From 3820a381080205d9c672e47c0d24829ce0a89713 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Tue, 19 Nov 2024 08:33:29 +1030
Subject: [PATCH 1/5] allow lambda:TagResource against all resources
---
 packages/serverless-deploy-iam/bin/app.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 7e3fde5..d1af90f 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -148,6 +148,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 "lambda:ListEventSourceMappings",
 "lambda:CreateEventSourceMapping",
 "lambda:DeleteEventSourceMapping",
+ "lambda:TagResource",
 ],
 },
 {
From 44ab1af7c2f3a8fd56add207ed94c908ca75efa6 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Mon, 9 Dec 2024 09:14:21 +1030
Subject: [PATCH 2/5] allow lambda:TagResource on Lambda event-source-mapping resources
---
 packages/serverless-deploy-iam/bin/app.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index d1af90f..60ea67a 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -140,6 +140,11 @@ export class ServiceDeployIAM extends cdk.Stack {
 qualifiers: [`${serviceName}*`],
 actions: ["lambda:*"],
 },
+ {
+ name: "LAMBDA_EVENT_SOURCE_MAPPING",
+ resources: [`arn:aws:lambda:${region}:${accountId}:event-source-mapping:*`],
+ actions: ["lambda:TagResource"],
+ },
 {
 name: "LAMBDA",
 resources: [`*`],
@@ -148,7 +153,6 @@ export class ServiceDeployIAM extends cdk.Stack {
 "lambda:ListEventSourceMappings",
 "lambda:CreateEventSourceMapping",
 "lambda:DeleteEventSourceMapping",
- "lambda:TagResource",
 ],
 },
 {
From 3586df3c709259e54617f49684e93794178f213f Mon Sep 17 00:00:00 2001
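Review bot: The new `LAMBDA_EVENT_SOURCE_MAPPING` statement in the `@@ -140,6 +140,11 @@` hunk hardcodes its resource ARN instead of using the `qualifiers`/`prefix` path the function statement just above it relies on, and nothing records why the trailing `*` after `event-source-mapping:` is not narrowed to `${serviceName}`. Event source mapping ARNs end in a UUID rather than a name, so there is nothing in the identifier to match a service prefix against; a comment on the `resources` line such as `// Event source mapping ARNs are UUIDs, so they cannot be qualified by serviceName; scoped to region/account only.` would make that decision visible to the next reader. As written the deploy role may tag any event source mapping in this account and region, which is a small grant for `lambda:TagResource` alone but should be stated explicitly.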
From: Chris Park
Date: Mon, 9 Dec 2024 09:30:45 +1030
Subject: [PATCH 3/5] prettier fixes
---
 packages/serverless-deploy-iam/bin/app.ts | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 60ea67a..0b34362 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -84,7 +84,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 type: new Role(this, `ServiceRole-v${version}`, {
 assumedBy: new CompositePrincipal(
 new ServicePrincipal("cloudformation.amazonaws.com"),
- new ServicePrincipal("lambda.amazonaws.com")
+ new ServicePrincipal("lambda.amazonaws.com"),
 ),
 }),
 policies: [
@@ -142,7 +142,9 @@ export class ServiceDeployIAM extends cdk.Stack {
 },
 {
 name: "LAMBDA_EVENT_SOURCE_MAPPING",
- resources: [`arn:aws:lambda:${region}:${accountId}:event-source-mapping:*`],
+ resources: [
+ `arn:aws:lambda:${region}:${accountId}:event-source-mapping:*`,
+ ],
 actions: ["lambda:TagResource"],
 },
 {
@@ -539,7 +541,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 type: "String",
 description: `Custom qualifier values provided for ${policy.name}`,
 default: PARAMETER_HASH,
- })
+ }),
 );
 }
@@ -552,7 +554,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 ServiceDeployIAM.formatResourceQualifier(
 policy.name,
 policy.prefix || "",
- policy.qualifiers || []
+ policy.qualifiers || [],
 );
 store.type.addToPolicy(new PolicyStatement(policy));
@@ -609,7 +611,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 static formatResourceQualifier(
 serviceName: string,
 prefix: string,
- qualifiers: string[]
+ qualifiers: string[],
 ): string[] {
 let delimiter = "/";
 switch (serviceName) {
From f0e609bfde92e43bda9eac77548914d166bbd769 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Mon, 9 Dec 2024 09:59:59 +1030
Subject: [PATCH 4/5] apply prettier fix
---
 packages/serverless-deploy-iam/bin/app.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 0b34362..20d1181 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -84,7 +84,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 type: new Role(this, `ServiceRole-v${version}`, {
 assumedBy: new CompositePrincipal(
 new ServicePrincipal("cloudformation.amazonaws.com"),
- new ServicePrincipal("lambda.amazonaws.com"),
+ new ServicePrincipal("lambda.amazonaws.com")
 ),
 }),
 policies: [
@@ -541,7 +541,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 type: "String",
 description: `Custom qualifier values provided for ${policy.name}`,
 default: PARAMETER_HASH,
- }),
+ })
 );
 }
@@ -554,7 +554,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 ServiceDeployIAM.formatResourceQualifier(
 policy.name,
 policy.prefix || "",
- policy.qualifiers || [],
+ policy.qualifiers || []
 );
 store.type.addToPolicy(new PolicyStatement(policy));
@@ -611,7 +611,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 static formatResourceQualifier(
 serviceName: string,
 prefix: string,
- qualifiers: string[],
+ qualifiers: string[]
 ): string[] {
 let delimiter = "/";
 switch (serviceName) {
From cb30cf8da2a94312b5f1449dbcd4bcf70a665d81 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Mon, 9 Dec 2024 10:00:41 +1030
Subject: [PATCH 5/5] Merge actions on lambda:event-source-mapping into one item.
---
 packages/serverless-deploy-iam/bin/app.ts | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 20d1181..9805097 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -145,12 +145,9 @@ export class ServiceDeployIAM extends cdk.Stack {
 resources: [
 `arn:aws:lambda:${region}:${accountId}:event-source-mapping:*`,
 ],
- actions: ["lambda:TagResource"],
- },
- {
- name: "LAMBDA",
- resources: [`*`],
 actions: [
+ "lambda:TagResource",
+ "lambda:UntagResource",
 "lambda:GetEventSourceMapping",
 "lambda:ListEventSourceMappings",
 "lambda:CreateEventSourceMapping",
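Review bot: Moving `lambda:ListEventSourceMappings` and `lambda:CreateEventSourceMapping` from the removed `resources: [\`*\`]` statement onto the `event-source-mapping:*` ARN is likely to break deploys: in the Lambda service authorization reference those two actions carry no resource type, so they only match a statement whose resource is `*` (the `lambda:FunctionArn` condition key is the supported way to narrow them), whereas Get, Delete, TagResource and UntagResource do accept the event source mapping ARN. With this hunk the deploy role would be denied when CloudFormation creates or enumerates a mapping, which is the opposite of what the merge intends. Keeping the ARN-scoped statement for the per-mapping actions and a second `*`-scoped statement for List/Create preserves the tightening this series is after without losing the calls; if the policy descriptor forwards `conditions` through to `PolicyStatement`, that `*` statement could additionally be restricted with `lambda:FunctionArn` to the service's functions. The actions array continues past the end of the hunk, so I cannot see whether `lambda:UpdateEventSourceMapping` is present.
```typescript
      actions: [
        "lambda:TagResource",
        "lambda:UntagResource",
        "lambda:GetEventSourceMapping",
        // … unchanged: remaining per-mapping actions (Delete …) …
      ],
    },
    {
      // List/Create have no resource type in the Lambda authorization reference, so they only match "*".
      name: "LAMBDA_EVENT_SOURCE_MAPPING_UNSCOPED",
      resources: [`*`],
      actions: [
        "lambda:ListEventSourceMappings",
        "lambda:CreateEventSourceMapping",
      ],
    },
```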