diff --git a/README.md b/README.md index fd1a8249..dd51479b 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,8 @@ Specify your state machine definition using Amazon States Language in a `definit Alternatively, you can also provide the raw ARN, or SQS queue URL, or DynamoDB table name as a string. If you need to construct the ARN by hand, then we recommend to use the [serverless-pseudo-parameters](https://www.npmjs.com/package/serverless-pseudo-parameters) plugin together to make your life easier. +In addition, if you want to reference a DynamoDB table managed by an external CloudFormation Stack, as long as that table name is exported as an output from that stack, it can be referenced by importing it using `Fn::ImportValue`. See the `ddbtablestepfunc` Step Function definition below for an example. + ```yml functions: hello: @@ -138,6 +140,27 @@ stepFunctions: Resource: Fn::GetAtt: [hello, Arn] End: true + ddbtablestepfunc: + definition: + Comment: Demonstrates how to reference a DynamoDB Table Name exported from an external CloudFormation Stack + StartAt: ImportDDBTableName + States: + ImportDDBTableName: + Type: Task + Resource: "arn:aws:states:::dynamodb:updateItem" + Parameters: + TableName: + Fn::ImportValue: MyExternalStack:ToDoTable:Name # imports a table name from an external stack + Key: + id: + S.$: "$.todoId" + UpdateExpression: "SET #status = :updatedStatus" + ExpressionAttributeNames: + "#status": status + ExpressionAttributeValues: + ":updatedStatus": + S: DONE + End: true dependsOn: - DynamoDBTable - KinesisStream diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js index 2d709d1f..27ca8c88 100644 --- a/lib/deploy/stepFunctions/compileIamRole.js +++ b/lib/deploy/stepFunctions/compileIamRole.js @@ -76,12 +76,37 @@ function getSnsPermissions(serverless, state) { } function getDynamoDBArn(tableName) { - if (isIntrinsic(tableName) && tableName.Ref) { + if (isIntrinsic(tableName)) { // most likely we'll see a { Ref: LogicalId }, which we need to map to // { Fn::GetAtt: [ LogicalId, Arn ] } to get the ARN - return { - 'Fn::GetAtt': [tableName.Ref, 'Arn'], - }; + if (tableName.Ref) { + return { + 'Fn::GetAtt': [tableName.Ref, 'Arn'], + }; + } + // but also support importing the table name from an external stack that exports it + // as we still want to support direct state machine actions interacting with those tables + if (tableName['Fn::ImportValue']) { + return { + 'Fn::Join': [ + ':', + [ + 'arn:aws:dynamodb', + { Ref: 'AWS::Region' }, + { Ref: 'AWS::AccountId' }, + { + 'Fn::Join': [ + '/', + [ + 'table', + tableName, + ], + ], + }, + ], + ], + }; + } } return { diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js index 28f65a12..78353748 100644 --- a/lib/deploy/stepFunctions/compileIamRole.test.js +++ b/lib/deploy/stepFunctions/compileIamRole.test.js @@ -576,6 +576,91 @@ describe('#compileIamRole', () => { .to.be.deep.equal([worldTableArn]); }); + it('should give dynamodb permission for table name imported from external stack', () => { + const externalHelloTable = { 'Fn::ImportValue': 'HelloStack:Table:Name' }; + const helloTableArn = { + 'Fn::Join': [ + ':', ['arn:aws:dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, { 'Fn::Join': ['/', ['table', externalHelloTable]] }], + ], + }; + + const externalWorldTable = { 'Fn::ImportValue': 'WorldStack:Table:Name' }; + const worldTableArn = { + 'Fn::Join': [ + ':', ['arn:aws:dynamodb', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, { 'Fn::Join': ['/', ['table', externalWorldTable]] }], + ], + }; + + const genStateMachine = (id, tableName) => ({ + id, + definition: { + StartAt: 'A', + States: { + A: { + Type: 'Task', + Resource: 'arn:aws:states:::dynamodb:updateItem', + Parameters: { + TableName: tableName, + }, + Next: 'B', + }, + B: { + Type: 'Task', + Resource: 'arn:aws:states:::dynamodb:putItem', + Parameters: { + TableName: tableName, + }, + Next: 'C', + }, + C: { + Type: 'Task', + Resource: 'arn:aws:states:::dynamodb:getItem', + Parameters: { + TableName: tableName, + }, + Next: 'D', + }, + D: { + Type: 'Task', + Resource: 'arn:aws:states:::dynamodb:deleteItem', + Parameters: { + TableName: tableName, + }, + End: true, + }, + }, + }, + }); + + serverless.service.stepFunctions = { + stateMachines: { + myStateMachine1: genStateMachine('StateMachine1', externalHelloTable), + myStateMachine2: genStateMachine('StateMachine2', externalWorldTable), + }, + }; + + serverlessStepFunctions.compileIamRole(); + const resources = serverlessStepFunctions.serverless.service + .provider.compiledCloudFormationTemplate.Resources; + const policy1 = resources.StateMachine1Role.Properties.Policies[0]; + const policy2 = resources.StateMachine2Role.Properties.Policies[0]; + + [policy1, policy2].forEach((policy) => { + expect(policy.PolicyDocument.Statement[0].Action) + .to.be.deep.equal([ + 'dynamodb:UpdateItem', + 'dynamodb:PutItem', + 'dynamodb:GetItem', + 'dynamodb:DeleteItem', + ]); + }); + + expect(policy1.PolicyDocument.Statement[0].Resource) + .to.be.deep.equal([helloTableArn]); + expect(policy2.PolicyDocument.Statement[0].Resource) + .to.be.deep.equal([worldTableArn]); + }); + it('should give dynamodb permission to * whenever TableName.$ is seen', () => { const helloTable = 'hello';