test iam policy

juancarle · juancarle · commit 4b1662394ef8 · 2024-03-19T11:04:52.000-03:00
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -594,16 +594,16 @@ function getS3ObjectPermissions(action, state) {
         action: 's3:Get*',
         resource: [
           `arn:aws:s3:::${bucket}`,
-          `arn:aws:s3:::${bucket}/*`
-        ]
+          `arn:aws:s3:::${bucket}/*`,
+        ],
       },
       {
         action: 's3:List*',
         resource: [
           `arn:aws:s3:::${bucket}`,
-          `arn:aws:s3:::${bucket}/*`
-        ]
-      }
+          `arn:aws:s3:::${bucket}/*`,
+        ],
+      },
     ];
   }
 
diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -3804,4 +3804,57 @@ describe('#compileIamRole', () => {
       .PermissionsBoundary;
     expect(boundary).to.equal('arn:aws:iam::myAccount:policy/permission_boundary');
   });
+
+
+  it('should handle permissions listObjectsV2', () => {
+    const myBucket = 'myBucket';
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: {
+          id: 'StateMachine1',
+          definition: {
+            StartAt: 'A',
+            States: {
+              A: {
+                Type: 'Map',
+                ItemProcessor: {
+                  ProcessorConfig: {
+                    Mode: 'DISTRIBUTED',
+                  },
+                },
+                StartAt: 'B',
+                States: {
+                  B: {
+                    Type: 'Task',
+                    Resource: 'arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:hello',
+                    End: true,
+                  },
+                },
+                ItemReader: {
+                  Resource: 'arn:aws:states:::s3:listObjectsV2',
+                  Parameters: {
+                    Bucket: myBucket,
+                    Prefix: 'hello',
+                  },
+                },
+                End: true,
+              },
+            },
+          },
+        },
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service.provider
+      .compiledCloudFormationTemplate.Resources.StateMachine1Role.Properties.Policies[0]
+      .PolicyDocument.Statement;
+
+    expect(statements).to.have.lengthOf(4);
+    expect(statements[3].Effect).to.equal('Allow');
+    expect(statements[3].Action[0]).to.equal('s3:Get*');
+    expect(statements[3].Action[1]).to.equal('s3:List*');
+    expect(statements[3].Resource[0]).to.equal(`arn:aws:s3:::${myBucket}`);
+    expect(statements[3].Resource[1]).to.equal(`arn:aws:s3:::${myBucket}/*`);
+  });
 });
