feat: intrinsic function in compile role

Author: theburningmonk

lib/deploy/stepFunctions/compileIamRole.js

@@ -2,6 +2,7 @@
 const _ = require('lodash');
 const BbPromise = require('bluebird');
 const path = require('path');
+const { isIntrinsic } = require('../../utils/aws');
 
 function getTaskStates(states) {
   return _.flatMap(states, state => {
@@ -28,6 +29,12 @@ function sqsQueueUrlToArn(serverless, queueUrl) {
     const accountId = match[2];
     const queueName = match[3];
     return `arn:aws:sqs:${region}:${accountId}:${queueName}`;
+  } else if (isIntrinsic(queueUrl) && queueUrl.Ref) {
+    // most likely we'll see a { Ref: LogicalId }, which we need to map to
+    // { Fn::GetAtt: [ LogicalId, Arn ] } to get the ARN
+    return {
+      'Fn::GetAtt': [queueUrl.Ref, 'Arn'],
+    };
   }
   serverless.cli.consoleLog(`Unable to parse SQS queue url [${queueUrl}]`);
   return [];
@@ -197,7 +204,7 @@ function getIamPermissions(serverless, taskStates) {
         return getEcsPermissions();
 
       default:
-        if (state.Resource.startsWith('arn:aws:lambda')) {
+        if (isIntrinsic(state.Resource) || state.Resource.startsWith('arn:aws:lambda')) {
           return [{
             action: 'lambda:InvokeFunction',
             resource: state.Resource,

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -900,4 +900,85 @@ describe('#compileIamRole', () => {
       .Properties.Policies[0];
     expectDenyAllPolicy(policy);
   });
+
+  it('should respect CloudFormation intrinsic functions for Resource', () => {
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine: {
+          name: 'stateMachine',
+          definition: {
+            StartAt: 'Lambda',
+            States: {
+              Lambda: {
+                Type: 'Task',
+                Resource: {
+                  Ref: 'MyFunction',
+                },
+                Next: 'Sns',
+              },
+              Sns: {
+                Type: 'Task',
+                Resource: 'arn:aws:states:::sns:publish',
+                Parameters: {
+                  Message: {
+                    'Fn::GetAtt': ['MyTopic', 'TopicName'],
+                  },
+                  TopicArn: {
+                    Ref: 'MyTopic',
+                  },
+                },
+                Next: 'Sqs',
+              },
+              Sqs: {
+                Type: 'Task',
+                Resource: 'arn:aws:states:::sqs:sendMessage',
+                Parameters: {
+                  QueueUrl: {
+                    Ref: 'MyQueue',
+                  },
+                  MessageBody: 'This is a static message',
+                },
+                Next: 'Parallel',
+              },
+              Parallel: {
+                Type: 'Parallel',
+                End: true,
+                Branches: [
+                  {
+                    StartAt: 'Lambda2',
+                    States: {
+                      Lambda2: {
+                        Type: 'Task',
+                        Resource: {
+                          Ref: 'MyFunction2',
+                        },
+                        End: true,
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+          },
+        },
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    serverlessStepFunctions.compileStateMachines();
+    const policy = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
+      .Properties.Policies[0];
+
+    const statements = policy.PolicyDocument.Statement;
+    const lambdaPermissions = statements.find(x => x.Action[0] === 'lambda:InvokeFunction');
+    expect(lambdaPermissions.Resource).to.be.deep.equal([
+      { Ref: 'MyFunction' }, { Ref: 'MyFunction2' }]);
+    const snsPermissions = statements.find(x => x.Action[0] === 'sns:Publish');
+    expect(snsPermissions.Resource).to.be.deep.equal([{ Ref: 'MyTopic' }]);
+    const sqsPermissions = statements.find(x => x.Action[0] === 'sqs:SendMessage');
+    expect(sqsPermissions.Resource).to.be.deep.equal([{
+      'Fn::GetAtt': ['MyQueue', 'Arn'],
+    }]);
+  });
 });

lib/deploy/stepFunctions/compileStateMachines.js

@@ -1,18 +1,14 @@
 'use strict';
 const _ = require('lodash');
 const BbPromise = require('bluebird');
+const { isIntrinsic } = require('../../utils/aws');
 
 function randomName() {
   const chars = 'abcdefghijklmnopqrstufwxyzABCDEFGHIJKLMNOPQRSTUFWXYZ1234567890';
   const pwd = _.sampleSize(chars, 10);
   return pwd.join('');
 }
 
-function isIntrinsic(obj) {
-  return typeof obj === 'object' &&
-    Object.keys(obj).some((k) => k.startsWith('Fn::') || k.startsWith('Ref'));
-}
-
 function toTags(obj, serverless) {
   const tags = [];
 
@@ -66,7 +62,6 @@ function* getIntrinsicFunctions(obj) {
 }
 
 module.exports = {
-  isIntrinsic,
   compileStateMachines() {
     if (this.isStateMachines()) {
       this.getAllStateMachines().forEach((stateMachineName) => {

lib/deploy/stepFunctions/compileStateMachines.test.js

@@ -608,7 +608,7 @@ describe('#compileStateMachines', () => {
     expect(() => serverlessStepFunctions.compileStateMachines()).to.throw(Error);
   });
 
-  it('should respect CloudFormation intrinsic functions for Resource', () => {
+  it('should respect CloudFormation intrinsic functions', () => {
     serverless.service.stepFunctions = {
       stateMachines: {
         myStateMachine: {

lib/utils/aws.js

@@ -0,0 +1,8 @@
+function isIntrinsic(obj) {
+  return typeof obj === 'object' &&
+    Object.keys(obj).some((k) => k.startsWith('Fn::') || k.startsWith('Ref'));
+}
+
+module.exports = {
+  isIntrinsic,
+};