refactor(AWS SQS): Optimize IAM permissions generation (#11685)

serverless · Jan 18, 2023 · 99cd9e6 · 99cd9e6
1 parent 2f4de84
commit 99cd9e6
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 39 deletions.
diff --git a/lib/plugins/aws/package/compile/events/sqs.js b/lib/plugins/aws/package/compile/events/sqs.js
@@ -33,16 +33,16 @@ class AwsCompileSQSEvents {
   }
 
   compileSQSEvents() {
+    const sqsStatement = {
+      Effect: 'Allow',
+      Action: ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes'],
+      Resource: [],
+    };
+
     this.serverless.service.getAllFunctions().forEach((functionName) => {
       const functionObj = this.serverless.service.getFunction(functionName);
 
       if (functionObj.events) {
-        const sqsStatement = {
-          Effect: 'Allow',
-          Action: ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes'],
-          Resource: [],
-        };
-
         functionObj.events.forEach((event) => {
           if (event.sqs) {
             let EventSourceArn;
@@ -124,21 +124,21 @@ class AwsCompileSQSEvents {
             );
           }
         });
-
-        // update the PolicyDocument statements (if default policy is used)
-        if (
-          this.serverless.service.provider.compiledCloudFormationTemplate.Resources
-            .IamRoleLambdaExecution
-        ) {
-          const statement =
-            this.serverless.service.provider.compiledCloudFormationTemplate.Resources
-              .IamRoleLambdaExecution.Properties.Policies[0].PolicyDocument.Statement;
-          if (sqsStatement.Resource.length) {
-            statement.push(sqsStatement);
-          }
-        }
       }
     });
+
+    // update the PolicyDocument statements (if default policy is used)
+    if (
+      this.serverless.service.provider.compiledCloudFormationTemplate.Resources
+        .IamRoleLambdaExecution
+    ) {
+      const statement =
+        this.serverless.service.provider.compiledCloudFormationTemplate.Resources
+          .IamRoleLambdaExecution.Properties.Policies[0].PolicyDocument.Statement;
+      if (sqsStatement.Resource.length) {
+        statement.push(sqsStatement);
+      }
+    }
   }
 }
 

diff --git a/test/unit/lib/plugins/aws/package/compile/events/sqs.test.js b/test/unit/lib/plugins/aws/package/compile/events/sqs.test.js
@@ -150,30 +150,14 @@ describe('test/unit/lib/plugins/aws/package/compile/events/sqs.test.js', () => {
 
     it('should ensure necessary IAM statememnts', () => {
       const iamRoleStatments = [
-        {
-          Effect: 'Allow',
-          Action: ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes'],
-          Resource: ['arn:aws:sqs:region:account:some-queue-name'],
-        },
-        {
-          Effect: 'Allow',
-          Action: ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes'],
-          Resource: ['arn:aws:sqs:region:account:MyQueue'],
-        },
-        {
-          Effect: 'Allow',
-          Action: ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes'],
-          Resource: [{ 'Fn::GetAtt': ['SomeQueue', 'Arn'] }],
-        },
-        {
-          Effect: 'Allow',
-          Action: ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes'],
-          Resource: [{ 'Fn::ImportValue': 'ForeignQueue' }],
-        },
         {
           Effect: 'Allow',
           Action: ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes'],
           Resource: [
+            'arn:aws:sqs:region:account:some-queue-name',
+            'arn:aws:sqs:region:account:MyQueue',
+            { 'Fn::GetAtt': ['SomeQueue', 'Arn'] },
+            { 'Fn::ImportValue': 'ForeignQueue' },
             {
               'Fn::Join': [
                 ':',