return if no policies assigned to the function
|
|
172
|
+
return unless function_properties['Policies']
|
|
173
|
+
|
|
174
|
+
# Process inline policies from SAM function
|
|
175
|
+
return if function_properties['Policies'].is_a? String
|
|
176
|
+
|
|
177
|
+
# Iterate on Policies property and add if Hash
|
|
178
|
+
policy_hashes = function_properties['Policies'].select do |policy|
|
|
179
|
+
policy.is_a?(Hash) && policy.keys.first !~ /Policy/
|
|
180
|
+
end
|
|
181
|
+
return if policy_hashes.empty?
|
|
182
|
+
|
|
183
|
+
# Create policy documents
|
|
184
|
+
policy_documents = policy_hashes.map.with_index do |policy, index|
|
|
185
|
+
{
|
|
186
|
+
'PolicyDocument' => policy,
|
|
187
|
+
'PolicyName' => "#{fn_name}RolePolicy#{index}"
|
|
188
|
+
}
|
|
189
|
+
end
|
|
190
|
+
|
|
191
|
+
role['Properties']['Policies'] = policy_documents
|
|
138
192
|
end
|
|
139
193
|
|
|
140
194
|
def lambda_function_code(fn_resource, code_bucket, code_key)
|
|
@@ -152,13 +206,14 @@ class CfnModel
|
|
|
152
206
|
def lambda_function(handler:,
|
|
153
207
|
code_bucket: nil,
|
|
154
208
|
code_key: nil,
|
|
209
|
+
role:,
|
|
155
210
|
runtime:,
|
|
156
211
|
with_line_numbers: false)
|
|
157
212
|
fn_resource = {
|
|
158
213
|
'Type' => format_resource_type('AWS::Lambda::Function', -1, with_line_numbers),
|
|
159
214
|
'Properties' => {
|
|
160
215
|
'Handler' => handler,
|
|
161
|
-
'Role' =>
|
|
216
|
+
'Role' => role,
|
|
162
217
|
'Runtime' => runtime
|
|
163
218
|
}
|
|
164
219
|
}
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-model
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.19
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-02-
|
|
11
|
+
date: 2020-02-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rubocop
|