diff --git a/examples/2016-10-31/api_resource_policy/template.yaml b/examples/2016-10-31/api_resource_policy/template.yaml index 808603414..6194a9b56 100644 --- a/examples/2016-10-31/api_resource_policy/template.yaml +++ b/examples/2016-10-31/api_resource_policy/template.yaml @@ -13,6 +13,7 @@ Globals: Fn::If: - C1 - Principal: '*' + Effect: Allow Action: execute-api:Invoke Resource: - execute-api:/Prod/PUT/get @@ -20,6 +21,7 @@ Globals: IpAddress: aws:SourceIp: 1.2.3.4 - Principal: '*' + Effect: Allow Action: execute-api:Invoke Resource: - execute-api:/Prod/PUT/get diff --git a/samtranslator/__init__.py b/samtranslator/__init__.py index 3e49871f9..6df86cae3 100644 --- a/samtranslator/__init__.py +++ b/samtranslator/__init__.py @@ -1 +1 @@ -__version__ = "1.20.1" +__version__ = "1.21.0" diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py index fe6d139b6..204f180c7 100644 --- a/samtranslator/model/api/api_generator.py +++ b/samtranslator/model/api/api_generator.py @@ -591,14 +591,16 @@ def _construct_usage_plan(self, rest_api_stage=None): # create a usage plan for all the Apis elif create_usage_plan == "SHARED": usage_plan_logical_id = "ServerlessUsagePlan" - ApiGenerator.depends_on_shared.append(self.logical_id) + if self.logical_id not in ApiGenerator.depends_on_shared: + ApiGenerator.depends_on_shared.append(self.logical_id) usage_plan = ApiGatewayUsagePlan( logical_id=usage_plan_logical_id, depends_on=ApiGenerator.depends_on_shared ) api_stage = dict() api_stage["ApiId"] = ref(self.logical_id) api_stage["Stage"] = ref(rest_api_stage.logical_id) - ApiGenerator.api_stages_shared.append(api_stage) + if api_stage not in ApiGenerator.api_stages_shared: + ApiGenerator.api_stages_shared.append(api_stage) usage_plan.ApiStages = ApiGenerator.api_stages_shared api_key = self._construct_api_key(usage_plan_logical_id, create_usage_plan, rest_api_stage) 
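Review bot: With `Effect: Allow` now explicit beside `Principal: '*'`, this example reads as a copy-ready policy open to any caller, and nothing in the file says that the restriction comes from the statement's condition. The first statement appears to be narrowed by the `IpAddress` / `aws:SourceIp` block that opens the next hunk, but the line between the two hunks and whatever follows the second statement are outside the diff, so that should be confirmed. I would add a comment above each statement such as `# Principal '*' is limited only by the Condition on this statement; keep the Condition when copying`. The same applies to the second statement in the `@@ -20,6 +21,7 @@` hunk.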
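Review bot: The `not in` guards in the `SHARED` branch remove repeated entries, but `ApiGenerator.depends_on_shared` and `ApiGenerator.api_stages_shared` remain class-level lists that are not reset anywhere in the lines shown, so entries added for one template stay in place for the next template translated in the same process. The fixtures in this commit, where the aws-cn output held two copies and the aws-us-gov output three, suggest (inferred) that the lists were accumulating across runs; identical entries now collapse, but another template's APIs would still land in this usage plan's `ApiStages` and `DependsOn`. Consider building the lists per translation, or clearing them when a translation starts, and at minimum add `# class-level state shared by every ApiGenerator in the process; must be reset per template`. The same pattern applies to `ApiGenerator.stage_keys_shared` in the `_construct_api_key` hunk, where a leftover entry would attach the shared API key to a stage from another template. `_construct_usage_plan` starts and ends outside the hunk.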
@@ -631,7 +633,8 @@ def _construct_api_key(self, usage_plan_logical_id, create_usage_plan, rest_api_ stage_key = dict() stage_key["RestApiId"] = ref(self.logical_id) stage_key["StageName"] = ref(rest_api_stage.logical_id) - ApiGenerator.stage_keys_shared.append(stage_key) + if stage_key not in ApiGenerator.stage_keys_shared: + ApiGenerator.stage_keys_shared.append(stage_key) api_key.StageKeys = ApiGenerator.stage_keys_shared # for create_usage_plan = "PER_API" else: diff --git a/samtranslator/model/eventsources/push.py b/samtranslator/model/eventsources/push.py index 0c841f223..378241a38 100644 --- a/samtranslator/model/eventsources/push.py +++ b/samtranslator/model/eventsources/push.py @@ -700,6 +700,8 @@ def _add_swagger_integration(self, api, function, intrinsics_resolver): editor.add_resource_policy( resource_policy=resource_policy, path=self.Path, api_id=self.RestApiId.get("Ref"), stage=self.Stage ) + if resource_policy.get("CustomStatements"): + editor.add_custom_statements(resource_policy.get("CustomStatements")) if self.RequestModel: method_model = self.RequestModel.get("Model") diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py index 3d1af1af8..dd6cc10b8 100644 --- a/samtranslator/model/sam_resources.py +++ b/samtranslator/model/sam_resources.py @@ -431,7 +431,7 @@ def _construct_role(self, managed_policy_map, event_invoke_policies): managed_policy_arns = [ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaBasicExecutionRole")] if self.Tracing: - managed_policy_arns.append(ArnGenerator.generate_aws_managed_policy_arn("AWSXRayDaemonWriteAccess")) + managed_policy_arns.append(ArnGenerator.generate_aws_managed_policy_arn("AWSXrayWriteOnlyAccess")) if self.VpcConfig: managed_policy_arns.append( ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaVPCAccessExecutionRole") 
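Review bot: `resource_policy.get("CustomStatements")` is looked up twice and its value reaches `editor.add_custom_statements` after only a truthiness test, so a non-list value (a single mapping, a string, an intrinsic) is passed to the policy builder unchecked unless that method validates it, which is not visible here. Because these statements become part of the API's resource policy, I would bind the value once with `custom_statements = resource_policy.get("CustomStatements")`, test `if custom_statements:`, and fail with a template validation error when it is not a list. The test input moved in this commit supplies statements with no `Effect` or `Principal`, so a comment should state whether missing fields are defaulted or passed through as written. `_add_swagger_integration` continues outside the hunk.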
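Review bot: The new managed policy name is a bare literal with no comment on why it replaces the previous one, and the fixtures in this commit show the same name emitted for the `aws`, `aws-cn` and `aws-us-gov` partitions. A name that is missing in one partition, or that grants a different set of X-Ray actions than the old policy, only surfaces at deploy time as a role failure or as a silent permission change on existing stacks. I would add `# Managed policy attached when Tracing is set; the name must exist in every supported partition` above the append and record in the release notes that existing function roles will be updated. `_construct_role` continues outside the hunk.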
diff --git a/samtranslator/translator/translator.py b/samtranslator/translator/translator.py index 4204d9fa4..9547e4202 100644 --- a/samtranslator/translator/translator.py +++ b/samtranslator/translator/translator.py @@ -51,7 +51,7 @@ def _get_function_names(self, resource_dict, intrinsics_resolver): # adds to the function_names dict with key as the api_name and value as the function_name if item.get("Type") == "Api" and item.get("Properties") and item.get("Properties").get("RestApiId"): rest_api = item.get("Properties").get("RestApiId") - if type(rest_api) == dict or isinstance(rest_api, dict): + if isinstance(rest_api, dict): api_name = item.get("Properties").get("RestApiId").get("Ref") else: api_name = item.get("Properties").get("RestApiId") diff --git a/tests/translator/input/api_with_resource_policy_global_implicit.yaml b/tests/translator/input/api_with_resource_policy_global_implicit.yaml index 5ec9536e4..d3599c73c 100644 --- a/tests/translator/input/api_with_resource_policy_global_implicit.yaml +++ b/tests/translator/input/api_with_resource_policy_global_implicit.yaml @@ -1,15 +1,3 @@ -Globals: - Api: - Auth: - ResourcePolicy: - CustomStatements: [{ - Action: 'execute-api:Invoke', - Resource: ['execute-api:/*/*/*'] - }, - { - Action: 'execute-api:blah', - Resource: ['execute-api:/*/*/*'] - }] Resources: MinimalFunction: Type: 'AWS::Serverless::Function' @@ -23,4 +11,13 @@ Resources: Properties: Path: /add Method: post - + Auth: + ResourcePolicy: + CustomStatements: [{ + Action: 'execute-api:Invoke', + Resource: ['execute-api:/*/*/*'] + }, + { + Action: 'execute-api:blah', + Resource: ['execute-api:/*/*/*'] + }] diff --git a/tests/translator/output/api_with_resource_policy_global.json b/tests/translator/output/api_with_resource_policy_global.json index f226bb7a5..15b8d9910 100644 --- a/tests/translator/output/api_with_resource_policy_global.json +++ b/tests/translator/output/api_with_resource_policy_global.json 
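Review bot: After the check is reduced to `isinstance(rest_api, dict)`, the branch below still re-reads `item.get("Properties").get("RestApiId")` instead of using the `rest_api` local it has just tested, and a dict holding an intrinsic other than `Ref` yields `api_name = None`. How `api_name` is used as a key lies outside the hunk, so the effect of a `None` name is inferred, but it is worth skipping or rejecting that case explicitly. I would write `api_name = rest_api.get("Ref")` in the dict branch and `api_name = rest_api` in the `else`. `_get_function_names` starts and ends outside the hunk.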
@@ -229,4 +229,4 @@ } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_usageplans.json b/tests/translator/output/aws-cn/api_with_usageplans.json index 3f38b0ce5..7f3fe6269 100644 --- a/tests/translator/output/aws-cn/api_with_usageplans.json +++ b/tests/translator/output/aws-cn/api_with_usageplans.json @@ -364,22 +364,6 @@ "Type": "AWS::ApiGateway::UsagePlan", "Properties": { "ApiStages": [ - { - "ApiId": { - "Ref": "MyApiThree" - }, - "Stage": { - "Ref": "MyApiThreeProdStage" - } - }, - { - "ApiId": { - "Ref": "ServerlessRestApi" - }, - "Stage": { - "Ref": "ServerlessRestApiProdStage" - } - }, { "ApiId": { "Ref": "MyApiThree" @@ -399,8 +383,6 @@ ] }, "DependsOn": [ - "MyApiThree", - "ServerlessRestApi", "MyApiThree", "ServerlessRestApi" ] @@ -601,22 +583,6 @@ "Properties": { "Enabled": true, "StageKeys": [ - { - "RestApiId": { - "Ref": "MyApiThree" - }, - "StageName": { - "Ref": "MyApiThreeProdStage" - } - }, - { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "StageName": { - "Ref": "ServerlessRestApiProdStage" - } - }, { "RestApiId": { "Ref": "MyApiThree" diff --git a/tests/translator/output/aws-cn/basic_function.json b/tests/translator/output/aws-cn/basic_function.json index f3d2b1891..33857a45d 100644 --- a/tests/translator/output/aws-cn/basic_function.json +++ b/tests/translator/output/aws-cn/basic_function.json @@ -303,7 +303,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws-cn:iam::aws:policy/AWSXRayDaemonWriteAccess" + "arn:aws-cn:iam::aws:policy/AWSXrayWriteOnlyAccess" ], "Tags": [ { @@ -334,7 +334,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws-cn:iam::aws:policy/AWSXRayDaemonWriteAccess" + "arn:aws-cn:iam::aws:policy/AWSXrayWriteOnlyAccess" ], "Tags": [ { 
diff --git a/tests/translator/output/aws-cn/globals_for_function.json b/tests/translator/output/aws-cn/globals_for_function.json index 1559424a9..0724bd4e8 100644 --- a/tests/translator/output/aws-cn/globals_for_function.json +++ b/tests/translator/output/aws-cn/globals_for_function.json @@ -5,7 +5,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws-cn:iam::aws:policy/AWSXRayDaemonWriteAccess", + "arn:aws-cn:iam::aws:policy/AWSXrayWriteOnlyAccess", "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" ], "Tags": [ @@ -107,7 +107,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws-cn:iam::aws:policy/AWSXRayDaemonWriteAccess", + "arn:aws-cn:iam::aws:policy/AWSXrayWriteOnlyAccess", "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" ], "Tags": [ diff --git a/tests/translator/output/aws-us-gov/api_with_usageplans.json b/tests/translator/output/aws-us-gov/api_with_usageplans.json index 7c0d0eaad..8309958ba 100644 --- a/tests/translator/output/aws-us-gov/api_with_usageplans.json +++ b/tests/translator/output/aws-us-gov/api_with_usageplans.json @@ -363,38 +363,6 @@ "Type": "AWS::ApiGateway::UsagePlan", "Properties": { "ApiStages": [ - { - "ApiId": { - "Ref": "MyApiThree" - }, - "Stage": { - "Ref": "MyApiThreeProdStage" - } - }, - { - "ApiId": { - "Ref": "ServerlessRestApi" - }, - "Stage": { - "Ref": "ServerlessRestApiProdStage" - } - }, - { - "ApiId": { - "Ref": "MyApiThree" - }, - "Stage": { - "Ref": "MyApiThreeProdStage" - } - }, - { - "ApiId": { - "Ref": "ServerlessRestApi" - }, - "Stage": { - "Ref": "ServerlessRestApiProdStage" - } - }, { "ApiId": { "Ref": "MyApiThree" @@ -414,10 +382,6 @@ ] }, "DependsOn": [ - "MyApiThree", - "ServerlessRestApi", - "MyApiThree", - "ServerlessRestApi", "MyApiThree", "ServerlessRestApi" ] 
@@ -427,38 +391,6 @@ "Properties": { "Enabled": true, "StageKeys": [ - { - "RestApiId": { - "Ref": "MyApiThree" - }, - "StageName": { - "Ref": "MyApiThreeProdStage" - } - }, - { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "StageName": { - "Ref": "ServerlessRestApiProdStage" - } - }, - { - "RestApiId": { - "Ref": "MyApiThree" - }, - "StageName": { - "Ref": "MyApiThreeProdStage" - } - }, - { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "StageName": { - "Ref": "ServerlessRestApiProdStage" - } - }, { "RestApiId": { "Ref": "MyApiThree" diff --git a/tests/translator/output/aws-us-gov/basic_function.json b/tests/translator/output/aws-us-gov/basic_function.json index ad22b6c2b..649009382 100644 --- a/tests/translator/output/aws-us-gov/basic_function.json +++ b/tests/translator/output/aws-us-gov/basic_function.json @@ -303,7 +303,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws-us-gov:iam::aws:policy/AWSXRayDaemonWriteAccess" + "arn:aws-us-gov:iam::aws:policy/AWSXrayWriteOnlyAccess" ], "Tags": [ { @@ -334,7 +334,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws-us-gov:iam::aws:policy/AWSXRayDaemonWriteAccess" + "arn:aws-us-gov:iam::aws:policy/AWSXrayWriteOnlyAccess" ], "Tags": [ { diff --git a/tests/translator/output/aws-us-gov/globals_for_function.json b/tests/translator/output/aws-us-gov/globals_for_function.json index 4170d86bc..e436c5079 100644 --- a/tests/translator/output/aws-us-gov/globals_for_function.json +++ b/tests/translator/output/aws-us-gov/globals_for_function.json 
@@ -5,7 +5,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws-us-gov:iam::aws:policy/AWSXRayDaemonWriteAccess", + "arn:aws-us-gov:iam::aws:policy/AWSXrayWriteOnlyAccess", "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" ], "PermissionsBoundary": "arn:aws:1234:iam:boundary/OverridePermissionsBoundary", @@ -107,7 +107,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws-us-gov:iam::aws:policy/AWSXRayDaemonWriteAccess", + "arn:aws-us-gov:iam::aws:policy/AWSXrayWriteOnlyAccess", "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" ], "PermissionsBoundary": "arn:aws:1234:iam:boundary/CustomerCreatedPermissionsBoundary", diff --git a/tests/translator/output/basic_function.json b/tests/translator/output/basic_function.json index f7c2deae6..8b1e210f4 100644 --- a/tests/translator/output/basic_function.json +++ b/tests/translator/output/basic_function.json @@ -303,7 +303,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess" + "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess" ], "Tags": [ { @@ -334,7 +334,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess" + "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess" ], "Tags": [ { diff --git a/tests/translator/output/globals_for_function.json b/tests/translator/output/globals_for_function.json index 4557c0e91..0ad54729b 100644 --- a/tests/translator/output/globals_for_function.json +++ b/tests/translator/output/globals_for_function.json 
@@ -5,7 +5,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess", + "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess", "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" ], "PermissionsBoundary": "arn:aws:1234:iam:boundary/OverridePermissionsBoundary", @@ -107,7 +107,7 @@ "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess", + "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess", "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" ], "PermissionsBoundary": "arn:aws:1234:iam:boundary/CustomerCreatedPermissionsBoundary",