Skip to content

Commit

Permalink
feat: support importing DynamoDB tables exported from external stacks
Browse files Browse the repository at this point in the history 
fixes issue #442
  • Loading branch information
@danrivett
danrivett committed Jul 2, 2021
1 parent e0a391d commit 8a1b732
Show file tree
Hide file tree
Showing 2 changed files with 114 additions and 4 deletions.
33 changes: 29 additions & 4 deletions lib/deploy/stepFunctions/compileIamRole.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -76,12 +76,37 @@ function getSnsPermissions(serverless, state) {
}

function getDynamoDBArn(tableName) {
if (isIntrinsic(tableName) && tableName.Ref) {
if (isIntrinsic(tableName)) {
// most likely we'll see a { Ref: LogicalId }, which we need to map to
// { Fn::GetAtt: [ LogicalId, Arn ] } to get the ARN
return {
'Fn::GetAtt': [tableName.Ref, 'Arn'],
};
if (tableName.Ref) {
return {
'Fn::GetAtt': [tableName.Ref, 'Arn'],
};
}
// but also support importing the table name from an external stack that exports it
// as we still want to support direct state machine actions interacting with those tables
if (tableName['Fn::ImportValue']) {
return {
'Fn::Join': [
':',
[
'arn:aws:dynamodb',
{ Ref: 'AWS::Region' },
{ Ref: 'AWS::AccountId' },
{
'Fn::Join': [
'/',
[
'table',
tableName,
],
],
},
],
],
};
}
}

return {
Expand Down
85 changes: 85 additions & 0 deletions lib/deploy/stepFunctions/compileIamRole.test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -576,6 +576,91 @@ describe('#compileIamRole', () => {
.to.be.deep.equal([worldTableArn]);
});

it('should give dynamodb permission for table name imported from external stack', () => {
const externalHelloTable = { 'Fn::ImportValue': 'HelloStack:Table:Name' };
const helloTableArn = {
'Fn::Join': [
':', ['arn:aws:dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, { 'Fn::Join': ['/', ['table', externalHelloTable]] }],
],
};

const externalWorldTable = { 'Fn::ImportValue': 'WorldStack:Table:Name' };
const worldTableArn = {
'Fn::Join': [
':', ['arn:aws:dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, { 'Fn::Join': ['/', ['table', externalWorldTable]] }],
],
};

const genStateMachine = (id, tableName) => ({
id,
definition: {
StartAt: 'A',
States: {
A: {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:updateItem',
Parameters: {
TableName: tableName,
},
Next: 'B',
},
B: {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:putItem',
Parameters: {
TableName: tableName,
},
Next: 'C',
},
C: {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:getItem',
Parameters: {
TableName: tableName,
},
Next: 'D',
},
D: {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:deleteItem',
Parameters: {
TableName: tableName,
},
End: true,
},
},
},
});

serverless.service.stepFunctions = {
stateMachines: {
myStateMachine1: genStateMachine('StateMachine1', externalHelloTable),
myStateMachine2: genStateMachine('StateMachine2', externalWorldTable),
},
};

serverlessStepFunctions.compileIamRole();
const resources = serverlessStepFunctions.serverless.service
.provider.compiledCloudFormationTemplate.Resources;
const policy1 = resources.StateMachine1Role.Properties.Policies[0];
const policy2 = resources.StateMachine2Role.Properties.Policies[0];

[policy1, policy2].forEach((policy) => {
expect(policy.PolicyDocument.Statement[0].Action)
.to.be.deep.equal([
'dynamodb:UpdateItem',
'dynamodb:PutItem',
'dynamodb:GetItem',
'dynamodb:DeleteItem',
]);
});

expect(policy1.PolicyDocument.Statement[0].Resource)
.to.be.deep.equal([helloTableArn]);
expect(policy2.PolicyDocument.Statement[0].Resource)
.to.be.deep.equal([worldTableArn]);
});

it('should give dynamodb permission to * whenever TableName.$ is seen', () => {
const helloTable = 'hello';

Expand Down

0 comments on commit 8a1b732

Please sign in to comment.