Merge pull request #214 from horike37/feature/lambda_invoke_intrinsic_funcs

Support intrinsic functions in lambda:invoke resource type

Author: theburningmonk

lib/deploy/stepFunctions/compileIamRole.js

@@ -148,27 +148,56 @@ function getLambdaPermissions(state) {
   // function name can be name-only, name-only with alias, full arn or partial arn
   // https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html#API_Invoke_RequestParameters
   const functionName = state.Parameters.FunctionName;
-  const segments = functionName.split(':');
-
-  let functionArn;
-  if (functionName.startsWith('arn:aws:lambda')) {
-    // full ARN
-    functionArn = functionName;
-  } else if (segments.length === 3 && segments[0].match(/^\d+$/)) {
-    // partial ARN
-    functionArn = {
-      'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:${functionName}`,
-    };
-  } else {
-    // name-only (with or without alias)
-    functionArn = {
-      'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}`,
-    };
+  if (_.isString(functionName)) {
+    const segments = functionName.split(':');
+
+    let functionArn;
+    if (functionName.startsWith('arn:aws:lambda')) {
+      // full ARN
+      functionArn = functionName;
+    } else if (segments.length === 3 && segments[0].match(/^\d+$/)) {
+      // partial ARN
+      functionArn = {
+        'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:${functionName}`,
+      };
+    } else {
+      // name-only (with or without alias)
+      functionArn = {
+        'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}`,
+      };
+    }
+
+    return [{
+      action: 'lambda:InvokeFunction',
+      resource: functionArn,
+    }];
+  } else if (_.has(functionName, 'Fn::GetAtt')) {
+    // because the FunctionName parameter can be either a name or ARN
+    // so you should be able to use Fn::GetAtt here to get the ARN
+    return [{
+      action: 'lambda:InvokeFunction',
+      resource: functionName,
+    }];
+  } else if (_.has(functionName, 'Ref')) {
+    // because the FunctionName parameter can be either a name or ARN
+    // so you should be able to use Ref here to get the function name
+    return [{
+      action: 'lambda:InvokeFunction',
+      resource: {
+        'Fn::Sub': [
+          'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}',
+          {
+            FunctionName: functionName,
+          },
+        ],
+      },
+    }];
   }
 
+  // hope for the best...
   return [{
     action: 'lambda:InvokeFunction',
-    resource: functionArn,
+    resource: functionName,
   }];
 }
 

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -1205,4 +1205,79 @@ describe('#compileIamRole', () => {
     ];
     expect(lambdaPermissions[0].Resource).to.deep.eq(lambdaArns);
   });
+
+  it('should support intrinsic functions for lambda::invoke resource type', () => {
+    const getStateMachine = (name, functionName) => ({
+      name,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::lambda:invoke',
+            Parameters: {
+              FunctionName: functionName,
+              Payload: {
+                'ExecutionName.$': '$$.Execution.Name',
+              },
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    // function name can be...
+    const lambda1 = { Ref: 'MyFunction' }; // name
+    const lambda2 = { 'Fn::GetAtt': ['MyFunction', 'Arn'] }; // Arn
+    const lambda3 = { // or, something we don't need special handling for
+      'Fn::Sub': [
+        'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}',
+        {
+          FunctionName: 'myFunction',
+        },
+      ],
+    };
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: getStateMachine('sm1', lambda1),
+        myStateMachine2: getStateMachine('sm2', lambda2),
+        myStateMachine3: getStateMachine('sm3', lambda3),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
+      .Properties.Policies[0].PolicyDocument.Statement;
+
+    const lambdaPermissions = statements.filter(s =>
+      _.isEqual(s.Action, ['lambda:InvokeFunction']));
+    expect(lambdaPermissions).to.have.lengthOf(1);
+
+    const lambdaArns = [
+      {
+        'Fn::Sub': [
+          'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}',
+          { FunctionName: lambda1 },
+        ],
+      },
+      {
+        'Fn::GetAtt': [
+          'MyFunction',
+          'Arn',
+        ],
+      },
+      {
+        'Fn::Sub': [
+          'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}',
+          {
+            FunctionName: 'myFunction',
+          },
+        ],
+      },
+    ];
+    expect(lambdaPermissions[0].Resource).to.deep.eq(lambdaArns);
+  });
 });