Merge pull request #4 from AntonBazhal/local-access

Made it possible to exclude functions or override access list locally

Author: AntonBazhal

.eslintignore

@@ -0,0 +1,2 @@
+coverage/
+node_modules/

.gitignore

@@ -1,2 +1,4 @@
+.nyc_output/
+coverage
 node_modules
 *.log

README.md

@@ -15,27 +15,38 @@ plugins:
   - serverless-plugin-lambda-account-access
 
 provider:
-  permitAccounts: 000001,000002 # CSV list of AWS account numbers
+  allowAccounts: # can be defined as a single value or an array
+    - 111111111111 # principal as accountId
+    - 'arn:aws:iam::222222222222:root' # principal as ARN
 
 functions:
   function1:
   function2:
+    allowAccess: false # excludes specific function
+  function3:
+    allowAccess: 333333333333 # allows access from these principals instead of the globally defined ones
 ```
 
-The above allows all functions to be invoked from the listed accounts.
+The above allows all functions to be invoked from the principals listed in `provider` section, unless access is explicitly forbidden inside function config (`function2`), or accounts list is overridden locally (`function3`).
 
 Permissions are granted by adding resources of the form:
 
 ```yaml
 resources:
   Resources:
-    Function1LambdaFunctionPermitInvokeFromAccount000001:
-	  Type: AWS::Lambda::Permission
+    Function1LambdaFunctionPermitInvokeFrom111111111111:
+    Type: AWS::Lambda::Permission
       Properties:
         Action: lambda:InvokeFunction
         FunctionName:
           Fn::GetAtt:
             - Function1LambdaFunction
             - Arn
-	    Principal: 000001
+      Principal: '111111111111'
 ```
+
+## Migration From 1.x
+
+Version 2 has the following breaking changes:
+  - `permitAccounts` field was changed to `allowAccess`
+  - multiple principals can be defined as an array, instead of CSV list

add-permissions.js

@@ -11,45 +11,56 @@ module.exports = class AwsAddLambdaAccountPermissions {
     this.options = options;
     this.provider = this.serverless.getProvider('aws');
     this.hooks = {
-      'before:deploy:deploy': () => this.beforeDeploy(),
+      'before:deploy:createDeploymentArtifacts': () => this.beforeDeploy(),
     };
   }
 
-  addPoliciesForAccount(account) {
+  addPoliciesForFunctions(globalAllowAccess) {
     const service = this.serverless.service;
     if (typeof service.functions !== 'object') {
       return;
     }
+
     const resources = service.resources = service.resources || {};
     if (!resources.Resources) {
       resources.Resources = {};
     }
+
     Object.keys(service.functions).forEach(functionName => {
-      const functionLogicalId = this.provider.naming
-        .getLambdaLogicalId(functionName);
-      const resourceName = account.replace(/\b\w/g, l => l.toUpperCase()).replace(/[_\W]+/g, "");
-      resources.Resources[`${functionLogicalId}PermitInvokeFrom${resourceName}`] = {
-        Type: 'AWS::Lambda::Permission',
-        Properties: {
-          Action: 'lambda:InvokeFunction',
-          FunctionName: {
-            'Fn::GetAtt': [ functionLogicalId, 'Arn' ],
-          },
-          Principal: account,
-        }
-      };
+      let localAllowAccess = service.functions[functionName].allowAccess;
+      if (localAllowAccess === false || (globalAllowAccess.length === 0 && !localAllowAccess)) {
+        return;
+      }
+
+      const functionAllowAccess = localAllowAccess
+        ? [].concat(localAllowAccess)
+        : globalAllowAccess;
+
+      const functionLogicalId = this.provider.naming.getLambdaLogicalId(functionName);
+
+      functionAllowAccess.forEach(principal => {
+        principal = principal.toString();
+        const resourceName = principal.replace(/\b\w/g, l => l.toUpperCase()).replace(/[_\W]+/g, "");
+        resources.Resources[`${functionLogicalId}PermitInvokeFrom${resourceName}`] = {
+          Type: 'AWS::Lambda::Permission',
+          Properties: {
+            Action: 'lambda:InvokeFunction',
+            FunctionName: {
+              'Fn::GetAtt': [ functionLogicalId, 'Arn' ],
+            },
+            Principal: principal
+          }
+        };
+      });
     });
   }
 
   beforeDeploy() {
     const service = this.serverless.service;
-    const permitAccounts =
-      service.provider &&
-      service.provider.permitAccounts &&
-      service.provider.permitAccounts.toString();
+    let globalAllowAccess = service.provider && service.provider.allowAccess
+      ? [].concat(service.provider.allowAccess)
+      : [];
 
-    if (permitAccounts) {
-      permitAccounts.split(',').map(this.addPoliciesForAccount.bind(this));
-    }
+    this.addPoliciesForFunctions(globalAllowAccess);
   }
 };

package.json

@@ -1,13 +1,13 @@
 {
   "name": "serverless-plugin-lambda-account-access",
-  "version": "1.1.1",
+  "version": "2.0.0",
   "engines": {
     "node": ">=4.0"
   },
   "description": "A Serverless plugin to allow other accounts to invoke your Lambda functions",
   "main": "add-permissions.js",
   "scripts": {
-    "test": "echo \"No tests yet\"",
+    "test": "nyc --reporter=lcov --reporter=text mocha",
     "posttest": "eslint .",
     "preversion": "npm test",
     "postversion": "git push --follow-tags"
@@ -23,7 +23,12 @@
   ],
   "license": "MIT",
   "devDependencies": {
-    "eslint": "^3.11.1"
+    "chai": "^3.5.0",
+    "eslint": "^3.11.1",
+    "eslint-plugin-mocha": "^4.9.0",
+    "mocha": "^3.3.0",
+    "nyc": "^10.2.0",
+    "sinon": "^2.1.0"
   },
   "dependencies": {
     "semver": "^5.3.0"

test/.eslintrc

@@ -0,0 +1,4 @@
+env:
+  mocha: true
+
+plugins: ["mocha"]