Merge pull request #42 from erezrokah/feat/custom_roles

Feat: add support for specifying custom roles

Author: horike37

README.md

@@ -327,6 +327,32 @@ resources:
 
 Source: [AWS::ApiGateway::Method docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html#cfn-apigateway-method-authorizationtype)
 
+### Using a Custom IAM Role
+
+By default, the plugin will generate a role with the required permissions for each service type that is configured.
+
+You can configure your own role by setting the `roleArn` attribute:
+
+```yaml
+custom:
+  apiGatewayServiceProxies:
+    - sqs:
+        path: /sqs
+        method: post
+        queueName: { 'Fn::GetAtt': ['SQSQueue', 'QueueName'] }
+        cors: true
+        roleArn: # Optional. A default role is created when not configured
+          Fn::GetAtt: [CustomS3Role, Arn]
+
+resources:
+  Resources:
+    SQSQueue:
+      Type: 'AWS::SQS::Queue'
+    CustomS3Role:
+      # Custom Role definition
+      Type: 'AWS::IAM::Role'
+```
+
 ### Customizing request body mapping templates
 
 #### Kinesis

__tests__/integration/common/custom-role/service/serverless.yml

@@ -0,0 +1,56 @@
+service: custom-role-proxy
+
+provider:
+  name: aws
+  runtime: nodejs10.x
+
+plugins:
+  localPath: './../../../../../../'
+  modules:
+    - serverless-apigateway-service-proxy
+
+custom:
+  apiGatewayServiceProxies:
+    - s3:
+        path: /s3-custom-role/{key}
+        method: post
+        action: PutObject
+        bucket:
+          Ref: S3Bucket
+        key:
+          pathParam: key
+        cors: true
+        roleArn:
+          Fn::GetAtt: [CustomS3Role, Arn]
+
+resources:
+  Resources:
+    S3Bucket:
+      Type: 'AWS::S3::Bucket'
+    CustomS3Role:
+      Type: 'AWS::IAM::Role'
+      Properties:
+        AssumeRolePolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+            - Effect: 'Allow'
+              Principal: {
+                Service: 'apigateway.amazonaws.com'
+              }
+              Action: 'sts:AssumeRole'
+        Policies:
+          - PolicyName: 'apigatewaytos3'
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: 'Allow'
+                  Action: 's3:PutObject*'
+                  Resource:
+                    Fn::Join:
+                      - ''
+                      - - Fn::GetAtt: [S3Bucket, Arn]
+                        - '/*'                      
+  Outputs:
+    S3BucketName:
+      Value:
+        Ref: S3Bucket

__tests__/integration/common/custom-role/tests.js

@@ -0,0 +1,46 @@
+'use strict'
+
+const expect = require('chai').expect
+const fetch = require('node-fetch')
+const {
+  deployWithRandomStage,
+  removeService,
+  getS3Object,
+  deleteS3Object
+} = require('../../../utils')
+
+describe('Proxy With Custom Role Integration Test', () => {
+  let endpoint
+  let stage
+  let bucket
+  const config = '__tests__/integration/common/custom-role/service/serverless.yml'
+  const key = 'my-test-object.json'
+
+  beforeAll(async () => {
+    const result = await deployWithRandomStage(config)
+
+    stage = result.stage
+    endpoint = result.endpoint
+    bucket = result.outputs.S3BucketName
+  })
+
+  afterAll(async () => {
+    await deleteS3Object(bucket, key)
+    removeService(stage, config)
+  })
+
+  it('should get correct response from s3 proxy endpoint with custom role', async () => {
+    const testEndpoint = `${endpoint}/s3-custom-role/${key}`
+
+    const response = await fetch(testEndpoint, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ message: 'test' })
+    })
+    expect(response.headers.get('access-control-allow-origin')).to.deep.equal('*')
+    expect(response.status).to.be.equal(200)
+
+    const uploadedObject = await getS3Object(bucket, key)
+    expect(uploadedObject.toString()).to.equal(JSON.stringify({ message: 'test' }))
+  })
+})

lib/apiGateway/schema.js

@@ -65,13 +65,38 @@ const authorizationType = Joi.alternatives().when('authorizerId', {
 // https://hapi.dev/family/joi/?v=15.1.0#objectpatternpattern-schema
 const requestParameters = Joi.object().pattern(Joi.string(), Joi.string().required())
 
+const stringOrGetAtt = (propertyName, attributeName) => {
+  return Joi.alternatives().try([
+    Joi.string(),
+    Joi.object({
+      'Fn::GetAtt': Joi.array()
+        .length(2)
+        .ordered(
+          Joi.string().required(),
+          Joi.string()
+            .valid(attributeName)
+            .required()
+        )
+        .required()
+    }).error(
+      customErrorBuilder(
+        'object.child',
+        `"${propertyName}" must be in the format "{ 'Fn::GetAtt': ['<ResourceId>', '${attributeName}'] }"`
+      )
+    )
+  ])
+}
+
+const roleArn = stringOrGetAtt('roleArn', 'Arn')
+
 const proxy = Joi.object({
   path,
   method,
   cors,
   authorizationType,
   authorizerId,
-  authorizationScopes
+  authorizationScopes,
+  roleArn
 })
   .oxor('authorizerId', 'authorizationScopes') // can have one of them, but not required
   .error(
@@ -119,28 +144,6 @@ const partitionKey = Joi.alternatives().try([
     )
 ])
 
-const stringOrGetAtt = (propertyName, attributeName) => {
-  return Joi.alternatives().try([
-    Joi.string(),
-    Joi.object({
-      'Fn::GetAtt': Joi.array()
-        .length(2)
-        .ordered(
-          Joi.string().required(),
-          Joi.string()
-            .valid(attributeName)
-            .required()
-        )
-        .required()
-    }).error(
-      customErrorBuilder(
-        'object.child',
-        `"${propertyName}" must be in the format "{ 'Fn::GetAtt': ['<ResourceId>', '${attributeName}'] }"`
-      )
-    )
-  ])
-}
-
 const request = Joi.object({
   template: Joi.object().required()
 })

lib/apiGateway/validate.test.js

@@ -579,6 +579,100 @@ describe('#validateServiceProxies()', () => {
       })
     })
 
+    it('should throw if "roleArn" is not a string or an AWS intrinsic "Fn::GetAtt" function', () => {
+      serverlessApigatewayServiceProxy.serverless.service.custom = {
+        apiGatewayServiceProxies: [
+          {
+            kinesis: {
+              path: '/kinesis',
+              streamName: 'streamName',
+              method: 'post',
+              roleArn: []
+            }
+          }
+        ]
+      }
+
+      expect(() => serverlessApigatewayServiceProxy.validateServiceProxies()).to.throw(
+        serverless.classes.Error,
+        'child "kinesis" fails because [child "roleArn" fails because ["roleArn" must be a string, "roleArn" must be an object]]'
+      )
+    })
+
+    it('should throw if "roleArn" is an AWS intrinsic function other than "Fn::GetAtt"', () => {
+      serverlessApigatewayServiceProxy.serverless.service.custom = {
+        apiGatewayServiceProxies: [
+          {
+            kinesis: {
+              path: '/kinesis',
+              streamName: 'streamName',
+              method: 'post',
+              roleArn: { Ref: 'KinesisCustomRoleId' }
+            }
+          }
+        ]
+      }
+
+      expect(() => serverlessApigatewayServiceProxy.validateServiceProxies()).to.throw(
+        serverless.classes.Error,
+        `child "kinesis" fails because [child "roleArn" fails because ["roleArn" must be a string, "roleArn" must be in the format "{ 'Fn::GetAtt': ['<ResourceId>', 'Arn'] }"]]`
+      )
+    })
+
+    it('should throw if "roleArn" is an AWS intrinsic "Fn::GetAtt" function for an attribute other than Arn', () => {
+      serverlessApigatewayServiceProxy.serverless.service.custom = {
+        apiGatewayServiceProxies: [
+          {
+            kinesis: {
+              path: '/kinesis',
+              streamName: 'streamName',
+              method: 'post',
+              roleArn: { 'Fn::GetAtt': ['KinesisCustomRoleId', 'RoleId'] }
+            }
+          }
+        ]
+      }
+
+      expect(() => serverlessApigatewayServiceProxy.validateServiceProxies()).to.throw(
+        serverless.classes.Error,
+        `child "kinesis" fails because [child "roleArn" fails because ["roleArn" must be a string, "roleArn" must be in the format "{ 'Fn::GetAtt': ['<ResourceId>', 'Arn'] }"]]`
+      )
+    })
+
+    it('should not throw error if "roleArn" is a string', () => {
+      serverlessApigatewayServiceProxy.serverless.service.custom = {
+        apiGatewayServiceProxies: [
+          {
+            kinesis: {
+              path: '/kinesis',
+              streamName: 'streamName',
+              method: 'post',
+              roleArn: 'roleArn'
+            }
+          }
+        ]
+      }
+
+      expect(() => serverlessApigatewayServiceProxy.validateServiceProxies()).to.not.throw()
+    })
+
+    it('should not throw error if "roleArn" is valid intrinsic function', () => {
+      serverlessApigatewayServiceProxy.serverless.service.custom = {
+        apiGatewayServiceProxies: [
+          {
+            kinesis: {
+              path: '/kinesis',
+              streamName: 'streamName',
+              method: 'post',
+              roleArn: { 'Fn::GetAtt': ['KinesisCustomRoleId', 'Arn'] }
+            }
+          }
+        ]
+      }
+
+      expect(() => serverlessApigatewayServiceProxy.validateServiceProxies()).to.not.throw()
+    })
+
     const proxiesToTest = [
       { proxy: 'kinesis', props: { streamName: 'streamName' } },
       { proxy: 'sns', props: { topicName: 'topicName' } }
@@ -1280,11 +1374,10 @@ describe('#validateServiceProxies()', () => {
     })
 
     it('should not show error if queueName is a string', () => {
-      serverlessApigatewayServiceProxy.validated = {
-        events: [
+      serverlessApigatewayServiceProxy.serverless.service.custom = {
+        apiGatewayServiceProxies: [
           {
-            serviceName: 'sqs',
-            http: {
+            sqs: {
               queueName: 'yourQueue',
               path: 'sqs',
               method: 'post'

lib/package/kinesis/compileIamRoleToKinesis.js

@@ -1,20 +1,22 @@
 'use strict'
 const _ = require('lodash')
 
+const SERVICE_NAME = 'kinesis'
+
 module.exports = {
   compileIamRoleToKinesis() {
+    if (!this.shouldCreateDefaultRole(SERVICE_NAME)) {
+      return
+    }
+
     const kinesisStreamNames = this.getAllServiceProxies()
-      .filter((serviceProxy) => this.getServiceName(serviceProxy) === 'kinesis')
+      .filter((serviceProxy) => this.getServiceName(serviceProxy) === SERVICE_NAME)
       .map((serviceProxy) => {
         const serviceName = this.getServiceName(serviceProxy)
         const { streamName } = serviceProxy[serviceName]
         return streamName
       })
 
-    if (kinesisStreamNames.length <= 0) {
-      return
-    }
-
     const policyResource = kinesisStreamNames.map((streamName) => ({
       'Fn::Sub': [
         'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}',

lib/package/kinesis/compileIamRoleToKinesis.test.js

@@ -109,7 +109,7 @@ describe('#compileIamRoleToKinesis()', () => {
       apiGatewayServiceProxies: [
         {
           sqs: {
-            path: '/kinesis',
+            path: '/sqs',
             method: 'post'
           }
         }
@@ -120,4 +120,31 @@ describe('#compileIamRoleToKinesis()', () => {
 
     expect(serverless.service.provider.compiledCloudFormationTemplate.Resources).to.be.empty
   })
+
+  it('should not create default role if all proxies have a custom role', () => {
+    serverlessApigatewayServiceProxy.serverless.service.custom = {
+      apiGatewayServiceProxies: [
+        {
+          kinesis: {
+            path: '/kinesis1',
+            method: 'post',
+            streamName: { Ref: 'KinesisStream1' },
+            roleArn: 'roleArn1'
+          }
+        },
+        {
+          kinesis: {
+            path: '/kinesis2',
+            method: 'post',
+            streamName: { Ref: 'KinesisStream2' },
+            roleArn: 'roleArn2'
+          }
+        }
+      ]
+    }
+
+    serverlessApigatewayServiceProxy.compileIamRoleToKinesis()
+
+    expect(serverless.service.provider.compiledCloudFormationTemplate.Resources).to.be.empty
+  })
 })