cfn-model 0.4.18 → 0.4.19
- checksums.yaml +4 -4
- data/lib/cfn-model/transforms/serverless.rb +65 -10
- metadata +2 -2
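--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7b2057d4288c487afa70f4e247990777946cd20325cabd8c756ab6ed4a4c362b
+data.tar.gz: 8b2d6016fe3be1be9feac21995ea3a7d63ab5a851e34d799f738a9bdc8e58b7e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8576632ea87d675293d2d012536de8fde75404f5be46fafb1e441803003795cc518457c9965a28762f82ecb90f9bce03c4e60318da5fb868d5f99cd12f669a8c
+data.tar.gz: e79459665ae9c92c71f3be34b4c685670bec4773448f6f464867eac425b04e44a4356beeab49a1d84857fb9233b39b62a8620e66f799e646d5abd3ab8efc8790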
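--- a/data/lib/cfn-model/transforms/serverless.rb
+++ b/data/lib/cfn-model/transforms/serverless.rb
@@ -68,6 +68,11 @@ class CfnModel
 resolve_globals_function_property(cfn_hash, property_name)
 end
 
+def format_function_role(serverless_function, function_name)
+getatt_hash = { 'Fn::GetAtt' => %W[#{function_name}Role Arn] }
+serverless_function['Properties']['Role'] || getatt_hash
+end
+
 # i question whether we need to carry out the transform this far given cfn_nag
 # likely won't ever opine on bucket names or object keys
 def transform_code_uri(lambda_fn_params, code_uri)
@@ -81,11 +86,12 @@ class CfnModel
 lambda_fn_params
 end
 
-def serverless_function_properties(cfn_hash, serverless_function, with_line_numbers)
+def serverless_function_properties(cfn_hash, serverless_function, fn_name, with_line_numbers)
 code_uri = serverless_function_property(serverless_function, cfn_hash, 'CodeUri')
 
 lambda_fn_params = {
 handler: serverless_function_property(serverless_function, cfn_hash, 'Handler'),
+role: format_function_role(serverless_function, fn_name),
 runtime: serverless_function_property(serverless_function, cfn_hash, 'Runtime'),
 with_line_numbers: with_line_numbers
 }
@@ -101,10 +107,18 @@ class CfnModel
 def replace_serverless_function(cfn_hash, resource_name, with_line_numbers)
 serverless_function = cfn_hash['Resources'][resource_name]
 
-lambda_fn_params = serverless_function_properties(cfn_hash,
+lambda_fn_params = serverless_function_properties(cfn_hash,
+serverless_function,
+resource_name,
+with_line_numbers)
 
 cfn_hash['Resources'][resource_name] = lambda_function lambda_fn_params
-
+
+unless serverless_function['Properties']['Role']
+cfn_hash['Resources'][resource_name + 'Role'] = function_role(serverless_function,
+resource_name,
+with_line_numbers)
+end
 
 transform_function_events(cfn_hash, serverless_function, resource_name, with_line_numbers) if \
 serverless_function['Properties']['Events']
@@ -123,18 +137,58 @@ class CfnModel
 }
 end
 
-# Return the hash structure of the '
+# Return the hash structure of the '<function_name>Role'
 # AWS::IAM::Role resource as created by Serverless transform
-def
-{
+def function_role(serverless_function, function_name, with_line_numbers)
+fn_role = {
 'Type' => format_resource_type('AWS::IAM::Role', -1, with_line_numbers),
 'Properties' => {
-'ManagedPolicyArns' => [
-'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
-],
+'ManagedPolicyArns' => function_role_managed_policies(serverless_function['Properties']),
 'AssumeRolePolicyDocument' => lambda_service_can_assume_role
 }
 }
+function_role_policies(fn_role, serverless_function['Properties'], function_name)
+fn_role
+end
+
+def function_role_managed_policies(function_properties)
+# Always set AWSLambdaBasicExecutionRole policy
+base_policies = %w[arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]
+
+# Return base_policies if no policies assigned to the function
+return base_policies unless function_properties['Policies']
+
+# If the SAM function Policies property is a string, append and return
+return base_policies | %W[arn:aws:iam::aws:policy/#{function_properties['Policies']}] if \
+function_properties['Policies'].is_a? String
+
+# Iterate on Policies property and add if String
+policy_names = function_properties['Policies'].select { |policy| policy.is_a? String }
+base_policies | policy_names.map { |name| "arn:aws:iam::aws:policy/#{name}" }
+end
+
+def function_role_policies(role, function_properties, fn_name)
+# Return if no policies assigned to the function
+return unless function_properties['Policies']
+
+# Process inline policies from SAM function
+return if function_properties['Policies'].is_a? String
+
+# Iterate on Policies property and add if Hash
+policy_hashes = function_properties['Policies'].select do |policy|
+policy.is_a?(Hash) && policy.keys.first !~ /Policy/
+end
+return if policy_hashes.empty?
+
+# Create policy documents
+policy_documents = policy_hashes.map.with_index do |policy, index|
+{
+'PolicyDocument' => policy,
+'PolicyName' => "#{fn_name}RolePolicy#{index}"
+}
+end
+
+role['Properties']['Policies'] = policy_documents
 end
 
 def lambda_function_code(fn_resource, code_bucket, code_key)
@@ -152,13 +206,14 @@ class CfnModel
 def lambda_function(handler:,
 code_bucket: nil,
 code_key: nil,
+role:,
 runtime:,
 with_line_numbers: false)
 fn_resource = {
 'Type' => format_resource_type('AWS::Lambda::Function', -1, with_line_numbers),
 'Properties' => {
 'Handler' => handler,
-'Role' =>
+'Role' => role,
 'Runtime' => runtime
 }
 }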
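Review bot: In function_role_managed_policies the string branch (new lines 162-163) and the list branch (line 167) unconditionally prepend `arn:aws:iam::aws:policy/` to every string, but SAM also accepts a full managed-policy ARN in `Policies` and passes it through unchanged, so a template that lists an ARN would be modelled with a doubled prefix and the role's ManagedPolicyArns would no longer match what the transform actually deploys; managed policies that SAM resolves by name can also sit under a path (compare the `service-role/` in the base policy), which a bare prefix cannot recover, so that part is at best an approximation. Only strings that do not already start with `arn:` should get the prefix, which a small helper keeps in one place, as below. Separately, function_role_policies drops every hash whose first key matches /Policy/ (SAM policy templates) and any intrinsic entry, so the modelled role under-states the permissions the function really gets; a comment such as `# NOTE: SAM policy templates and intrinsic-function entries are not modelled; the role is an under-approximation` above line 178 would make that limitation explicit to rule authors.
```ruby
def function_role_managed_policies(function_properties)
  # … unchanged: base_policies and the early return when 'Policies' is absent …

  # If the SAM function Policies property is a string, append and return
  return base_policies | [managed_policy_arn(function_properties['Policies'])] if \
    function_properties['Policies'].is_a? String

  # Iterate on Policies property and add if String
  policy_names = function_properties['Policies'].select { |policy| policy.is_a? String }
  base_policies | policy_names.map { |name| managed_policy_arn(name) }
end

# SAM passes a string that is already an ARN through unchanged; only bare names get the prefix
def managed_policy_arn(name)
  name.start_with?('arn:') ? name : "arn:aws:iam::aws:policy/#{name}"
end
```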
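--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-model
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.19
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-
+date: 2020-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rubocop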