fix: update the method by which IAM roles are applied

* removes the previous implementation using deploymentmanager, as it does not appear to work as documented
* adds support for setting IAM via cloudfunctions API
* adds test cases

Author: edaniszewski

deploy/googleDeploy.js

@@ -10,6 +10,7 @@ const monitorDeployment = require('../shared/monitorDeployment');
 const uploadArtifacts = require('./lib/uploadArtifacts');
 const updateDeployment = require('./lib/updateDeployment');
 const cleanupDeploymentBucket = require('./lib/cleanupDeploymentBucket');
+const setIamPolicy = require('./lib/setIamPolicy');
 
 class GoogleDeploy {
   constructor(serverless, options) {
@@ -26,7 +27,8 @@ class GoogleDeploy {
       monitorDeployment,
       uploadArtifacts,
       updateDeployment,
-      cleanupDeploymentBucket
+      cleanupDeploymentBucket,
+      setIamPolicy
     );
 
     this.hooks = {
@@ -37,7 +39,8 @@ class GoogleDeploy {
           .then(this.createDeployment)
           .then(this.setDeploymentBucketName)
           .then(this.uploadArtifacts)
-          .then(this.updateDeployment),
+          .then(this.updateDeployment)
+          .then(this.setIamPolicy),
 
       'after:deploy:deploy': () => BbPromise.bind(this).then(this.cleanupDeploymentBucket),
     };

deploy/googleDeploy.test.js

@@ -43,6 +43,7 @@ describe('GoogleDeploy', () => {
       let uploadArtifactsStub;
       let updateDeploymentStub;
       let cleanupDeploymentBucketStub;
+      let setIamPolicyStub;
 
       beforeEach(() => {
         validateStub = sinon.stub(googleDeploy, 'validate').returns(BbPromise.resolve());
@@ -62,6 +63,7 @@ describe('GoogleDeploy', () => {
         cleanupDeploymentBucketStub = sinon
           .stub(googleDeploy, 'cleanupDeploymentBucket')
           .returns(BbPromise.resolve());
+        setIamPolicyStub = sinon.stub(googleDeploy, 'setIamPolicy').returns(BbPromise.resolve());
       });
 
       afterEach(() => {
@@ -72,6 +74,7 @@ describe('GoogleDeploy', () => {
         googleDeploy.uploadArtifacts.restore();
         googleDeploy.updateDeployment.restore();
         googleDeploy.cleanupDeploymentBucket.restore();
+        googleDeploy.setIamPolicy.restore();
       });
 
       it('should run "before:deploy:deploy" promise chain', () =>
@@ -86,6 +89,7 @@ describe('GoogleDeploy', () => {
           expect(setDeploymentBucketNameStub.calledAfter(createDeploymentStub)).toEqual(true);
           expect(uploadArtifactsStub.calledAfter(createDeploymentStub)).toEqual(true);
           expect(updateDeploymentStub.calledAfter(uploadArtifactsStub)).toEqual(true);
+          expect(setIamPolicyStub.calledAfter(updateDeploymentStub)).toEqual(true);
         }));
 
       it('should run "after:deploy:deploy" promise chain', () =>

deploy/lib/setIamPolicy.js

@@ -0,0 +1,69 @@
+'use strict';
+
+const _ = require('lodash');
+const BbPromise = require('bluebird');
+
+module.exports = {
+  setIamPolicy() {
+    return BbPromise.bind(this).then(this.getFunctions).then(this.setPolicies);
+  },
+
+  getFunctions() {
+    const project = this.serverless.service.provider.project;
+    const region = this.options.region;
+
+    const params = {
+      parent: `projects/${project}/locations/${region}`,
+    };
+
+    return this.provider
+      .request('cloudfunctions', 'projects', 'locations', 'functions', 'list', params)
+      .then((response) => {
+        return response.functions;
+      });
+  },
+
+  setPolicies(functions) {
+    const policies = this.serverless.service.provider.functionIamBindings;
+
+    // If there are no IAM policies configured with any function, there is nothing to
+    // do here.
+    if (!policies || !Object.keys(policies).length) {
+      return BbPromise.resolve();
+    }
+    this.serverless.cli.log('Setting IAM policies...');
+
+    _.forEach(policies, (value, key) => {
+      const func = functions.find((fn) => {
+        return fn.name === key;
+      });
+      if (func) {
+        const params = {
+          resource: func.name,
+          requestBody: {
+            policy: {
+              bindings: value,
+            },
+          },
+        };
+
+        this.provider.request(
+          'cloudfunctions',
+          'projects',
+          'locations',
+          'functions',
+          'setIamPolicy',
+          params
+        );
+      } else {
+        const errorMessage = [
+          `Unable to set IAM bindings (${value}) for "${key}": function not found for`,
+          ` project "${this.serverless.service.provider.project}" in region "${this.options.region}".`,
+        ].join('');
+        throw new Error(errorMessage);
+      }
+    });
+
+    return BbPromise.resolve();
+  },
+};

deploy/lib/setIamPolicy.test.js

@@ -0,0 +1,192 @@
+'use strict';
+
+const sinon = require('sinon');
+const BbPromise = require('bluebird');
+
+const GoogleProvider = require('../../provider/googleProvider');
+const GoogleDeploy = require('../googleDeploy');
+const Serverless = require('../../test/serverless');
+
+describe('SetIamPolicy', () => {
+  let serverless;
+  let googleDeploy;
+  let requestStub;
+
+  beforeEach(() => {
+    serverless = new Serverless();
+    serverless.service.service = 'my-service';
+    serverless.service.provider = {
+      project: 'my-project',
+    };
+    serverless.config = {
+      servicePath: 'tmp',
+    };
+    serverless.setProvider('google', new GoogleProvider(serverless));
+    const options = {
+      stage: 'dev',
+      region: 'us-central1',
+    };
+    googleDeploy = new GoogleDeploy(serverless, options);
+    requestStub = sinon.stub(googleDeploy.provider, 'request');
+  });
+
+  afterEach(() => {
+    googleDeploy.provider.request.restore();
+  });
+
+  describe('#setIamPolicy', () => {
+    let getFunctionsStub;
+    let setPoliciesStub;
+
+    beforeEach(() => {
+      getFunctionsStub = sinon.stub(googleDeploy, 'getFunctions').returns(BbPromise.resolve());
+      setPoliciesStub = sinon.stub(googleDeploy, 'setPolicies').returns(BbPromise.resolve());
+    });
+
+    afterEach(() => {
+      googleDeploy.getFunctions.restore();
+      googleDeploy.setPolicies.restore();
+    });
+
+    it('should run the promise chain', () => {
+      googleDeploy.setIamPolicy().then(() => {
+        expect(getFunctionsStub.calledOnce).toEqual(true);
+        expect(setPoliciesStub.calledAfter(getFunctionsStub));
+      });
+    });
+  });
+
+  describe('#getFunctions', () => {
+    it('should return "undefined" if no functions are found', () => {
+      requestStub.returns(BbPromise.resolve([]));
+
+      return googleDeploy.getFunctions().then((foundFunctions) => {
+        expect(foundFunctions).toEqual(undefined);
+        expect(
+          requestStub.calledWithExactly(
+            'cloudfunctions',
+            'projects',
+            'locations',
+            'functions',
+            'list',
+            {
+              parent: 'projects/my-project/locations/us-central1',
+            }
+          )
+        ).toEqual(true);
+      });
+    });
+
+    it('should return all functions that are found', () => {
+      const response = {
+        functions: [{ name: 'cloud-function-1' }, { name: 'cloud-function-2' }],
+      };
+      requestStub.returns(BbPromise.resolve(response));
+
+      return googleDeploy.getFunctions().then((foundFunctions) => {
+        expect(foundFunctions).toEqual([
+          { name: 'cloud-function-1' },
+          { name: 'cloud-function-2' },
+        ]);
+        expect(
+          requestStub.calledWithExactly(
+            'cloudfunctions',
+            'projects',
+            'locations',
+            'functions',
+            'list',
+            {
+              parent: 'projects/my-project/locations/us-central1',
+            }
+          )
+        ).toEqual(true);
+      });
+    });
+  });
+
+  describe('#setPolicies', () => {
+    let consoleLogStub;
+
+    beforeEach(() => {
+      consoleLogStub = sinon.stub(googleDeploy.serverless.cli, 'log').returns();
+      googleDeploy.serverless.service.provider.functionIamBindings = {};
+    });
+
+    afterEach(() => {
+      googleDeploy.serverless.cli.log.restore();
+    });
+
+    it('should resolve if functionIamBindings is undefined', () => {
+      const foundFunctions = [{ name: 'cloud-function-1' }, { name: 'cloud-function-2' }];
+      delete googleDeploy.serverless.service.provider.functionIamBindings;
+
+      return googleDeploy.setPolicies(foundFunctions).then(() => {
+        expect(consoleLogStub.calledOnce).toEqual(false);
+      });
+    });
+
+    it('should resolve if there are no IAM policies configured', () => {
+      const foundFunctions = [{ name: 'cloud-function-1' }, { name: 'cloud-function-2' }];
+
+      return googleDeploy.setPolicies(foundFunctions).then(() => {
+        expect(consoleLogStub.calledOnce).toEqual(false);
+      });
+    });
+
+    it('should error if there are no existing functions to apply configured IAM to', () => {
+      const foundFunctions = [];
+      googleDeploy.serverless.service.provider.functionIamBindings = {
+        'cloud-function-1': [{ role: 'roles/cloudfunctions.invoker', members: ['allUsers'] }],
+      };
+
+      expect(() => googleDeploy.setPolicies(foundFunctions)).toThrow(Error);
+      expect(consoleLogStub.calledOnce).toEqual(true);
+      expect(requestStub.calledOnce).toEqual(false);
+    });
+
+    it('should error if a configured function is not found', () => {
+      const foundFunctions = [{ name: 'cloud-function-2' }];
+      googleDeploy.serverless.service.provider.functionIamBindings = {
+        'cloud-function-1': [{ role: 'roles/cloudfunctions.invoker', members: ['allUsers'] }],
+      };
+
+      expect(() => googleDeploy.setPolicies(foundFunctions)).toThrow(Error);
+      expect(consoleLogStub.calledOnce).toEqual(true);
+      expect(requestStub.calledOnce).toEqual(false);
+    });
+
+    it('should set the IAM policy for the configured functions', () => {
+      const foundFunctions = [{ name: 'cloud-function-1' }, { name: 'cloud-function-2' }];
+      googleDeploy.serverless.service.provider.functionIamBindings = {
+        'cloud-function-2': [{ role: 'roles/cloudfunctions.invoker', members: ['allUsers'] }],
+      };
+      requestStub.returns(BbPromise.resolve());
+
+      return googleDeploy.setPolicies(foundFunctions).then(() => {
+        expect(consoleLogStub.calledOnce).toEqual(true);
+        expect(
+          requestStub.calledWithExactly(
+            'cloudfunctions',
+            'projects',
+            'locations',
+            'functions',
+            'setIamPolicy',
+            {
+              resource: 'cloud-function-2',
+              requestBody: {
+                policy: {
+                  bindings: [
+                    {
+                      role: 'roles/cloudfunctions.invoker',
+                      members: ['allUsers'],
+                    },
+                  ],
+                },
+              },
+            }
+          )
+        ).toEqual(true);
+      });
+    });
+  });
+});