From ca79b798d4fc4ec5ed12772cc0c959725ac0fdf7 Mon Sep 17 00:00:00 2001
From: Geolffrey Mena
Date: Mon, 7 Oct 2024 09:06:18 -0600
Subject: [PATCH 1/4] fix: support IAM role deleteSchedule

---
 lib/deploy/stepFunctions/compileIamRole.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index c5f5676..192cb77 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -72,7 +72,7 @@ function sqsQueueUrlToArn(serverless, queueUrl) {
 
 function getSqsPermissions(serverless, state) {
   if (_.has(state, 'Parameters.QueueUrl')
-      || _.has(state, ['Parameters', 'QueueUrl.$'])) {
+    || _.has(state, ['Parameters', 'QueueUrl.$'])) {
     // if queue URL is provided by input, then need pervasive permissions (i.e. '*')
     const queueArn = state.Parameters['QueueUrl.$']
       ? '*'
@@ -85,7 +85,7 @@ function getSqsPermissions(serverless, state) {
 
 function getSnsPermissions(serverless, state) {
   if (_.has(state, 'Parameters.TopicArn')
-      || _.has(state, ['Parameters', 'TopicArn.$'])) {
+    || _.has(state, ['Parameters', 'TopicArn.$'])) {
     // if topic ARN is provided by input, then need pervasive permissions
     const topicArn = state.Parameters['TopicArn.$'] ? '*' : state.Parameters.TopicArn;
     return [{ action: 'sns:Publish', resource: topicArn }];
@@ -561,13 +561,13 @@ function getEventBridgePermissions(state) {
   ];
 }
 
-function getEventBridgeSchedulerPermissions(state) {
+function getEventBridgeSchedulerPermissions(action, state) {
   const scheduleGroupName = state.Parameters.GroupName;
   const scheduleTargetRoleArn = state.Parameters.Target.RoleArn;
 
   return [
     {
-      action: 'scheduler:CreateSchedule',
+      action,
       resource: {
         'Fn::Sub': [
           'arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/${scheduleGroupName}/*',
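Review bot: The new `action` parameter of getEventBridgeSchedulerPermissions is undocumented, and because its value is copied verbatim into the generated IAM statement (`action,`), the header should state that callers pass a fixed scheduler action literal, never something derived from the state definition or input. Suggest a JSDoc above the signature with `@param {string} action - IAM action granted by the first statement, e.g. 'scheduler:CreateSchedule' or 'scheduler:DeleteSchedule'` and `@param {object} state - task state; reads Parameters.GroupName and Parameters.Target.RoleArn`. In this revision `state.Parameters.Target.RoleArn` is still read unconditionally, so the deleteSchedule caller added in the next hunk would throw here for a task without a Target. The function body continues past the end of the hunk.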
@@ -748,7 +748,9 @@ function getIamPermissions(taskStates) {
         return getEventBridgePermissions(state);
 
       case 'arn:aws:states:::aws-sdk:scheduler:createSchedule':
-        return getEventBridgeSchedulerPermissions(state);
+        return getEventBridgeSchedulerPermissions("scheduler:CreateSchedule", state);
+      case 'arn:aws:states:::aws-sdk:scheduler:deleteSchedule':
+        return getEventBridgeSchedulerPermissions("scheduler:DeleteSchedule", state);
 
       case 'arn:aws:states:::s3:getObject':
       case 'arn:aws:states:::aws-sdk:s3:getObject':

From 8cfe5649c77fdfb877764803b2ca10a22ef10da1 Mon Sep 17 00:00:00 2001
From: Geolffrey Mena
Date: Mon, 7 Oct 2024 09:19:27 -0600
Subject: [PATCH 2/4] fix: support IAM role deleteSchedule

---
 lib/deploy/stepFunctions/compileIamRole.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index 192cb77..bbe155b 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -563,7 +563,7 @@ function getEventBridgePermissions(state) {
 
 function getEventBridgeSchedulerPermissions(action, state) {
   const scheduleGroupName = state.Parameters.GroupName;
-  const scheduleTargetRoleArn = state.Parameters.Target.RoleArn;
+  const scheduleTargetRoleArn = state.Parameters?.Target?.RoleArn;
 
   return [
     {
@@ -575,10 +575,11 @@ function getEventBridgeSchedulerPermissions(action, state) {
         ],
       },
     },
-    {
+    // create schedule needs a target role arn
+    ...(action.includes("CreateSchedule") ? {
       action: 'iam:PassRole',
       resource: scheduleTargetRoleArn,
-    },
+    } : {}),
   ];
 }
 

From 30fcb17324ae112867f3fbfedb9a68748eb3b199 Mon Sep 17 00:00:00 2001
From: Geolffrey Mena
Date: Mon, 7 Oct 2024 09:31:33 -0600
Subject: [PATCH 3/4] fix: support IAM role deleteSchedule

---
 lib/deploy/stepFunctions/compileIamRole.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
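Review bot: The two new case arms pass `"scheduler:CreateSchedule"` and `"scheduler:DeleteSchedule"` in double quotes while every other literal visible in the diff uses single quotes (`'arn:aws:states:::aws-sdk:scheduler:createSchedule'`, the removed `'scheduler:CreateSchedule'`), and the same form reappears in patch 2's `action.includes("CreateSchedule")` and patch 3's `action === "scheduler:CreateSchedule"`. Suggest `return getEventBridgeSchedulerPermissions('scheduler:CreateSchedule', state);` and `return getEventBridgeSchedulerPermissions('scheduler:DeleteSchedule', state);` so the file keeps one quoting style under its lint rules. The enclosing switch in getIamPermissions starts and ends outside the hunk.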
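Review bot: Changing `state.Parameters.Target.RoleArn` to `state.Parameters?.Target?.RoleArn` turns a missing target role from a thrown error into `scheduleTargetRoleArn === undefined`, and the iam:PassRole entry in the next hunk (and patch 3's `[{ action: 'iam:PassRole', resource: scheduleTargetRoleArn }]`) still uses that value as the resource for createSchedule. A createSchedule task whose RoleArn is not a literal (absent, or supplied from input through a `.$` key) would therefore produce a PassRole statement without a resource, which presumably is rejected when the policy is rendered rather than reported here. Since a wildcard iam:PassRole is not an acceptable fallback, suggest failing the deploy explicitly right after the two const lines: `if (action === 'scheduler:CreateSchedule' && !scheduleTargetRoleArn) throw new Error('createSchedule task requires a literal Parameters.Target.RoleArn for iam:PassRole');`. The rest of the function body lies outside this hunk.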
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index bbe155b..670fd8e 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -576,10 +576,10 @@ function getEventBridgeSchedulerPermissions(action, state) {
       },
     },
     // create schedule needs a target role arn
-    ...(action.includes("CreateSchedule") ? {
+    ...(action === "scheduler:CreateSchedule" ? [{
       action: 'iam:PassRole',
       resource: scheduleTargetRoleArn,
-    } : {}),
+    }] : []),
   ];
 }
 

From 9d126cad1752909a1f05158ead84d7dfca82a5a4 Mon Sep 17 00:00:00 2001
From: Geolffrey Mena
Date: Mon, 7 Oct 2024 09:53:30 -0600
Subject: [PATCH 4/4] fix: support IAM role deleteSchedule

---
 lib/deploy/stepFunctions/compileIamRole.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index 670fd8e..a60adac 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -562,7 +562,7 @@ function getEventBridgePermissions(state) {
 }
 
 function getEventBridgeSchedulerPermissions(action, state) {
-  const scheduleGroupName = state.Parameters.GroupName;
+  const scheduleGroupName = state.Parameters?.GroupName ?? 'default';
   const scheduleTargetRoleArn = state.Parameters?.Target?.RoleArn;
 
   return [
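Review bot: `state.Parameters?.GroupName ?? 'default'` silently scopes the generated `schedule/${scheduleGroupName}/*` resource to the 'default' group even when the task supplies the group from input through a `GroupName.$` key, whereas getSqsPermissions and getSnsPermissions (patch 1's @@ -72 and @@ -85 hunks) test `_.has(state, ['Parameters', 'QueueUrl.$'])` explicitly for that case. A state machine using `GroupName.$` would deploy cleanly and then be denied at runtime on the real group, which is hard to trace back to this line. Suggest checking `_.has(state, ['Parameters', 'GroupName.$'])` first and either throwing a descriptive error or, if a group-wide grant is intended, documenting it the way the SQS helper does, and annotating the fallback itself: `// EventBridge Scheduler places schedules in the 'default' group when GroupName is omitted — confirm`. The rest of the function is outside the hunk.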