package main
import (
"encoding/json"
"strings"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/lambda"
)
// addPermissionToLambdaFromCloudWatchEvents grants events.amazonaws.com the
// lambda:InvokeFunction permission on every Lambda target of the given rules.
// A target whose ARN is not a Lambda ARN is skipped, as is a target whose
// function policy already holds an equivalent statement (see
// isAlreadyAddPermission). The target's ID becomes the StatementId and the
// rule's deployed ARN the SourceArn of the new statement.
//
// The first error from the Lambda API is returned unchanged and aborts the
// remaining rules and targets.
func addPermissionToLambdaFromCloudWatchEvents(lc *lambda.Lambda, rules []Rule) error {
	for _, r := range rules {
		for _, t := range r.Targets {
			if !IsLambdaFunction(t.Arn) {
				continue
			}
			granted, err := isAlreadyAddPermission(lc, r, t)
			if err != nil {
				return err
			}
			if granted {
				// The function policy already allows this rule; nothing to add.
				continue
			}
			// NOTE(review): r.ActualRule is used here without a nil check;
			// presumably every rule passed in has been looked up first — confirm.
			input := &lambda.AddPermissionInput{
				Action:       aws.String("lambda:InvokeFunction"),
				FunctionName: aws.String(LambdaFunctionNameFromArn(t.Arn)),
				Principal:    aws.String("events.amazonaws.com"),
				SourceArn:    r.ActualRule.Arn,
				StatementId:  aws.String(t.ID),
			}
			if _, err = lc.AddPermission(input); err != nil {
				return err
			}
		}
	}
	return nil
}
// removePermissonFromLambda revokes the invoke permission previously granted
// for every target flagged NeedDelete, addressing the function by the ARN and
// statement id recorded on the deployed target (ActualTarget). Targets that
// are not Lambda functions are ignored. The first Lambda API error is
// returned unchanged and aborts the remaining rules and targets.
//
// The misspelled name is kept as-is because existing callers use it.
func removePermissonFromLambda(lc *lambda.Lambda, rules []Rule) error {
	for _, r := range rules {
		for _, t := range r.Targets {
			// NOTE(review): t.ActualTarget.Arn is dereferenced without a nil
			// check once NeedDelete is set; presumably NeedDelete implies the
			// deployed target was fetched — confirm against the caller.
			if !t.NeedDelete || !IsLambdaFunction(*t.ActualTarget.Arn) {
				continue
			}
			input := &lambda.RemovePermissionInput{
				FunctionName: t.ActualTarget.Arn,
				StatementId:  t.ActualTarget.Id,
			}
			if _, err := lc.RemovePermission(input); err != nil {
				return err
			}
		}
	}
	return nil
}
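// isAlreadyAddPermission reports whether the resource policy of target's
// function already lets events.amazonaws.com invoke it on behalf of rule.
// It fetches the policy with GetPolicy, decodes the JSON document into
// LambdaPolicy and returns true when any statement either carries
// target.ID as its StatementID, or is an Allow of lambda:InvokeFunction on
// target.Arn for the events service whose ArnLike source ARN ends with
// rule.Name.
//
// A response with no policy document, or a document with no Statement
// list, is reported as not granted rather than dereferencing a nil pointer.
// Errors from GetPolicy and from decoding the policy JSON are returned
// unchanged.
func isAlreadyAddPermission(lc *lambda.Lambda, rule Rule, target Target) (bool, error) {
	policyOutput, err := lc.GetPolicy(&lambda.GetPolicyInput{
		FunctionName: &target.Arn,
	})
	if err != nil {
		// NOTE(review): a function that has no resource policy yet makes
		// GetPolicy fail rather than return an empty policy, so that case
		// aborts the caller instead of reading as "not granted" — confirm
		// whether callers rely on this.
		return false, err
	}
	if policyOutput == nil || policyOutput.Policy == nil {
		// Nothing to decode: no statement can match.
		return false, nil
	}
	var policy LambdaPolicy
	if err := json.Unmarshal([]byte(*policyOutput.Policy), &policy); err != nil {
		return false, err
	}
	if policy.Statement == nil {
		return false, nil
	}
	for _, statement := range *policy.Statement {
		// A statement with the same id is treated as already granted, whatever
		// its content, since AddPermission with a duplicate id would not succeed.
		if statement.StatementID == target.ID {
			return true, nil
		}
		// NOTE(review): HasSuffix on the bare rule name also accepts a rule
		// whose name merely ends with rule.Name; matching "/"+rule.Name would
		// be stricter — confirm the source ARN format before tightening.
		if statement.Resource == target.Arn &&
			strings.HasSuffix(statement.Condition.ArnLike.AwsSourceArn, rule.Name) &&
			statement.Effect == "Allow" &&
			statement.Principal.Service == "events.amazonaws.com" &&
			statement.Action == "lambda:InvokeFunction" {
			return true, nil
		}
	}
	return false, nil
}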
// IsLambdaFunction reports whether arn begins with "arn:aws:lambda", i.e.
// names a Lambda resource in the standard "aws" partition. ARNs from other
// partitions (for example aws-cn or aws-us-gov) are not recognised, and the
// resource type after the service field is not inspected.
func IsLambdaFunction(arn string) bool {
	const lambdaARNPrefix = "arn:aws:lambda"
	// The prefix is present exactly when its first occurrence is at offset 0.
	return strings.Index(arn, lambdaARNPrefix) == 0
}
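// LambdaFunctionNameFromArn returns the function name field of a Lambda
// function ARN of the form
// arn:aws:lambda:<region>:<account>:function:<name>[:<qualifier>], i.e. the
// seventh colon-separated field. A trailing qualifier (version or alias) is
// not part of the result. It returns "" when arn has fewer than seven
// fields instead of panicking on an out-of-range index.
func LambdaFunctionNameFromArn(arn string) string {
	const nameField = 6 // 0-based index of <name> among the colon-separated fields
	parts := strings.Split(arn, ":")
	if len(parts) <= nameField {
		return ""
	}
	return parts[nameField]
}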