Merge pull request #255 from agiledigital/master

Fix permissions generation for Lambda ARNs with aliases

Author: theburningmonk

lib/deploy/stepFunctions/compileIamRole.js

@@ -3,7 +3,8 @@
 const _ = require('lodash');
 const BbPromise = require('bluebird');
 const path = require('path');
-const { isIntrinsic, translateLocalFunctionNames } = require('../../utils/aws');
+const { isIntrinsic, translateLocalFunctionNames, trimAliasFromLambdaArn } = require('../../utils/aws');
+
 
 function getTaskStates(states) {
   return _.flatMap(states, (state) => {
@@ -328,7 +329,8 @@ function getIamPermissions(taskStates) {
 
       default:
         if (isIntrinsic(state.Resource) || state.Resource.startsWith('arn:aws:lambda')) {
-          const functionArn = translateLocalFunctionNames.bind(this)(state.Resource);
+          const trimmedArn = trimAliasFromLambdaArn(state.Resource);
+          const functionArn = translateLocalFunctionNames.bind(this)(trimmedArn);
           return [{
             action: 'lambda:InvokeFunction',
             resource: [

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -1383,6 +1383,69 @@ describe('#compileIamRole', () => {
     expect(lambdaPermissions[0].Resource).to.deep.include.members(lambdaArns);
   });
 
+  it('should support lambda ARNs as task resource with and without aliases', () => {
+    const getStateMachine = name => ({
+      name,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:lambda:region:accountId:function:with-alias:some-alias',
+            Next: 'B',
+          },
+          B: {
+            Type: 'Task',
+            Resource: 'arn:aws:lambda:region:accountId:function:no-alias',
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.functions = {
+      'with-alias': {
+        handler: 'with-alias.handler',
+      },
+      'no-alias': {
+        handler: 'with-alias.handler',
+      },
+    };
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: getStateMachine('sm1'),
+        myStateMachine2: getStateMachine('sm2'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
+      .Properties.Policies[0].PolicyDocument.Statement;
+
+    const lambdaPermissions = statements.filter(s => _.isEqual(s.Action, ['lambda:InvokeFunction']));
+    expect(lambdaPermissions).to.have.lengthOf(1);
+
+    const expectedResources = [
+      'arn:aws:lambda:region:accountId:function:with-alias',
+      {
+        'Fn::Sub': [
+          '${functionArn}:*',
+          { functionArn: 'arn:aws:lambda:region:accountId:function:with-alias' },
+        ],
+      },
+      'arn:aws:lambda:region:accountId:function:no-alias',
+      {
+        'Fn::Sub': [
+          '${functionArn}:*',
+          { functionArn: 'arn:aws:lambda:region:accountId:function:no-alias' },
+        ],
+      },
+    ];
+    expect(lambdaPermissions[0].Resource).to.deep.include.members(expectedResources);
+  });
+
   it('should give step functions permissions (too permissive, but mirrors console behaviour)', () => {
     const stateMachineArn = 'arn:aws:states:us-east-1:123456789:stateMachine:HelloStateMachine';
     const genStateMachine = name => ({

lib/utils/aws.js

@@ -75,8 +75,23 @@ function convertToFunctionVersion(value) {
   return value;
 }
 
+// If the resource is a lambda ARN string, trim off the alias
+function trimAliasFromLambdaArn(resource) {
+  if (typeof resource === 'string' && resource.startsWith('arn:aws:lambda')) {
+    const components = resource.split(':');
+    // Lambda ARNs with an alias have 8 components
+    // E.g. arn:aws:lambda:region:accountId:function:name:alias
+    const numberOfComponentsWhenAliasExists = 8;
+    const hasAlias = components.length === numberOfComponentsWhenAliasExists;
+    // Slice off the last component and join it back into an ARN string
+    return hasAlias ? components.slice(0, numberOfComponentsWhenAliasExists - 1).join(':') : resource;
+  }
+  return resource;
+}
+
 module.exports = {
   isIntrinsic,
   translateLocalFunctionNames,
   convertToFunctionVersion,
+  trimAliasFromLambdaArn,
 };