'use strict'
const _ = require('lodash')
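module.exports = {
  /**
   * Compiles the IAM role that API Gateway assumes when it proxies a request
   * directly to DynamoDB and merges it into the compiled CloudFormation
   * template under the logical id `ApigatewayToDynamodbRole`.
   *
   * One `Allow` statement is emitted per distinct (tableName, action) pair
   * found in the `dynamodb` service proxies, scoped to that table's ARN. The
   * role additionally gets CloudWatch Logs write access so API Gateway
   * execution logging works. Nothing is emitted when no dynamodb proxy is
   * configured.
   *
   * Reads `this.getAllServiceProxies()`; writes into
   * `this.serverless.service.provider.compiledCloudFormationTemplate.Resources`.
   *
   * @returns {Promise<void>}
   */
  async compileIamRoleToDynamodb() {
    // Collect the (tableName, action) pair of every dynamodb proxy. tableName
    // may be a plain string or a CloudFormation intrinsic such as
    // { Ref: 'MyTable' }; both are valid as an Fn::Sub variable below.
    const tableNameActions = _.flatMap(this.getAllServiceProxies(), (serviceProxy) =>
      _.flatMap(Object.keys(serviceProxy), (serviceName) => {
        if (serviceName !== 'dynamodb') {
          return []
        }
        return {
          tableName: serviceProxy.dynamodb.tableName,
          action: serviceProxy.dynamodb.action
        }
      })
    )
    if (tableNameActions.length <= 0) {
      return
    }

    // Several endpoints hitting the same table with the same action would
    // otherwise repeat an identical statement. Duplicates grant nothing extra
    // and only eat into the inline-policy size limit, so drop them here.
    // _.isEqual compares intrinsic tableName objects structurally.
    const uniqueTableNameActions = _.uniqWith(tableNameActions, _.isEqual)

    const permissions = uniqueTableNameActions.map(({ tableName, action }) => {
      // Single-quoted on purpose: `${...}` here is CloudFormation Fn::Sub
      // syntax (pseudo-parameters plus the tableName variable), not a JS
      // template literal. tableName is passed through the variable map rather
      // than concatenated so intrinsic values survive.
      const baseArn =
        'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}'
      return {
        Effect: 'Allow',
        // `action` is taken verbatim from serverless.yml. NOTE(review): an
        // unrestricted value such as `*` would widen this statement to every
        // DynamoDB action on the table — confirm the plugin's config
        // validation limits it to the supported actions.
        Action: `dynamodb:${action}`,
        Resource: {
          // Query is scoped to `table/<name>/*` (the table's sub-resources,
          // i.e. its indexes); every other action is scoped to the table
          // ARN itself. NOTE(review): `table/<name>/*` does not match the
          // bare `table/<name>` ARN, so a Query with no IndexName would also
          // need the base ARN — confirm Query proxies always target an index.
          'Fn::Sub': [action === 'Query' ? baseArn + '/*' : baseArn, { tableName }]
        }
      }
    })

    const template = {
      Type: 'AWS::IAM::Role',
      Properties: {
        // Only the API Gateway service principal may assume this role.
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [
            {
              Effect: 'Allow',
              Principal: {
                Service: 'apigateway.amazonaws.com'
              },
              Action: 'sts:AssumeRole'
            }
          ]
        },
        Policies: [
          {
            PolicyName: 'apigatewaytodynamodb',
            PolicyDocument: {
              Version: '2012-10-17',
              Statement: [
                // CloudWatch Logs access for API Gateway execution logging.
                // Resource '*' is broad; the log group names are not known at
                // compile time, which is why it is not narrowed here.
                {
                  Effect: 'Allow',
                  Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
                  Resource: '*'
                },
                ...permissions
              ]
            }
          }
        ]
      }
    }

    // Deep-merge so any other resources already in the template are kept.
    _.merge(this.serverless.service.provider.compiledCloudFormationTemplate.Resources, {
      ApigatewayToDynamodbRole: template
    })
  }
}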