chore: add tests and extend ddb permission function

Michael Bahr · Michael Bahr · commit 182e15cd7a0f · 2023-01-27T10:14:57.000+01:00
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -130,6 +130,67 @@ function getDynamoDBArn(tableName) {
   };
 }
 
+function getDynamoDBIndexArn(tableName, indexName) {
+  if (isIntrinsic(tableName)) {
+    // most likely we'll see a { Ref: LogicalId }, which we need to map to
+    // { Fn::GetAtt: [ LogicalId, Arn ] } to get the ARN
+    if (tableName.Ref) {
+      return {
+        'Fn::Join': [
+          '/',
+          [
+            { 'Fn::GetAtt': [tableName.Ref, 'Arn'] },
+            'index',
+            indexName,
+          ],
+        ],
+      };
+    }
+    // but also support importing the table name from an external stack that exports it
+    // as we still want to support direct state machine actions interacting with those tables
+    if (tableName['Fn::ImportValue']) {
+      return {
+        'Fn::Join': [
+          ':',
+          [
+            'arn',
+            { Ref: 'AWS::Partition' },
+            'dynamodb',
+            { Ref: 'AWS::Region' },
+            { Ref: 'AWS::AccountId' },
+            {
+              'Fn::Join': [
+                '/',
+                [
+                  'table',
+                  tableName,
+                  'index',
+                  indexName,
+                ],
+              ],
+            },
+          ],
+        ],
+      };
+    }
+  }
+
+  return {
+    'Fn::Join': [
+      ':',
+      [
+        'arn',
+        { Ref: 'AWS::Partition' },
+        'dynamodb',
+        { Ref: 'AWS::Region' },
+        { Ref: 'AWS::AccountId' },
+        `table/${tableName}/index/${indexName}`,
+      ],
+    ],
+  };
+}
+
+
 function getBatchPermissions() {
   return [{
     action: 'batch:SubmitJob,batch:DescribeJobs,batch:TerminateJob',
@@ -182,19 +243,19 @@ function getEcsPermissions() {
 }
 
 function getDynamoDBPermissions(action, state) {
-  const tableArn = state.Parameters['TableName.$']
-    ? '*'
-    : getDynamoDBArn(state.Parameters.TableName);
-
   const indexName = state.Parameters['IndexName.$']
     ? '*'
     : state.Parameters.IndexName;
 
   let resource;
   if (indexName) {
-    resource = `${tableArn}/index/${indexName}`;
+    resource = state.Parameters['TableName.$']
+      ? '*'
+      : getDynamoDBIndexArn(state.Parameters.TableName, indexName);
   } else {
-    resource = tableArn;
+    resource = state.Parameters['TableName.$']
+      ? '*'
+      : getDynamoDBArn(state.Parameters.TableName);
   }
   return [{
     action,
diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -731,6 +731,58 @@ describe('#compileIamRole', () => {
       .to.be.deep.equal([worldTableArn]);
   });
 
+  it('should give dynamodb permission to index table whenever IndexName is provided', () => {
+    const helloTable = 'hello';
+
+    const genStateMachine = (id, tableName) => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:dynamodb:query',
+            Parameters: {
+              TableName: tableName,
+            },
+            Next: 'B',
+          },
+          B: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:dynamodb:query',
+            Parameters: {
+              TableName: tableName,
+              IndexName: 'GSI1',
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1', helloTable),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const policy = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+      .Properties.Policies[0];
+
+    expect(policy.PolicyDocument.Statement[0].Action)
+      .to.be.deep.equal(['dynamodb:Query']);
+
+    expect(policy.PolicyDocument.Statement[0].Resource[0]).to.be.deep.equal({
+      'Fn::Join': [':', ['arn', { Ref: 'AWS::Partition' }, 'dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, 'table/hello']],
+    });
+
+    expect(policy.PolicyDocument.Statement[0].Resource[1]).to.be.deep.equal({
+      'Fn::Join': [':', ['arn', { Ref: 'AWS::Partition' }, 'dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, 'table/hello/index/GSI1']],
+    });
+  });
+
   it('should give dynamodb permission to * whenever TableName.$ is seen', () => {
     const helloTable = 'hello';
 
@@ -778,6 +830,84 @@ describe('#compileIamRole', () => {
     expect(policy.PolicyDocument.Statement[0].Resource).to.equal('*');
   });
 
+  it('should give dynamodb permission to table/TableName/index/* when IndexName.$ is seen', () => {
+    const helloTable = 'hello';
+
+    const genStateMachine = (id, tableName) => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:dynamodb:query',
+            Parameters: {
+              TableName: tableName,
+              'IndexName.$': '$.myDynamicIndexName',
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1', helloTable),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const policy = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+      .Properties.Policies[0];
+    expect(policy.PolicyDocument.Statement[0].Action)
+      .to.be.deep.equal(['dynamodb:Query']);
+
+    // even though some tasks target specific indices, because IndexName.$ is used we
+    // have to give broad permissions to allow execution to talk to whatever index
+    // the input specifies
+    expect(policy.PolicyDocument.Statement[0].Resource[0]['Fn::Join'][1][5]).to.equal('table/hello/index/*');
+  });
+
+  it('should give dynamodb permission to table/* whenever TableName.$ and IndexName.$ are seen', () => {
+    const genStateMachine = id => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:dynamodb:query',
+            Parameters: {
+              'TableName.$': '$.myDynamicTableName',
+              'IndexName.$': '$.myDynamicIndexName',
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const policy = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+      .Properties.Policies[0];
+    expect(policy.PolicyDocument.Statement[0].Action)
+      .to.be.deep.equal(['dynamodb:Query']);
+
+    // even though some tasks target specific tables, because TableName.$ is used we
+    // have to give broad permissions to allow execution to talk to whatever table
+    // the input specifies
+    expect(policy.PolicyDocument.Statement[0].Resource[0]).to.equal('*');
+  });
+
   it('should give Redshift Data permissions to * for safe actions', () => {
     serverless.service.stepFunctions = {
       stateMachines: {
