add lambda invoke permission

This commit is contained in:
Eetu Tuomala 2018-02-26 07:49:19 +02:00 committed by Philipp Muens
parent d85ed060c9
commit 94f3c50862


@ -105,7 +105,7 @@ class AwsCompileCloudFrontEvents {
lambdaAtEdgeFunctions.push(_.merge({
cloudFront: { origin, behavior } },
functionObj));
functionObj, { functionName, lambdaVersionLogicalId }));
}
});
}
@ -113,20 +113,106 @@ class AwsCompileCloudFrontEvents {
if (lambdaAtEdgeFunctions.length > 0) {
if (this.provider.getRegion() !== 'us-east-1') {
throw new Error('CloudFront triggered functions has to be deployed to the us-east-1 region.');
throw new
Error('CloudFront associated functions have to be deployed to the us-east-1 region.');
}
Resources
const lambdaInvokePermissions = lambdaAtEdgeFunctions.reduce((permissions, lambdaAtEdgeFunction) => {
const logicalId = this.provider.naming.getLambdaLogicalId(lambdaAtEdgeFunction.functionName);
// @todo fix naming
const invokePermissionName = logicalId+'InvokePermission';
const invokePermission = {
Type: 'AWS::Lambda::Permission',
Properties: {
FunctionName: {
Ref: lambdaAtEdgeFunction.lambdaVersionLogicalId,
},
Action: 'lambda:InvokeFunction',
Principal: 'edgelambda.amazonaws.com',
SourceArn: {
'Fn::Join': [
'',
['', 'arn:aws:cloudfront::',
{ Ref: 'AWS::AccountId' },
':distribution/',
{ Ref: this.provider.naming.getCloudFrontDistributionLogicalId() }],
],
},
},
};
// cloudfront handles replication permissions automatically?
// const replicatorPermissionName = logicalId+'ReplicatorPermission';
// const replicatorPermission = {
// Type: 'AWS::Lambda::Permission',
// Properties: {
// Action: 'lambda:GetFunction',
// FunctionName: {
// Ref: lambdaAtEdgeFunction.lambdaVersionLogicalId,
// // 'Fn::GetAtt': [
// // logicalId,
// // 'Arn',
// // ],
// },
// Principal: 'replicator.lambda.amazonaws.com',
// // SourceAccount: {
// // Ref: 'AWS::AccountId',
// // },
// SourceArn: {
// 'Fn::Join': [
// '',
// ['', 'arn:aws:cloudfront::',
// { Ref: 'AWS::AccountId' },
// ':distribution/',
// { Ref: this.provider.naming.getCloudFrontDistributionLogicalId() }],
// ],
// },
// },
// };
// const replicatorStatement = {
// Sid: 'replicatorLambdaAtEdge',
// Action: 'lambda:GetFunction',
// Principal: { Service: 'replicator.lambda.amazonaws.com' },
// Resource: {
// Ref: lambdaAtEdgeFunction.lambdaVersionLogicalId,
// },
// };
// const policy = {
// Type: 'AWS::IAM::Policy',
// Properties: {
// PolicyName: 'lambdaAtEdgePolicy',
// PolicyDocument: {
// Version: '2012-10-17',
// Statement: [
// replicatorStatement,
// ],
// },
// Roles: [
// { Ref: this.provider.naming.getRoleLogicalId() },
// ],
// },
// };
return Object.assign(permissions, {
[invokePermissionName]: invokePermission,
});
}, {});
_.merge(Resources, lambdaInvokePermissions);
const lambdaAssumeStatement = _.find(Resources
.IamRoleLambdaExecution
.Properties
.AssumeRolePolicyDocument
.Statement.push({
Effect: 'Allow',
Principal: {
Service: ['edgelambda.amazonaws.com'],
},
Action: ['sts:AssumeRole'],
});
.Statement, statement =>
_.includes(statement.Principal.Service, 'lambda.amazonaws.com'));
if (typeof lambdaAssumeStatement !== 'undefined') {
lambdaAssumeStatement.Principal.Service.push('edgelambda.amazonaws.com');
}
console.log('IF NOT ROLE ALERT!');
const CacheBehaviors =
lambdaAtEdgeFunctions