Merge pull request #9 from rschick/outputSupport

jlai-d2l · web-flow · commit d11e8e55aad4 · 2018-08-20T13:30:40.000-04:00
Add support for CloudFormation Output ARN to be allowed access to lam…
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ provider:
   allowAccess: # can be defined as a single value or an array
     - 111111111111 # principal as accountId
     - 'arn:aws:iam::222222222222:root' # principal as ARN
+    - Fn::Import: cloudformation-output-arn # principal as CloudFormation Output Value ARN
 
 functions:
   function1:
diff --git a/add-permissions.js b/add-permissions.js
@@ -39,8 +39,16 @@ module.exports = class AwsAddLambdaAccountPermissions {
       const functionLogicalId = this.provider.naming.getLambdaLogicalId(functionName);
 
       functionAllowAccess.reduce((previousResourceName, principal) => {
-        principal = principal.toString();
-        const principalName = principal.replace(/\b\w/g, l => l.toUpperCase()).replace(/[_\W]+/g, "");
+        let principalString;
+        const fnName = principal instanceof Object ? Object.keys(principal).find(k => k.indexOf('Fn::') >= 0) : undefined;
+        if (fnName) {
+          principalString = principal[fnName].toString();
+        }
+        else {
+          principal = principal.toString();
+          principalString = principal;
+        }
+        const principalName = principalString.replace(/\b\w/g, l => l.toUpperCase()).replace(/[_\W]+/g, "");
         const resourceName = `${functionLogicalId}PermitInvokeFrom${principalName}`;
         const resource = {
           Type: 'AWS::Lambda::Permission',
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "serverless-plugin-lambda-account-access",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "engines": {
     "node": ">=4.0"
   },
diff --git a/test/add-permissions-tests.js b/test/add-permissions-tests.js
@@ -347,6 +347,31 @@ describe('serverless-plugin-lambda-account-access', function() {
         });
     });
 
+    it('should support principal to be an ARN Output from CloudFormation', function() {
+      const instance = createTestInstance({
+        functions: {
+          function1: {}
+        }
+      });
+
+      instance.addPoliciesForFunctions([{'Fn::ImportValue':'output-role-arn'}]);
+
+      expect(instance)
+        .to.have.deep.property('serverless.service.resources.Resources')
+        .that.deep.equals({
+          'Function1LambdaFunctionPermitInvokeFromOutputRoleArn': {
+            'Type': 'AWS::Lambda::Permission',
+            'Properties': {
+              'Action': 'lambda:InvokeFunction',
+              'FunctionName': {
+                'Fn::GetAtt': [ 'Function1LambdaFunction', 'Arn' ],
+              },
+              'Principal': {'Fn::ImportValue':'output-role-arn'}
+            }
+          }
+        });
+    });
+
     it('should support local allowAccess to be a single value', function() {
       const instance = createTestInstance({
         functions: {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "serverless-plugin-lambda-account-access",`
`3`		`- "version": "3.0.0",`
	`3`	`+ "version": "3.1.0",`
`4`	`4`	`"engines": {`
`5`	`5`	`"node": ">=4.0"`
`6`	`6`	`},`