Skip to content

Commit

Permalink
Merge pull request #443 from danrivett/442-support-external-ddb-table…
Browse files Browse the repository at this point in the history 
…-names

feat: support importing DynamoDB tables exported from external stacks
  • Loading branch information
@horike37
horike37 authored Jul 5, 2021
2 parents 5929794 + 0f611dd commit 8981580
Show file tree
Hide file tree
Showing 3 changed files with 137 additions and 4 deletions.
23 changes: 23 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,8 @@ Specify your state machine definition using Amazon States Language in a `definit

Alternatively, you can also provide the raw ARN, or SQS queue URL, or DynamoDB table name as a string. If you need to construct the ARN by hand, then we recommend to use the [serverless-pseudo-parameters](https://www.npmjs.com/package/serverless-pseudo-parameters) plugin together to make your life easier.

In addition, if you want to reference a DynamoDB table managed by an external CloudFormation Stack, as long as that table name is exported as an output from that stack, it can be referenced by importing it using `Fn::ImportValue`. See the `ddbtablestepfunc` Step Function definition below for an example.

```yml
functions:
hello:
Expand Down Expand Up @@ -138,6 +140,27 @@ stepFunctions:
Resource:
Fn::GetAtt: [hello, Arn]
End: true
ddbtablestepfunc:
definition:
Comment: Demonstrates how to reference a DynamoDB Table Name exported from an external CloudFormation Stack
StartAt: ImportDDBTableName
States:
ImportDDBTableName:
Type: Task
Resource: "arn:aws:states:::dynamodb:updateItem"
Parameters:
TableName:
Fn::ImportValue: MyExternalStack:ToDoTable:Name # imports a table name from an external stack
Key:
id:
S.$: "$.todoId"
UpdateExpression: "SET #status = :updatedStatus"
ExpressionAttributeNames:
"#status": status
ExpressionAttributeValues:
":updatedStatus":
S: DONE
End: true
dependsOn:
- DynamoDBTable
- KinesisStream
Expand Down
33 changes: 29 additions & 4 deletions lib/deploy/stepFunctions/compileIamRole.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -76,12 +76,37 @@ function getSnsPermissions(serverless, state) {
}

function getDynamoDBArn(tableName) {
if (isIntrinsic(tableName) && tableName.Ref) {
if (isIntrinsic(tableName)) {
// most likely we'll see a { Ref: LogicalId }, which we need to map to
// { Fn::GetAtt: [ LogicalId, Arn ] } to get the ARN
return {
'Fn::GetAtt': [tableName.Ref, 'Arn'],
};
if (tableName.Ref) {
return {
'Fn::GetAtt': [tableName.Ref, 'Arn'],
};
}
// but also support importing the table name from an external stack that exports it
// as we still want to support direct state machine actions interacting with those tables
if (tableName['Fn::ImportValue']) {
return {
'Fn::Join': [
':',
[
'arn:aws:dynamodb',
{ Ref: 'AWS::Region' },
{ Ref: 'AWS::AccountId' },
{
'Fn::Join': [
'/',
[
'table',
tableName,
],
],
},
],
],
};
}
}

return {
Expand Down
85 changes: 85 additions & 0 deletions lib/deploy/stepFunctions/compileIamRole.test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -576,6 +576,91 @@ describe('#compileIamRole', () => {
.to.be.deep.equal([worldTableArn]);
});

it('should give dynamodb permission for table name imported from external stack', () => {
const externalHelloTable = { 'Fn::ImportValue': 'HelloStack:Table:Name' };
const helloTableArn = {
'Fn::Join': [
':', ['arn:aws:dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, { 'Fn::Join': ['/', ['table', externalHelloTable]] }],
],
};

const externalWorldTable = { 'Fn::ImportValue': 'WorldStack:Table:Name' };
const worldTableArn = {
'Fn::Join': [
':', ['arn:aws:dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, { 'Fn::Join': ['/', ['table', externalWorldTable]] }],
],
};

const genStateMachine = (id, tableName) => ({
id,
definition: {
StartAt: 'A',
States: {
A: {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:updateItem',
Parameters: {
TableName: tableName,
},
Next: 'B',
},
B: {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:putItem',
Parameters: {
TableName: tableName,
},
Next: 'C',
},
C: {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:getItem',
Parameters: {
TableName: tableName,
},
Next: 'D',
},
D: {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:deleteItem',
Parameters: {
TableName: tableName,
},
End: true,
},
},
},
});

serverless.service.stepFunctions = {
stateMachines: {
myStateMachine1: genStateMachine('StateMachine1', externalHelloTable),
myStateMachine2: genStateMachine('StateMachine2', externalWorldTable),
},
};

serverlessStepFunctions.compileIamRole();
const resources = serverlessStepFunctions.serverless.service
.provider.compiledCloudFormationTemplate.Resources;
const policy1 = resources.StateMachine1Role.Properties.Policies[0];
const policy2 = resources.StateMachine2Role.Properties.Policies[0];

[policy1, policy2].forEach((policy) => {
expect(policy.PolicyDocument.Statement[0].Action)
.to.be.deep.equal([
'dynamodb:UpdateItem',
'dynamodb:PutItem',
'dynamodb:GetItem',
'dynamodb:DeleteItem',
]);
});

expect(policy1.PolicyDocument.Statement[0].Resource)
.to.be.deep.equal([helloTableArn]);
expect(policy2.PolicyDocument.Statement[0].Resource)
.to.be.deep.equal([worldTableArn]);
});

it('should give dynamodb permission to * whenever TableName.$ is seen', () => {
const helloTable = 'hello';

Expand Down

0 comments on commit 8981580

Please sign in to comment.