RubyGems - cfn-model - Versions diffs - 0.4.18 → 0.4.19 - Mend

cfn-model 0.4.18 → 0.4.19

Files changed (3) hide show

checksums.yaml +4 -4
data/lib/cfn-model/transforms/serverless.rb +65 -10
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a30f11c718dd0eff8aca481d309eb43ec956fb7589f4bac4509568029c49d96a
-  data.tar.gz: b49b0f87f0314422b9596e83377ac80ab53f8587426549b8dca118c9bc1f56e3
+  metadata.gz: 7b2057d4288c487afa70f4e247990777946cd20325cabd8c756ab6ed4a4c362b
+  data.tar.gz: 8b2d6016fe3be1be9feac21995ea3a7d63ab5a851e34d799f738a9bdc8e58b7e
 SHA512:
-  metadata.gz: 5be4b84d0149684785f3696941d2a288f7f7080057bb2d31945e9561ca73625134aed3a9a405930651d3bdcdc29529f79bc2ab7b2a31b80eeb81b7cc9ae18306
-  data.tar.gz: f863433dfba321ace4cfd1b685d2176b8ff56ec09826f9b6863f44079b7ac96ecf80206f394ac2f0967082686c9ca7e95bfc0343e10294cc38b4780005bd12d1
+  metadata.gz: 8576632ea87d675293d2d012536de8fde75404f5be46fafb1e441803003795cc518457c9965a28762f82ecb90f9bce03c4e60318da5fb868d5f99cd12f669a8c
+  data.tar.gz: e79459665ae9c92c71f3be34b4c685670bec4773448f6f464867eac425b04e44a4356beeab49a1d84857fb9233b39b62a8620e66f799e646d5abd3ab8efc8790

data/lib/cfn-model/transforms/serverless.rb CHANGED Viewed

@@ -68,6 +68,11 @@ class CfnModel
           resolve_globals_function_property(cfn_hash, property_name)
       end
+      def format_function_role(serverless_function, function_name)
+        getatt_hash = { 'Fn::GetAtt' => %W[#{function_name}Role Arn] }
+        serverless_function['Properties']['Role'] || getatt_hash
+      end
       # i question whether we need to carry out the transform this far given cfn_nag
       # likely won't ever opine on bucket names or object keys
       def transform_code_uri(lambda_fn_params, code_uri)
@@ -81,11 +86,12 @@ class CfnModel
         lambda_fn_params
       end
-      def serverless_function_properties(cfn_hash, serverless_function, with_line_numbers)
+      def serverless_function_properties(cfn_hash, serverless_function, fn_name, with_line_numbers)
         code_uri = serverless_function_property(serverless_function, cfn_hash, 'CodeUri')
         lambda_fn_params = {
           handler: serverless_function_property(serverless_function, cfn_hash, 'Handler'),
+          role: format_function_role(serverless_function, fn_name),
           runtime: serverless_function_property(serverless_function, cfn_hash, 'Runtime'),
           with_line_numbers: with_line_numbers
         }
@@ -101,10 +107,18 @@ class CfnModel
       def replace_serverless_function(cfn_hash, resource_name, with_line_numbers)
         serverless_function = cfn_hash['Resources'][resource_name]
-        lambda_fn_params = serverless_function_properties(cfn_hash, serverless_function, with_line_numbers)
+        lambda_fn_params = serverless_function_properties(cfn_hash,
+                                                          serverless_function,
+                                                          resource_name,
+                                                          with_line_numbers)
         cfn_hash['Resources'][resource_name] = lambda_function lambda_fn_params
-        cfn_hash['Resources']['FunctionNameRole'] = function_name_role with_line_numbers
+        unless serverless_function['Properties']['Role']
+          cfn_hash['Resources'][resource_name + 'Role'] = function_role(serverless_function,
+                                                                        resource_name,
+                                                                        with_line_numbers)
+        end
         transform_function_events(cfn_hash, serverless_function, resource_name, with_line_numbers) if \
           serverless_function['Properties']['Events']
@@ -123,18 +137,58 @@ class CfnModel
         }
       end
-      # Return the hash structure of the 'FunctionNameRole'
+      # Return the hash structure of the '<function_name>Role'
       # AWS::IAM::Role resource as created by Serverless transform
-      def function_name_role(with_line_numbers)
-        {
+      def function_role(serverless_function, function_name, with_line_numbers)
+        fn_role = {
           'Type' => format_resource_type('AWS::IAM::Role', -1, with_line_numbers),
           'Properties' => {
-            'ManagedPolicyArns' => [
-              'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
-            ],
+            'ManagedPolicyArns' => function_role_managed_policies(serverless_function['Properties']),
             'AssumeRolePolicyDocument' => lambda_service_can_assume_role
           }
         }
+        function_role_policies(fn_role, serverless_function['Properties'], function_name)
+        fn_role
+      end
+      def function_role_managed_policies(function_properties)
+        # Always set AWSLambdaBasicExecutionRole policy
+        base_policies = %w[arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]
+        # Return base_policies if no policies assigned to the function
+        return base_policies unless function_properties['Policies']
+        # If the SAM function Policies property is a string, append and return
+        return base_policies | %W[arn:aws:iam::aws:policy/#{function_properties['Policies']}] if \
+          function_properties['Policies'].is_a? String
+        # Iterate on Policies property and add if String
+        policy_names = function_properties['Policies'].select { |policy| policy.is_a? String }
+        base_policies | policy_names.map { |name| "arn:aws:iam::aws:policy/#{name}" }
+      end
+      def function_role_policies(role, function_properties, fn_name)
+        # Return if no policies assigned to the function
+        return unless function_properties['Policies']
+        # Process inline policies from SAM function
+        return if function_properties['Policies'].is_a? String
+        # Iterate on Policies property and add if Hash
+        policy_hashes = function_properties['Policies'].select do |policy|
+          policy.is_a?(Hash) && policy.keys.first !~ /Policy/
+        end
+        return if policy_hashes.empty?
+        # Create policy documents
+        policy_documents = policy_hashes.map.with_index do |policy, index|
+          {
+            'PolicyDocument' => policy,
+            'PolicyName' => "#{fn_name}RolePolicy#{index}"
+          }
+        end
+        role['Properties']['Policies'] = policy_documents
       end
       def lambda_function_code(fn_resource, code_bucket, code_key)
@@ -152,13 +206,14 @@ class CfnModel
       def lambda_function(handler:,
                           code_bucket: nil,
                           code_key: nil,
+                          role:,
                           runtime:,
                           with_line_numbers: false)
         fn_resource = {
           'Type' => format_resource_type('AWS::Lambda::Function', -1, with_line_numbers),
           'Properties' => {
             'Handler' => handler,
-            'Role' => { 'Fn::GetAtt' => %w[FunctionNameRole Arn] },
+            'Role' => role,
             'Runtime' => runtime
           }
         }

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-model
 version: !ruby/object:Gem::Version
-  version: 0.4.18
+  version: 0.4.19
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-25 00:00:00.000000000 Z
+date: 2020-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop