fix: consolidate REST API IAM policies (#6904) (ref #2084)
cjihrig authored Apr 19, 2021
1 parent 4761406 commit 5cfff17
Showing 9 changed files with 437 additions and 249 deletions.
Expand Up @@ -3,12 +3,6 @@
"Description": "API Gateway resource stack creation using Amplify CLI",
<% if (props.dependsOn) { %>
"Parameters": {
"authRoleName": {
"Type": "String"
},
"unauthRoleName": {
"Type": "String"
},
"env": {
"Type": "String"
}<%if (props.dependsOn && props.dependsOn.length > 0) { %>,<% } %>
Expand All @@ -18,7 +12,7 @@
"Type": "String",
"Default": "<%= props.dependsOn[i].category %><%= props.dependsOn[i].resourceName %><%= props.dependsOn[i].attributes[j] %>"
}<%if (i !== props.dependsOn.length - 1 || j !== props.dependsOn[i].attributes.length - 1) { %>,<% } %>
<% } %>
<% } %>
<% } %>
Expand All @@ -34,107 +28,6 @@
}
},
"Resources": {
<%if (props.privacy.auth) { %>
"PolicyAPIGW<%= props.apiName %>auth": {
"DependsOn": [
"<%= props.apiName %>"
],
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "PolicyAPIGW<%= props.apiName %>auth",
"Roles": [
{"Ref": "authRoleName"}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": [
<% for(var i=0; i < props.paths.length; i++) { %>
<% if (props.paths[i].privacy && props.paths[i].privacy.auth) { %>
<% for(var x=0; x < props.paths[i].privacy.auth.length; x++) { %>
{
"Fn::Join": [
"",
[
"arn:aws:execute-api:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":",
{
"Ref": "<%= props.apiName %>"
},
"/",
{
"Fn::If": [
"ShouldNotCreateEnvResources",
"Prod",
{
"Ref": "env"
}
]
},
"<%= props.paths[i].privacy.auth[x] %>",
"<%= props.paths[i].policyResourceName %>/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:execute-api:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":",
{
"Ref": "<%= props.apiName %>"
},
"/",
{
"Fn::If": [
"ShouldNotCreateEnvResources",
"Prod",
{
"Ref": "env"
}
]
},
"<%= props.paths[i].privacy.auth[x] %>",
"<%= props.paths[i].policyResourceName %>"
]
]
}
<% if (x !== props.paths[i].privacy.auth.length - 1) { %>
,
<% } %>
<% } %>
<% if (i !== props.paths.length - 1) { %>
,
<% } %>
<% } %>
<% } %>
]
}
]
}
}
},
<% } %>
<% for(var i=0; i < props.paths.length; i++) { %>
<%if (props.paths[i].privacy && props.paths[i].privacy.userPoolGroups) { %>
<% let selectedUserPoolGroupList = Object.keys(props.paths[i].privacy.userPoolGroups); %>
Expand Down Expand Up @@ -168,7 +61,7 @@
"execute-api:Invoke"
],
"Resource": [
<% for(var x=0; x < props.paths[i].privacy.userPoolGroups[selectedUserPoolGroupList[j]].length; x++) { %>
{
"Fn::Join": [
Expand All @@ -190,10 +83,10 @@
{
"Fn::If": [
"ShouldNotCreateEnvResources",
"Prod",
"Prod",
{
"Ref": "env"
}
}
]
},
"<%= props.paths[i].privacy.userPoolGroups[selectedUserPoolGroupList[j]][x] %>",
Expand Down Expand Up @@ -245,107 +138,6 @@
<% } %>
<% } %>
<% } %>
<%if (props.privacy.unauth) { %>
"PolicyAPIGW<%= props.apiName %>unauth": {
"DependsOn": [
"<%= props.apiName %>"
],
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "PolicyAPIGW<%= props.apiName %>unauth",
"Roles": [
{"Ref": "unauthRoleName"}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": [
<% for(var i=0; i < props.paths.length; i++) { %>
<% if (props.paths[i].privacy && props.paths[i].privacy.unauth) { %>
<% for(var x=0; x < props.paths[i].privacy.unauth.length; x++) { %>
{
"Fn::Join": [
"",
[
"arn:aws:execute-api:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":",
{
"Ref": "<%= props.apiName %>"
},
"/",
{
"Fn::If": [
"ShouldNotCreateEnvResources",
"Prod",
{
"Ref": "env"
}
]
},
"<%= props.paths[i].privacy.unauth[x] %>",
"<%= props.paths[i].policyResourceName %>/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:execute-api:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":",
{
"Ref": "<%= props.apiName %>"
},
"/",
{
"Fn::If": [
"ShouldNotCreateEnvResources",
"Prod",
{
"Ref": "env"
}
]
},
"<%= props.paths[i].privacy.unauth[x] %>",
"<%= props.paths[i].policyResourceName %>"
]
]
}
<% if (x !== props.paths[i].privacy.unauth.length - 1) { %>
,
<% } %>
<% } %>
<% if (i !== props.paths.length - 1) { %>
,
<% } %>
<% } %>
<% } %>
]
}
]
}
}
},
<% } %>
"<%= props.apiName %>": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
Expand Down Expand Up @@ -383,7 +175,7 @@
}
]
]
}
}
]
},
"schemes": [
Expand Down Expand Up @@ -458,7 +250,7 @@
}
}
},
<%if (!props.paths[i].privacy.open) { %>
<%if (!props.paths[i].privacy.open) { %>
"security": [
{
"sigv4": []
Expand All @@ -480,11 +272,11 @@
"Ref": "AWS::Region"
},
":lambda:path/2015-03-31/functions/",
<% if (props.paths[i].lambdaArn ) { %>
"<%= props.paths[i].lambdaArn %>",
<% if (props.paths[i].lambdaArn ) { %>
"<%= props.paths[i].lambdaArn %>",
<% } else { %>
{
"Ref": "function<%= props.paths[i].lambdaFunction %>Arn"
},
<% } %>
Expand Down Expand Up @@ -565,7 +357,7 @@
}
}
},
<%if (!props.paths[i].privacy.open) { %>
<%if (!props.paths[i].privacy.open) { %>
"security": [
{
"sigv4": []
Expand All @@ -587,11 +379,11 @@
"Ref": "AWS::Region"
},
":lambda:path/2015-03-31/functions/",
<% if (props.paths[i].lambdaArn) { %>
<% if (props.paths[i].lambdaArn) { %>
"<%= props.paths[i].lambdaArn %>",
<% } else { %>
{
"Ref": "function<%= props.paths[i].lambdaFunction %>Arn"
},
<% } %>
Expand All @@ -604,7 +396,7 @@
"type": "aws_proxy"
}
}
}<% if (i !== props.paths.length - 1) { %>,<% } %>
}<% if (i !== props.paths.length - 1) { %>,<% } %>
<% } %>
},
"securityDefinitions": {
Expand Down Expand Up @@ -646,9 +438,9 @@
}
},
<%if (props.functionArns) { %>
<%if (props.functionArns) { %>
<% for (var i=0; i < props.functionArns.length; i++) { %>
"function<%= props.functionArns[i].lambdaFunction.replace(/[^0-9a-zA-Z]/gi, '') %>Permission<%= props.apiName %>": {
"Type": "AWS::Lambda::Permission",
"Properties": {
Expand Down Expand Up @@ -683,18 +475,18 @@
},
<% } %>
<% } %>
"DeploymentAPIGW<%= props.apiName %><%= props.uuid %>": {
"Type": "AWS::ApiGateway::Deployment",
"Properties": {
"Description": "The Development stage deployment of your API.",
"StageName": {
"Fn::If": [
"ShouldNotCreateEnvResources",
"Prod",
"Prod",
{
"Ref": "env"
}
}
]
},
"RestApiId": {
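Review bot: On the new side of the `@@ -34,107 +28,6 @@` hunk the `Resources` object now opens straight into the `userPoolGroups` policy loop, with nothing left in the template saying where the `execute-api:Invoke` grants for `authRoleName`/`unauthRoleName` now come from, while every non-`open` path still demands `sigv4` (the unchanged `security` blocks in the `-458` and `-565` hunks). A reader of this template alone therefore sees IAM-authenticated methods with no visible policy granting invoke to the app's auth/unauth roles, and the `Parameters` block no longer even names those roles. A short EJS comment at the top of `Resources` would record the split, e.g. `<%# auth/unauth execute-api:Invoke policies for this API are no longer created in this stack (#6904); only the per-user-pool-group policies below remain here %>`. The `Resources` object and the surrounding template continue outside the hunk.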
@@ -1,3 +1,4 @@
import { JSONUtilities } from 'amplify-cli-core';
import { serviceMetadataFor } from './utils/dynamic-imports';
import fs from 'fs-extra';
import path from 'path';
Expand Down Expand Up @@ -29,24 +30,14 @@ export const legacyAddResource = async (serviceWalkthroughPromise: Promise<any>,
copyCfnTemplate(context, category, answers, cfnFilename);

const parameters = { ...answers };
const cfnParameters = {
authRoleName: {
Ref: 'AuthRoleName',
},
unauthRoleName: {
Ref: 'UnauthRoleName',
},
};
const resourceDirPath = path.join(projectBackendDirPath, category, parameters.resourceName);
fs.ensureDirSync(resourceDirPath);

const parametersFilePath = path.join(resourceDirPath, parametersFileName);
let jsonString = JSON.stringify(parameters, null, 4);
fs.writeFileSync(parametersFilePath, jsonString, 'utf8');
JSONUtilities.writeJson(parametersFilePath, parameters);

const cfnParametersFilePath = path.join(resourceDirPath, cfnParametersFilename);
jsonString = JSON.stringify(cfnParameters, null, 4);
fs.writeFileSync(cfnParametersFilePath, jsonString, 'utf8');
JSONUtilities.writeJson(cfnParametersFilePath, {});
}
context.amplify.updateamplifyMetaAfterResourceAdd(category, answers.resourceName, options);
return answers.resourceName;
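Review bot: `JSONUtilities.writeJson(cfnParametersFilePath, {})` on the last changed line writes an empty object where the `authRoleName`/`unauthRoleName` `Ref`s used to go, and nothing on the new side says why an empty CloudFormation parameters file is still produced rather than the write being dropped. A comment above it such as `// No CFN parameters remain for the API stack after #6904 (the auth/unauth role refs went with the consolidated IAM policies); the file is still written so anything expecting it keeps finding it` would record the intent; the bracketed clause is my inference from the commit title and should be corrected to the real reason. It is also worth confirming that `JSONUtilities.writeJson` emits the same 4-space, utf8 output as the replaced `JSON.stringify(parameters, null, 4)` write, since the parameters file is presumably read back by other tooling. `legacyAddResource` starts and ends outside the hunk.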