fix: correct test for ItemReader with JSONpath input

tvhees · tvhees · commit 740557c6632c · 2023-05-07T17:02:33.000+09:30
diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -1494,8 +1494,9 @@ describe('#compileIamRole', () => {
   });
 
   it('should give s3:GetObject permission for only objects referenced by state machine with ItemReader', () => {
+    const hello = 'hello.txt';
+    const world = 'world.txt';
     const testBucket = 'test-bucket';
-    const testKey = 'test-key';
 
     const genStateMachine = (id, lambdaArn, bucket, key) => ({
       id,
@@ -1517,8 +1518,8 @@ describe('#compileIamRole', () => {
             ItemReader: {
               Resource: 'arn:aws:states:::s3:getObject',
               Parameters: {
-                'Bucket.$': bucket,
-                'Key.$': key,
+                Bucket: bucket,
+                Key: key,
               },
             },
             End: true,
@@ -1530,9 +1531,9 @@ describe('#compileIamRole', () => {
     serverless.service.stepFunctions = {
       stateMachines: {
         myStateMachine1: genStateMachine('StateMachine1',
-          'arn:aws:lambda:us-west-2:1234567890:function:foo', '$.testBucket', '$.testKey'),
+          'arn:aws:lambda:us-west-2:1234567890:function:foo', testBucket, hello),
         myStateMachine2: genStateMachine('StateMachine2',
-          'arn:aws:lambda:us-west-2:1234567890:function:foo', testBucket, testKey),
+          'arn:aws:lambda:us-west-2:1234567890:function:foo', testBucket, world),
       },
     };
 
@@ -1542,9 +1543,80 @@ describe('#compileIamRole', () => {
     const policy1 = resources.StateMachine1Role.Properties.Policies[0];
     const policy2 = resources.StateMachine2Role.Properties.Policies[0];
     expect(policy1.PolicyDocument.Statement[1].Resource)
-      .to.be.deep.equal('*');
+      .to.be.deep.equal([`arn:aws:s3:::${testBucket}/${hello}`]);
     expect(policy2.PolicyDocument.Statement[1].Resource)
-      .to.be.deep.equal([`arn:aws:s3:::${testBucket}/${testKey}`]);
+      .to.be.deep.equal([`arn:aws:s3:::${testBucket}/${world}`]);
+  });
+
+  it('should give s3:GetObject permission to * when Bucket.$ and Key.$ are seen on ItemReader', () => {
+    const genStateMachine = (id, lambdaArn) => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Map',
+            ItemProcessor: {
+              StartAt: 'B',
+              States: {
+                B: {
+                  Type: 'Task',
+                  Resource: lambdaArn,
+                  End: true,
+                },
+              },
+            },
+            ItemReader: {
+              Resource: 'arn:aws:states:::s3:getObject',
+              Parameters: {
+                Bucket: 'test-bucket',
+                Key: 'test-key',
+              },
+            },
+            Next: 'C',
+          },
+          C: {
+            Type: 'Map',
+            ItemProcessor: {
+              StartAt: 'D',
+              States: {
+                D: {
+                  Type: 'Task',
+                  Resource: lambdaArn,
+                  End: true,
+                },
+              },
+            },
+            ItemReader: {
+              Resource: 'arn:aws:states:::s3:getObject',
+              Parameters: {
+                'Bucket.$': '$.testBucket',
+                'Key.$': '$.key',
+              },
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1',
+          'arn:aws:lambda:us-west-2:1234567890:function:foo'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const resources = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources;
+    const policy1 = resources.StateMachine1Role.Properties.Policies[0];
+
+    // even though some tasks target specific topic ARNs, other states use Bucket.$
+    // and Key.$  so we need to give broad permissions to be able to get any
+    // table and key the input specifies
+    expect(policy1.PolicyDocument.Statement[1].Resource)
+      .to.be.deep.equal('*');
   });
 
   it('should not generate any permissions for Task states not yet supported', () => {
