
Commit 2de2304

authored
chore: merge pull request #1201 from awslabs/release/v1.15.1
Release/v1.15.1
2 parents 5bd587c + 68f1a8a commit 2de2304

29 files changed

+599
-455
lines changed

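--- a/examples/2016-10-31/api_resource_policy/template.yaml
+++ b/examples/2016-10-31/api_resource_policy/template.yaml
@@ -8,13 +8,15 @@ Globals:
 "Effect": "Allow",
 "Principal": "*",
 "Action": "execute-api:Invoke",
-"Resource": "execute-api:*/*/*",
+"Resource": "execute-api:/Prod/PUT/get",
 "Condition": {
 "IpAddress": {
 "aws:SourceIp": "1.2.3.4"
 }
 }
 }]
+# OR you can use the following, they both do the same thing
+IpRangeBlacklist: ['1.2.3.4']
 Resources:
 MyFunction:
 Type: AWS::Serverless::Function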
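Review bot: The comment added at new line 18 says the custom statement and `IpRangeBlacklist: ['1.2.3.4']` do the same thing, but the statement above it is `"Effect": "Allow"` conditioned on `aws:SourceIp` 1.2.3.4, which admits that address, while a blacklist, going by its name, denies it. The shorthand line is also not commented out, so the template as shown applies both rules at once rather than one "or" the other. If the example is meant to allow only that address, the shorthand should presumably be `IpRangeWhitelist: ['1.2.3.4']`, shipped as a comment, with wording such as `# Alternatively, remove CustomStatements and use the shorthand below`. The narrowed resource `execute-api:/Prod/PUT/get` pairs the method PUT with a path named `/get`, which is worth checking against the function's event; that event and the start of the statement are outside this hunk.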

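--- a/samtranslator/__init__.py
+++ b/samtranslator/__init__.py
@@ -1 +1 @@
-__version__ = '1.15.0'
+__version__ = '1.15.1'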

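--- a/samtranslator/swagger/swagger.py
+++ b/samtranslator/swagger/swagger.py
@@ -6,7 +6,6 @@
 from samtranslator.model.intrinsics import ref
 from samtranslator.model.intrinsics import make_conditional, fnSub
 from samtranslator.model.exceptions import InvalidDocumentException, InvalidTemplateException
-from samtranslator.translator.arn_generator import ArnGenerator
 
 
 class SwaggerEditor(object):
@@ -891,15 +890,9 @@ def _get_method_path_uri_list(self, path, api_id, stage):
 
 for m in methods:
 method = '*' if (m.lower() == self._X_ANY_METHOD or m.lower() == 'any') else m.upper()
-
-# RestApiId can be a simple string or intrinsic function like !Ref. Using Fn::Sub will handle both cases
-resource = '${__ApiId__}/' + '${__Stage__}/' + method + path
-partition = ArnGenerator.get_partition_name(None)
-if partition is None:
-partition = "aws"
-source_arn = fnSub(ArnGenerator.generate_arn(partition=partition, service='execute-api', resource=resource),
-{"__ApiId__": api_id, "__Stage__": stage})
-uri_list.extend([source_arn])
+resource = "execute-api:/${__Stage__}/" + method + path
+resource = fnSub(resource, {"__Stage__": stage})
+uri_list.extend([resource])
 return uri_list
 
 def _add_ip_resource_policy_for_method(self, ip_list, conditional, resource_list):
@@ -1001,7 +994,9 @@ def _add_custom_statement(self, custom_statements):
 statement = self.resource_policy['Statement']
 if not isinstance(statement, list):
 statement = [statement]
-statement.extend(custom_statements)
+for s in custom_statements:
+if s not in statement:
+statement.append(s)
 self.resource_policy['Statement'] = statement
 
 def add_request_parameters_to_method(self, path, method_name, request_parameters):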
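Review bot: In `_get_method_path_uri_list` the new lines no longer read `api_id`, although the signature in the hunk header still takes it, and the removed explanatory comment has no successor saying why the account- and API-qualified ARN gave way to the short `execute-api:/stage/METHOD/path` form. Because this string becomes the `Resource` of the generated resource policy, the assumption behind it should be written down, for example `# Short form: API Gateway is expected to expand this to the ARN of the API the policy is attached to, so ApiId and partition are not needed` (to be confirmed against the API Gateway documentation), and `api_id` should be documented as unused. `uri_list.extend([resource])` reads more simply as `uri_list.append(resource)`, and binding the Fn::Sub result to a second name would avoid `resource` changing from a string to a dict. In `_add_custom_statement`, `s not in statement` filters only statements that compare equal, so near-duplicates that differ in list order still reach the policy. Both function bodies start outside their hunks.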

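--- a/tests/swagger/test_swagger.py
+++ b/tests/swagger/test_swagger.py
@@ -1421,7 +1421,6 @@ def test_must_add_custom_statements(self):
 
 self.assertEqual(deep_sort_lists(expected), deep_sort_lists(self.editor.swagger[_X_POLICY]))
 
-@patch("boto3.session.Session.region_name", "eu-west-2")
 def test_must_add_iam_allow(self):
 ## fails
 resourcePolicy = {
@@ -1438,14 +1437,14 @@ def test_must_add_iam_allow(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Allow',
@@ -1457,7 +1456,6 @@ def test_must_add_iam_allow(self):
 
 self.assertEqual(deep_sort_lists(expected), deep_sort_lists(self.editor.swagger[_X_POLICY]))
 
-@patch("boto3.session.Session.region_name", "eu-west-2")
 def test_must_add_iam_deny(self):
 
 resourcePolicy = {
@@ -1474,14 +1472,14 @@ def test_must_add_iam_deny(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Deny',
@@ -1493,7 +1491,6 @@ def test_must_add_iam_deny(self):
 
 self.assertEqual(deep_sort_lists(expected), deep_sort_lists(self.editor.swagger[_X_POLICY]))
 
-@patch("boto3.session.Session.region_name", "eu-west-2")
 def test_must_add_ip_allow(self):
 
 resourcePolicy = {
@@ -1510,14 +1507,14 @@ def test_must_add_ip_allow(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Allow',
@@ -1527,14 +1524,14 @@ def test_must_add_ip_allow(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Deny',
@@ -1549,7 +1546,6 @@ def test_must_add_ip_allow(self):
 
 self.assertEqual(deep_sort_lists(expected), deep_sort_lists(self.editor.swagger[_X_POLICY]))
 
-@patch("boto3.session.Session.region_name", "eu-west-2")
 def test_must_add_ip_deny(self):
 
 resourcePolicy = {
@@ -1566,14 +1562,14 @@ def test_must_add_ip_deny(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Allow',
@@ -1583,14 +1579,14 @@ def test_must_add_ip_deny(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Deny',
@@ -1605,7 +1601,6 @@ def test_must_add_ip_deny(self):
 
 self.assertEqual(deep_sort_lists(expected), deep_sort_lists(self.editor.swagger[_X_POLICY]))
 
-@patch("boto3.session.Session.region_name", "eu-west-2")
 def test_must_add_vpc_allow(self):
 
 resourcePolicy = {
@@ -1624,14 +1619,14 @@ def test_must_add_vpc_allow(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Allow',
@@ -1641,14 +1636,14 @@ def test_must_add_vpc_allow(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Deny',
@@ -1663,14 +1658,14 @@ def test_must_add_vpc_allow(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Deny',
@@ -1686,7 +1681,6 @@ def test_must_add_vpc_allow(self):
 
 self.assertEqual(deep_sort_lists(expected), deep_sort_lists(self.editor.swagger[_X_POLICY]))
 
-@patch("boto3.session.Session.region_name", "eu-west-2")
 def test_must_add_vpc_deny(self):
 
 resourcePolicy = {
@@ -1704,14 +1698,14 @@ def test_must_add_vpc_deny(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Allow',
@@ -1721,14 +1715,14 @@ def test_must_add_vpc_deny(self):
 'Action': 'execute-api:Invoke',
 'Resource': [ {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Deny',
@@ -1744,9 +1738,7 @@ def test_must_add_vpc_deny(self):
 
 self.assertEqual(deep_sort_lists(expected), deep_sort_lists(self.editor.swagger[_X_POLICY]))
 
-@patch("boto3.session.Session.region_name", "eu-west-2")
 def test_must_add_iam_allow_and_custom(self):
-## fails
 resourcePolicy = {
 'AwsAccountWhitelist': [
 '123456'
@@ -1769,14 +1761,14 @@ def test_must_add_iam_allow_and_custom(self):
 'Action': 'execute-api:Invoke',
 'Resource': [{
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/PUT/foo',
+{'__Stage__': 'prod'}
 ]
 },
 {
 'Fn::Sub': [
-'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/foo',
-{'__Stage__': 'prod', '__ApiId__': '123'}
+'execute-api:/${__Stage__}/GET/foo',
+{'__Stage__': 'prod'}
 ]
 }],
 'Effect': 'Allow',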
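--- a/tests/translator/input/api_with_resource_policy.yaml
+++ b/tests/translator/input/api_with_resource_policy.yaml
@@ -21,7 +21,21 @@ Resources:
 Properties:
 RestApiId:
 Ref: ExplicitApi
-Path: /
+Path: /one
 Method: get
+PostHtml:
+Type: Api
+Properties:
+RestApiId:
+Ref: ExplicitApi
+Path: /two
+Method: post
+PutHtml:
+Type: Api
+Properties:
+RestApiId:
+Ref: ExplicitApi
+Path: /three
+Method: put
 
 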