fix(permissionsBoundary): apply permissionsBoundary

claws-ttd · claws-ttd · commit 7070ae5c8ee8 · 2022-11-24T16:13:35.000Z
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -563,6 +563,8 @@ function getIamStatements(iamPermissions, stateMachineObj) {
 module.exports = {
   compileIamRole() {
     logger.config(this.serverless, this.v3Api);
+    const service = this.serverless.service;
+    const permissionsBoundary = service.provider.rolePermissionsBoundary;
     this.getAllStateMachines().forEach((stateMachineName) => {
       const stateMachineObj = this.getStateMachine(stateMachineName);
       if (stateMachineObj.role) {
@@ -601,10 +603,16 @@ module.exports = {
           'iam-role-statemachine-execution-template.txt'),
       );
 
-      const iamRoleJson = iamRoleStateMachineExecutionTemplate
+      let iamRoleJson = iamRoleStateMachineExecutionTemplate
         .replace('[PolicyName]', this.getStateMachinePolicyName())
         .replace('[Statements]', JSON.stringify(iamStatements));
 
+      if (permissionsBoundary) {
+        const jsonIamRole = JSON.parse(iamRoleJson);
+        jsonIamRole.Properties.PermissionsBoundary = permissionsBoundary;
+        iamRoleJson = JSON.stringify(jsonIamRole);
+      }
+
       const stateMachineLogicalId = this.getStateMachineLogicalId(
         stateMachineName,
         stateMachineObj,
diff --git a/lib/deploy/stepFunctions/compileNotifications.test.js b/lib/deploy/stepFunctions/compileNotifications.test.js
@@ -522,4 +522,31 @@ describe('#compileNotifications', () => {
     expect(logMessage.startsWith('State machine [Beta1] : notifications are not supported on Express Workflows.'))
       .to.equal(true);
   });
+
+  it('should handle permissionsBoundary', () => {
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: {
+          id: 'StateMachine1',
+          definition: {
+            StartAt: 'A',
+            States: {
+              A: {
+                Type: 'Task',
+                Resource:
+                  'arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:hello',
+                End: true,
+              },
+            },
+          },
+        },
+      },
+    };
+    serverless.service.provider.rolePermissionsBoundary = 'arn:aws:iam::myAccount:policy/permission_boundary';
+    serverlessStepFunctions.compileIamRole();
+    const boundary = serverlessStepFunctions.serverless.service.provider
+      .compiledCloudFormationTemplate.Resources.StateMachine1Role.Properties
+      .PermissionsBoundary;
+    expect(boundary).to.equal('arn:aws:iam::myAccount:policy/permission_boundary');
+  });
 });
