feat: support importing DynamoDB tables exported from external stacks

fixes issue #442

Author: danrivett

lib/deploy/stepFunctions/compileIamRole.js

@@ -76,12 +76,37 @@ function getSnsPermissions(serverless, state) {
 }
 
 function getDynamoDBArn(tableName) {
-  if (isIntrinsic(tableName) && tableName.Ref) {
+  if (isIntrinsic(tableName)) {
     // most likely we'll see a { Ref: LogicalId }, which we need to map to
     // { Fn::GetAtt: [ LogicalId, Arn ] } to get the ARN
-    return {
-      'Fn::GetAtt': [tableName.Ref, 'Arn'],
-    };
+    if (tableName.Ref) {
+      return {
+        'Fn::GetAtt': [tableName.Ref, 'Arn'],
+      };
+    }
+    // but also support importing the table name from an external stack that exports it
+    // as we still want to support direct state machine actions interacting with those tables
+    if (tableName['Fn::ImportValue']) {
+      return {
+        'Fn::Join': [
+          ':',
+          [
+            'arn:aws:dynamodb',
+            { Ref: 'AWS::Region' },
+            { Ref: 'AWS::AccountId' },
+            {
+              'Fn::Join': [
+                '/',
+                [
+                  'table',
+                  tableName,
+                ],
+              ],
+            },
+          ],
+        ],
+      };
+    }
   }
 
   return {

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -576,6 +576,91 @@ describe('#compileIamRole', () => {
       .to.be.deep.equal([worldTableArn]);
   });
 
+  it('should give dynamodb permission for table name imported from external stack', () => {
+    const externalHelloTable = { 'Fn::ImportValue': 'HelloStack:Table:Name' };
+    const helloTableArn = {
+      'Fn::Join': [
+        ':', ['arn:aws:dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, { 'Fn::Join': ['/', ['table', externalHelloTable]] }],
+      ],
+    };
+
+    const externalWorldTable = { 'Fn::ImportValue': 'WorldStack:Table:Name' };
+    const worldTableArn = {
+      'Fn::Join': [
+        ':', ['arn:aws:dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, { 'Fn::Join': ['/', ['table', externalWorldTable]] }],
+      ],
+    };
+
+    const genStateMachine = (id, tableName) => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::dynamodb:updateItem',
+            Parameters: {
+              TableName: tableName,
+            },
+            Next: 'B',
+          },
+          B: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::dynamodb:putItem',
+            Parameters: {
+              TableName: tableName,
+            },
+            Next: 'C',
+          },
+          C: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::dynamodb:getItem',
+            Parameters: {
+              TableName: tableName,
+            },
+            Next: 'D',
+          },
+          D: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::dynamodb:deleteItem',
+            Parameters: {
+              TableName: tableName,
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1', externalHelloTable),
+        myStateMachine2: genStateMachine('StateMachine2', externalWorldTable),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const resources = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources;
+    const policy1 = resources.StateMachine1Role.Properties.Policies[0];
+    const policy2 = resources.StateMachine2Role.Properties.Policies[0];
+
+    [policy1, policy2].forEach((policy) => {
+      expect(policy.PolicyDocument.Statement[0].Action)
+        .to.be.deep.equal([
+          'dynamodb:UpdateItem',
+          'dynamodb:PutItem',
+          'dynamodb:GetItem',
+          'dynamodb:DeleteItem',
+        ]);
+    });
+
+    expect(policy1.PolicyDocument.Statement[0].Resource)
+      .to.be.deep.equal([helloTableArn]);
+    expect(policy2.PolicyDocument.Statement[0].Resource)
+      .to.be.deep.equal([worldTableArn]);
+  });
+
   it('should give dynamodb permission to * whenever TableName.$ is seen', () => {
     const helloTable = 'hello';