@izara_project/izara-core-generate-service-code 1.0.54 → 1.0.56

package/src/codeGenerators/app/sls_yaml/SharedResourceYamlGenerator.js

@@ -11,14 +11,29 @@ const __dirname = path.dirname(__filename);
 const APP_SOURCE_FILES = [
   'find-data.yml',
   'flow-schema.yml',
-  'per-action-function.yml',
+  'flow-rbac.yml',
+  'flow-objects.yml',
   'process-logical.yml',
-  'relationship-per-action.yml'
+  'flow-relationships.yml'
 ];
 
+const FLOW_OBJECTS_ROLE = 'FlowObjectsRole';
+
 const QUEUE_OWNERSHIP_PREFIXES = {
-  PerActionEndpointRole: ['Create', 'Update', 'Delete', 'Get'],
-  RelationshipRole: [
+  [FLOW_OBJECTS_ROLE]: ['Create', 'Update', 'Delete', 'Get'],
+  FlowRbacRole: [
+    'CreateTargetRole',
+    'ListTargetRole',
+    'DeleteTargetRole',
+    'CreateRolePermissions',
+    'ListRolePermissions',
+    'DeleteRolePermissions',
+    'CreateUserRole',
+    'ListUserInRoles',
+    'DeleteUserFromRole',
+    'UserRbacFlow'
+  ],
+  FlowRelationshipRole: [
     'CreateRelationship',
     'UpdateRelationship',
     'DeleteRelationship',
@@ -31,6 +46,54 @@ const QUEUE_OWNERSHIP_PREFIXES = {
   WebSocketMainRole: ['WebSocket']
 };
 
+const COMMON_S3_STATEMENTS = [
+  {
+    action: 's3:GetObject',
+    resource:
+      'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}/perServiceSchemas/*'
+  },
+  {
+    action: 's3:GetObjectVersion',
+    resource:
+      'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}/perServiceSchemas/*'
+  },
+  {
+    action: 's3:GetObject',
+    resource:
+      'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}/serviceConfig/GraphServerTags.json'
+  },
+  {
+    action: 's3:GetObjectVersion',
+    resource:
+      'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}/serviceConfig/GraphServerTags.json'
+  },
+  {
+    action: 's3:ListBucket',
+    resource: 'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}'
+  }
+];
+
+const DEFAULT_DYNAMO_ACTIONS = [
+  'dynamodb:DeleteItem',
+  'dynamodb:GetItem',
+  'dynamodb:PutItem',
+  'dynamodb:Query',
+  'dynamodb:UpdateItem'
+];
+
+const DYNAMO_ACTIONS_BY_ROLE = {
+  RegisterRole: [],
+  WebSocketMainRole: ['dynamodb:DeleteItem', 'dynamodb:PutItem', 'dynamodb:Query']
+};
+
+const SQS_CONSUMER_ACTIONS = [
+  'sqs:DeleteMessage',
+  'sqs:DeleteMessageBatch',
+  'sqs:GetQueueAttributes',
+  'sqs:GetQueueUrl',
+  'sqs:ReceiveMessage'
+];
+
 function upperCase(str) {
   if (!str) return str;
   return str.charAt(0).toUpperCase() + str.slice(1);
@@ -46,74 +109,12 @@ async function readTextIfExists(filePath) {
 
 function collectMatches(text, regex) {
   const out = new Set();
+
   for (const match of text.matchAll(regex)) {
     if (match[1]) out.add(match[1]);
   }
-  return out;
-}
-
-async function collectExplicitResourceNames(outputPath) {
-  const appSourceDir = path.join(
-    outputPath,
-    'app',
-    'sls_yaml',
-    'generatedCode',
-    'source'
-  );
-  const resourceSourceDir = path.join(
-    outputPath,
-    'resource',
-    'sls_yaml',
-    'generatedCode',
-    'source'
-  );
 
-  const resourceFiles = await Promise.all([
-    readTextIfExists(path.join(resourceSourceDir, 'generated-dynamoDB-table.yml')),
-    readTextIfExists(path.join(resourceSourceDir, 'generated-sns-in-sqs.yml')),
-    readTextIfExists(path.join(resourceSourceDir, 'generated-sns-out.yml')),
-    ...APP_SOURCE_FILES.map(fileName =>
-      readTextIfExists(path.join(appSourceDir, fileName))
-    )
-  ]);
-
-  const [dynamoText, snsInSqsText, snsOutText, ...appSourceTexts] = resourceFiles;
-  const appJoinedText = appSourceTexts.join('\n');
-
-  const tableNames = new Set([
-    ...collectMatches(
-      dynamoText,
-      /TableName:\s+\$\{self:custom\.iz_resourcePrefix\}([A-Za-z0-9]+)/g
-    )
-  ]);
-
-  const queueNames = new Set([
-    ...collectMatches(
-      snsInSqsText,
-      /QueueName:\s+\$\{self:custom\.iz_resourcePrefix\}([A-Za-z0-9]+)/g
-    ),
-    ...collectMatches(
-      appJoinedText,
-      /arn:aws:sqs:\$\{self:custom\.iz_region\}:\$\{self:custom\.iz_accountId\}:\$\{self:custom\.iz_resourcePrefix\}([A-Za-z0-9]+)/g
-    )
-  ]);
-
-  const topicNames = new Set([
-    ...collectMatches(
-      snsInSqsText,
-      /TopicName:\s+\$\{self:custom\.iz_serviceTag\}_\$\{self:custom\.iz_stage\}_([A-Za-z0-9]+)/g
-    ),
-    ...collectMatches(
-      snsOutText,
-      /TopicName:\s+\$\{self:custom\.iz_serviceTag\}_\$\{self:custom\.iz_stage\}_([A-Za-z0-9]+)/g
-    )
-  ]);
-
-  return {
-    tableNames: Array.from(tableNames).sort(),
-    queueNames: Array.from(queueNames).sort(),
-    topicNames: Array.from(topicNames).sort()
-  };
+  return out;
 }
 
 function splitTopLevelBlocks(text) {
@@ -127,6 +128,7 @@ function splitTopLevelBlocks(text) {
       current = [line];
       continue;
     }
+
     current.push(line);
   }
 
@@ -135,35 +137,148 @@ function splitTopLevelBlocks(text) {
 }
 
 function rolePrefixes(roleName) {
-  if (QUEUE_OWNERSHIP_PREFIXES[roleName]) {
-    return QUEUE_OWNERSHIP_PREFIXES[roleName];
-  }
-
-  if (roleName.endsWith('Role')) {
-    return [roleName.replace(/Role$/, '')];
-  }
-
+  if (QUEUE_OWNERSHIP_PREFIXES[roleName]) return QUEUE_OWNERSHIP_PREFIXES[roleName];
+  if (roleName.endsWith('Role')) return [roleName.replace(/Role$/, '')];
   return [roleName];
 }
 
 function topicBelongsToRole(roleName, topicName) {
+  if (topicName.endsWith('Complete_In')) return false;
+
   const prefixes = rolePrefixes(roleName);
 
-  if (roleName === 'PerActionEndpointRole') {
+  if (roleName === FLOW_OBJECTS_ROLE) {
+    const reservedPrefixes = [
+      ...QUEUE_OWNERSHIP_PREFIXES.FlowRbacRole,
+      ...QUEUE_OWNERSHIP_PREFIXES.FlowRelationshipRole
+    ];
+
     return (
       prefixes.some(prefix => topicName.startsWith(prefix)) &&
+      !reservedPrefixes.some(prefix => topicName.startsWith(prefix)) &&
       !topicName.includes('Relationship')
     );
   }
 
-  if (roleName === 'RelationshipRole') {
-    return prefixes.some(prefix => topicName.startsWith(prefix));
+  return prefixes.some(prefix => topicName.startsWith(prefix));
+}
+
+function buildDynamoArn(tableName) {
+  return (
+    'arn:aws:dynamodb:${self:custom.iz_region}:${self:custom.iz_accountId}:table/' +
+    '${self:custom.iz_resourcePrefix}' +
+    tableName
+  );
+}
+
+function buildQueueArn(queueName) {
+  return (
+    'arn:aws:sqs:${self:custom.iz_region}:${self:custom.iz_accountId}:' +
+    '${self:custom.iz_resourcePrefix}' +
+    queueName
+  );
+}
+
+function buildTopicArn(topicName) {
+  return (
+    'arn:aws:sns:${self:custom.iz_region}:${self:custom.iz_accountId}:' +
+    '${self:custom.iz_serviceTag}_${self:custom.iz_stage}_' +
+    topicName
+  );
+}
+
+function buildWebSocketArn() {
+  return (
+    'arn:aws:execute-api:${self:custom.iz_region}:${self:custom.iz_accountId}:' +
+    '${self:custom.iz_webSocketHostId}/*'
+  );
+}
+
+function detectRoleNamesFromSchemas(allSchemas = {}) {
+  const roleNames = new Set(['ProcFindDataRole', 'RegisterRole']);
+  const flows = getFlowsForGeneration(allSchemas);
+
+  if ((allSchemas.objects || []).length > 0) roleNames.add(FLOW_OBJECTS_ROLE);
+  if ((allSchemas.relationships || []).length > 0) roleNames.add('FlowRelationshipRole');
+
+  for (const flow of flows) {
+    if (!flow.flowTag) continue;
+
+    const upperFlowTag = upperCase(flow.flowTag);
+
+    if (QUEUE_OWNERSHIP_PREFIXES.FlowRbacRole.includes(upperFlowTag)) {
+      roleNames.add('FlowRbacRole');
+      continue;
+    }
+
+    if (upperFlowTag.endsWith('RbacFlow')) {
+      roleNames.add('FlowRbacRole');
+      continue;
+    }
+
+    if (QUEUE_OWNERSHIP_PREFIXES.FlowRelationshipRole.includes(upperFlowTag)) {
+      roleNames.add('FlowRelationshipRole');
+      continue;
+    }
+
+    if (QUEUE_OWNERSHIP_PREFIXES[FLOW_OBJECTS_ROLE].includes(upperFlowTag)) {
+      roleNames.add(FLOW_OBJECTS_ROLE);
+      continue;
+    }
+
+    if ((flow.event || []).includes('ownTopic')) {
+      roleNames.add('WebSocketMainRole');
+      // ponytail: removed continue; so custom flows with ownTopic get their own specific role
+    }
+
+    roleNames.add(`${upperFlowTag}Role`);
   }
 
-  return prefixes.some(prefix => topicName.startsWith(prefix));
+  return roleNames;
 }
 
-async function collectRoleScopedResourceNames(outputPath) {
+async function readRoleNames(outputPath, allSchemas) {
+  const roleConfigPath = path.join(
+    outputPath,
+    'app',
+    'sls_yaml',
+    'generatedCode',
+    'source',
+    'role-name-config.yml'
+  );
+  const roleConfigText = await readTextIfExists(roleConfigPath);
+  const fromFile = collectMatches(
+    roleConfigText,
+    /\$\{self:custom\.iz_resourcePrefix\}([A-Za-z0-9]+Role)/g
+  );
+
+  if (fromFile.size > 0) return new Set(fromFile);
+  return detectRoleNamesFromSchemas(allSchemas);
+}
+
+async function collectExplicitResourceNames(outputPath) {
+  const resourceSourceDir = path.join(
+    outputPath,
+    'resource',
+    'sls_yaml',
+    'generatedCode',
+    'source'
+  );
+  const dynamoText = await readTextIfExists(
+    path.join(resourceSourceDir, 'generated-dynamoDB-table.yml')
+  );
+
+  return {
+    tableNames: Array.from(
+      collectMatches(
+        dynamoText,
+        /TableName:\s+\$\{self:custom\.iz_resourcePrefix\}([A-Za-z0-9]+)/g
+      )
+    ).sort()
+  };
+}
+
+async function collectRoleScopedResourceNames(outputPath, allowedRoles) {
   const appSourceDir = path.join(
     outputPath,
     'app',
@@ -190,142 +305,111 @@ async function collectRoleScopedResourceNames(outputPath) {
   const appTexts = texts.slice(0, APP_SOURCE_FILES.length);
   const snsInSqsText = texts[APP_SOURCE_FILES.length];
   const snsOutText = texts[APP_SOURCE_FILES.length + 1];
+  const allTopics = new Set([
+    ...collectMatches(
+      snsInSqsText,
+      /TopicName:\s+\$\{self:custom\.iz_serviceTag\}_\$\{self:custom\.iz_stage\}_([A-Za-z0-9_]+)/g
+    ),
+    ...collectMatches(
+      snsOutText,
+      /TopicName:\s+\$\{self:custom\.iz_serviceTag\}_\$\{self:custom\.iz_stage\}_([A-Za-z0-9_]+)/g
+    )
+  ]);
 
   const roleQueues = new Map();
 
+  for (const roleName of allowedRoles) {
+    roleQueues.set(roleName, new Set());
+  }
+
   for (const text of appTexts) {
     for (const block of splitTopLevelBlocks(text)) {
       const roleMatch = block.match(/role:\s+([A-Za-z0-9]+)/);
-      if (!roleMatch) continue;
-      const roleName = roleMatch[1];
-      const queueMatches = collectMatches(
+      if (!roleMatch || !allowedRoles.has(roleMatch[1])) continue;
+
+      const queueNames = collectMatches(
         block,
         /arn:aws:sqs:\$\{self:custom\.iz_region\}:\$\{self:custom\.iz_accountId\}:\$\{self:custom\.iz_resourcePrefix\}([A-Za-z0-9]+)/g
       );
-      if (!roleQueues.has(roleName)) roleQueues.set(roleName, new Set());
-      for (const queueName of queueMatches) {
-        roleQueues.get(roleName).add(queueName);
+
+      for (const queueName of queueNames) {
+        roleQueues.get(roleMatch[1]).add(queueName);
       }
     }
   }
 
-  const topicToQueuePairs = [
-    ...snsInSqsText.matchAll(
-      /TopicName:\s+\$\{self:custom\.iz_serviceTag\}_\$\{self:custom\.iz_stage\}_([A-Za-z0-9]+)[\s\S]*?Endpoint:\s+"arn:aws:sqs:\$\{self:custom\.iz_region\}:\$\{self:custom\.iz_accountId\}:\$\{self:custom\.iz_resourcePrefix\}([A-Za-z0-9]+)"/g
-    )
-  ].map(match => ({
-    topicName: match[1],
-    queueName: match[2]
-  }));
-
-  const outTopics = Array.from(
-    collectMatches(
-      snsOutText,
-      /TopicName:\s+\$\{self:custom\.iz_serviceTag\}_\$\{self:custom\.iz_stage\}_([A-Za-z0-9]+)/g
-    )
-  );
-
   const scoped = new Map();
 
-  for (const [roleName, queues] of roleQueues.entries()) {
-    const prefixes = rolePrefixes(roleName);
-    const topics = new Set();
-
-    for (const { topicName, queueName } of topicToQueuePairs) {
-      if (queues.has(queueName)) topics.add(topicName);
-    }
-
-    for (const topicName of outTopics) {
-      if (topicBelongsToRole(roleName, topicName)) {
-        topics.add(topicName);
-      }
-    }
+  for (const roleName of allowedRoles) {
+    const queueNames = Array.from(roleQueues.get(roleName) || []).sort();
+    const topicNames = Array.from(allTopics).filter(topicName => {
+      return topicBelongsToRole(roleName, topicName);
+    });
 
     scoped.set(roleName, {
-      queueNames: Array.from(queues).sort(),
-      topicNames: Array.from(topics).sort()
+      queueNames,
+      topicNames: topicNames.sort()
     });
   }
 
   return scoped;
 }
 
-function buildBaselineStatements(roleName, resources, scopedResources) {
-  const statements = [
-    {
-      action: 's3:GetObject',
-      resource:
-        'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}/perServiceSchemas/*'
-    },
-    {
-      action: 's3:GetObjectVersion',
-      resource:
-        'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}/perServiceSchemas/*'
-    },
-    {
-      action: 's3:GetObject',
-      resource:
-        'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}/serviceConfig/GraphServerTags.json'
-    },
-    {
-      action: 's3:GetObjectVersion',
-      resource:
-        'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}/serviceConfig/GraphServerTags.json'
-    },
-    {
-      action: 's3:ListBucket',
-      resource: 'arn:aws:s3:::${self:custom.iz_serviceSchemaBucketName}'
+function tableNamesForRole(roleName, tableNames) {
+  if (roleName === 'RegisterRole') return [];
+
+  if (roleName === 'WebSocketMainRole') {
+    const filtered = tableNames.filter(tableName => /websocket|upload/i.test(tableName));
+    // ponytail: fall back to all tables if websocket tables are not named consistently yet.
+    return filtered.length > 0 ? filtered : tableNames;
+  }
+
+  // ponytail: least privilege for ProcFindDataRole, exclude system internal tables
+  if (roleName === 'ProcFindDataRole') {
+    return tableNames.filter(tableName => !/Awaiting|WebSocket|Upload/i.test(tableName));
+  }
+
+  const isFlowRole = roleName.endsWith('Role');
+  if (isFlowRole) {
+    const flowTables = tableNames.filter(tableName => !/FindDataMain|LogicalResults|RegisterRecords|Upload/i.test(tableName));
+    if (roleName === 'FlowRbacRole') {
+      return [...new Set([...flowTables, 'TargetRoles', 'RolePermissions', 'RoleUsers', 'UserRoles'])];
     }
-  ];
+    return flowTables;
+  }
 
-  const roleScoped = scopedResources.get(roleName) || {
-    queueNames: [],
-    topicNames: []
-  };
+  return tableNames;
+}
+
+function dynamoActionsForRole(roleName) {
+  return DYNAMO_ACTIONS_BY_ROLE[roleName] || DEFAULT_DYNAMO_ACTIONS;
+}
 
-  for (const tableName of resources.tableNames) {
-    const arn =
-      'arn:aws:dynamodb:${self:custom.iz_region}:${self:custom.iz_accountId}:table/' +
-      '${self:custom.iz_resourcePrefix}' +
-      tableName;
-
-    for (const action of [
-      'dynamodb:DeleteItem',
-      'dynamodb:GetItem',
-      'dynamodb:PutItem',
-      'dynamodb:Query',
-      'dynamodb:UpdateItem'
-    ]) {
-      statements.push({ action, resource: arn });
+function buildRoleStatements(roleName, resources, scopedResources) {
+  const statements = [...COMMON_S3_STATEMENTS];
+  const scoped = scopedResources.get(roleName) || { queueNames: [], topicNames: [] };
+
+  for (const tableName of tableNamesForRole(roleName, resources.tableNames)) {
+    for (const action of dynamoActionsForRole(roleName)) {
+      statements.push({ action, resource: buildDynamoArn(tableName) });
     }
   }
 
-  for (const queueName of roleScoped.queueNames) {
-    const arn =
-      'arn:aws:sqs:${self:custom.iz_region}:${self:custom.iz_accountId}:' +
-      '${self:custom.iz_resourcePrefix}' +
-      queueName;
-
-    for (const action of [
-      'sqs:DeleteMessage',
-      'sqs:DeleteMessageBatch',
-      'sqs:GetQueueAttributes',
-      'sqs:GetQueueUrl',
-      'sqs:ReceiveMessage',
-      'sqs:SendMessage'
-    ]) {
-      statements.push({ action, resource: arn });
+  for (const queueName of scoped.queueNames) {
+    for (const action of SQS_CONSUMER_ACTIONS) {
+      statements.push({ action, resource: buildQueueArn(queueName) });
     }
   }
 
-  for (const topicName of roleScoped.topicNames) {
-    const arn =
-      'arn:aws:sns:${self:custom.iz_region}:${self:custom.iz_accountId}:' +
-      '${self:custom.iz_serviceTag}_${self:custom.iz_stage}_' +
-      topicName;
+  for (const topicName of scoped.topicNames) {
+    statements.push({ action: 'sns:Publish', resource: buildTopicArn(topicName) });
+  }
 
-    statements.push({ action: 'sns:Publish', resource: arn });
-    statements.push({ action: 'sns:Subscribe', resource: arn });
+  if (roleName === 'WebSocketMainRole') {
+    statements.push({
+      action: 'execute-api:ManageConnections',
+      resource: buildWebSocketArn()
+    });
   }
 
   return statements;
@@ -335,20 +419,16 @@ function groupStatementsByResources(statements) {
   const grouped = new Map();
 
   for (const statement of statements) {
-    const resources = [...(statement.resource || [])].sort();
+    const resources = Array.isArray(statement.resource)
+      ? [...statement.resource].sort()
+      : [statement.resource];
     const key = JSON.stringify(resources);
 
     if (!grouped.has(key)) {
-      grouped.set(key, {
-        action: new Set(),
-        resource: resources
-      });
+      grouped.set(key, { action: new Set(), resource: resources });
     }
 
-    const entry = grouped.get(key);
-    for (const action of statement.action || []) {
-      entry.action.add(action);
-    }
+    grouped.get(key).action.add(statement.action);
   }
 
   return [...grouped.values()].map(entry => ({
@@ -359,7 +439,7 @@ function groupStatementsByResources(statements) {
 
 export async function generateSharedResourceYaml(allSchemas, options) {
   console.log(
-    '  [SharedResourceYamlGenerator] Generating Shared Resource YAML (IAM Roles)...'
+    ' [SharedResourceYamlGenerator] Generating Shared Resource YAML (IAM Roles)...'
   );
 
   const slsYamlDir = path.join(
@@ -371,101 +451,54 @@ export async function generateSharedResourceYaml(allSchemas, options) {
   );
   await fs.mkdir(slsYamlDir, { recursive: true });
 
-  const roleNameConfigs = new Set();
-
-  roleNameConfigs.add('ProcFindDataRole');
-  roleNameConfigs.add('RegisterRole');
-
-  if (allSchemas.objects && allSchemas.objects.length > 0) {
-    roleNameConfigs.add('PerActionEndpointRole');
-  }
-
-  if (allSchemas.relationships && allSchemas.relationships.length > 0) {
-    roleNameConfigs.add('RelationshipRole');
-  }
-
-  const flows = getFlowsForGeneration(allSchemas);
-  if (
-    flows.length > 0 &&
-    flows.some(flow => flow.event && flow.event.includes('ownTopic'))
-  ) {
-    roleNameConfigs.add('WebSocketMainRole');
-  }
-
-  const standardRoles = [
-    'PerActionEndpointRole',
-    'RelationshipRole',
-    'WebSocketMainRole',
-    'ProcFindDataRole',
-    'RegisterRole'
-  ];
-
-  for (const flow of flows) {
-    if (!flow.flowTag) continue;
-    const upperFlowTag = upperCase(flow.flowTag);
-    if (QUEUE_OWNERSHIP_PREFIXES.RelationshipRole.includes(upperFlowTag)) {
-      continue;
-    }
-    if (!standardRoles.includes(`${upperFlowTag}Role`)) {
-      roleNameConfigs.add(`${upperFlowTag}Role`);
-    }
-  }
-
-  const allResources = await collectExplicitResourceNames(options.outputPath);
-  const scopedResources = await collectRoleScopedResourceNames(options.outputPath);
+  const allowedRoles = await readRoleNames(options.outputPath, allSchemas);
+  const resources = await collectExplicitResourceNames(options.outputPath);
+  const scopedResources = await collectRoleScopedResourceNames(
+    options.outputPath,
+    allowedRoles
+  );
 
-  for (const roleName of roleNameConfigs) {
+  for (const roleName of allowedRoles) {
     policyRegistry.addMany(
       roleName,
-      buildBaselineStatements(roleName, allResources, scopedResources)
+      buildRoleStatements(roleName, resources, scopedResources)
     );
-
-    if (roleName === 'WebSocketMainRole') {
-      policyRegistry.addMany(roleName, [
-        {
-          action: 'execute-api:ManageConnections',
-          resource:
-            'arn:aws:execute-api:${self:custom.iz_region}:${self:custom.iz_accountId}:${self:custom.iz_webSocketHostId}/*'
-        },
-        {
-          action: 'execute-api:Invoke',
-          resource:
-            'arn:aws:execute-api:${self:custom.iz_region}:${self:custom.iz_accountId}:${self:custom.iz_webSocketHostId}/*'
-        }
-      ]);
-    }
   }
 
   const groupedStatements = policyRegistry.toGroupedByRole();
-  const roles = Array.from(roleNameConfigs).map(roleName => ({
-    roleName,
-    statements: groupStatementsByResources(
-      groupedStatements[roleName]?.statements || []
-    )
-  }));
+  const unexpectedRoles = Object.keys(groupedStatements).filter(
+    roleName => !allowedRoles.has(roleName)
+  );
 
-  const templatePath = path.join(__dirname, 'templates', 'SharedResource_Yaml.ejs');
-  let templateString;
-  try {
-    templateString = await fs.readFile(templatePath, 'utf-8');
-  } catch (error) {
-    console.error('Error reading SharedResource YAML template:', error);
-    return;
+  if (unexpectedRoles.length > 0) {
+    console.warn(
+      ` [SharedResourceYamlGenerator] Ignoring roles not present in role-name-config.yml: ${unexpectedRoles.join(', ')}`
+    );
   }
 
+  const roles = Array.from(allowedRoles)
+    .sort()
+    .map(roleName => ({
+      roleName,
+      statements: groupStatementsByResources(groupedStatements[roleName]?.statements || [])
+    }));
+
+  const templatePath = path.join(__dirname, 'templates', 'SharedResource_Yaml.ejs');
+  const templateString = await fs.readFile(templatePath, 'utf-8');
   const fileContent = ejs.render(templateString, { roles });
   let normalizedContent = fileContent
     .split('\n')
     .filter(line => line.trim() !== '')
     .join('\n');
-    
-  normalizedContent = normalizedContent
-    .replace(/^  [A-Za-z0-9]+:/gm, '\n\n$&')
-    .replace(/^Resources:\n+  /, 'Resources:\n\n  ') + '\n';
+
+  normalizedContent =
+    normalizedContent
+      .replace(/^ [A-Za-z0-9]+:/gm, '\n\n$&')
+      .replace(/^Resources:\n+ /, 'Resources:\n\n ') + '\n';
 
   const outputPath = path.join(slsYamlDir, 'generate-shared-resource.yml');
   await fs.writeFile(outputPath, normalizedContent, 'utf-8');
   console.log(
-    `  [SharedResourceYamlGenerator] Wrote generate-shared-resource.yml to ${outputPath}`
+    ` [SharedResourceYamlGenerator] Wrote generate-shared-resource.yml to ${outputPath}`
   );
 }