feat: add support for Permissions Boundary on Function (#782)

Author: jasonmk

requirements/dev.txt

@@ -2,7 +2,7 @@ coverage>=4.4.0
 flake8>=3.3.0
 tox>=2.2.1
 pytest-cov>=2.4.0
-pylint>=1.7.2
+pylint>=1.7.2,<2.0
 pyyaml>=4.2b1
 
 # Test requirements

samtranslator/model/iam.py

@@ -9,7 +9,8 @@ class IAMRole(Resource):
             'AssumeRolePolicyDocument': PropertyType(True, is_type(dict)),
             'ManagedPolicyArns': PropertyType(False, is_type(list)),
             'Path': PropertyType(False, is_str()),
-            'Policies': PropertyType(False, is_type(list))
+            'Policies': PropertyType(False, is_type(list)),
+            'PermissionsBoundary': PropertyType(False, is_str())
     }
 
     runtime_attrs = {

samtranslator/model/s3_utils/uri_parser.py

@@ -43,7 +43,7 @@ def to_s3_uri(code_dict):
         raise TypeError("Code location should be a dictionary")
 
     if version:
-            uri += "?versionId=" + version
+        uri += "?versionId=" + version
 
     return uri
 

samtranslator/model/sam_resources.py

@@ -42,6 +42,7 @@ class SamFunction(SamResourceMacro):
         'VpcConfig': PropertyType(False, is_type(dict)),
         'Role': PropertyType(False, is_str()),
         'Policies': PropertyType(False, one_of(is_str(), list_of(one_of(is_str(), is_type(dict), is_type(dict))))),
+        'PermissionsBoundary': PropertyType(False, is_str()),
         'Environment': PropertyType(False, dict_of(is_str(), is_type(dict))),
         'Events': PropertyType(False, dict_of(is_str(), is_type(dict))),
         'Tags': PropertyType(False, is_type(dict)),
@@ -239,6 +240,7 @@ def _construct_role(self, managed_policy_map):
 
         execution_role.ManagedPolicyArns = list(managed_policy_arns)
         execution_role.Policies = policy_documents or None
+        execution_role.PermissionsBoundary = self.PermissionsBoundary
 
         return execution_role
 

samtranslator/plugins/globals/globals.py

@@ -29,7 +29,8 @@ class Globals(object):
             "KmsKeyArn",
             "AutoPublishAlias",
             "Layers",
-            "DeploymentPreference"
+            "DeploymentPreference",
+            "PermissionsBoundary"
         ],
 
         # Everything except

samtranslator/translator/translator.py

@@ -110,7 +110,7 @@ def translate(self, sam_template, parameter_values):
         if 'Transform' in template:
             del template['Transform']
 
-        if len(document_errors) is 0:
+        if len(document_errors) == 0:
             template = intrinsics_resolver.resolve_sam_resource_id_refs(template, changed_logical_ids)
             template = intrinsics_resolver.resolve_sam_resource_refs(template, supported_resource_refs)
             return template

tests/translator/input/function_with_permissions_boundary.yaml

@@ -0,0 +1,9 @@
+Resources:
+  MinimalFunction:
+    Type: 'AWS::Serverless::Function'
+    Properties:
+      CodeUri: s3://sam-demo-bucket/hello.zip
+      Handler: hello.handler
+      Runtime: python2.7
+      PermissionsBoundary: arn:aws:1234:iam:boundary/CustomerCreatedPermissionsBoundary
+

tests/translator/input/globals_for_function.yaml

@@ -16,6 +16,7 @@ Globals:
       tag1: value1
     Tracing: Active
     AutoPublishAlias: live
+    PermissionsBoundary: arn:aws:1234:iam:boundary/CustomerCreatedPermissionsBoundary
     Layers:
       - !Sub arn:${AWS:Partition}:lambda:${AWS:Region}:${AWS:AccountId}:layer:MyLayer:1
 
@@ -41,6 +42,7 @@ Resources:
         newtag1: newvalue1
       Tracing: PassThrough
       AutoPublishAlias: prod
+      PermissionsBoundary: arn:aws:1234:iam:boundary/OverridePermissionsBoundary
       Layers:
         - !Sub arn:${AWS:Partition}:lambda:${AWS:Region}:${AWS:AccountId}:layer:MyLayer2:2
 

tests/translator/output/aws-cn/function_with_permissions_boundary.json

@@ -0,0 +1,52 @@
+{
+  "Resources": {
+    "MinimalFunctionRole": {
+      "Type": "AWS::IAM::Role", 
+      "Properties": {
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ], 
+        "PermissionsBoundary": "arn:aws:1234:iam:boundary/CustomerCreatedPermissionsBoundary", 
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17", 
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ], 
+              "Effect": "Allow", 
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ]
+        }
+      }
+    }, 
+    "MinimalFunction": {
+      "Type": "AWS::Lambda::Function", 
+      "Properties": {
+        "Handler": "hello.handler", 
+        "Code": {
+          "S3Bucket": "sam-demo-bucket", 
+          "S3Key": "hello.zip"
+        }, 
+        "Role": {
+          "Fn::GetAtt": [
+            "MinimalFunctionRole", 
+            "Arn"
+          ]
+        }, 
+        "Runtime": "python2.7", 
+        "Tags": [
+          {
+            "Value": "SAM", 
+            "Key": "lambda:createdBy"
+          }
+        ]
+      }
+    }
+  }
+}

tests/translator/output/aws-cn/globals_for_function.json

@@ -7,6 +7,7 @@
           "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", 
           "arn:aws-cn:iam::aws:policy/AWSXrayWriteOnlyAccess"
         ], 
+        "PermissionsBoundary": "arn:aws:1234:iam:boundary/OverridePermissionsBoundary",
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17", 
           "Statement": [
@@ -85,6 +86,7 @@
           "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", 
           "arn:aws-cn:iam::aws:policy/AWSXrayWriteOnlyAccess"
         ], 
+        "PermissionsBoundary": "arn:aws:1234:iam:boundary/CustomerCreatedPermissionsBoundary",
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17", 
           "Statement": [
@@ -198,4 +200,4 @@
       }
     }
   }
-}
+}