From 0b8970fe3737fbce8b44cef0be435d2eff0cd23a Mon Sep 17 00:00:00 2001
From: Adam Biggs
Date: Mon, 12 Dec 2016 15:14:59 -0800
Subject: [PATCH] Generate a single policy statement to cover all stream events. Fixes #2508
---
 .../aws/deploy/compile/events/stream/index.js | 79 ++++++++++---------
 .../compile/events/stream/index.test.js | 16 +++-
 2 files changed, 54 insertions(+), 41 deletions(-)
diff --git a/lib/plugins/aws/deploy/compile/events/stream/index.js b/lib/plugins/aws/deploy/compile/events/stream/index.js
index 41dab7cc4..de444553f 100644
--- a/lib/plugins/aws/deploy/compile/events/stream/index.js
+++ b/lib/plugins/aws/deploy/compile/events/stream/index.js
@@ -17,6 +17,27 @@ class AwsCompileStreamEvents {
 const functionObj = this.serverless.service.getFunction(functionName);
 if (functionObj.events) {
+ const dynamodbStreamStatement = {
+ Effect: 'Allow',
+ Action: [
+ 'dynamodb:GetRecords',
+ 'dynamodb:GetShardIterator',
+ 'dynamodb:DescribeStream',
+ 'dynamodb:ListStreams',
+ ],
+ Resource: [],
+ };
+ const kinesisStreamStatement = {
+ Effect: 'Allow',
+ Action: [
+ 'kinesis:GetRecords',
+ 'kinesis:GetShardIterator',
+ 'kinesis:DescribeStream',
+ 'kinesis:ListStreams',
+ ],
+ Resource: [],
+ };
+
 functionObj.events.forEach(event => {
 if (event.stream) {
 let EventSourceArn;
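Review bot: The two added statement literals differ only in the service prefix of their four actions, so a small builder would keep the action list in one place and make it harder for the DynamoDB and Kinesis lists to drift apart when one is edited. Both accumulators are declared inside `if (functionObj.events)`, i.e. once per function, which the builder preserves. The enclosing loop that yields `functionName` begins outside the hunk.
```javascript
// One Allow statement per stream service; Resource is filled in per event below.
const streamStatement = (service) => ({
  Effect: 'Allow',
  Action: ['GetRecords', 'GetShardIterator', 'DescribeStream', 'ListStreams']
    .map((action) => `${service}:${action}`),
  Resource: [],
});
const dynamodbStreamStatement = streamStatement('dynamodb');
const kinesisStreamStatement = streamStatement('kinesis');
// … unchanged: functionObj.events.forEach(event => { … }) …
```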
@@ -92,47 +113,10 @@ class AwsCompileStreamEvents {
 `;
 // create type specific PolicyDocument statements
- let streamStatement = {};
 if (streamType === 'dynamodb') {
- streamStatement = {
- Effect: 'Allow',
- Action: [
- 'dynamodb:GetRecords',
- 'dynamodb:GetShardIterator',
- 'dynamodb:DescribeStream',
- 'dynamodb:ListStreams',
- ],
- Resource: EventSourceArn,
- };
+ dynamodbStreamStatement.Resource.push(EventSourceArn)
 } else {
- streamStatement = {
- Effect: 'Allow',
- Action: [
- 'kinesis:GetRecords',
- 'kinesis:GetShardIterator',
- 'kinesis:DescribeStream',
- 'kinesis:ListStreams',
- ],
- Resource: EventSourceArn,
- };
- }
-
- // update the PolicyDocument statements (if default policy is used)
- if (this.serverless.service.provider.compiledCloudFormationTemplate
- .Resources.IamPolicyLambdaExecution) {
- const statement = this.serverless.service.provider.compiledCloudFormationTemplate
- .Resources
- .IamPolicyLambdaExecution
- .Properties
- .PolicyDocument
- .Statement;
-
- this.serverless.service.provider.compiledCloudFormationTemplate
- .Resources
- .IamPolicyLambdaExecution
- .Properties
- .PolicyDocument
- .Statement = statement.concat([streamStatement]);
+ kinesisStreamStatement.Resource.push(EventSourceArn)
 }
 const newStreamObject = {
@@ -143,6 +127,23 @@ class AwsCompileStreamEvents {
 newStreamObject);
 }
 });
+
+ // update the PolicyDocument statements (if default policy is used)
+ if (this.serverless.service.provider.compiledCloudFormationTemplate
+ .Resources.IamPolicyLambdaExecution) {
+ const statement = this.serverless.service.provider.compiledCloudFormationTemplate
+ .Resources
+ .IamPolicyLambdaExecution
+ .Properties
+ .PolicyDocument
+ .Statement;
+ if(dynamodbStreamStatement.Resource.length) {
+ statement.push(dynamodbStreamStatement)
+ }
+ if(kinesisStreamStatement.Resource.length) {
+ statement.push(kinesisStreamStatement)
+ }
+ }
 }
 });
 }
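Review bot: The two new `push` lines drop the statement terminator that the rest of this file uses (`let EventSourceArn;`, `.Statement;`), and the same applies to the two `statement.push(...)` lines and the two `if(` conditions in the next hunk, which also omit the space after `if` and rely on a bare `.length` truthiness check; they should read `dynamodbStreamStatement.Resource.push(EventSourceArn);` here and `if (dynamodbStreamStatement.Resource.length > 0) {` / `statement.push(dynamodbStreamStatement);` there, with the Kinesis lines to match. A minor point on the same lines: an ARN listed twice in one function's events is now pushed twice into the same `Resource` array, so if the change is motivated by policy size a guard such as `if (!dynamodbStreamStatement.Resource.includes(EventSourceArn))` before each push would keep the arrays minimal. The `else` branch still treats every non-DynamoDB stream as Kinesis, but that is pre-existing behaviour rather than something this hunk introduces.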
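Review bot: The accumulators pushed into `Statement` here are created per function (they are declared inside `if (functionObj.events)` in the first hunk, and the loop over function names begins outside this hunk), so a service with N stream-consuming functions still appends up to 2N statements to the shared `IamPolicyLambdaExecution` policy, and a stream ARN consumed by several functions is repeated in each of them; the commit title's "single policy statement" holds per function, not per deployment. If the intent is one statement per service type for the whole policy, the two accumulators would need to live at the level of the enclosing function loop and be pushed once after it finishes, which is a larger change than this hunk. Also worth a one-line comment above `statement.push(...)`: the previous code replaced `Statement` with `statement.concat(...)`, whereas this now mutates the template's array in place, which is only equivalent if `Statement` is the template's own array and not shared with a default elsewhere (`// mutates the compiled template's Statement array in place — assumes it is not shared`), something I cannot confirm from the hunk.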
diff --git a/lib/plugins/aws/deploy/compile/events/stream/index.test.js b/lib/plugins/aws/deploy/compile/events/stream/index.test.js
index a07c16000..9c51c1356 100644
--- a/lib/plugins/aws/deploy/compile/events/stream/index.test.js
+++ b/lib/plugins/aws/deploy/compile/events/stream/index.test.js
@@ -275,6 +275,9 @@ describe('AwsCompileStreamEvents', () => {
 {
 stream: 'arn:aws:dynamodb:region:account:table/foo/stream/1',
 },
+ {
+ stream: 'arn:aws:dynamodb:region:account:table/bar/stream/2',
+ },
 ],
 },
 };
@@ -288,7 +291,10 @@ describe('AwsCompileStreamEvents', () => {
 'dynamodb:DescribeStream',
 'dynamodb:ListStreams',
 ],
- Resource: 'arn:aws:dynamodb:region:account:table/foo/stream/1',
+ Resource: [
+ 'arn:aws:dynamodb:region:account:table/foo/stream/1',
+ 'arn:aws:dynamodb:region:account:table/bar/stream/2',
+ ]
 },
 ];
@@ -430,6 +436,9 @@ describe('AwsCompileStreamEvents', () => {
 {
 stream: 'arn:aws:kinesis:region:account:stream/foo',
 },
+ {
+ stream: 'arn:aws:kinesis:region:account:stream/bar',
+ },
 ],
 },
 };
@@ -443,7 +452,10 @@ describe('AwsCompileStreamEvents', () => {
 'kinesis:DescribeStream',
 'kinesis:ListStreams',
 ],
- Resource: 'arn:aws:kinesis:region:account:stream/foo',
+ Resource: [
+ 'arn:aws:kinesis:region:account:stream/foo',
+ 'arn:aws:kinesis:region:account:stream/bar',
+ ]
 },
 ];
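Review bot: The closing `]` of the new expected `Resource` arrays, in both this file's second and fourth hunks, lacks the trailing comma that the neighbouring `Action` arrays close with (`],`), so the expectations should end `],` to keep the fixture's style consistent and lint-clean. Beyond style, as far as these hunks show, the new behaviour is only exercised for two streams of the same type in one function: there is no case with a DynamoDB and a Kinesis stream on the same function, which would pin that both statements are emitted with their own ARN lists, and no case asserting that a type with no stream events produces no statement, so the new `.length` guards in index.js go untested.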