Merge pull request serverless-operations#537 from bahrmichael/patch-2

lopburny · web-flow · commit 7982482175b2 · 2023-03-08T09:58:17.000+09:00
feat: generate permission for dynamodb:Query and for GSIs
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -194,16 +194,31 @@ function getEcsPermissions() {
 }
 
 function getDynamoDBPermissions(action, state) {
-  const tableArn = state.Parameters['TableName.$']
-    ? '*'
-    : getDynamoDBArn(state.Parameters.TableName);
+  let resource;
+
+  if (state.Parameters['TableName.$']) {
+    // When the TableName is only known at runtime, we
+    // have to provide * permissions during deployment.
+    resource = '*';
+  } else if (state.Parameters['IndexName.$'] || state.Parameters.IndexName) {
+    // When the Parameters contain an IndexName, we have to build a
+    // longer arn that includes the index.
+    const indexName = state.Parameters['IndexName.$']
+      // We must provide * here instead of state.Parameters['IndexName.$'], because we don't know
+      // which index will be targeted when we the step function runs
+      ? '*'
+      : state.Parameters.IndexName;
+
+    resource = getDynamoDBArn(`${state.Parameters.TableName}/index/${indexName}`);
+  } else {
+    resource = getDynamoDBArn(state.Parameters.TableName);
+  }
 
   return [{
     action,
-    resource: tableArn,
+    resource,
   }];
 }
-
 function getRedshiftDataPermissions(action, state) {
   if (['redshift-data:ExecuteStatement', 'redshift-data:BatchExecuteStatement'].includes(action)) {
     const clusterName = _.has(state, 'Parameters.ClusterIdentifier') ? state.Parameters.ClusterIdentifier : '*';
@@ -497,6 +512,8 @@ function getIamPermissions(taskStates) {
         return getDynamoDBPermissions('dynamodb:DeleteItem', state);
       case 'arn:aws:states:::aws-sdk:dynamodb:updateTable':
         return getDynamoDBPermissions('dynamodb:UpdateTable', state);
+      case 'arn:aws:states:::aws-sdk:dynamodb:query':
+        return getDynamoDBPermissions('dynamodb:Query', state);
 
       case 'arn:aws:states:::aws-sdk:redshiftdata:executeStatement':
         return getRedshiftDataPermissions('redshift-data:ExecuteStatement', state);
diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -731,6 +731,58 @@ describe('#compileIamRole', () => {
       .to.be.deep.equal([worldTableArn]);
   });
 
+  it('should give dynamodb permission to index table whenever IndexName is provided', () => {
+    const helloTable = 'hello';
+
+    const genStateMachine = (id, tableName) => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:dynamodb:query',
+            Parameters: {
+              TableName: tableName,
+            },
+            Next: 'B',
+          },
+          B: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:dynamodb:query',
+            Parameters: {
+              TableName: tableName,
+              IndexName: 'GSI1',
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1', helloTable),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const policy = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+      .Properties.Policies[0];
+
+    expect(policy.PolicyDocument.Statement[0].Action)
+      .to.be.deep.equal(['dynamodb:Query']);
+
+    expect(policy.PolicyDocument.Statement[0].Resource[0]).to.be.deep.equal({
+      'Fn::Join': [':', ['arn', { Ref: 'AWS::Partition' }, 'dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, 'table/hello']],
+    });
+
+    expect(policy.PolicyDocument.Statement[0].Resource[1]).to.be.deep.equal({
+      'Fn::Join': [':', ['arn', { Ref: 'AWS::Partition' }, 'dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, 'table/hello/index/GSI1']],
+    });
+  });
+
   it('should give dynamodb permission to * whenever TableName.$ is seen', () => {
     const helloTable = 'hello';
 
@@ -778,6 +830,84 @@ describe('#compileIamRole', () => {
     expect(policy.PolicyDocument.Statement[0].Resource).to.equal('*');
   });
 
+  it('should give dynamodb permission to table/TableName/index/* when IndexName.$ is seen', () => {
+    const helloTable = 'hello';
+
+    const genStateMachine = (id, tableName) => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:dynamodb:query',
+            Parameters: {
+              TableName: tableName,
+              'IndexName.$': '$.myDynamicIndexName',
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1', helloTable),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const policy = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+      .Properties.Policies[0];
+    expect(policy.PolicyDocument.Statement[0].Action)
+      .to.be.deep.equal(['dynamodb:Query']);
+
+    // even though some tasks target specific indices, because IndexName.$ is used we
+    // have to give broad permissions to allow execution to talk to whatever index
+    // the input specifies
+    expect(policy.PolicyDocument.Statement[0].Resource[0]['Fn::Join'][1][5]).to.equal('table/hello/index/*');
+  });
+
+  it('should give dynamodb permission to table/* whenever TableName.$ and IndexName.$ are seen', () => {
+    const genStateMachine = id => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:dynamodb:query',
+            Parameters: {
+              'TableName.$': '$.myDynamicTableName',
+              'IndexName.$': '$.myDynamicIndexName',
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const policy = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+      .Properties.Policies[0];
+    expect(policy.PolicyDocument.Statement[0].Action)
+      .to.be.deep.equal(['dynamodb:Query']);
+
+    // even though some tasks target specific tables, because TableName.$ is used we
+    // have to give broad permissions to allow execution to talk to whatever table
+    // the input specifies
+    expect(policy.PolicyDocument.Statement[0].Resource[0]).to.equal('*');
+  });
+
   it('should give Redshift Data permissions to * for safe actions', () => {
     serverless.service.stepFunctions = {
       stateMachines: {
