Merge pull request #286 from horike37/feature/iam_per_sm

feat: one IAM role per state machine

Author: horike37

lib/deploy/stepFunctions/compileIamRole.js

@@ -375,55 +375,53 @@ function getIamStatements(iamPermissions) {
 
 module.exports = {
   compileIamRole() {
-    const customRolesProvided = [];
-    let iamPermissions = [];
-    let hasExpressWorkflow = false;
     this.getAllStateMachines().forEach((stateMachineName) => {
       const stateMachineObj = this.getStateMachine(stateMachineName);
-      customRolesProvided.push('role' in stateMachineObj);
+      if (stateMachineObj.role) {
+        return;
+      }
 
       const taskStates = getTaskStates(stateMachineObj.definition.States);
-      iamPermissions = iamPermissions.concat(getIamPermissions.bind(this)(taskStates));
+      let iamPermissions = getIamPermissions.bind(this)(taskStates);
 
       if (stateMachineObj.type === 'EXPRESS') {
-        hasExpressWorkflow = true;
+        iamPermissions.push({
+          action: 'logs:CreateLogDelivery,logs:GetLogDelivery,logs:UpdateLogDelivery,logs:DeleteLogDelivery,logs:ListLogDeliveries,logs:PutResourcePolicy,logs:DescribeResourcePolicies,logs:DescribeLogGroups',
+          resource: '*',
+        });
       }
-    });
-    if (_.isEqual(_.uniq(customRolesProvided), [true])) {
-      return BbPromise.resolve();
-    }
-
-    if (hasExpressWorkflow) {
-      iamPermissions.push({
-        action: 'logs:CreateLogDelivery,logs:GetLogDelivery,logs:UpdateLogDelivery,logs:DeleteLogDelivery,logs:ListLogDeliveries,logs:PutResourcePolicy,logs:DescribeResourcePolicies,logs:DescribeLogGroups',
-        resource: '*',
-      });
-    }
-
-    const iamRoleStateMachineExecutionTemplate = this.serverless.utils.readFileSync(
-      path.join(__dirname,
-        '..',
-        '..',
-        'iam-role-statemachine-execution-template.txt'),
-    );
 
-    iamPermissions = consolidatePermissionsByAction(iamPermissions);
-    iamPermissions = consolidatePermissionsByResource(iamPermissions);
-
-    const iamStatements = getIamStatements(iamPermissions);
-
-    const iamRoleJson = iamRoleStateMachineExecutionTemplate
-      .replace('[region]', this.options.region)
-      .replace('[PolicyName]', this.getStateMachinePolicyName())
-      .replace('[Statements]', JSON.stringify(iamStatements));
+      iamPermissions = consolidatePermissionsByAction(iamPermissions);
+      iamPermissions = consolidatePermissionsByResource(iamPermissions);
+      const iamStatements = getIamStatements(iamPermissions);
+
+      const iamRoleStateMachineExecutionTemplate = this.serverless.utils.readFileSync(
+        path.join(__dirname,
+          '..',
+          '..',
+          'iam-role-statemachine-execution-template.txt'),
+      );
+
+      const iamRoleJson = iamRoleStateMachineExecutionTemplate
+        .replace('[region]', this.options.region)
+        .replace('[PolicyName]', this.getStateMachinePolicyName())
+        .replace('[Statements]', JSON.stringify(iamStatements));
+
+      const stateMachineLogicalId = this.getStateMachineLogicalId(
+        stateMachineName,
+        stateMachineObj,
+      );
+      const iamRoleStateMachineLogicalId = `${stateMachineLogicalId}Role`;
+      const newIamRoleStateMachineExecutionObject = {
+        [iamRoleStateMachineLogicalId]: JSON.parse(iamRoleJson),
+      };
 
-    const iamRoleStateMachineLogicalId = this.getiamRoleStateMachineLogicalId();
-    const newIamRoleStateMachineExecutionObject = {
-      [iamRoleStateMachineLogicalId]: JSON.parse(iamRoleJson),
-    };
+      _.merge(
+        this.serverless.service.provider.compiledCloudFormationTemplate.Resources,
+        newIamRoleStateMachineExecutionObject,
+      );
+    });
 
-    _.merge(this.serverless.service.provider.compiledCloudFormationTemplate.Resources,
-      newIamRoleStateMachineExecutionObject);
     return BbPromise.resolve();
   },
 };