Merge pull request #6212 from rdsedmundo/issues/4686

Use common prefix for log groups permissions at Lambdas' execution roles
2026-02-01 16:07:28 +00:00 · 2019-06-07 13:36:20 +02:00 · 2019-06-07 13:36:20 +02:00 · 3c3640b660
commit 3c3640b660
parent 21cef79916 c393d4b22c
2 changed files with 29 additions and 113 deletions
--- a/lib/plugins/aws/package/lib/mergeIamTemplates.js
+++ b/lib/plugins/aws/package/lib/mergeIamTemplates.js
@ -83,33 +83,32 @@ module.exports = {
      }
    );

-    this.serverless.service.getAllFunctions().forEach((functionName) => {
-      const functionObject = this.serverless.service.getFunction(functionName);
+    const logGroupsPrefix = this.provider.naming
+      .getLogGroupName(`${this.provider.serverless.service.service}-${this.provider.getStage()}`);

-      this.serverless.service.provider.compiledCloudFormationTemplate
-        .Resources[this.provider.naming.getRoleLogicalId()]
-        .Properties
-        .Policies[0]
-        .PolicyDocument
-        .Statement[0]
-        .Resource
-        .push({
-          'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' +
-            `:log-group:${this.provider.naming.getLogGroupName(functionObject.name)}:*`,
-        });
+    this.serverless.service.provider.compiledCloudFormationTemplate
+      .Resources[this.provider.naming.getRoleLogicalId()]
+      .Properties
+      .Policies[0]
+      .PolicyDocument
+      .Statement[0]
+      .Resource
+      .push({
+        'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' +
+          `:log-group:${logGroupsPrefix}*:*`,
+      });

-      this.serverless.service.provider.compiledCloudFormationTemplate
-        .Resources[this.provider.naming.getRoleLogicalId()]
-        .Properties
-        .Policies[0]
-        .PolicyDocument
-        .Statement[1]
-        .Resource
-        .push({
-          'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' +
-            `:log-group:${this.provider.naming.getLogGroupName(functionObject.name)}:*:*`,
-        });
-    });
+    this.serverless.service.provider.compiledCloudFormationTemplate
+      .Resources[this.provider.naming.getRoleLogicalId()]
+      .Properties
+      .Policies[0]
+      .PolicyDocument
+      .Statement[1]
+      .Resource
+      .push({
+        'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' +
+          `:log-group:${logGroupsPrefix}*:*:*`,
+      });

    if (this.serverless.service.provider.iamRoleStatements) {
      // add custom iam role statements
--- a/lib/plugins/aws/package/lib/mergeIamTemplates.test.js
+++ b/lib/plugins/aws/package/lib/mergeIamTemplates.test.js
@ -50,7 +50,9 @@ describe('#mergeIamTemplates()', () => {
  it('should merge the IamRoleLambdaExecution template into the CloudFormation template',
    () => awsPackage.mergeIamTemplates()
      .then(() => {
-        const qualifiedFunction = awsPackage.serverless.service.getFunction(functionName).name;
+        const canonicalFunctionsPrefix =
+          `${awsPackage.serverless.service.service}-${awsPackage.provider.getStage()}`;
+
        expect(awsPackage.serverless.service.provider.compiledCloudFormationTemplate
          .Resources[awsPackage.provider.naming.getRoleLogicalId()]
        ).to.deep.equal({
@ -96,7 +98,7 @@ describe('#mergeIamTemplates()', () => {
                      Resource: [
                        {
                          'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:'
-                            + `log-group:/aws/lambda/${qualifiedFunction}:*`,
+                            + `log-group:/aws/lambda/${canonicalFunctionsPrefix}*:*`,
                        },
                      ],
                    },
@ -108,7 +110,7 @@ describe('#mergeIamTemplates()', () => {
                      Resource: [
                        {
                          'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:'
-                            + `log-group:/aws/lambda/${qualifiedFunction}:*:*`,
+                            + `log-group:/aws/lambda/${canonicalFunctionsPrefix}*:*:*`,
                        },
                      ],
                    },
@ -374,91 +376,6 @@ describe('#mergeIamTemplates()', () => {
    });
  });

-  it('should update IamRoleLambdaExecution with a logging resource for the function', () => {
-    const qualifiedFunction = awsPackage.serverless.service.getFunction(functionName).name;
-    return awsPackage.mergeIamTemplates().then(() => {
-      expect(awsPackage.serverless.service.provider.compiledCloudFormationTemplate
-        .Resources[awsPackage.provider.naming.getRoleLogicalId()]
-        .Properties
-        .Policies[0]
-        .PolicyDocument
-        .Statement[0]
-        .Resource
-      ).to.deep.equal([
-        {
-          'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:'
-            + `log-group:/aws/lambda/${qualifiedFunction}:*`,
-        },
-      ]);
-      expect(awsPackage.serverless.service.provider.compiledCloudFormationTemplate
-        .Resources[awsPackage.provider.naming.getRoleLogicalId()]
-        .Properties
-        .Policies[0]
-        .PolicyDocument
-        .Statement[1]
-        .Resource
-      ).to.deep.equal([
-        {
-          'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:'
-            + `log-group:/aws/lambda/${qualifiedFunction}:*:*`,
-        },
-      ]);
-    });
-  });
-
-  it('should update IamRoleLambdaExecution with each function\'s logging resources', () => {
-    awsPackage.serverless.service.functions = {
-      func0: {
-        handler: 'func.function.handler',
-        name: 'func0',
-      },
-      func1: {
-        handler: 'func.function.handler',
-        name: 'func1',
-      },
-    };
-    return awsPackage.mergeIamTemplates().then(() => {
-      expect(awsPackage.serverless.service.provider.compiledCloudFormationTemplate
-        .Resources[awsPackage.provider.naming.getRoleLogicalId()]
-        .Properties
-        .Policies[0]
-        .PolicyDocument
-        .Statement[0]
-        .Resource
-      ).to.deep.equal(
-        [
-          {
-            'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:'
-              + 'log-group:/aws/lambda/func0:*',
-          },
-          {
-            'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:'
-              + 'log-group:/aws/lambda/func1:*',
-          },
-        ]
-        );
-      expect(awsPackage.serverless.service.provider.compiledCloudFormationTemplate
-        .Resources[awsPackage.provider.naming.getRoleLogicalId()]
-        .Properties
-        .Policies[0]
-        .PolicyDocument
-        .Statement[1]
-        .Resource
-      ).to.deep.equal(
-        [
-          {
-            'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:'
-              + 'log-group:/aws/lambda/func0:*:*',
-          },
-          {
-            'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:'
-              + 'log-group:/aws/lambda/func1:*:*',
-          },
-        ]
-        );
-    });
-  });
-
  it('should add default role if one of the functions has an ARN role', () => {
    awsPackage.serverless.service.functions = {
      func0: {