Fixed detection of Principal for Serverless 1.27

Frank Schmid · Frank Schmid · commit 2ccac33bb846 · 2018-05-08T15:03:53.000+02:00
diff --git a/lib/stackops/apiGateway.js b/lib/stackops/apiGateway.js
@@ -204,7 +204,7 @@ module.exports = function(currentTemplate, aliasStackTemplates, currentAliasStac
 		const apiLambdaPermissions =
 				_.assign({},
 					_.pickBy(_.pickBy(stageStack.Resources, [ 'Type', 'AWS::Lambda::Permission' ]),
-						['Properties.Principal', 'apigateway.amazonaws.com']));
+						permission => utils.hasPermissionPrincipal(permission, 'apigateway')));
 
 		const apiMethods = _.assign({}, _.pickBy(stageStack.Resources, [ 'Type', 'AWS::ApiGateway::Method' ]));
 		const authorizers = _.assign({}, _.pickBy(stageStack.Resources, [ 'Type', 'AWS::ApiGateway::Authorizer' ]));
@@ -292,7 +292,9 @@ module.exports = function(currentTemplate, aliasStackTemplates, currentAliasStac
 					'Fn::Join': [
 						'',
 						[
-							'arn:aws:execute-api:',
+							'arn:',
+							{ Ref: 'AWS::Partition' },
+							':execute-api:',
 							{ Ref: 'AWS::Region' },
 							':',
 							{ Ref: 'AWS::AccountId' },
diff --git a/lib/stackops/cwEvents.js b/lib/stackops/cwEvents.js
@@ -16,7 +16,7 @@ module.exports = function(currentTemplate, aliasStackTemplates, currentAliasStac
 	const cwEventLambdaPermissions =
 			_.assign({},
 				_.pickBy(_.pickBy(stageStack.Resources, [ 'Type', 'AWS::Lambda::Permission' ]),
-					['Properties.Principal', 'events.amazonaws.com']));
+					permission => utils.hasPermissionPrincipal(permission, 'events')));
 
 	_.forOwn(cwEvents, (cwEvent, name) => {
 		// Reference alias as FunctionName
diff --git a/lib/stackops/snsEvents.js b/lib/stackops/snsEvents.js
@@ -67,7 +67,7 @@ module.exports = function(currentTemplate, aliasStackTemplates, currentAliasStac
 	const snsLambdaPermissions =
 			_.assign({},
 				_.pickBy(_.pickBy(stageStack.Resources, [ 'Type', 'AWS::Lambda::Permission' ]),
-					[ 'Properties.Principal', 'sns.amazonaws.com' ]));
+					permission => utils.hasPermissionPrincipal(permission, 'sns')));
 
 	// Adjust permission to reference the function aliases
 	_.forOwn(snsLambdaPermissions, (permission, name) => {
diff --git a/lib/utils.js b/lib/utils.js
@@ -87,6 +87,23 @@ class Utils {
 		}, alias);
 	}
 
+	/**
+	 * Checks if a CF resource permission targets the given service as Principal.
+	 * @param {string} service 
+	 */
+	static hasPermissionPrincipal(permission, service) {
+		const principal = _.get(permission, 'Properties.Principal');
+		if (_.isString(principal)) {
+			return _.startsWith(principal, service);
+		} else if (_.isPlainObject(principal)) {
+			const join = principal['Fn::Join'];
+			if (join) {
+				return _.some(join[1], joinPart => _.isString(joinPart) && _.startsWith(joinPart, service));
+			}
+		}
+		return false;
+	}
+
 }
 
 module.exports = Utils;
diff --git a/yarn.lock b/yarn.lock
