jets 4.0.3 → 4.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2656b9ad4b3542399efbba9eadb992532d2ebed430315280d3e1524a376b3674
-  data.tar.gz: bcd37a34c13c7027b99854129cf537369dd357ba39edc7481416315d20137602
+  metadata.gz: a04cac354e7cc219602bd9a156eb26be7517025997ebfd4965e2d0678ddaee56
+  data.tar.gz: 1e4d52b85a38f8058dc38538f32f6e0c551aacde7cd2ee444368f787486c7779
 SHA512:
-  metadata.gz: 4b16ac3cc3899c989c2de4670fbc6be7c2f9dc07b39869404ebbbc0689f458fc4befc699ccff3c14001946716288792077a006c97f9541f842040fa656e10a4b
-  data.tar.gz: d6f6f26ea83268b6ca877cfe8f49660e15b0e6709cfb7e498bbdf9b87cccf81b4c7cd86f2e707dd4ba0adbed0a8e70ccf0bd06cef80b15fb60e5b689b739dcbf
+  metadata.gz: 9e8216af98538a02cfd1baed256f0b452daa5d626c6e7bde0093bbe37007e207dccd736122903351eba55615af1750ea1272134c6e8fc32c504f53d252e58fdc
+  data.tar.gz: 7968a375e5a80deafc70b1c8261095b9ff9237471c73fb616c63531ed6080483d83745243d08f5ca33a9b92871ea9b1280c6f0e5beb64b26ee57fa9f2621bd75

data/CHANGELOG.md

@@ -3,6 +3,9 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
 
+## [4.0.4] - 2023-09-07
+- [#662](https://github.com/boltops-tools/jets/pull/662) fix vpc iam permissions
+
 ## [4.0.3] - 2023-08-03
 - [#657](https://github.com/boltops-tools/jets/pull/657) [Fix] ApiGateway for local Middleware: fix query_string_parameters
 

data/lib/jets/application/defaults.rb

@@ -2,8 +2,8 @@ class Jets::Application
   module Defaults
     extend ActiveSupport::Concern
 
-    included do
-      def self.default_iam_policy
+    class_methods do
+      def default_iam_policy
         project_namespace = Jets.project_namespace
         logs = {
           action: ["logs:*"],
@@ -24,24 +24,23 @@ class Jets::Application
         }
         policies << cloudformation
 
-        if Jets.config.function.vpc_config
-          vpc = {
-            action: %w[
-              ec2:CreateNetworkInterface
-              ec2:DeleteNetworkInterface
-              ec2:DescribeNetworkInterfaces
-              ec2:DescribeVpcs
-              ec2:DescribeSubnets
-              ec2:DescribeSecurityGroups
-            ],
-            effect: "Allow",
-            resource: "*",
-          }
-          policies << vpc
-        end
-
         policies
       end
+
+      def vpc_iam_policy_statement
+        {
+          Action: %w[
+            ec2:CreateNetworkInterface
+            ec2:DeleteNetworkInterface
+            ec2:DescribeNetworkInterfaces
+            ec2:DescribeVpcs
+            ec2:DescribeSubnets
+            ec2:DescribeSecurityGroups
+          ],
+          Effect: "Allow",
+          Resource: "*",
+        }
+      end
     end
 
     def default_config
@@ -201,5 +200,29 @@ class Jets::Application
         app/shared/functions
       ]
     end
+
+    # Used by app/jobs/jets/preheat_job.rb
+    def preheat_job_iam_policy
+      policy = [
+        {
+          Sid: "Statement1",
+          Action: ["logs:*"],
+          Effect: "Allow",
+          Resource: [{
+            "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${JetsPreheatJobWarmLambdaFunction}"
+          }]
+        },
+        {
+          Sid: "Statement2",
+          Action: ["lambda:InvokeFunction", "lambda:InvokeAsync"],
+          Effect: "Allow",
+          Resource: [{
+            "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:#{Jets.project_namespace}-*"
+          }]
+        }
+      ]
+      policy << Jets::Application.vpc_iam_policy_statement if Jets.config.function.vpc_config
+      policy
+    end
   end
 end

data/lib/jets/internal/app/jobs/jets/preheat_job.rb

@@ -7,24 +7,7 @@ class Jets::PreheatJob < ApplicationJob
 
   class_timeout 30
   class_memory 1024
-  class_iam_policy(
-    {
-      sid: "Statement1",
-      action: ["logs:*"],
-      effect: "Allow",
-      resource: [
-        sub("arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${WarmLambdaFunction}"),
-      ]
-    },
-    {
-      Sid: "Statement2",
-      Action: ["lambda:InvokeFunction", "lambda:InvokeAsync"],
-      Effect: "Allow",
-      Resource: [
-        sub("arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:#{Jets.project_namespace}-*")
-      ]
-    }
-  )
+  class_iam_policy(Jets.config.preheat_job_iam_policy)
 
   rate(PREWARM_RATE) if torching
   def torch

data/lib/jets/resource/iam/base_role_definition.rb

@@ -24,6 +24,12 @@ module Jets::Resource::Iam
         }
       }
 
+      # Add vpc permissions to all policies
+      definition[logical_id][:properties][:policies] = [
+        policy_name: "vpc", # required, limited to 128-chars
+        policy_document: vpc_policy_document,
+      ] if vpc_policy_document
+
       unless managed_policy_arns.empty?
         definition[logical_id][:properties][:managed_policy_arns] = managed_policy_arns
       end
@@ -31,6 +37,14 @@ module Jets::Resource::Iam
       definition
     end
 
+    def vpc_policy_document
+      if Jets.config.function.vpc_config
+        {
+          Statement: [Jets::Application.vpc_iam_policy_statement]
+        }
+      end
+    end
+
     def policy_document
       PolicyDocument.new(@policy_definitions.flatten.uniq).policy_document
     end

data/lib/jets/version.rb

@@ -1,3 +1,3 @@
 module Jets
-  VERSION = "4.0.3"
+  VERSION = "4.0.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jets
 version: !ruby/object:Gem::Version
-  version: 4.0.3
+  version: 4.0.4
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-08-03 00:00:00.000000000 Z
+date: 2023-09-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionmailer