From b7f9158e4a1ccdfdc0dbfb9d1e9b6932826c765a Mon Sep 17 00:00:00 2001 From: Devin Boyer Date: Mon, 12 Oct 2020 15:19:29 -0400 Subject: [PATCH 1/8] Add a version to the Role PolicyDocument --- lib/shortcuts/role.js | 1 + package-lock.json | 129 ++++++++++++++++++ package.json | 3 +- .../cross-account-role-no-defaults.json | 1 + test/fixtures/shortcuts/role-no-defaults.json | 1 + .../shortcuts/service-role-no-defaults.json | 1 + 6 files changed, 135 insertions(+), 1 deletion(-) diff --git a/lib/shortcuts/role.js b/lib/shortcuts/role.js index 76d4eeb..e5c6d69 100644 --- a/lib/shortcuts/role.js +++ b/lib/shortcuts/role.js @@ -88,6 +88,7 @@ class Role { { PolicyName: 'main', PolicyDocument: { + Version: '2012-10-17', Statement } } diff --git a/package-lock.json b/package-lock.json index 523af3b..26262f7 100644 --- a/package-lock.json +++ b/package-lock.json @@ -5774,6 +5774,12 @@ "integrity": "sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=", "dev": true }, + "is-finite": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/is-finite/-/is-finite-1.1.0.tgz", + "integrity": "sha512-cdyMtqX/BOqqNBBiKlIVkytNHm49MtMlYyn1zxzvJKWmFMlGzm+ry5BBfYyeY9YmNKbRSo/o7OX9w9ale0wg3w==", + "dev": true + }, "is-fullwidth-code-point": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz", @@ -7560,6 +7566,12 @@ "unist-util-visit-children": "^1.0.0" } }, + "parse-ms": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/parse-ms/-/parse-ms-1.0.1.tgz", + "integrity": "sha1-VjRtR0nXjyNDDKDHE4UK75GqNh0=", + "dev": true + }, "parse-path": { "version": "4.0.1", "resolved": "https://registry.npmjs.org/parse-path/-/parse-path-4.0.1.tgz", 
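Review bot: The `Version: '2012-10-17'` line added to `PolicyDocument` in lib/shortcuts/role.js covers only the inline permissions policy; the role's `AssumeRolePolicyDocument` appears to stay unversioned, since the regenerated Lambda fixtures in patch 2/8 still show it with only a `Statement` key. A policy without a `Version` element is evaluated under the older 2008-10-17 policy language, where policy variables such as `${aws:username}` are treated as literal strings, so a trust-policy condition written with variables would not restrict what its author intended. Consider adding the same `Version: '2012-10-17',` line to the trust policy, with a short comment such as `// IAM falls back to 2008-10-17 when Version is omitted; policy variables need 2012-10-17`. The Role constructor starts and ends outside this hunk, so the trust-policy construction itself is not visible here.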
@@ -7746,6 +7758,12 @@ } } }, + "plur": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/plur/-/plur-1.0.0.tgz", + "integrity": "sha1-24XGgU9eXlo7Se/CjWBP7GKXUVY=", + "dev": true + }, "pluralize": { "version": "7.0.0", "resolved": "https://registry.npmjs.org/pluralize/-/pluralize-7.0.0.tgz", @@ -7770,6 +7788,17 @@ "integrity": "sha1-1PRWKwzjaW5BrFLQ4ALlemNdxtw=", "dev": true }, + "pretty-ms": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/pretty-ms/-/pretty-ms-2.1.0.tgz", + "integrity": "sha1-QlfCVt8/sLRR1q/6qwIYhBJpgdw=", + "dev": true, + "requires": { + "is-finite": "^1.0.1", + "parse-ms": "^1.0.0", + "plur": "^1.0.0" + } + }, "private": { "version": "0.1.8", "resolved": "https://registry.npmjs.org/private/-/private-0.1.8.tgz", @@ -7911,6 +7940,12 @@ "strip-json-comments": "~2.0.1" } }, + "re-emitter": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/re-emitter/-/re-emitter-1.1.3.tgz", + "integrity": "sha1-+p4xn/3u6zWycpbvDz03TawvUqc=", + "dev": true + }, "read-pkg": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-3.0.0.tgz", 
@@ -9204,6 +9239,100 @@ } } }, + "tap-out": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/tap-out/-/tap-out-2.1.0.tgz", + "integrity": "sha512-LJE+TBoVbOWhwdz4+FQk40nmbIuxJLqaGvj3WauQw3NYYU5TdjoV3C0x/yq37YAvVyi+oeBXmWnxWSjJ7IEyUw==", + "dev": true, + "requires": { + "re-emitter": "1.1.3", + "readable-stream": "2.2.9", + "split": "1.0.0", + "trim": "0.0.1" + }, + "dependencies": { + "process-nextick-args": { + "version": "1.0.7", + "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-1.0.7.tgz", + "integrity": "sha1-FQ4gt1ZZCtP5EJPyWk8q2L/zC6M=", + "dev": true + }, + "readable-stream": { + "version": "2.2.9", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.2.9.tgz", + "integrity": "sha1-z3jsb0ptHrQ9JkiMrJfwQudLf8g=", + "dev": true, + "requires": { + "buffer-shims": "~1.0.0", + "core-util-is": "~1.0.0", + "inherits": "~2.0.1", + "isarray": "~1.0.0", + "process-nextick-args": "~1.0.6", + "string_decoder": "~1.0.0", + "util-deprecate": "~1.0.1" + } + }, + "split": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/split/-/split-1.0.0.tgz", + "integrity": "sha1-xDlc5oOrzSVLwo/h2rtuXCfc/64=", + "dev": true, + "requires": { + "through": "2" + } + }, + "string_decoder": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.0.3.tgz", + "integrity": "sha512-4AH6Z5fzNNBcH+6XDMfA/BTt87skxqJlO0lAh3Dker5zThcAxG6mKz+iGu308UKoPPQ8Dcqx/4JhujzltRa+hQ==", + "dev": true, + "requires": { + "safe-buffer": "~5.1.0" + } + } + } + }, + "tap-spec": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/tap-spec/-/tap-spec-5.0.0.tgz", + "integrity": "sha512-zMDVJiE5I6Y4XGjlueGXJIX2YIkbDN44broZlnypT38Hj/czfOXrszHNNJBF/DXR8n+x6gbfSx68x04kIEHdrw==", + "dev": true, + "requires": { + "chalk": "^1.0.0", + "duplexer": "^0.1.1", + "figures": "^1.4.0", + "lodash": "^4.17.10", + "pretty-ms": "^2.1.0", + "repeat-string": "^1.5.2", + "tap-out": 
"^2.1.0", + "through2": "^2.0.0" + }, + "dependencies": { + "chalk": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz", + "integrity": "sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=", + "dev": true, + "requires": { + "ansi-styles": "^2.2.1", + "escape-string-regexp": "^1.0.2", + "has-ansi": "^2.0.0", + "strip-ansi": "^3.0.0", + "supports-color": "^2.0.0" + } + }, + "figures": { + "version": "1.7.0", + "resolved": "https://registry.npmjs.org/figures/-/figures-1.7.0.tgz", + "integrity": "sha1-y+Hjr/zxzUS4DK3+0o3Hk6lwHS4=", + "dev": true, + "requires": { + "escape-string-regexp": "^1.0.5", + "object-assign": "^4.1.0" + } + } + } + }, "tape": { "version": "4.9.1", "resolved": "https://registry.npmjs.org/tape/-/tape-4.9.1.tgz", diff --git a/package.json b/package.json index a6cdbb2..2f8b90a 100644 --- a/package.json +++ b/package.json @@ -8,7 +8,7 @@ }, "scripts": { "pretest": "eslint index.js test lib bin cloudformation && npm run shortcuts-api-doc", - "test": "nyc tape test/*.test.js", + "test": "nyc tape test/*.test.js | tap-spec", "coverage": "nyc --reporter html tape test/*.test.js && opener coverage/index.html", "build-ci-template": "bin/build-template.js cloudformation/ci.template.js > cloudformation/ci.template.json", "copyeditor-shortcuts": "copyeditor -q lib/shortcuts/api.md", @@ -41,6 +41,7 @@ "nyc": "^14.1.0", "opener": "^1.4.1", "p-queue": "^6.3.0", + "tap-spec": "^5.0.0", "tape": "^4.6.0" }, "dependencies": { diff --git a/test/fixtures/shortcuts/cross-account-role-no-defaults.json b/test/fixtures/shortcuts/cross-account-role-no-defaults.json index 168938c..5f2b438 100644 --- a/test/fixtures/shortcuts/cross-account-role-no-defaults.json +++ b/test/fixtures/shortcuts/cross-account-role-no-defaults.json @@ -47,6 +47,7 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", 
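Review bot: In the package.json scripts hunk, `"test": "nyc tape test/*.test.js | tap-spec"` makes the script's exit status that of `tap-spec`, because npm runs scripts through `sh` and a pipeline reports only its last command. Failing assertions still reach tap-spec through the TAP stream, but a non-zero exit from `nyc` itself (a coverage threshold, if one is configured) or a crash that never emits a failing TAP line could be reported to CI as success. If the reporter is only for readability, keep the raw status authoritative, for example `"test": "bash -o pipefail -c 'nyc tape test/*.test.js | tap-spec'"`, or leave `test` unpiped and add a separate script for the formatted output.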
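Review bot: Adding `"tap-spec": "^5.0.0"` to devDependencies brings in a chain of old, exactly pinned transitive packages, as the package-lock.json hunks of this patch show: `tap-out` 2.1.0 requires `trim` 0.0.1, `readable-stream` 2.2.9, `split` 1.0.0 and `re-emitter` 1.1.3 with no version range, so a routine `npm update` cannot lift them. They are dev-only, but they execute on developer machines and in CI with whatever credentials the test job holds. Run `npm audit` against the resulting tree before merging and prefer a maintained TAP reporter if it reports findings that cannot be resolved through the pinned versions.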
diff --git a/test/fixtures/shortcuts/role-no-defaults.json b/test/fixtures/shortcuts/role-no-defaults.json index edda557..7b94b8f 100644 --- a/test/fixtures/shortcuts/role-no-defaults.json +++ b/test/fixtures/shortcuts/role-no-defaults.json @@ -47,6 +47,7 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", diff --git a/test/fixtures/shortcuts/service-role-no-defaults.json b/test/fixtures/shortcuts/service-role-no-defaults.json index 7e32068..728f760 100644 --- a/test/fixtures/shortcuts/service-role-no-defaults.json +++ b/test/fixtures/shortcuts/service-role-no-defaults.json @@ -43,6 +43,7 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", From 75c58c31e20ac1b9a07a4db6abec66dc3c2aa5ee Mon Sep 17 00:00:00 2001 
From: Devin Boyer
Date: Mon, 12 Oct 2020 15:55:06 -0400
Subject: [PATCH 2/8] Update Lambda shortcut to use ServiceRole
---
lib/shortcuts/lambda.js | 54 +++----
.../shortcuts/event-lambda-defaults.json | 73 ++++-----
.../fixtures/shortcuts/event-lambda-full.json | 73 ++++-----
.../glue-parquet-table-defaults.json | 4 +-
.../glue-parquet-table-no-defaults.json | 2 +-
.../shortcuts/hookshot-github-secret-ref.json | 138 +++++++++---------
.../hookshot-github-secret-string.json | 138 +++++++++---------
test/fixtures/shortcuts/hookshot-github.json | 138 +++++++++---------
...ookshot-passthrough-access-log-format.json | 138 +++++++++---------
.../hookshot-passthrough-alarms.json | 138 +++++++++---------
...hookshot-passthrough-enhanced-logging.json | 138 +++++++++---------
...okshot-passthrough-full-blown-logging.json | 138 +++++++++---------
.../hookshot-passthrough-logging.json | 138 +++++++++---------
.../shortcuts/hookshot-passthrough.json | 138 +++++++++---------
test/fixtures/shortcuts/lambda-defaults.json | 73 ++++-----
test/fixtures/shortcuts/lambda-full.json | 84 +++++------
test/fixtures/shortcuts/lambda-zipfile.json | 73 ++++-----
.../log-subscription-lambda-defaults.json | 73 ++++-----
.../log-subscription-lambda-no-defaults.json | 73 ++++-----
.../fixtures/shortcuts/queue-lambda-zero.json | 111 +++++++-------
test/fixtures/shortcuts/queue-lambda.json | 111 +++++++-------
.../shortcuts/scheduled-lambda-defaults.json | 73 ++++-----
.../shortcuts/scheduled-lambda-full.json | 73 ++++-----
.../shortcuts/stream-lambda-defaults.json | 121 +++++++--------
.../shortcuts/stream-lambda-no-defaults.json | 121 +++++++--------
25 files changed, 1255 insertions(+), 1179 deletions(-)
diff --git a/lib/shortcuts/lambda.js b/lib/shortcuts/lambda.js
index 9fccd16..80071a8 100644
--- a/lib/shortcuts/lambda.js
+++ b/lib/shortcuts/lambda.js
@@ -1,5 +1,8 @@ 'use strict'; +const merge = require('../merge'); +const ServiceRole = require('./service-role'); + /** * Baseline CloudFormation resources involved in a Lambda Function. Creates a * Log Group, a Role, an Alarm on function errors, and the Lambda Function itself. @@ -129,41 +132,6 @@ class Lambda { } }, - [`${LogicalName}Role`]: { - Type: 'AWS::IAM::Role', - Condition, - Properties: { - AssumeRolePolicyDocument: { - Statement: [ - { - Effect: 'Allow', - Action: 'sts:AssumeRole', - Principal: { - Service: 'lambda.amazonaws.com' - } - } - ] - }, - Policies: [ - { - PolicyName: 'main', - PolicyDocument: { - Statement: [ - { - Effect: 'Allow', - Action: 'logs:*', - Resource: { - 'Fn::GetAtt': [`${LogicalName}Logs`, 'Arn'] - } - }, - ...Statement - ] - } - } - ] - } - }, - [`${LogicalName}`]: { Type: 'AWS::Lambda::Function', Condition, @@ -216,6 +184,22 @@ class Lambda { } } }; + + const serviceRole = new ServiceRole({ + LogicalName: `${LogicalName}Role`, + Service: 'lambda', + Statement: [ + { + Effect: 'Allow', + Action: 'logs:*', + Resource: { + 'Fn::GetAtt': [`${LogicalName}Logs`, 'Arn'] + } + }, + ...Statement + ] + }); + this.Resources = merge(this, serviceRole).Resources; } } diff --git a/test/fixtures/shortcuts/event-lambda-defaults.json b/test/fixtures/shortcuts/event-lambda-defaults.json index d475773..0d1c9b3 100644 --- a/test/fixtures/shortcuts/event-lambda-defaults.json +++ b/test/fixtures/shortcuts/event-lambda-defaults.json 
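Review bot: The `new ServiceRole({ ... })` call added in the `@@ -216,6 +184,22 @@` hunk of lib/shortcuts/lambda.js does not pass `Condition`, whereas the inline `${LogicalName}Role` it replaces (removed in the `@@ -129,41 +132,6 @@` hunk) carried `Condition,` and the function resource still does. With a Condition set, the IAM role would now be created even when the function is not, and its statement uses `Fn::GetAtt` on `${LogicalName}Logs`; if the log group is conditional as well (not visible here), an unconditional resource would reference a conditional one. If ServiceRole accepts the option, pass it through by adding `Condition,` after `Service: 'lambda',`, and add a fixture that builds a Lambda with a Condition so the regression is caught. Separately, the carried-over `Action: 'logs:*'` could be narrowed to the write actions the function needs, `['logs:CreateLogStream', 'logs:PutLogEvents']`, now that the statement is being touched. The constructor begins outside these hunks, so how `Condition` is destructured is inferred from the removed lines.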
@@ -21,41 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { @@ -117,6 +82,44 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + ] + } + }, "MyLambdaTrigger": { "Type": "AWS::Events::Rule", "Properties": { diff --git a/test/fixtures/shortcuts/event-lambda-full.json b/test/fixtures/shortcuts/event-lambda-full.json index 56f865e..b711bc5 100644 --- a/test/fixtures/shortcuts/event-lambda-full.json +++ b/test/fixtures/shortcuts/event-lambda-full.json 
@@ -21,41 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { @@ -117,6 +82,44 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + ] + } + }, "MyLambdaTrigger": { "Type": "AWS::Events::Rule", "Properties": { diff --git a/test/fixtures/shortcuts/glue-parquet-table-defaults.json b/test/fixtures/shortcuts/glue-parquet-table-defaults.json index aca8764..3d21e9f 100644 --- a/test/fixtures/shortcuts/glue-parquet-table-defaults.json +++ b/test/fixtures/shortcuts/glue-parquet-table-defaults.json @@ -17,10 +17,10 @@ "Fn::Sub": "Created by the ${AWS::StackName} CloudFormation stack" }, "Name": "my_table", - "PartitionKeys": [], "Parameters": { "EXTERNAL": "true" }, + "PartitionKeys": [], "TableType": "EXTERNAL_TABLE", "StorageDescriptor": { "Columns": [ @@ -48,4 +48,4 @@ } }, "Outputs": {} -} +} \ No newline at end of file diff --git a/test/fixtures/shortcuts/glue-parquet-table-no-defaults.json b/test/fixtures/shortcuts/glue-parquet-table-no-defaults.json index b849664..96924f9 100644 
--- a/test/fixtures/shortcuts/glue-parquet-table-no-defaults.json +++ b/test/fixtures/shortcuts/glue-parquet-table-no-defaults.json @@ -68,4 +68,4 @@ } }, "Outputs": {} -} +} \ No newline at end of file diff --git a/test/fixtures/shortcuts/hookshot-github-secret-ref.json b/test/fixtures/shortcuts/hookshot-github-secret-ref.json index 9280307..4c22952 100644 --- a/test/fixtures/shortcuts/hookshot-github-secret-ref.json +++ b/test/fixtures/shortcuts/hookshot-github-secret-ref.json @@ -27,7 +27,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { @@ -46,7 +46,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -157,51 +157,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -271,23 +226,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { 
@@ -296,7 +235,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -305,13 +246,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } @@ -322,6 +274,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -381,6 +349,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/hookshot-github-secret-string.json b/test/fixtures/shortcuts/hookshot-github-secret-string.json index 721d5c2..c018ddc 100644 --- a/test/fixtures/shortcuts/hookshot-github-secret-string.json +++ b/test/fixtures/shortcuts/hookshot-github-secret-string.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { 
@@ -42,7 +42,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -153,51 +153,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -265,23 +220,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -290,7 +229,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -299,13 +240,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } 
@@ -316,6 +268,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -375,6 +343,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/hookshot-github.json b/test/fixtures/shortcuts/hookshot-github.json index cf6af37..94912f8 100644 --- a/test/fixtures/shortcuts/hookshot-github.json +++ b/test/fixtures/shortcuts/hookshot-github.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { 
@@ -159,51 +159,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -273,23 +228,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -298,7 +237,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -307,13 +248,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } 
@@ -324,6 +276,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -383,6 +351,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json b/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json index 6020f0c..694190e 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { @@ -51,7 +51,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { 
@@ -162,51 +162,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -269,23 +224,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -294,7 +233,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -303,13 +244,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } 
@@ -320,6 +272,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -379,6 +347,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/hookshot-passthrough-alarms.json b/test/fixtures/shortcuts/hookshot-passthrough-alarms.json index f4fe5d8..e31b523 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-alarms.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-alarms.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { 
@@ -144,51 +144,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -253,23 +208,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -278,7 +217,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -287,13 +228,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } 
@@ -304,6 +256,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -363,6 +331,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json index dd30ee7..b197708 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { 
@@ -144,51 +144,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -251,23 +206,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -276,7 +215,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -285,13 +226,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } 
@@ -302,6 +254,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -361,6 +329,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json index 3597852..69c99dc 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { 
@@ -144,51 +144,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -251,23 +206,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -276,7 +215,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -285,13 +226,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } 
@@ -302,6 +254,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -361,6 +329,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/hookshot-passthrough-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-logging.json index cb1b7fa..ded5fad 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { 
@@ -144,51 +144,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -251,23 +206,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -276,7 +215,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -285,13 +226,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } 
@@ -302,6 +254,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -361,6 +329,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/hookshot-passthrough.json b/test/fixtures/shortcuts/hookshot-passthrough.json index 247d08f..11d15a5 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough.json +++ b/test/fixtures/shortcuts/hookshot-passthrough.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment244f3c80" + "Ref": "PassDeployment6ac3f7b3" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment244f3c80": { + "PassDeployment6ac3f7b3": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { 
@@ -144,51 +144,6 @@ "RetentionInDays": 14 } }, - "PassFunctionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": { - "Fn::GetAtt": [ - "Destination", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "PassFunction": { "Type": "AWS::Lambda::Function", "Properties": { @@ -251,23 +206,7 @@ "MetricName": "Errors" } }, - "DestinationLogs": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": { - "Fn::Sub": [ - "/aws/lambda/${name}", - { - "name": { - "Fn::Sub": "${AWS::StackName}-Destination" - } - } - ] - }, - "RetentionInDays": 14 - } - }, - "DestinationRole": { + "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -276,7 +215,9 @@ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { - "Service": "lambda.amazonaws.com" + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } } } ] @@ -285,13 +226,24 @@ { "PolicyName": "main", "PolicyDocument": { + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:*", "Resource": { "Fn::GetAtt": [ - "DestinationLogs", + "PassFunctionLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": { + "Fn::GetAtt": [ + "Destination", "Arn" ] } 
@@ -302,6 +254,22 @@ ] } }, + "DestinationLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-Destination" + } + } + ] + }, + "RetentionInDays": 14 + } + }, "Destination": { "Type": "AWS::Lambda::Function", "Properties": { @@ -361,6 +329,44 @@ ], "MetricName": "Errors" } + }, + "DestinationRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": { diff --git a/test/fixtures/shortcuts/lambda-defaults.json b/test/fixtures/shortcuts/lambda-defaults.json index 7d4b8cc..f3ae5bb 100644 --- a/test/fixtures/shortcuts/lambda-defaults.json +++ b/test/fixtures/shortcuts/lambda-defaults.json @@ -21,41 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { 
@@ -116,6 +81,44 @@ ], "MetricName": "Errors" } + }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": {} diff --git a/test/fixtures/shortcuts/lambda-full.json b/test/fixtures/shortcuts/lambda-full.json index a61067d..27edff4 100644 --- a/test/fixtures/shortcuts/lambda-full.json +++ b/test/fixtures/shortcuts/lambda-full.json @@ -30,47 +30,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Condition": "Always", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::fake/data" - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Condition": "Always", 
@@ -155,6 +114,49 @@ ], "MetricName": "Errors" } + }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::fake/data" + } + ] + } + } + ] + } } }, "Outputs": {} diff --git a/test/fixtures/shortcuts/lambda-zipfile.json b/test/fixtures/shortcuts/lambda-zipfile.json index dc82ad8..54401bb 100644 --- a/test/fixtures/shortcuts/lambda-zipfile.json +++ b/test/fixtures/shortcuts/lambda-zipfile.json @@ -21,41 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { 
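Review bot: The `MyLambdaRole` re-added by the `@@ -155,6 +114,49 @@` hunk of lambda-full.json no longer has the `"Condition": "Always"` line that the removed copy carried in the preceding `@@ -30,47 +30,6 @@` hunk, while `MyLambda` keeps its condition. As written, the expected template creates the IAM role even when the condition gating the function is false, leaving an assumable role with `logs:*` and `s3:GetObject` that has no consumer. The generator is not visible in this hunk, so this may be intended. If it is not, the Lambda shortcut should pass `Condition` through to the role it builds, and this fixture should keep `"Condition": "Always",` under `"Type": "AWS::IAM::Role"`.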
@@ -115,6 +80,44 @@ ], "MetricName": "Errors" } + }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + ] + } } }, "Outputs": {} diff --git a/test/fixtures/shortcuts/log-subscription-lambda-defaults.json b/test/fixtures/shortcuts/log-subscription-lambda-defaults.json index 3b51a30..a425fc2 100644 --- a/test/fixtures/shortcuts/log-subscription-lambda-defaults.json +++ b/test/fixtures/shortcuts/log-subscription-lambda-defaults.json @@ -21,41 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { 
@@ -117,6 +82,44 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + ] + } + }, "MyLambdaSubscriptionFilter": { "Type": "AWS::Logs::SubscriptionFilter", "Properties": { diff --git a/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json b/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json index f40817b..30107dd 100644 --- a/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json +++ b/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json @@ -21,41 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { 
@@ -117,6 +82,44 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + ] + } + }, "MyLambdaSubscriptionFilter": { "Type": "AWS::Logs::SubscriptionFilter", "Properties": { diff --git a/test/fixtures/shortcuts/queue-lambda-zero.json b/test/fixtures/shortcuts/queue-lambda-zero.json index 9ead255..b70f28a 100644 --- a/test/fixtures/shortcuts/queue-lambda-zero.json +++ b/test/fixtures/shortcuts/queue-lambda-zero.json @@ -21,60 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": [ - "sqs:DeleteMessage", - "sqs:ReceiveMessage", - "sqs:GetQueueAttributes" - ], - "Resource": [ - "arn:aws:sqs:us-east-1:123456789012:queue/fake", - { - "Fn::Sub": [ - "${arn}/*", - { - "arn": "arn:aws:sqs:us-east-1:123456789012:queue/fake" - } - ] - } - ] - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { 
@@ -137,6 +83,63 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": [ + "sqs:DeleteMessage", + "sqs:ReceiveMessage", + "sqs:GetQueueAttributes" + ], + "Resource": [ + "arn:aws:sqs:us-east-1:123456789012:queue/fake", + { + "Fn::Sub": [ + "${arn}/*", + { + "arn": "arn:aws:sqs:us-east-1:123456789012:queue/fake" + } + ] + } + ] + } + ] + } + } + ] + } + }, "MyLambdaEventSource": { "Type": "AWS::Lambda::EventSourceMapping", "Properties": { diff --git a/test/fixtures/shortcuts/queue-lambda.json b/test/fixtures/shortcuts/queue-lambda.json index 0d5670b..7a5588d 100644 --- a/test/fixtures/shortcuts/queue-lambda.json +++ b/test/fixtures/shortcuts/queue-lambda.json 
@@ -21,60 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": [ - "sqs:DeleteMessage", - "sqs:ReceiveMessage", - "sqs:GetQueueAttributes" - ], - "Resource": [ - "arn:aws:sqs:us-east-1:123456789012:queue/fake", - { - "Fn::Sub": [ - "${arn}/*", - { - "arn": "arn:aws:sqs:us-east-1:123456789012:queue/fake" - } - ] - } - ] - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { @@ -137,6 +83,63 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": [ + "sqs:DeleteMessage", + "sqs:ReceiveMessage", + "sqs:GetQueueAttributes" + ], + "Resource": [ + "arn:aws:sqs:us-east-1:123456789012:queue/fake", + { + "Fn::Sub": [ + "${arn}/*", + { + "arn": "arn:aws:sqs:us-east-1:123456789012:queue/fake" + } + ] + } + ] + } + ] + } + } + ] + } + }, "MyLambdaEventSource": { "Type": "AWS::Lambda::EventSourceMapping", "Properties": { diff --git a/test/fixtures/shortcuts/scheduled-lambda-defaults.json b/test/fixtures/shortcuts/scheduled-lambda-defaults.json index fc4dd99..0eebdba 100644 
--- a/test/fixtures/shortcuts/scheduled-lambda-defaults.json +++ b/test/fixtures/shortcuts/scheduled-lambda-defaults.json @@ -21,41 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { @@ -117,6 +82,44 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + ] + } + }, "MyLambdaSchedule": { "Type": "AWS::Events::Rule", "Properties": { diff --git a/test/fixtures/shortcuts/scheduled-lambda-full.json b/test/fixtures/shortcuts/scheduled-lambda-full.json index 0fb9380..a178398 100644 --- a/test/fixtures/shortcuts/scheduled-lambda-full.json +++ b/test/fixtures/shortcuts/scheduled-lambda-full.json 
@@ -21,41 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { @@ -117,6 +82,44 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + ] + } + }, "MyLambdaSchedule": { "Type": "AWS::Events::Rule", "Properties": { diff --git a/test/fixtures/shortcuts/stream-lambda-defaults.json b/test/fixtures/shortcuts/stream-lambda-defaults.json index eea61b0..c397af5 100644 --- a/test/fixtures/shortcuts/stream-lambda-defaults.json +++ b/test/fixtures/shortcuts/stream-lambda-defaults.json 
@@ -21,65 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": [ - "dynamodb:GetRecords", - "dynamodb:GetShardIterator", - "dynamodb:DescribeStream", - "dynamodb:ListStreams", - "kinesis:GetRecords", - "kinesis:GetShardIterator", - "kinesis:DescribeStream", - "kinesis:ListStreams" - ], - "Resource": [ - "arn:aws:sqs:us-east-1:123456789012:queue/fake", - { - "Fn::Sub": [ - "${arn}/*", - { - "arn": "arn:aws:sqs:us-east-1:123456789012:queue/fake" - } - ] - } - ] - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { 
@@ -141,6 +82,68 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": [ + "dynamodb:GetRecords", + "dynamodb:GetShardIterator", + "dynamodb:DescribeStream", + "dynamodb:ListStreams", + "kinesis:GetRecords", + "kinesis:GetShardIterator", + "kinesis:DescribeStream", + "kinesis:ListStreams" + ], + "Resource": [ + "arn:aws:sqs:us-east-1:123456789012:queue/fake", + { + "Fn::Sub": [ + "${arn}/*", + { + "arn": "arn:aws:sqs:us-east-1:123456789012:queue/fake" + } + ] + } + ] + } + ] + } + } + ] + } + }, "MyLambdaEventSource": { "Type": "AWS::Lambda::EventSourceMapping", "Properties": { diff --git a/test/fixtures/shortcuts/stream-lambda-no-defaults.json b/test/fixtures/shortcuts/stream-lambda-no-defaults.json index 8041d6e..3517fcc 100644 --- a/test/fixtures/shortcuts/stream-lambda-no-defaults.json +++ b/test/fixtures/shortcuts/stream-lambda-no-defaults.json 
@@ -21,65 +21,6 @@ "RetentionInDays": 14 } }, - "MyLambdaRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, - { - "Effect": "Allow", - "Action": [ - "dynamodb:GetRecords", - "dynamodb:GetShardIterator", - "dynamodb:DescribeStream", - "dynamodb:ListStreams", - "kinesis:GetRecords", - "kinesis:GetShardIterator", - "kinesis:DescribeStream", - "kinesis:ListStreams" - ], - "Resource": [ - "arn:aws:sqs:us-east-1:123456789012:queue/fake", - { - "Fn::Sub": [ - "${arn}/*", - { - "arn": "arn:aws:sqs:us-east-1:123456789012:queue/fake" - } - ] - } - ] - } - ] - } - } - ] - } - }, "MyLambda": { "Type": "AWS::Lambda::Function", "Properties": { 
@@ -141,6 +82,68 @@ "MetricName": "Errors" } }, + "MyLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": { + "Fn::Sub": "lambda.amazonaws.com" + } + } + } + ] + }, + "Policies": [ + { + "PolicyName": "main", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + }, + { + "Effect": "Allow", + "Action": [ + "dynamodb:GetRecords", + "dynamodb:GetShardIterator", + "dynamodb:DescribeStream", + "dynamodb:ListStreams", + "kinesis:GetRecords", + "kinesis:GetShardIterator", + "kinesis:DescribeStream", + "kinesis:ListStreams" + ], + "Resource": [ + "arn:aws:sqs:us-east-1:123456789012:queue/fake", + { + "Fn::Sub": [ + "${arn}/*", + { + "arn": "arn:aws:sqs:us-east-1:123456789012:queue/fake" + } + ] + } + ] + } + ] + } + } + ] + } + }, "MyLambdaEventSource": { "Type": "AWS::Lambda::EventSourceMapping", "Properties": { From 59d29f8d71404873bd3a36233c9b95ebb3b5bda5 Mon Sep 17 00:00:00 2001 From: Devin Boyer Date: Mon, 12 Oct 2020 16:22:43 -0400 Subject: [PATCH 3/8] enable passing a role to Lambdas instead of always creating one --- lib/shortcuts/api.md | 4 +- lib/shortcuts/lambda.js | 45 +++++---- .../shortcuts/lambda-provided-role.json | 91 +++++++++++++++++++ test/shortcuts.test.js | 42 +++++++++ 4 files changed, 162 insertions(+), 20 deletions(-) create mode 100644 test/fixtures/shortcuts/lambda-provided-role.json diff --git a/lib/shortcuts/api.md b/lib/shortcuts/api.md index 2396879..cb0a1ae 100644 --- a/lib/shortcuts/api.md +++ b/lib/shortcuts/api.md 
@@ -92,8 +92,8 @@ Log Group, a Role, an Alarm on function errors, and the Lambda Function itself. the name of the condition here. See [AWS documentation][78]. (optional, default `undefined`) - `options.DependsOn` **[String][60]** Specify a stack resource dependency to this Lambda function. See [AWS documentation][79]. (optional, default `undefined`) - - `options.Statement` **[Array][68]<[Object][59]>** an array of policy statements - defining the permissions that your Lambda function needs to execute. (optional, default `[]`) + - `options.Statement` **[Array][68]<[Object][59]>** Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. (optional, default `[]`) + - `options.RoleARN` **[String][60]** If specified, the Lambda function will use this role instead of creating a new role. (optional, default `undefined`) - `options.AlarmName` **[String][60]** See [AWS documentation][80]. (optional, default `'${stack name}-${logical name}-Errors-${region}'`) - `options.AlarmDescription` **[String][60]** See [AWS documentation][81]. (optional, default `'Error alarm for ${stack name}-${logical name} lambda function in ${stack name} stack'`) - `options.AlarmActions` **[Array][68]<[String][60]>** See [AWS documentation][82]. (optional, default `[]`) diff --git a/lib/shortcuts/lambda.js b/lib/shortcuts/lambda.js index 80071a8..b1dc30f 100644 --- a/lib/shortcuts/lambda.js +++ b/lib/shortcuts/lambda.js 
@@ -31,8 +31,8 @@ const ServiceRole = require('./service-role'); * the name of the condition here. See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html). * @param {String} [options.DependsOn=undefined] - Specify a stack resource dependency * to this Lambda function. See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html). - * @param {Array} [options.Statement=[]] an array of policy statements - * defining the permissions that your Lambda function needs to execute. + * @param {Array} [options.Statement=[]] Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. + * @param {String} [options.RoleARN=undefined] If specified, the Lambda function will use this role instead of creating a new role. * @param {String} [options.AlarmName='${stack name}-${logical name}-Errors-${region}'] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmname). * @param {String} [options.AlarmDescription='Error alarm for ${stack name}-${logical name} lambda function in ${stack name} stack'] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmdescription). * @param {Array} [options.AlarmActions=[]] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmactions). @@ -85,6 +85,7 @@ class Lambda { Condition = undefined, DependsOn = undefined, Statement = [], + RoleArn, AlarmName = { 'Fn::Sub': `\${AWS::StackName}-${LogicalName}-Errors-\${AWS::Region}` }, AlarmDescription = { 'Fn::Sub': [ 
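Review bot: The JSDoc added in the first hunk documents the option as `options.RoleARN`, but the destructuring added in the second hunk reads `RoleArn`, so a caller who follows the docs passes a key the constructor never reads. The constructor body continues outside these hunks; in what is visible nothing rejects unknown option names, so the likely result is that the function silently gets a generated role rather than the role the caller intended. I would align the docs with the code, `@param {String} [options.RoleArn=undefined] If specified, the Lambda function will use this role instead of creating a new role.`, and use the same spelling in the api.md entry.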
@@ -116,6 +117,10 @@ class Lambda { if (!supportedRuntimes.includes(Runtime)) throw new Error(`Runtime ${Runtime} is not one of the supported runtimes: ${supportedRuntimes}`); + if (Statement.length > 0 && RoleArn) { + throw new Error('You cannot specify both Statements and a RoleArn'); + } + this.LogicalName = LogicalName; this.FunctionName = FunctionName; this.Condition = Condition; @@ -147,7 +152,6 @@ class Lambda { Layers, MemorySize, ReservedConcurrentExecutions, - Role: { 'Fn::GetAtt': [`${LogicalName}Role`, 'Arn'] }, Runtime, Timeout, TracingConfig, @@ -185,21 +189,26 @@ class Lambda { } }; - const serviceRole = new ServiceRole({ - LogicalName: `${LogicalName}Role`, - Service: 'lambda', - Statement: [ - { - Effect: 'Allow', - Action: 'logs:*', - Resource: { - 'Fn::GetAtt': [`${LogicalName}Logs`, 'Arn'] - } - }, - ...Statement - ] - }); - this.Resources = merge(this, serviceRole).Resources; + if (RoleArn) { + this.Resources[`${LogicalName}`].Properties.Role = RoleArn; + } else { + const serviceRole = new ServiceRole({ + LogicalName: `${LogicalName}Role`, + Service: 'lambda', + Statement: [ + { + Effect: 'Allow', + Action: 'logs:*', + Resource: { + 'Fn::GetAtt': [`${LogicalName}Logs`, 'Arn'] + } + }, + ...Statement + ] + }); + this.Resources[`${LogicalName}`].Properties.Role = { 'Fn::GetAtt': [`${LogicalName}Role`, 'Arn'] }; + this.Resources = merge(this, serviceRole).Resources; + } } } diff --git a/test/fixtures/shortcuts/lambda-provided-role.json b/test/fixtures/shortcuts/lambda-provided-role.json new file mode 100644 index 0000000..51e6333 --- /dev/null +++ b/test/fixtures/shortcuts/lambda-provided-role.json 
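Review bot: The error raised by the new guard names an option that does not exist: the message says `Statements`, while the option the caller passed is `Statement`. Since this text is what a user sees when the two options are mixed up, it should use the exact option names, e.g. `throw new Error('You cannot specify both Statement and RoleArn');`. The regular expression in the new `assert.throws` test in test/shortcuts.test.js matches the current wording and has to change with it. The constructor starts and ends outside these hunks.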
@@ -0,0 +1,91 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Metadata": {}, + "Parameters": {}, + "Mappings": {}, + "Conditions": {}, + "Resources": { + "MyLambdaLogs": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Sub": [ + "/aws/lambda/${name}", + { + "name": { + "Fn::Sub": "${AWS::StackName}-MyLambda" + } + } + ] + }, + "RetentionInDays": 14 + } + }, + "MyLambda": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": "my-code-bucket", + "S3Key": "path/to/code.zip" + }, + "Description": { + "Fn::Sub": "MyLambda in the ${AWS::StackName} stack" + }, + "FunctionName": { + "Fn::Sub": "${AWS::StackName}-MyLambda" + }, + "Handler": "index.handler", + "MemorySize": 128, + "Role": { + "Fn::GetAtt": [ + "CustomLambdaRole", + "Arn" + ] + }, + "Runtime": "nodejs10.x", + "Timeout": 300 + } + }, + "MyLambdaErrorAlarm": { + "Type": "AWS::CloudWatch::Alarm", + "Properties": { + "AlarmName": { + "Fn::Sub": "${AWS::StackName}-MyLambda-Errors-${AWS::Region}" + }, + "AlarmDescription": { + "Fn::Sub": [ + "Error alarm for ${name} lambda function in ${AWS::StackName} stack", + { + "name": { + "Fn::Sub": "${AWS::StackName}-MyLambda" + } + } + ] + }, + "AlarmActions": [], + "Period": 60, + "EvaluationPeriods": 5, + "DatapointsToAlarm": 1, + "Statistic": "Sum", + "Threshold": 0, + "ComparisonOperator": "GreaterThanThreshold", + "TreatMissingData": "notBreaching", + "Namespace": "AWS/Lambda", + "Dimensions": [ + { + "Name": "FunctionName", + "Value": { + "Ref": "MyLambda" + } + } + ], + "MetricName": "Errors" + } + }, + "CustomLambdaRole": { + "Type": "AWS::IAM::Role", + "Properties": {} + } + }, + "Outputs": {} +} \ No newline at end of file diff --git a/test/shortcuts.test.js b/test/shortcuts.test.js index eb65c1b..338b483 100644 --- a/test/shortcuts.test.js +++ b/test/shortcuts.test.js 
@@ -55,6 +55,24 @@ test('[shortcuts] lambda', (assert) => { 'throws for unsupported runtime' ); + assert.throws( + () => new cf.shortcuts.Lambda({ + LogicalName: 'MyLambda', + Code: { + S3Bucket: 'my-code-bucket', + S3Key: 'path/to/code.zip' + }, + RoleArn: 'custom', + Statement: [{ + Effect: 'Allow', + Action: 's3:GetObject', + Resource: 'arn:aws:s3:::my-bucket/*' + }] + }), + /You cannot specify both Statements and a RoleArn/, + 'throws for RoleArn and Statements both provided' + ); + let lambda = new cf.shortcuts.Lambda({ LogicalName: 'MyLambda', Code: { @@ -86,6 +104,30 @@ test('[shortcuts] lambda', (assert) => { 'expected resources generated using all default values and inline code' ); + lambda = new cf.shortcuts.Lambda({ + LogicalName: 'MyLambda', + Code: { + S3Bucket: 'my-code-bucket', + S3Key: 'path/to/code.zip' + }, + RoleArn: cf.getAtt('CustomLambdaRole', 'Arn') + }); + + template = cf.merge(lambda, { + Resources: { + 'CustomLambdaRole': { + Type: 'AWS::IAM::Role', + Properties: {} + } + } + }); + if (update) fixtures.update('lambda-provided-role', template); + assert.deepEqual( + noUndefined(template), + fixtures.get('lambda-provided-role'), + 'expected resources generated if RoleArn provided' + ); + lambda = new cf.shortcuts.Lambda({ LogicalName: 'MyLambda', Code: { From c9e7057eb4c74ebbb30f7104607bf0c280395c50 Mon Sep 17 00:00:00 2001 From: Devin Boyer Date: Mon, 12 Oct 2020 16:35:04 -0400 Subject: [PATCH 4/8] update changelog --- changelog.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/changelog.md b/changelog.md index c4ad133..597c20d 100644 --- a/changelog.md +++ b/changelog.md @@ -1,3 +1,8 @@ +# unreleased + +- Sets the policy Version in all generated Roles to **2012-10-17** +- Adds a `RoleArn` setting to Lambda shortcuts. If set, the created Lambda function will use this Role and will not create a new one. + # v4.3.0 - Adds Tags option to Role shortcuts From 5837b93a71d29ffda71ad117a861ba1e331cb0ac Mon Sep 17 00:00:00 2001 
From: Devin Boyer Date: Wed, 21 Oct 2020 11:24:35 -0400 Subject: [PATCH 5/8] update docs based on review --- lib/shortcuts/api.md | 4 ++-- lib/shortcuts/lambda.js | 4 ++-- local.dic | 1 + 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/shortcuts/api.md b/lib/shortcuts/api.md index cb0a1ae..5c0b4a8 100644 --- a/lib/shortcuts/api.md +++ b/lib/shortcuts/api.md 
@@ -92,8 +92,8 @@ Log Group, a Role, an Alarm on function errors, and the Lambda Function itself. the name of the condition here. See [AWS documentation][78]. (optional, default `undefined`) - `options.DependsOn` **[String][60]** Specify a stack resource dependency to this Lambda function. See [AWS documentation][79]. (optional, default `undefined`) - - `options.Statement` **[Array][68]<[Object][59]>** Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. (optional, default `[]`) - - `options.RoleARN` **[String][60]** If specified, the Lambda function will use this role instead of creating a new role. (optional, default `undefined`) + - `options.Statement` **[Array][68]<[Object][59]>** Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. _Do not use this option when specifying your own role via RoleARN._ (optional, default `[]`) + - `options.RoleARN` **[String][60]** If specified, the Lambda function will use this role instead of creating a new role. _If this option is specified, do not use the Statement option; add the permissions you need to your Role directly._ (optional, default `undefined`) - `options.AlarmName` **[String][60]** See [AWS documentation][80]. (optional, default `'${stack name}-${logical name}-Errors-${region}'`) - `options.AlarmDescription` **[String][60]** See [AWS documentation][81]. (optional, default `'Error alarm for ${stack name}-${logical name} lambda function in ${stack name} stack'`) - `options.AlarmActions` **[Array][68]<[String][60]>** See [AWS documentation][82]. (optional, default `[]`) diff --git a/lib/shortcuts/lambda.js b/lib/shortcuts/lambda.js index b1dc30f..17e33db 100644 --- a/lib/shortcuts/lambda.js +++ b/lib/shortcuts/lambda.js 
@@ -31,8 +31,8 @@ const ServiceRole = require('./service-role'); * the name of the condition here. See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html). * @param {String} [options.DependsOn=undefined] - Specify a stack resource dependency * to this Lambda function. See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html). - * @param {Array} [options.Statement=[]] Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. - * @param {String} [options.RoleARN=undefined] If specified, the Lambda function will use this role instead of creating a new role. + * @param {Array} [options.Statement=[]] Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. _Do not use this option when specifying your own role via RoleARN._ + * @param {String} [options.RoleARN=undefined] If specified, the Lambda function will use this role instead of creating a new role. _If this option is specified, do not use the Statement option; add the permissions you need to your Role directly._ * @param {String} [options.AlarmName='${stack name}-${logical name}-Errors-${region}'] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmname). * @param {String} [options.AlarmDescription='Error alarm for ${stack name}-${logical name} lambda function in ${stack name} stack'] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmdescription). * @param {Array} [options.AlarmActions=[]] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmactions). 
diff --git a/local.dic b/local.dic
index fc41d1b..95d2afd 100644
--- a/local.dic
+++ b/local.dic
@@ -16,6 +16,7 @@ KinesisFirehoseBase
 LogGroup
 LogSubscriptionLambda
 QueueLambda
+RoleARN
 S3KinesisFirehose
 ScheduledLambda
 ServiceRole
From d0cbb714bdd33806a4ab012ffeed80759c97273e Mon Sep 17 00:00:00 2001
From: Devin Boyer Date: Wed, 21 Oct 2020 12:30:52 -0400 Subject: [PATCH 6/8] always add a LogPolicy to lambdas --- lib/shortcuts/lambda.js | 32 +++++-- lib/shortcuts/queue-lambda.js | 40 +++++--- lib/shortcuts/stream-lambda.js | 50 ++++++---- .../shortcuts/event-lambda-defaults.json | 52 +++++----- .../fixtures/shortcuts/event-lambda-full.json | 52 +++++----- .../shortcuts/hookshot-github-secret-ref.json | 96 +++++++++++-------- .../hookshot-github-secret-string.json | 96 +++++++++++-------- test/fixtures/shortcuts/hookshot-github.json | 96 +++++++++++-------- ...ookshot-passthrough-access-log-format.json | 96 +++++++++++-------- .../hookshot-passthrough-alarms.json | 96 +++++++++++-------- ...hookshot-passthrough-enhanced-logging.json | 96 +++++++++++-------- ...okshot-passthrough-full-blown-logging.json | 96 +++++++++++-------- .../hookshot-passthrough-logging.json | 96 +++++++++++-------- .../shortcuts/hookshot-passthrough.json | 96 +++++++++++-------- test/fixtures/shortcuts/lambda-defaults.json | 52 +++++----- test/fixtures/shortcuts/lambda-full.json | 49 ++++++---- .../shortcuts/lambda-provided-role.json | 33 ++++++- test/fixtures/shortcuts/lambda-zipfile.json | 52 +++++----- .../log-subscription-lambda-defaults.json | 52 +++++----- .../log-subscription-lambda-no-defaults.json | 52 +++++----- .../fixtures/shortcuts/queue-lambda-zero.json | 42 +++++--- test/fixtures/shortcuts/queue-lambda.json | 42 +++++--- .../shortcuts/role-defaults-no-stmt.json | 26 +++++ .../shortcuts/scheduled-lambda-defaults.json | 52 +++++----- .../shortcuts/scheduled-lambda-full.json | 52 +++++----- .../shortcuts/stream-lambda-defaults.json | 42 +++++--- .../shortcuts/stream-lambda-no-defaults.json | 42 +++++--- 27 files changed, 1018 insertions(+), 660 deletions(-) create mode 100644 test/fixtures/shortcuts/role-defaults-no-stmt.json diff --git a/lib/shortcuts/lambda.js b/lib/shortcuts/lambda.js index 17e33db..86b93ff 100644 --- a/lib/shortcuts/lambda.js +++ b/lib/shortcuts/lambda.js 
@@ -186,6 +186,27 @@ class Lambda { ], MetricName: 'Errors' } + }, + + [`${LogicalName}LogPolicy`]: { + Type: 'AWS::IAM::Policy', + Condition, + Properties: { + PolicyName: 'lambda-log-access', + Roles: (RoleArn) ? RoleArn : { 'Ref': `${LogicalName}Role` }, + PolicyDocument: { + Version: '2012-10-17', + Statement: [ + { + Effect: 'Allow', + Action: 'logs:*', + Resource: { + 'Fn::GetAtt': [`${LogicalName}Logs`, 'Arn'] + } + } + ] + } + } } }; @@ -195,16 +216,7 @@ class Lambda { const serviceRole = new ServiceRole({ LogicalName: `${LogicalName}Role`, Service: 'lambda', - Statement: [ - { - Effect: 'Allow', - Action: 'logs:*', - Resource: { - 'Fn::GetAtt': [`${LogicalName}Logs`, 'Arn'] - } - }, - ...Statement - ] + Statement }); this.Resources[`${LogicalName}`].Properties.Role = { 'Fn::GetAtt': [`${LogicalName}Role`, 'Arn'] }; this.Resources = merge(this, serviceRole).Resources; diff --git a/lib/shortcuts/queue-lambda.js b/lib/shortcuts/queue-lambda.js index 0e599c1..cba2f45 100644 --- a/lib/shortcuts/queue-lambda.js +++ b/lib/shortcuts/queue-lambda.js 
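Review bot: In the added `${LogicalName}LogPolicy` resource, `Roles` is set to a single value (`RoleArn` or a `Ref` object), whereas CloudFormation's `AWS::IAM::Policy` takes `Roles` as a list of role names. For a caller-supplied role the value is an ARN (the earlier test passes `cf.getAtt('CustomLambdaRole', 'Arn')`), which is not a role name, so attaching the log policy would likely fail at deploy time. For the generated role, ``Roles: [{ 'Ref': `${LogicalName}Role` }]`` has the expected shape; for a supplied role the constructor needs the role's name rather than its ARN, or should skip this policy and document that the role must allow logging itself. This also attaches an inline policy to a role the caller owns and may share with other functions, which the option docs should state. Separately, `Action: 'logs:*'` could probably be narrowed to `['logs:CreateLogStream', 'logs:PutLogEvents']`, since the log group is created by the template.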
@@ -60,19 +60,33 @@ class QueueLambda extends Lambda { } }; - this.Resources[`${this.LogicalName}Role`] - .Properties.Policies[0].PolicyDocument.Statement.push({ - Effect: 'Allow', - Action: [ - 'sqs:DeleteMessage', - 'sqs:ReceiveMessage', - 'sqs:GetQueueAttributes' - ], - Resource: [ - EventSourceArn, - { 'Fn::Sub': ['${arn}/*', { arn: EventSourceArn }] } - ] - }); + const generatedRoleRef = this.Resources[`${this.LogicalName}Role`]; + const sqsStatement = { + Effect: 'Allow', + Action: [ + 'sqs:DeleteMessage', + 'sqs:ReceiveMessage', + 'sqs:GetQueueAttributes' + ], + Resource: [ + EventSourceArn, + { 'Fn::Sub': ['${arn}/*', { arn: EventSourceArn }] } + ] + }; + + if (generatedRoleRef && generatedRoleRef.Properties.Policies) { + generatedRoleRef.Properties.Policies[0].PolicyDocument.Statement.push(sqsStatement); + } else if (generatedRoleRef) { + generatedRoleRef.Properties.Policies = [ + { + PolicyName: 'SQSAccess', + PolicyDocument: { + Version: '2012-10-17', + Statement: [sqsStatement] + } + } + ]; + } } } diff --git a/lib/shortcuts/stream-lambda.js b/lib/shortcuts/stream-lambda.js index 0c9efb1..37efee3 100644 --- a/lib/shortcuts/stream-lambda.js +++ b/lib/shortcuts/stream-lambda.js 
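Review bot: When the role is supplied through `RoleArn`, `generatedRoleRef` is undefined and neither branch of the new `if` runs, so the permissions in `sqsStatement` are dropped without any signal. The event source mapping is still created, and the function can only poll the queue if the caller's role already allows these actions. The stream-lambda.js hunk that follows has the same pattern with `streamStatement`. I would state the contract above the `if`, e.g. `// With a caller-supplied RoleArn no role is generated; that role must already allow these actions on EventSourceArn.`, and repeat it in the option docs. The constructor starts and ends outside the hunk.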
@@ -60,24 +60,38 @@ class StreamLambda extends Lambda { } }; - this.Resources[`${this.LogicalName}Role`] - .Properties.Policies[0].PolicyDocument.Statement.push({ - Effect: 'Allow', - Action: [ - 'dynamodb:GetRecords', - 'dynamodb:GetShardIterator', - 'dynamodb:DescribeStream', - 'dynamodb:ListStreams', - 'kinesis:GetRecords', - 'kinesis:GetShardIterator', - 'kinesis:DescribeStream', - 'kinesis:ListStreams' - ], - Resource: [ - EventSourceArn, - { 'Fn::Sub': ['${arn}/*', { arn: EventSourceArn }] } - ] - }); + const generatedRoleRef = this.Resources[`${this.LogicalName}Role`]; + const streamStatement = { + Effect: 'Allow', + Action: [ + 'dynamodb:GetRecords', + 'dynamodb:GetShardIterator', + 'dynamodb:DescribeStream', + 'dynamodb:ListStreams', + 'kinesis:GetRecords', + 'kinesis:GetShardIterator', + 'kinesis:DescribeStream', + 'kinesis:ListStreams' + ], + Resource: [ + EventSourceArn, + { 'Fn::Sub': ['${arn}/*', { arn: EventSourceArn }] } + ] + }; + + if (generatedRoleRef && generatedRoleRef.Properties.Policies) { + generatedRoleRef.Properties.Policies[0].PolicyDocument.Statement.push(streamStatement); + } else if (generatedRoleRef) { + generatedRoleRef.Properties.Policies = [ + { + PolicyName: 'StreamAccess', + PolicyDocument: { + Version: '2012-10-17', + Statement: [streamStatement] + } + } + ]; + } } } diff --git a/test/fixtures/shortcuts/event-lambda-defaults.json b/test/fixtures/shortcuts/event-lambda-defaults.json index 0d1c9b3..5fe3109 100644 --- a/test/fixtures/shortcuts/event-lambda-defaults.json +++ b/test/fixtures/shortcuts/event-lambda-defaults.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { 
@@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -97,27 +121,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } }, "MyLambdaTrigger": { diff --git a/test/fixtures/shortcuts/event-lambda-full.json b/test/fixtures/shortcuts/event-lambda-full.json index b711bc5..5cefd3a 100644 --- a/test/fixtures/shortcuts/event-lambda-full.json +++ b/test/fixtures/shortcuts/event-lambda-full.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -97,27 +121,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } }, "MyLambdaTrigger": { diff --git a/test/fixtures/shortcuts/hookshot-github-secret-ref.json b/test/fixtures/shortcuts/hookshot-github-secret-ref.json index 4c22952..26fd294 100644 --- a/test/fixtures/shortcuts/hookshot-github-secret-ref.json +++ b/test/fixtures/shortcuts/hookshot-github-secret-ref.json @@ -27,7 +27,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -46,7 +46,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -180,14 +180,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { @@ -226,6 +226,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -248,16 +272,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", 
@@ -304,14 +318,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { @@ -350,6 +364,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -365,27 +403,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/hookshot-github-secret-string.json b/test/fixtures/shortcuts/hookshot-github-secret-string.json index c018ddc..f61396e 100644 --- a/test/fixtures/shortcuts/hookshot-github-secret-string.json +++ b/test/fixtures/shortcuts/hookshot-github-secret-string.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -174,14 +174,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { 
@@ -220,6 +220,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -242,16 +266,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", @@ -298,14 +312,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { @@ -344,6 +358,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -359,27 +397,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/hookshot-github.json b/test/fixtures/shortcuts/hookshot-github.json index 94912f8..cd3d34d 100644 --- a/test/fixtures/shortcuts/hookshot-github.json +++ b/test/fixtures/shortcuts/hookshot-github.json 
@@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -182,14 +182,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { @@ -228,6 +228,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -250,16 +274,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", @@ -306,14 +320,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { 
@@ -352,6 +366,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -367,27 +405,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json b/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json index 694190e..df15df2 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -51,7 +51,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -178,14 +178,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { 
@@ -224,6 +224,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -246,16 +270,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", @@ -302,14 +316,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { @@ -348,6 +362,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -363,27 +401,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/hookshot-passthrough-alarms.json b/test/fixtures/shortcuts/hookshot-passthrough-alarms.json index e31b523..e3a23dd 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-alarms.json 
+++ b/test/fixtures/shortcuts/hookshot-passthrough-alarms.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -160,14 +160,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { @@ -208,6 +208,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -230,16 +254,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", @@ -286,14 +300,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { 
@@ -332,6 +346,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -347,27 +385,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json index b197708..1af56d6 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -160,14 +160,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { 
@@ -206,6 +206,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -228,16 +252,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", @@ -284,14 +298,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { @@ -330,6 +344,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -345,27 +383,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json index 69c99dc..4a41750 100644 
--- a/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -160,14 +160,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { @@ -206,6 +206,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -228,16 +252,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", @@ -284,14 +298,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { 
@@ -330,6 +344,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -345,27 +383,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/hookshot-passthrough-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-logging.json index ded5fad..3507652 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -160,14 +160,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { 
@@ -206,6 +206,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -228,16 +252,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", @@ -284,14 +298,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { @@ -330,6 +344,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -345,27 +383,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/hookshot-passthrough.json b/test/fixtures/shortcuts/hookshot-passthrough.json index 11d15a5..330a9a1 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough.json 
+++ b/test/fixtures/shortcuts/hookshot-passthrough.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment6ac3f7b3" + "Ref": "PassDeployment4f8e0ab5" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment6ac3f7b3": { + "PassDeployment4f8e0ab5": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -160,14 +160,14 @@ }, "Handler": "index.lambda", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 30, "Role": { "Fn::GetAtt": [ "PassFunctionRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 30 + } } }, "PassFunctionErrorAlarm": { @@ -206,6 +206,30 @@ "MetricName": "Errors" } }, + "PassFunctionLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "PassFunctionRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "PassFunctionLogs", + "Arn" + ] + } + } + ] + } + } + }, "PassFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -228,16 +252,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "PassFunctionLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "lambda:InvokeFunction", @@ -284,14 +298,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "DestinationRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "DestinationErrorAlarm": { 
@@ -330,6 +344,30 @@ "MetricName": "Errors" } }, + "DestinationLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "DestinationRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "DestinationLogs", + "Arn" + ] + } + } + ] + } + } + }, "DestinationRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -345,27 +383,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "DestinationLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/lambda-defaults.json b/test/fixtures/shortcuts/lambda-defaults.json index f3ae5bb..e5e6ba8 100644 --- a/test/fixtures/shortcuts/lambda-defaults.json +++ b/test/fixtures/shortcuts/lambda-defaults.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -97,27 +121,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, 
diff --git a/test/fixtures/shortcuts/lambda-full.json b/test/fixtures/shortcuts/lambda-full.json index 27edff4..0c0b69e 100644 --- a/test/fixtures/shortcuts/lambda-full.json +++ b/test/fixtures/shortcuts/lambda-full.json @@ -56,12 +56,6 @@ ], "MemorySize": 512, "ReservedConcurrentExecutions": 10, - "Role": { - "Fn::GetAtt": [ - "MyLambdaRole", - "Arn" - ] - }, "Runtime": "nodejs12.x", "Timeout": 30, "TracingConfig": { @@ -80,7 +74,13 @@ "Key": "a", "Value": "b" } - ] + ], + "Role": { + "Fn::GetAtt": [ + "MyLambdaRole", + "Arn" + ] + } } }, "MyLambdaErrorAlarm": { @@ -115,6 +115,31 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Condition": "Always", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -137,16 +162,6 @@ "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": "s3:GetObject", diff --git a/test/fixtures/shortcuts/lambda-provided-role.json b/test/fixtures/shortcuts/lambda-provided-role.json index 51e6333..32aa51b 100644 --- a/test/fixtures/shortcuts/lambda-provided-role.json +++ b/test/fixtures/shortcuts/lambda-provided-role.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "CustomLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { 
@@ -82,6 +82,33 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Fn::GetAtt": [ + "CustomLambdaRole", + "Arn" + ] + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "CustomLambdaRole": { "Type": "AWS::IAM::Role", "Properties": {} diff --git a/test/fixtures/shortcuts/lambda-zipfile.json b/test/fixtures/shortcuts/lambda-zipfile.json index 54401bb..12d9c2e 100644 --- a/test/fixtures/shortcuts/lambda-zipfile.json +++ b/test/fixtures/shortcuts/lambda-zipfile.json @@ -35,14 +35,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -81,6 +81,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -96,27 +120,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } } }, diff --git a/test/fixtures/shortcuts/log-subscription-lambda-defaults.json b/test/fixtures/shortcuts/log-subscription-lambda-defaults.json index a425fc2..6c4447f 100644 --- a/test/fixtures/shortcuts/log-subscription-lambda-defaults.json 
+++ b/test/fixtures/shortcuts/log-subscription-lambda-defaults.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -97,27 +121,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } }, "MyLambdaSubscriptionFilter": { diff --git a/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json b/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json index 30107dd..8e85be9 100644 --- a/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json +++ b/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { 
@@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -97,27 +121,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } }, "MyLambdaSubscriptionFilter": { diff --git a/test/fixtures/shortcuts/queue-lambda-zero.json b/test/fixtures/shortcuts/queue-lambda-zero.json index b70f28a..383b280 100644 --- a/test/fixtures/shortcuts/queue-lambda-zero.json +++ b/test/fixtures/shortcuts/queue-lambda-zero.json @@ -37,14 +37,14 @@ "Handler": "index.handler", "MemorySize": 128, "ReservedConcurrentExecutions": 0, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -83,6 +83,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -101,20 +125,10 @@ }, "Policies": [ { - "PolicyName": "main", + "PolicyName": "SQSAccess", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": [ diff --git a/test/fixtures/shortcuts/queue-lambda.json b/test/fixtures/shortcuts/queue-lambda.json index 7a5588d..19420ed 100644 --- a/test/fixtures/shortcuts/queue-lambda.json +++ b/test/fixtures/shortcuts/queue-lambda.json @@ -37,14 +37,14 @@ "Handler": "index.handler", "MemorySize": 128, "ReservedConcurrentExecutions": 10, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -83,6 +83,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -101,20 +125,10 @@ }, "Policies": [ { - "PolicyName": "main", + "PolicyName": "SQSAccess", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": [ diff --git a/test/fixtures/shortcuts/role-defaults-no-stmt.json b/test/fixtures/shortcuts/role-defaults-no-stmt.json new file mode 100644 index 0000000..86e8ffb --- /dev/null +++ b/test/fixtures/shortcuts/role-defaults-no-stmt.json 
@@ -0,0 +1,26 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Metadata": {}, + "Parameters": {}, + "Mappings": {}, + "Conditions": {}, + "Resources": { + "MyRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": "ec2.amazonaws.com" + } + } + ] + } + } + } + }, + "Outputs": {} +} diff --git a/test/fixtures/shortcuts/scheduled-lambda-defaults.json b/test/fixtures/shortcuts/scheduled-lambda-defaults.json index 0eebdba..cfba37e 100644 --- a/test/fixtures/shortcuts/scheduled-lambda-defaults.json +++ b/test/fixtures/shortcuts/scheduled-lambda-defaults.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -97,27 +121,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } }, "MyLambdaSchedule": { diff --git a/test/fixtures/shortcuts/scheduled-lambda-full.json b/test/fixtures/shortcuts/scheduled-lambda-full.json index a178398..deca94e 100644 --- a/test/fixtures/shortcuts/scheduled-lambda-full.json +++ b/test/fixtures/shortcuts/scheduled-lambda-full.json 
@@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -97,27 +121,7 @@ } } ] - }, - "Policies": [ - { - "PolicyName": "main", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - } - ] - } - } - ] + } } }, "MyLambdaSchedule": { diff --git a/test/fixtures/shortcuts/stream-lambda-defaults.json b/test/fixtures/shortcuts/stream-lambda-defaults.json index c397af5..6af72bf 100644 --- a/test/fixtures/shortcuts/stream-lambda-defaults.json +++ b/test/fixtures/shortcuts/stream-lambda-defaults.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -100,20 +124,10 @@ }, "Policies": [ { - "PolicyName": "main", + "PolicyName": "StreamAccess", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": [ diff --git a/test/fixtures/shortcuts/stream-lambda-no-defaults.json b/test/fixtures/shortcuts/stream-lambda-no-defaults.json index 3517fcc..f959a9d 100644 --- a/test/fixtures/shortcuts/stream-lambda-no-defaults.json +++ b/test/fixtures/shortcuts/stream-lambda-no-defaults.json @@ -36,14 +36,14 @@ }, "Handler": "index.handler", "MemorySize": 128, + "Runtime": "nodejs10.x", + "Timeout": 300, "Role": { "Fn::GetAtt": [ "MyLambdaRole", "Arn" ] - }, - "Runtime": "nodejs10.x", - "Timeout": 300 + } } }, "MyLambdaErrorAlarm": { @@ -82,6 +82,30 @@ "MetricName": "Errors" } }, + "MyLambdaLogPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-log-access", + "Roles": { + "Ref": "MyLambdaRole" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:*", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaLogs", + "Arn" + ] + } + } + ] + } + } + }, "MyLambdaRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -100,20 +124,10 @@ }, "Policies": [ { - "PolicyName": "main", + "PolicyName": "StreamAccess", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "logs:*", - "Resource": { - "Fn::GetAtt": [ - "MyLambdaLogs", - "Arn" - ] - } - }, { "Effect": "Allow", "Action": [ From 423aacf7cc90d0705bd85e1284341ec5547bb906 Mon Sep 17 00:00:00 2001 
From: Devin Boyer Date: Wed, 21 Oct 2020 15:37:57 -0400 Subject: [PATCH 7/8] policy requires the Role Name, so split it out --- lib/shortcuts/api.md | 4 ++-- lib/shortcuts/lambda.js | 14 ++++++++--- local.dic | 2 +- .../shortcuts/event-lambda-defaults.json | 6 ++--- .../fixtures/shortcuts/event-lambda-full.json | 6 ++--- .../shortcuts/hookshot-github-secret-ref.json | 16 ++++++------- .../hookshot-github-secret-string.json | 16 ++++++------- test/fixtures/shortcuts/hookshot-github.json | 16 ++++++------- ...ookshot-passthrough-access-log-format.json | 16 ++++++------- .../hookshot-passthrough-alarms.json | 16 ++++++------- ...hookshot-passthrough-enhanced-logging.json | 16 ++++++------- ...okshot-passthrough-full-blown-logging.json | 16 ++++++------- .../hookshot-passthrough-logging.json | 16 ++++++------- .../shortcuts/hookshot-passthrough.json | 16 ++++++------- test/fixtures/shortcuts/lambda-defaults.json | 6 ++--- test/fixtures/shortcuts/lambda-full.json | 6 ++--- .../shortcuts/lambda-provided-role.json | 24 ++++++++++++++----- test/fixtures/shortcuts/lambda-zipfile.json | 6 ++--- .../log-subscription-lambda-defaults.json | 6 ++--- .../log-subscription-lambda-no-defaults.json | 6 ++--- .../fixtures/shortcuts/queue-lambda-zero.json | 6 ++--- test/fixtures/shortcuts/queue-lambda.json | 6 ++--- .../shortcuts/scheduled-lambda-defaults.json | 6 ++--- .../shortcuts/scheduled-lambda-full.json | 6 ++--- .../shortcuts/stream-lambda-defaults.json | 6 ++--- .../shortcuts/stream-lambda-no-defaults.json | 6 ++--- 26 files changed, 143 insertions(+), 123 deletions(-) diff --git a/lib/shortcuts/api.md b/lib/shortcuts/api.md index 5c0b4a8..6925027 100644 --- a/lib/shortcuts/api.md +++ b/lib/shortcuts/api.md 
@@ -92,8 +92,8 @@ Log Group, a Role, an Alarm on function errors, and the Lambda Function itself. the name of the condition here. See [AWS documentation][78]. (optional, default `undefined`) - `options.DependsOn` **[String][60]** Specify a stack resource dependency to this Lambda function. See [AWS documentation][79]. (optional, default `undefined`) - - `options.Statement` **[Array][68]<[Object][59]>** Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. _Do not use this option when specifying your own role via RoleARN._ (optional, default `[]`) - - `options.RoleARN` **[String][60]** If specified, the Lambda function will use this role instead of creating a new role. _If this option is specified, do not use the Statement option; add the permissions you need to your Role directly._ (optional, default `undefined`) + - `options.Statement` **[Array][68]<[Object][59]>** Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. _Do not use this option when specifying your own role via RoleArn._ (optional, default `[]`) + - `options.RoleArn` **[String][60]** If specified, the Lambda function will use this role instead of creating a new role. _If this option is specified, do not use the Statement option; add the permissions you need to your Role directly._ (optional, default `undefined`) - `options.AlarmName` **[String][60]** See [AWS documentation][80]. (optional, default `'${stack name}-${logical name}-Errors-${region}'`) - `options.AlarmDescription` **[String][60]** See [AWS documentation][81]. (optional, default `'Error alarm for ${stack name}-${logical name} lambda function in ${stack name} stack'`) - `options.AlarmActions` **[Array][68]<[String][60]>** See [AWS documentation][82]. (optional, default `[]`) diff --git a/lib/shortcuts/lambda.js b/lib/shortcuts/lambda.js index 86b93ff..5b35a10 100644 --- a/lib/shortcuts/lambda.js 
+++ b/lib/shortcuts/lambda.js 
@@ -31,8 +31,8 @@ const ServiceRole = require('./service-role'); * the name of the condition here. See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html). * @param {String} [options.DependsOn=undefined] - Specify a stack resource dependency * to this Lambda function. See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html). - * @param {Array} [options.Statement=[]] Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. _Do not use this option when specifying your own role via RoleARN._ - * @param {String} [options.RoleARN=undefined] If specified, the Lambda function will use this role instead of creating a new role. _If this option is specified, do not use the Statement option; add the permissions you need to your Role directly._ + * @param {Array} [options.Statement=[]] Policy statements that will be added to a generated IAM role defining the permissions your Lambda function needs to run. _Do not use this option when specifying your own role via RoleArn._ + * @param {String} [options.RoleArn=undefined] If specified, the Lambda function will use this role instead of creating a new role. _If this option is specified, do not use the Statement option; add the permissions you need to your Role directly._ * @param {String} [options.AlarmName='${stack name}-${logical name}-Errors-${region}'] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmname). * @param {String} [options.AlarmDescription='Error alarm for ${stack name}-${logical name} lambda function in ${stack name} stack'] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmdescription). 
* @param {Array} [options.AlarmActions=[]] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html#cfn-cloudwatch-alarms-alarmactions). @@ -121,6 +121,14 @@ class Lambda { throw new Error('You cannot specify both Statements and a RoleArn'); } + // if the RoleArn was specified, we need to split just the name for use with the log policy + let roleName; + if (RoleArn) { + roleName = { 'Fn::Select': [1, { 'Fn::Split': ['/', RoleArn] }] }; + } else { + roleName = `${LogicalName}Role`; + } + this.LogicalName = LogicalName; this.FunctionName = FunctionName; this.Condition = Condition; @@ -193,7 +201,7 @@ class Lambda { Condition, Properties: { PolicyName: 'lambda-log-access', - Roles: (RoleArn) ? RoleArn : { 'Ref': `${LogicalName}Role` }, + Roles: [roleName], PolicyDocument: { Version: '2012-10-17', Statement: [ diff --git a/local.dic b/local.dic index 95d2afd..ac555d1 100644 --- a/local.dic +++ b/local.dic @@ -16,7 +16,7 @@ KinesisFirehoseBase LogGroup LogSubscriptionLambda QueueLambda -RoleARN +RoleArn S3KinesisFirehose ScheduledLambda ServiceRole diff --git a/test/fixtures/shortcuts/event-lambda-defaults.json b/test/fixtures/shortcuts/event-lambda-defaults.json index 5fe3109..a08bec5 100644 --- a/test/fixtures/shortcuts/event-lambda-defaults.json +++ b/test/fixtures/shortcuts/event-lambda-defaults.json @@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/event-lambda-full.json b/test/fixtures/shortcuts/event-lambda-full.json index 5cefd3a..26797bb 100644 --- a/test/fixtures/shortcuts/event-lambda-full.json +++ b/test/fixtures/shortcuts/event-lambda-full.json 
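Review bot: `'Fn::Select': [1, { 'Fn::Split': ['/', RoleArn] }]` in the `@@ -121,6 +121,14 @@` hunk yields the role name only when the ARN has no path. For an ARN shaped like `arn:aws:iam::<account>:role/<path>/<name>`, index 1 is the first path segment, so the `lambda-log-access` policy would either fail to find a role or attach to a different role that happens to carry that name. When `RoleArn` is a plain string the name can be taken at build time with `roleName = typeof RoleArn === 'string' ? RoleArn.split('/').pop() : { 'Fn::Select': [1, { 'Fn::Split': ['/', RoleArn] }] };`. The intrinsic-function case should carry a comment such as `// assumes a role without a path; with a path, index 1 is the first path segment`, and the `options.RoleArn` JSDoc should state the same restriction. The expression is carried unchanged as context in the `@@ -126,7 +126,7 @@` hunk of PATCH 8/8, and the enclosing method of `class Lambda` starts and ends outside the hunk.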
@@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-github-secret-ref.json b/test/fixtures/shortcuts/hookshot-github-secret-ref.json index 26fd294..0d44ac9 100644 --- a/test/fixtures/shortcuts/hookshot-github-secret-ref.json +++ b/test/fixtures/shortcuts/hookshot-github-secret-ref.json @@ -27,7 +27,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { @@ -46,7 +46,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -230,9 +230,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ @@ -368,9 +368,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-github-secret-string.json b/test/fixtures/shortcuts/hookshot-github-secret-string.json index f61396e..2d8dd72 100644 --- a/test/fixtures/shortcuts/hookshot-github-secret-string.json +++ b/test/fixtures/shortcuts/hookshot-github-secret-string.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { 
@@ -42,7 +42,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -224,9 +224,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ @@ -362,9 +362,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-github.json b/test/fixtures/shortcuts/hookshot-github.json index cd3d34d..21c8204 100644 --- a/test/fixtures/shortcuts/hookshot-github.json +++ b/test/fixtures/shortcuts/hookshot-github.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -232,9 +232,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ @@ -370,9 +370,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json b/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json index df15df2..8badcc9 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json 
+++ b/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { @@ -51,7 +51,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -228,9 +228,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ @@ -366,9 +366,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-passthrough-alarms.json b/test/fixtures/shortcuts/hookshot-passthrough-alarms.json index e3a23dd..138ae59 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-alarms.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-alarms.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -212,9 +212,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ 
@@ -350,9 +350,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json index 1af56d6..142f6f8 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -210,9 +210,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ @@ -348,9 +348,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json index 4a41750..63ed1f8 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { 
@@ -42,7 +42,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -210,9 +210,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ @@ -348,9 +348,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-passthrough-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-logging.json index 3507652..74bc664 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -210,9 +210,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ @@ -348,9 +348,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/hookshot-passthrough.json b/test/fixtures/shortcuts/hookshot-passthrough.json index 330a9a1..d3a5790 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough.json 
+++ b/test/fixtures/shortcuts/hookshot-passthrough.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment4f8e0ab5" + "Ref": "PassDeployment8c2ab881" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment4f8e0ab5": { + "PassDeployment8c2ab881": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -210,9 +210,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "PassFunctionRole" - }, + "Roles": [ + "PassFunctionRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ @@ -348,9 +348,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "DestinationRole" - }, + "Roles": [ + "DestinationRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/lambda-defaults.json b/test/fixtures/shortcuts/lambda-defaults.json index e5e6ba8..f7b8412 100644 --- a/test/fixtures/shortcuts/lambda-defaults.json +++ b/test/fixtures/shortcuts/lambda-defaults.json @@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/lambda-full.json b/test/fixtures/shortcuts/lambda-full.json index 0c0b69e..51738d4 100644 --- a/test/fixtures/shortcuts/lambda-full.json +++ b/test/fixtures/shortcuts/lambda-full.json @@ -120,9 +120,9 @@ "Condition": "Always", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/lambda-provided-role.json b/test/fixtures/shortcuts/lambda-provided-role.json index 32aa51b..5d7b366 100644 
--- a/test/fixtures/shortcuts/lambda-provided-role.json +++ b/test/fixtures/shortcuts/lambda-provided-role.json @@ -86,12 +86,24 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Fn::GetAtt": [ - "CustomLambdaRole", - "Arn" - ] - }, + "Roles": [ + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::GetAtt": [ + "CustomLambdaRole", + "Arn" + ] + } + ] + } + ] + } + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/lambda-zipfile.json b/test/fixtures/shortcuts/lambda-zipfile.json index 12d9c2e..c28519e 100644 --- a/test/fixtures/shortcuts/lambda-zipfile.json +++ b/test/fixtures/shortcuts/lambda-zipfile.json @@ -85,9 +85,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/log-subscription-lambda-defaults.json b/test/fixtures/shortcuts/log-subscription-lambda-defaults.json index 6c4447f..41e8c90 100644 --- a/test/fixtures/shortcuts/log-subscription-lambda-defaults.json +++ b/test/fixtures/shortcuts/log-subscription-lambda-defaults.json @@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json b/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json index 8e85be9..d0e6b8c 100644 --- a/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json +++ b/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json 
@@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/queue-lambda-zero.json b/test/fixtures/shortcuts/queue-lambda-zero.json index 383b280..c3bdd85 100644 --- a/test/fixtures/shortcuts/queue-lambda-zero.json +++ b/test/fixtures/shortcuts/queue-lambda-zero.json @@ -87,9 +87,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/queue-lambda.json b/test/fixtures/shortcuts/queue-lambda.json index 19420ed..960f808 100644 --- a/test/fixtures/shortcuts/queue-lambda.json +++ b/test/fixtures/shortcuts/queue-lambda.json @@ -87,9 +87,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/scheduled-lambda-defaults.json b/test/fixtures/shortcuts/scheduled-lambda-defaults.json index cfba37e..7a76f12 100644 --- a/test/fixtures/shortcuts/scheduled-lambda-defaults.json +++ b/test/fixtures/shortcuts/scheduled-lambda-defaults.json @@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/scheduled-lambda-full.json b/test/fixtures/shortcuts/scheduled-lambda-full.json index deca94e..249d071 100644 --- a/test/fixtures/shortcuts/scheduled-lambda-full.json +++ b/test/fixtures/shortcuts/scheduled-lambda-full.json 
@@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/stream-lambda-defaults.json b/test/fixtures/shortcuts/stream-lambda-defaults.json index 6af72bf..33271b0 100644 --- a/test/fixtures/shortcuts/stream-lambda-defaults.json +++ b/test/fixtures/shortcuts/stream-lambda-defaults.json @@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ diff --git a/test/fixtures/shortcuts/stream-lambda-no-defaults.json b/test/fixtures/shortcuts/stream-lambda-no-defaults.json index f959a9d..87b29a2 100644 --- a/test/fixtures/shortcuts/stream-lambda-no-defaults.json +++ b/test/fixtures/shortcuts/stream-lambda-no-defaults.json @@ -86,9 +86,9 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "lambda-log-access", - "Roles": { - "Ref": "MyLambdaRole" - }, + "Roles": [ + "MyLambdaRole" + ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ From 5421843e2bf7c16ac56114577919a1133693685b Mon Sep 17 00:00:00 2001 
From: Devin Boyer Date: Wed, 21 Oct 2020 16:12:19 -0400 Subject: [PATCH 8/8] fix log policy Ref and DependsOn for generated roles --- lib/shortcuts/lambda.js | 3 ++- test/fixtures/shortcuts/event-lambda-defaults.json | 5 ++++- test/fixtures/shortcuts/event-lambda-full.json | 5 ++++- .../shortcuts/hookshot-github-secret-ref.json | 14 ++++++++++---- .../shortcuts/hookshot-github-secret-string.json | 14 ++++++++++---- test/fixtures/shortcuts/hookshot-github.json | 14 ++++++++++---- .../hookshot-passthrough-access-log-format.json | 14 ++++++++++---- .../shortcuts/hookshot-passthrough-alarms.json | 14 ++++++++++---- .../hookshot-passthrough-enhanced-logging.json | 14 ++++++++++---- .../hookshot-passthrough-full-blown-logging.json | 14 ++++++++++---- .../shortcuts/hookshot-passthrough-logging.json | 14 ++++++++++---- test/fixtures/shortcuts/hookshot-passthrough.json | 14 ++++++++++---- test/fixtures/shortcuts/lambda-defaults.json | 5 ++++- test/fixtures/shortcuts/lambda-full.json | 5 ++++- test/fixtures/shortcuts/lambda-zipfile.json | 5 ++++- .../log-subscription-lambda-defaults.json | 5 ++++- .../log-subscription-lambda-no-defaults.json | 5 ++++- test/fixtures/shortcuts/queue-lambda-zero.json | 5 ++++- test/fixtures/shortcuts/queue-lambda.json | 5 ++++- .../shortcuts/scheduled-lambda-defaults.json | 5 ++++- test/fixtures/shortcuts/scheduled-lambda-full.json | 5 ++++- .../fixtures/shortcuts/stream-lambda-defaults.json | 5 ++++- .../shortcuts/stream-lambda-no-defaults.json | 5 ++++- 23 files changed, 144 insertions(+), 50 deletions(-) diff --git a/lib/shortcuts/lambda.js b/lib/shortcuts/lambda.js index 5b35a10..739ebae 100644 --- a/lib/shortcuts/lambda.js +++ b/lib/shortcuts/lambda.js @@ -126,7 +126,7 @@ class Lambda { if (RoleArn) { roleName = { 'Fn::Select': [1, { 'Fn::Split': ['/', RoleArn] }] }; } else { - roleName = `${LogicalName}Role`; + roleName = { Ref: `${LogicalName}Role` }; } this.LogicalName = LogicalName; 
@@ -199,6 +199,7 @@ class Lambda { [`${LogicalName}LogPolicy`]: { Type: 'AWS::IAM::Policy', Condition, + DependsOn: (RoleArn) ? undefined : `${LogicalName}Role`, Properties: { PolicyName: 'lambda-log-access', Roles: [roleName], diff --git a/test/fixtures/shortcuts/event-lambda-defaults.json b/test/fixtures/shortcuts/event-lambda-defaults.json index a08bec5..919138a 100644 --- a/test/fixtures/shortcuts/event-lambda-defaults.json +++ b/test/fixtures/shortcuts/event-lambda-defaults.json @@ -84,10 +84,13 @@ }, "MyLambdaLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "MyLambdaRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "MyLambdaRole" + { + "Ref": "MyLambdaRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/event-lambda-full.json b/test/fixtures/shortcuts/event-lambda-full.json index 26797bb..a56551f 100644 --- a/test/fixtures/shortcuts/event-lambda-full.json +++ b/test/fixtures/shortcuts/event-lambda-full.json @@ -84,10 +84,13 @@ }, "MyLambdaLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "MyLambdaRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "MyLambdaRole" + { + "Ref": "MyLambdaRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-github-secret-ref.json b/test/fixtures/shortcuts/hookshot-github-secret-ref.json index 0d44ac9..8e783e9 100644 --- a/test/fixtures/shortcuts/hookshot-github-secret-ref.json +++ b/test/fixtures/shortcuts/hookshot-github-secret-ref.json @@ -27,7 +27,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { @@ -46,7 +46,7 @@ ] } }, - "PassDeployment8c2ab881": { + "PassDeploymentb6246d63": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { 
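Review bot: `DependsOn: (RoleArn) ? undefined : ...` in the `@@ -199,6 +199,7 @@` hunk leaves a `DependsOn` key with the value `undefined` on the policy resource whenever a RoleArn is supplied. That key disappears only if the template is later JSON-serialised, and it is still visible to any code that inspects the object first. For generated roles the key looks redundant, because `Roles: [roleName]` now holds `{ Ref: ... }` (the `@@ -126,7 +126,7 @@` hunk) and CloudFormation infers the dependency from a `Ref`. If the key is kept for explicitness and the supported Node version allows object spread, ``...(RoleArn ? {} : { DependsOn: `${LogicalName}Role` }),`` emits it only when it has a value. The object literal this line belongs to starts and ends outside the hunk.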
@@ -228,10 +228,13 @@ }, "PassFunctionLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "PassFunctionRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "PassFunctionRole" + { + "Ref": "PassFunctionRole" + } ], "PolicyDocument": { "Version": "2012-10-17", @@ -366,10 +369,13 @@ }, "DestinationLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "DestinationRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "DestinationRole" + { + "Ref": "DestinationRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-github-secret-string.json b/test/fixtures/shortcuts/hookshot-github-secret-string.json index 2d8dd72..4b5760e 100644 --- a/test/fixtures/shortcuts/hookshot-github-secret-string.json +++ b/test/fixtures/shortcuts/hookshot-github-secret-string.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment8c2ab881": { + "PassDeploymentb6246d63": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -222,10 +222,13 @@ }, "PassFunctionLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "PassFunctionRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "PassFunctionRole" + { + "Ref": "PassFunctionRole" + } ], "PolicyDocument": { "Version": "2012-10-17", @@ -360,10 +363,13 @@ }, "DestinationLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "DestinationRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "DestinationRole" + { + "Ref": "DestinationRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-github.json b/test/fixtures/shortcuts/hookshot-github.json index 21c8204..df8f4e8 100644 --- a/test/fixtures/shortcuts/hookshot-github.json 
+++ b/test/fixtures/shortcuts/hookshot-github.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment8c2ab881": { + "PassDeploymentb6246d63": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -230,10 +230,13 @@ }, "PassFunctionLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "PassFunctionRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "PassFunctionRole" + { + "Ref": "PassFunctionRole" + } ], "PolicyDocument": { "Version": "2012-10-17", @@ -368,10 +371,13 @@ }, "DestinationLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "DestinationRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "DestinationRole" + { + "Ref": "DestinationRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json b/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json index 8badcc9..3f67793 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { @@ -51,7 +51,7 @@ ] } }, - "PassDeployment8c2ab881": { + "PassDeploymentb6246d63": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -226,10 +226,13 @@ }, "PassFunctionLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "PassFunctionRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "PassFunctionRole" + { + "Ref": "PassFunctionRole" + } ], "PolicyDocument": { "Version": "2012-10-17", 
@@ -364,10 +367,13 @@ }, "DestinationLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "DestinationRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "DestinationRole" + { + "Ref": "DestinationRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-passthrough-alarms.json b/test/fixtures/shortcuts/hookshot-passthrough-alarms.json index 138ae59..b96d1eb 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-alarms.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-alarms.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment8c2ab881": { + "PassDeploymentb6246d63": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -210,10 +210,13 @@ }, "PassFunctionLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "PassFunctionRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "PassFunctionRole" + { + "Ref": "PassFunctionRole" + } ], "PolicyDocument": { "Version": "2012-10-17", @@ -348,10 +351,13 @@ }, "DestinationLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "DestinationRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "DestinationRole" + { + "Ref": "DestinationRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json index 142f6f8..f58c13c 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json 
@@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment8c2ab881": { + "PassDeploymentb6246d63": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -208,10 +208,13 @@ }, "PassFunctionLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "PassFunctionRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "PassFunctionRole" + { + "Ref": "PassFunctionRole" + } ], "PolicyDocument": { "Version": "2012-10-17", @@ -346,10 +349,13 @@ }, "DestinationLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "DestinationRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "DestinationRole" + { + "Ref": "DestinationRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json index 63ed1f8..0804f2f 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment8c2ab881": { + "PassDeploymentb6246d63": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -208,10 +208,13 @@ }, "PassFunctionLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "PassFunctionRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "PassFunctionRole" + { + "Ref": "PassFunctionRole" + } ], "PolicyDocument": { "Version": "2012-10-17", 
@@ -346,10 +349,13 @@ }, "DestinationLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "DestinationRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "DestinationRole" + { + "Ref": "DestinationRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-passthrough-logging.json b/test/fixtures/shortcuts/hookshot-passthrough-logging.json index 74bc664..5bf91c5 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough-logging.json +++ b/test/fixtures/shortcuts/hookshot-passthrough-logging.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { @@ -42,7 +42,7 @@ ] } }, - "PassDeployment8c2ab881": { + "PassDeploymentb6246d63": { "Type": "AWS::ApiGateway::Deployment", "DependsOn": "PassMethod", "Properties": { @@ -208,10 +208,13 @@ }, "PassFunctionLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "PassFunctionRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "PassFunctionRole" + { + "Ref": "PassFunctionRole" + } ], "PolicyDocument": { "Version": "2012-10-17", @@ -346,10 +349,13 @@ }, "DestinationLogPolicy": { "Type": "AWS::IAM::Policy", + "DependsOn": "DestinationRole", "Properties": { "PolicyName": "lambda-log-access", "Roles": [ - "DestinationRole" + { + "Ref": "DestinationRole" + } ], "PolicyDocument": { "Version": "2012-10-17", diff --git a/test/fixtures/shortcuts/hookshot-passthrough.json b/test/fixtures/shortcuts/hookshot-passthrough.json index d3a5790..95a04de 100644 --- a/test/fixtures/shortcuts/hookshot-passthrough.json +++ b/test/fixtures/shortcuts/hookshot-passthrough.json @@ -23,7 +23,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "PassDeployment8c2ab881" + "Ref": "PassDeploymentb6246d63" }, "StageName": "hookshot", "RestApiId": { 
@@ -42,7 +42,7 @@
 ]
 }
 },
- "PassDeployment8c2ab881": {
+ "PassDeploymentb6246d63": {
 "Type": "AWS::ApiGateway::Deployment",
 "DependsOn": "PassMethod",
 "Properties": {
@@ -208,10 +208,13 @@
 },
 "PassFunctionLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "PassFunctionRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "PassFunctionRole"
+ {
+ "Ref": "PassFunctionRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
@@ -346,10 +349,13 @@
 },
 "DestinationLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "DestinationRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "DestinationRole"
+ {
+ "Ref": "DestinationRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/lambda-defaults.json b/test/fixtures/shortcuts/lambda-defaults.json
index f7b8412..322cdf8 100644
--- a/test/fixtures/shortcuts/lambda-defaults.json
+++ b/test/fixtures/shortcuts/lambda-defaults.json
@@ -84,10 +84,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/lambda-full.json b/test/fixtures/shortcuts/lambda-full.json
index 51738d4..75b0188 100644
--- a/test/fixtures/shortcuts/lambda-full.json
+++ b/test/fixtures/shortcuts/lambda-full.json
@@ -118,10 +118,13 @@
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
 "Condition": "Always",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/lambda-zipfile.json b/test/fixtures/shortcuts/lambda-zipfile.json
index c28519e..7033e31 100644
--- a/test/fixtures/shortcuts/lambda-zipfile.json
+++ b/test/fixtures/shortcuts/lambda-zipfile.json
@@ -83,10 +83,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/log-subscription-lambda-defaults.json b/test/fixtures/shortcuts/log-subscription-lambda-defaults.json
index 41e8c90..608e218 100644
--- a/test/fixtures/shortcuts/log-subscription-lambda-defaults.json
+++ b/test/fixtures/shortcuts/log-subscription-lambda-defaults.json
@@ -84,10 +84,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json b/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json
index d0e6b8c..ac035b2 100644
--- a/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json
+++ b/test/fixtures/shortcuts/log-subscription-lambda-no-defaults.json
@@ -84,10 +84,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/queue-lambda-zero.json b/test/fixtures/shortcuts/queue-lambda-zero.json
index c3bdd85..f5ec06e 100644
--- a/test/fixtures/shortcuts/queue-lambda-zero.json
+++ b/test/fixtures/shortcuts/queue-lambda-zero.json
@@ -85,10 +85,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/queue-lambda.json b/test/fixtures/shortcuts/queue-lambda.json
index 960f808..f809a4b 100644
--- a/test/fixtures/shortcuts/queue-lambda.json
+++ b/test/fixtures/shortcuts/queue-lambda.json
@@ -85,10 +85,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/scheduled-lambda-defaults.json b/test/fixtures/shortcuts/scheduled-lambda-defaults.json
index 7a76f12..5e74d6a 100644
--- a/test/fixtures/shortcuts/scheduled-lambda-defaults.json
+++ b/test/fixtures/shortcuts/scheduled-lambda-defaults.json
@@ -84,10 +84,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/scheduled-lambda-full.json b/test/fixtures/shortcuts/scheduled-lambda-full.json
index 249d071..9bcd304 100644
--- a/test/fixtures/shortcuts/scheduled-lambda-full.json
+++ b/test/fixtures/shortcuts/scheduled-lambda-full.json
@@ -84,10 +84,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/stream-lambda-defaults.json b/test/fixtures/shortcuts/stream-lambda-defaults.json
index 33271b0..b35e58e 100644
--- a/test/fixtures/shortcuts/stream-lambda-defaults.json
+++ b/test/fixtures/shortcuts/stream-lambda-defaults.json
@@ -84,10 +84,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",
diff --git a/test/fixtures/shortcuts/stream-lambda-no-defaults.json b/test/fixtures/shortcuts/stream-lambda-no-defaults.json
index 87b29a2..ec30daf 100644
--- a/test/fixtures/shortcuts/stream-lambda-no-defaults.json
+++ b/test/fixtures/shortcuts/stream-lambda-no-defaults.json
@@ -84,10 +84,13 @@
 },
 "MyLambdaLogPolicy": {
 "Type": "AWS::IAM::Policy",
+ "DependsOn": "MyLambdaRole",
 "Properties": {
 "PolicyName": "lambda-log-access",
 "Roles": [
- "MyLambdaRole"
+ {
+ "Ref": "MyLambdaRole"
+ }
 ],
 "PolicyDocument": {
 "Version": "2012-10-17",