From d233fabc41ece731cf1947d9823aeae9ad177ede Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 1 May 2024 15:11:08 +0930
Subject: [PATCH 1/5] Add TagRole permission

---
 packages/serverless-deploy-iam/bin/app.ts | 1 +
 1 file changed, 1 insertion(+)
 mode change 100644 => 100755 packages/serverless-deploy-iam/bin/app.ts

diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
old mode 100644
new mode 100755
index e126faf..16d82ec
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -166,6 +166,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 "iam:GetRole",
 "iam:DeleteRole",
 "iam:UpdateRole",
+ "iam:TagRole",
 "iam:GetRolePolicy",
 "iam:DeleteRolePolicy",
 "iam:PutRolePolicy",

From 1c5e3a717caefeb1d6789509e68ef859061afb00 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Tue, 1 Oct 2024 12:38:36 +0930
Subject: [PATCH 2/5] add lambda:ListTags to allow the deploy user to access tag information

---
 packages/serverless-deploy-iam/bin/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 16d82ec..f169a93 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -471,7 +471,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 name: "LAMBDA",
 prefix: `arn:aws:lambda:${region}:${accountId}:function:`,
 qualifiers: [`${serviceName}*`],
- actions: ["lambda:GetFunction", "lambda:InvokeFunction"],
+ actions: ["lambda:GetFunction", "lambda:InvokeFunction", "lambda:ListTags"],
 },
 {
 name: "IAM",

From 9459389a4edc80545d0438a4b4abdc4d8580f2e6 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Tue, 1 Oct 2024 12:45:53 +0930
Subject: [PATCH 3/5] prettier update

---
 packages/serverless-deploy-iam/bin/app.ts | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
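Review bot: `iam:TagRole` is added after `iam:UpdateRole` without the matching `iam:UntagRole`, so a deployment that removes a tag from one of these CloudFormation-managed roles will, as far as I can tell, fail with AccessDenied while adding tags succeeds; consider `"iam:TagRole", "iam:UntagRole",`. Tagging roles is also authorization-relevant: if any policy in the account uses `iam:ResourceTag`/`aws:ResourceTag` conditions on roles, the deployer can change what other principals may do with these roles, so confirm the `resources` this actions array is bound to (outside the hunk) stays limited to the service's role prefix, and consider an `aws:TagKeys` condition on the statement. The enclosing policy statement starts and ends outside the hunk.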
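Review bot: The new `lambda:ListTags` action inherits the `${serviceName}*` qualifier on the line above it, which matches any function whose name merely starts with the service name (a service `api` also reads tags of `api-internal`); this is pre-existing, but worth confirming as the statement grows, since a delimiter after the service name (if `formatResourceQualifier` supports one for LAMBDA) would tighten it. A one-line comment would also help the next reader, e.g. `// lambda:ListTags: read-only; the deploy tooling reads existing function tags during an update` — hedged, since the commit message only says "access tag information". If the same tooling also needs to change tags, `lambda:TagResource`/`lambda:UntagResource` would be required as well. The enclosing policy-definition array starts and ends outside the hunk.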
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index f169a93..be78d4c 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -84,7 +84,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 type: new Role(this, `ServiceRole-v${version}`, {
 assumedBy: new CompositePrincipal(
 new ServicePrincipal("cloudformation.amazonaws.com"),
- new ServicePrincipal("lambda.amazonaws.com")
+ new ServicePrincipal("lambda.amazonaws.com"),
 ),
 }),
 policies: [
@@ -471,7 +471,11 @@ export class ServiceDeployIAM extends cdk.Stack {
 name: "LAMBDA",
 prefix: `arn:aws:lambda:${region}:${accountId}:function:`,
 qualifiers: [`${serviceName}*`],
- actions: ["lambda:GetFunction", "lambda:InvokeFunction", "lambda:ListTags"],
+ actions: [
+ "lambda:GetFunction",
+ "lambda:InvokeFunction",
+ "lambda:ListTags",
+ ],
 },
 {
 name: "IAM",
@@ -537,7 +541,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 type: "String",
 description: `Custom qualifier values provided for ${policy.name}`,
 default: "",
- })
+ }),
 );
 }
@@ -550,7 +554,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 ServiceDeployIAM.formatResourceQualifier(
 policy.name,
 policy.prefix || "",
- policy.qualifiers || []
+ policy.qualifiers || [],
 );
 store.type.addToPolicy(new PolicyStatement(policy));
@@ -607,7 +611,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 static formatResourceQualifier(
 serviceName: string,
 prefix: string,
- qualifiers: string[]
+ qualifiers: string[],
 ): string[] {
 let delimiter = "/";
 switch (serviceName) {

From 833b6c6f551c04a6a203353d36db98b6474606ca Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Tue, 1 Oct 2024 13:09:34 +0930
Subject: [PATCH 4/5] prettier update

---
 packages/serverless-deploy-iam/bin/app.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 75db305..7e3fde5 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -84,7 +84,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 type: new Role(this, `ServiceRole-v${version}`, {
 assumedBy: new CompositePrincipal(
 new ServicePrincipal("cloudformation.amazonaws.com"),
- new ServicePrincipal("lambda.amazonaws.com"),
+ new ServicePrincipal("lambda.amazonaws.com")
 ),
 }),
 policies: [
@@ -534,7 +534,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 type: "String",
 description: `Custom qualifier values provided for ${policy.name}`,
 default: PARAMETER_HASH,
- }),
+ })
 );
 }
@@ -547,7 +547,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 ServiceDeployIAM.formatResourceQualifier(
 policy.name,
 policy.prefix || "",
- policy.qualifiers || [],
+ policy.qualifiers || []
 );
 store.type.addToPolicy(new PolicyStatement(policy));
@@ -604,7 +604,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 static formatResourceQualifier(
 serviceName: string,
 prefix: string,
- qualifiers: string[],
+ qualifiers: string[]
 ): string[] {
 let delimiter = "/";
 switch (serviceName) {

From 6682fa975aca951f939c6e96efd7dd14aaa3e262 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Tue, 1 Oct 2024 13:14:43 +0930
Subject: [PATCH 5/5] update test

---
 packages/serverless-deploy-iam/test/deploy-role.test.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/serverless-deploy-iam/test/deploy-role.test.ts b/packages/serverless-deploy-iam/test/deploy-role.test.ts
index f1800a6..0bef6ad 100644
--- a/packages/serverless-deploy-iam/test/deploy-role.test.ts
+++ b/packages/serverless-deploy-iam/test/deploy-role.test.ts
@@ -108,7 +108,11 @@ describe("Deploy user policy", () => {
 PolicyDocument: {
 Statement: arrayWith(
 objectLike({
- Action: ["lambda:GetFunction", "lambda:InvokeFunction"],
+ Action: [
+ "lambda:GetFunction",
+ "lambda:InvokeFunction",
+ "lambda:ListTags",
+ ],
 Effect: "Allow",
 Resource: [
 {
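Review bot: The updated expectation pins the three LAMBDA actions, but nothing in this series asserts the `iam:TagRole` grant that patch 1 added to the role-management statement, so that permission change ships untested; add `"iam:TagRole"` to the expected `Action` list of the IAM-role statement in this file (I cannot see from the hunk whether such an assertion exists). Note that `objectLike` with a plain array value compares the array exactly and in order, so this assertion stays coupled to the ordering of `actions` in `app.ts`; if that proves brittle, `Action: arrayWith("lambda:ListTags")` asserts presence without order. The enclosing `describe` block starts and ends outside the hunk.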